Tuesday, June 14, 2016

METASPLOIT - Double Pivoting


- Layout for this exercise:

- First, the XP system must be exploited, because it is the closest to the attacker, being located in the same network
It will used as the first pivot, for further attacks to other inside networks.

- Scanning available ports and services at pivot 1 XP::

- Let's try to attack XP on port 445, using the ms08_067_netapi exploit:

- Setting XP's IP as the RHOST:

- Launching the exploit,  a successful meterpreter session is achieved:

- Now, post exploitation shows that XP is connected to an inner network

- Scanning for machines inside, a new is discovered.
This is the pivot 2 to be used at the attack against the final victim:

- Backgrounding the session 1:

- So far, there is only one active meterpreter session 1:

- A route to the inner network is added using session 1:

- Printing the route:

- Backing:

- Nex step would be to exploit the intermediate machine, whose IP is For that purpose, let's discover open and available ports:

- Let's try to attack port 80 using a vulnerability at Bad Blue application, web server usually working on that port:

- Setting the remote host to the new discovered system:

- In this case, the meterpreter payload is set to bind_tcp, because otherwise (reverse_tcp) the final victim would not know how to go back to the attacker:

- Launching the exploit a second meterpreter session is opened. We learn that the pivot 2 is a Windows 7 system:

- Also, it is interesting to notice that W7 has got two interfaces, one the and the other connected to the innermost network, with IP

- Let's discover other machines inside the network As a  result, we learn that the final victim has got the IP

- Backgrounding the meterpreter session 2:

- Backing to the original msfconsole prompt:

- Now, there are 2 active meterpreter sessions:

- A second route is needed to access the innermost network, using meterpreter session 2:

- Now, the last step would be to attack the final victim, with IP To achieve this goal we need to know what ports are open and available to be attacked, running this auxiliary script:

- Let's try to attack port 21, usually devoted to FTP service, for instance using the exploit vsftpd_234_backdoor:

-Launching the exploit, the attack is successful because a third session shell is opened at the innermost victim:

- So finally there are 3 open and active sessions for the whole process:

- It is interesting to view how netstat shows all the connections from each computer. From the attacker's point of view:

- From the Linux innermost computer's point of view:

- From the XP's point of view:

- From W7's point of view: