double pivoting with meterpreter

hello folks

today we will talk about double pivoting using Meterpreter shell sessions
I will just focus on pivoting and some techniques – without exploitation because that, not our topic today

at first, this is our topology

our machine Kali Linux assuming as an attacker have IP = 192.168.40.128

the next win7 is assuming as first pivot point have 2nic first IP is =192.168.40.142 2nd IP is = 192.168.30.133

the next win7 is assuming as second pivot point have 2nic first IP is =192.168.30.131 2nd IP is = 192.168.20.130

and at last, our target metasploitable have only one IP = 192.168.20.128

at first, as I told before whatever how we gain access to the machine it’s not my problem today assuming that you find to exploit in first target win7 and you used it to get meterpreter shell so we have meterpreter shell we will use command ipconfig to network cards for this machine and see how many networks this machine connected to it

as we see and I told you before we have 2 Nic first IP is =192.168.40.141 2nd IP is = 192.168.30.133

so we need to access to the other network that we are not connected directly on it

so we will use command #run autoroute -s 192.168.30.0/24

 then check for routing table by # run autoroute -p

now you are ready to access the 192.168.30.0 network but in Metasploit, so I already know there is another target that ip 192.168.30.131 (second pivot point )

so I will make meterpreter shell by msfvenom and make bind shell to get meterpreter and configure handler to receive connection for the second target

 

 

also, check for nic's via #ipconfig

oh there is third network connected to machine  😀  as we see 192.168.20.0/24 ok let’s route it

now we can access to remote network 192.168.20.0/24 and as I told until now we can access it in Metasploit so you will find many posts and aux that work with you, for example, I will use post/ping_Sweep that make local network discover 🙂

so as we see here we found many IP’s such as 192.168.20.128 that metasploitable machine so what about using another auxiliary to check ports open on this machine such as lovely Nmap did 🙂

 

so as we see here we have many ports open so you can deice which port you will choose to start attacking his services 😀 if you are web PT I know you will look for port 80 and if you network PT maybe you look to port 21 or 22 to make some brute force attack

whatever which port you need what if you need to access this port locally, for example, you need to access port 80 for meta through your local web browser to make this it’s very easy mesy you will use port forwarder so let’s forward port 80

 

from last meterprter ssestion we use command

#portfwd add -L XmyIPX -l Xmy-localport-listen-to-remote-portX -p Xremote port i need to accessX -r Xremote host IPX

then you can access this from your browser like this

now we finish examples for used Metasploit aux and post and port forward what if you need to use outside (Metasploit) tolls such as Nmap etc. so here we need to use a module called socks4a and configure proxychains a

t first we use /server/socks4a

 

after the finish when you use command #jobs you will find 2 jobs for socks work

now you need to configure proxychains file

here I forget to take screenshots 😀 for file config but it’s very easy

you will just put 2 lines in the file

socks4 127.0.0.1 1080

socks4 127.0.0.1 1090

and don’t forget to save it

now your proxychains is ready to use let’s try it

it works fine without problem with Nmap
in my case, i use proxychains4 that better than normal proxy chains

 

in conclusion

I would thank Ebrahim Kadhi and Eslam Medhat
now we are finished and I hope you like my topic