
How to use Pivoting in Metasploit to Hack Deeper into a Network


What is Pivoting?

Pivoting is an important technique to understand, because it lets us use a system we have already compromised to learn more about the network it sits on. For example, if that system is dual-homed (connected to two different networks) and one of those networks is an internal LAN, we can use the compromised host to reach into that internal LAN, exposing a deeper layer of the network to us. Thankfully, Metasploit comes with pivoting functionality built in. Now that we have covered what pivoting is, let's head into the lab and try it out.

Pivoting Example

Scenario
To make this lab more realistic, we first need to set up a scenario. Suppose we previously managed to plant a backdoor on an internal server. Unfortunately, due to unforeseen circumstances, we have lost our foothold on the network and can no longer reach the intranet where the backdoored server lives. Our goal now is to gain access to an end user's PC and pivot from it to our backdoor on the server. So let's get started!

Laboratory
For this lab, our backdoored server is a Windows Server 2008 R2 64-bit VM and the end-user computer is a 32-bit Windows 7 Pro VM. As an added bonus, we will use EternalBlue and DoublePulsar to gain access to the end user's PC. To use this exploit in Metasploit, we first need to install it. To do so we simply clone the exploit's GitHub repo, create a few directories, and move a file into place:


Now that the exploit is installed, let's launch Metasploit and search for it:



Once we've located our exploit, we can use the show options command to list all the options we can set for it:


We can leave most options at their defaults, but we will need to change PROCESSINJECT and RHOST, as well as set the payload:



(Note: PROCESSINJECT will vary depending on the architecture of the victim's operating system.) Now that everything is set up the way we want, let's launch the exploit against the end user's computer:


Now that we have user-level access on the end user's computer, we need to do some privilege escalation to obtain SYSTEM privileges. For this we will use the Schlamperei local exploit. A quick use of Metasploit's search command should give us what we're looking for:


Now that we have found our local exploit, let's select it and point it at the compromised end-user session:



Now that we have SYSTEM privileges, we can run the ipconfig command in our Meterpreter session to look at the networks the compromised computer is connected to:



That produced a lot of output, so I have trimmed it down to what we need. Here we can see two network interfaces of interest. The first is the interface we came in through to compromise this PC; the second leads to the internal LAN where the backdoor lives. Now that we have our pivot point (the end-user computer), we can add a route in Metasploit that lets us target that intranet, using this computer as a gateway in:
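The interface listing the attacker is reading here is exactly what the owner of the network should be auditing ahead of time: a workstation with a leg on both the user LAN and the internal server LAN is a ready-made pivot. The Python script below is an added example, not code from the original post. It parses the text of a Windows ipconfig listing (a constructed sample is embedded; adapter names and addresses are hypothetical) and reports hosts whose interfaces sit on more than one subnet, or on a subnet outside the one a workstation is supposed to be on. Run across an inventory of collected ipconfig output, it lists the dual-homed machines that need to be segmented or justified.

```python
import ipaddress
import re

# Constructed sample of Windows `ipconfig` output for a hypothetical dual-homed
# workstation: one adapter on the user LAN, one on an internal server LAN.
SAMPLE_IPCONFIG = """
Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 192.168.56.101
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.56.1

Ethernet adapter Local Area Connection 2:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 10.10.10.20
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :

Tunnel adapter isatap.lab.local:

   Media State . . . . . . . . . . . : Media disconnected
"""

# An adapter header is an unindented line ending in ':' that contains "adapter".
ADAPTER_RE = re.compile(r"^(\S.*adapter .+):\s*$")
# A field line is indented: "<name> . . . . : <value>" (value may be empty).
FIELD_RE = re.compile(r"^\s+(.+?)[ .]*: ?(.*)$")


def parse_ipconfig(text):
    """Return {adapter_name: {field_name: value}} for every adapter block."""
    adapters = {}
    current = None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current = m.group(1)
            adapters[current] = {}
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            adapters[current][m.group(1).strip()] = m.group(2).strip()
    return adapters


def interface_subnets(adapters):
    """Map adapter -> IPv4 network, for adapters that have an address and a mask."""
    nets = {}
    for name, fields in adapters.items():
        addr = fields.get("IPv4 Address")
        mask = fields.get("Subnet Mask")
        if addr and mask:
            # ipaddress accepts dotted-quad masks, so "a.b.c.d/255.255.255.0" works.
            nets[name] = ipaddress.ip_interface(f"{addr}/{mask}").network
    return nets


def is_dual_homed(adapters):
    """True when the host has live interfaces on two or more distinct subnets."""
    return len(set(interface_subnets(adapters).values())) >= 2


def unexpected_interfaces(adapters, allowed_cidrs):
    """Adapters whose subnet is not inside any of the allowed (expected) CIDRs."""
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    return [name for name, net in interface_subnets(adapters).items()
            if not any(net.subnet_of(a) for a in allowed)]


if __name__ == "__main__":
    adapters = parse_ipconfig(SAMPLE_IPCONFIG)
    for name, net in interface_subnets(adapters).items():
        print(f"{name}: {net}")
    print("dual-homed:", is_dual_homed(adapters))
    # Hypothetical policy: workstations belong on 192.168.56.0/24 only.
    print("outside policy:", unexpected_interfaces(adapters, ["192.168.56.0/24"]))
```

The policy list is the interesting knob: a host that is merely dual-homed may be legitimate (a VPN client, say), but a user workstation with an interface inside the server segment almost never is, and that is the case the second check isolates.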



Now that our route is in place, let's move on and use Metasploit's ARP scanner module to enumerate the hosts on the internal LAN. Because this is a lab environment, there will only be one host, our server. But we can still use this module to find the IP address we need in order to connect to our backdoor:



Once all of our options are set correctly, we can run the scanner and find the server's IP address:



With the scan results in hand, we can use the multi/handler module to connect to our backdoor, which in this case is a 64-bit EXE listening on port 8080. Now that we have the route in place and the server's IP address, we should be able to reach the backdoor and regain control of the server:



Now that we can reach our backdoored server again, we can dump its sensitive data:



Finally, to make sure we are on the correct server, we run the sysinfo command to check the operating system:



There we have it! Our first adventure is over, but we will certainly cover more in the future. We have shown only one pivoting technique here; Metasploit offers more. When pivoting is combined with a variety of enumeration techniques and attacks, an attacker can crawl across an entire network.
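Seen from the internal LAN, the post-pivot steps above (scanning the segment from the end-user PC, then connecting to a listener on port 8080 that no legitimate service uses) are visible to anything logging connections on that segment. The script below is an added example, not code from the original post or from Metasploit. It runs two simple detections over constructed key=value connection-log lines (all addresses and the service policy are hypothetical): connections into the server segment on a destination port that the policy does not list for that host, and a single source touching an unusual number of distinct hosts in the segment, which is what a scan through a pivot looks like at the IP layer.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample log lines, as a sensor on the internal server LAN might
# emit. Hypothetical addresses: 10.10.10.20 is the internal-LAN interface of a
# dual-homed end-user PC, 10.10.10.30 is a server, 10.10.10.40 another server.
SAMPLE_LOG = """\
ts=2024-01-01T10:00:01Z src=10.10.10.20 dst=10.10.10.30 dport=445 proto=tcp action=allow
ts=2024-01-01T10:02:00Z src=10.10.10.20 dst=10.10.10.31 dport=445 proto=tcp action=allow
ts=2024-01-01T10:02:01Z src=10.10.10.20 dst=10.10.10.32 dport=445 proto=tcp action=allow
ts=2024-01-01T10:02:02Z src=10.10.10.20 dst=10.10.10.33 dport=445 proto=tcp action=allow
ts=2024-01-01T10:03:10Z src=10.10.10.20 dst=10.10.10.30 dport=8080 proto=tcp action=allow
ts=2024-01-01T10:05:00Z src=10.10.10.40 dst=10.10.10.30 dport=445 proto=tcp action=allow
"""

SERVER_SEGMENT = ipaddress.ip_network("10.10.10.0/24")
# Hypothetical service policy: ports each server is expected to accept from the
# segment. Hosts not listed fall back to DEFAULT_APPROVED.
APPROVED_PORTS = {"10.10.10.30": {445}}
DEFAULT_APPROVED = {445}
SWEEP_THRESHOLD = 4  # distinct destinations from one source before we call it a sweep

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn 'k=v k=v ...' into a dict; unknown/blank lines give an empty dict."""
    return dict(KV_RE.findall(line))


def in_segment(addr):
    try:
        return ipaddress.ip_address(addr) in SERVER_SEGMENT
    except ValueError:
        return False


def find_unapproved_ports(lines):
    """(ts, src, dst, dport) for TCP connections into the segment on unlisted ports."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        dst = rec.get("dst")
        if not dst or rec.get("proto") != "tcp" or not in_segment(dst):
            continue
        dport = int(rec.get("dport", 0))
        if dport not in APPROVED_PORTS.get(dst, DEFAULT_APPROVED):
            hits.append((rec.get("ts"), rec.get("src"), dst, dport))
    return hits


def find_sweeps(lines, threshold=SWEEP_THRESHOLD):
    """{src: sorted destinations} for sources that touched >= threshold segment hosts."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        dst = rec.get("dst")
        if dst and rec.get("src") and in_segment(dst):
            seen[rec["src"]].add(dst)
    return {src: sorted(dsts) for src, dsts in seen.items() if len(dsts) >= threshold}


def analyze(text):
    lines = [l for l in text.splitlines() if l.strip()]
    return {"unapproved_ports": find_unapproved_ports(lines), "sweeps": find_sweeps(lines)}


if __name__ == "__main__":
    for rule, result in analyze(SAMPLE_LOG).items():
        print(f"{rule}: {result}")
```

Both rules key on the allow-listed behaviour of the segment rather than on any signature of the tooling, so they also catch a listener on some port other than 8080 or a scanner other than Metasploit's; the cost is that the approved-port table has to reflect what the servers actually offer, which is a useful inventory exercise in itself.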
