Metasploit Basics, Part 10: Pivoting to Compromise the Network

Hacking Metasploit

Welcome back, my Metasploit aficionados!

In this series, we began with the Metasploit basics and have progressed through exploitation and creating our own custom payloads. In this tutorial, we will examine how we can proceed after having exploited a single system on a network to controlling the entire network.

 
 
 
 

Very often to compromise a network or a target system, we can gain a foothold into single user’s system and then leverage that to take over other systems on the network that might be more valuable. For instance, we might compromise a single user’s system via social engineering or an improperly patched application, to move to the more valuable database server on the same network.

Let’s take a look at how we might do that.

Step #1 Fire Up Kali and open Metasploit console

The first step, of course, is to fire up Kali and open the Metasploit console.

kali > msfconsole

Step #2 Exploit the System

The next step, of course, is to exploit the system. There are multiple ways to do this. You can create a malicious link, embed a rootkit into malware, use Eternal Blue or use .NET vulnerability, among many others.

Here, I will be exploiting an unpatched Windows 7 system with the NSA’s EternalBlue SMB exploit. You can find it in Metasploit by entering;

msf > search eternalblue

Once we load it and the meterpreter payload and send it to the target system, we will get a meterpreter prompt like below

Step #3 Reconnaissance

Now, begins the interesting part. We have exploited the Windows 7 system and have embedded a meterpreter listener/rootkit on the system. Let’s see what IP address(es) and any other network interfaces are on the compromised system.

meterpreter > ipconfig

As you can see, the compromised system has just the loopback interface and another NIC with IP address 192.168.89.191.

Step #4 Scan the Network for other Systems

The next step to compromising the network is to scan for other systems on the network. The meterpreter has an ARP scanner built in that we can use for that purpose. We can scan the entire network for additional systems by using the command, arp_scanner, the -r switch followed by the network using CIDR notation.

meterpreter > run arp_scanner -r 192.168.89.0/24

As you can see above, our ARP scan found three machines on the network, 192.168.89.193, 192.168.89.191 and 192.168.89.190.

Now that we know what systems are on our network, the next step is to scan them with the post auxiliary module, auxiliary/scanner/portscan/tcp, to what ports are open. The open ports are a good indication of the services running on the system.

First we need to background our meterpeter to use this auxiliary module.

meterpreter > background

Now, we need to add a route to the meterpreter session.

msf > route add 192.168.89.191 255.255.255.0 1

msf > route print

Note that the route add command includes the IP address, the subnet mask and the ID of the meterpreter session (1).

Step #5 Port Scan

Now that we know what systems are on our network and we have a route established to the compromised machine, the next step is to scan them with the post auxiliary module, auxiliary/scanner/portscan/tcp.

We need load this auxiliary module.

msf > use auxiliary/scanner/portscan/tcp

In this auxiliary module, we need to set the RHOSTS (remote or target hosts) and the PORTS we want to scan. I suspect that this system might be running Microsoft’s SQL Server as a database that runs on port 1433, so I selected ports 1-1500. Note that MySQL runs on port 3306 and Oracle on port 1521, so if it is running one of those databases, this scan will not detect them and we would need to revise the port variable to include those ports.

Here, I am scanning a single host for brevity, but in a real pentest, you would likely want to scan the entire network, setting the RHOSTS to 192.168.89.0/24. In that case, the output will be voluminous.

msf > set RHOSTS 192.168.89.191

msf > set PORTS 1-1500

msf > run

As you can see above, the port scanner found multiple TCP ports open including port 1433, meaning that this system is likely running MS SQL server database!

This is the system we want to target next from our foothold on this network.

Pivoting enables us to compromise a single user’s system on a network and then leverage that to compromising every machine on the network. From the route we had added to the compromised system, we can launch attacks against nearly anything other machine on the internal network from our Metasploit console!