Let's say that you have compromised one machine on a network and you want to keep going to another machine. You will use the first machine as a staging point/plant/foothold to break into machine 2. Thid technique of using one compromised machine to access another is called pivoting. Machine one is the `pivot` in the example. The `pivot` is just used as a way to channel/tunnel our attack.
Let's say that you have compromised one machine on a network and you want to keep going to another machine. You will use the first machine as a staging point/plant/foothold to break into machine 2. The technique of using one compromised machine to access another is called pivoting. Machine one is the `pivot` in the example. The `pivot` is just used as a way to channel/tunnel our attack.
#### Ipconfig
## Ipconfig
We are looking for machines that have at least THREE network interfaces (loopback, eth0, and eth1 (or something)). These machines are connected to other networks, so we can use them to pivot.
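Review bot: the heading this hunk renames to `## Ipconfig` does not match the commands the section actually shows, which are `ifconfig` and `ifconfig -a` (the context lines of the next hunk); name the section after the Linux command, or add a sentence that `ipconfig` is the Windows equivalent, as the Metasploit section's `ipconfig` step on the Windows host implies. While this paragraph is being touched, the nested parentheses in "at least THREE network interfaces (loopback, eth0, and eth1 (or something))" would read better as "at least three interfaces, for example lo, eth0 and eth1", since a multi-homed host is the whole point of the check. The level change from `####` to `##` is consistent with the other top-level sections on the page (`## Metasploit`, `## SShuttle`).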
@@ -16,66 +16,6 @@ ifconfig
ifconfig -a
```
## Metasploit
### Ping-sweep the network
First we want to scan the network to see what devices we can target. In this example we already have a meterpreter shell on a windows machine with SYSTEM-privileges.
```
meterpreter > run arp_scanner -r 192.168.1.0/24
```
This command will output all the devices on the netowork.
### Scan each host
Now that we have a list of all available machines. We want to portscan them.
We will to that portscan through metasploit. Using this module:
```
use auxiliary/scanner/portscan/tcp
```
If we run that module now it will only scan machines in the network we are already on. So first we need to connect us into the second network.
On the already pwn machine we do
```
ipconfig
```
Now we add the second network as a new route in metasploit. First we background our session, and then do this:
```
# the ip addres and the subnet mask, and then the meterpreter session
route add 192.168.11.1 255.255.255.0 1
```
Now we can run our portsanning module:
```
use auxiliary/scanner/portscan/tcp
```
### Attack a specific port
In order to attack a specific port we need to forwards it like this
Now this port will be available on your localhost.
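Review bot: this hunk removes the whole Metasploit section (66 lines) and the final hunk re-adds it at the end of the file, so the move is the moment to fix the defects that are otherwise copied along: "netowork", "We will to that portscan", "connect us into the second network", "ip addres" in the code comment, and "we need to forwards it like this". The `route add 192.168.11.1 255.255.255.0 1` example also needs attention: the comment says "the ip addres and the subnet mask", but with a 255.255.255.0 mask the first argument is a network, so it should be 192.168.11.0 rather than a host address, and the sentence "First we background our session" refers to a step the section never shows. Lastly, "a windows machine with SYSTEM-privileges" should read "a Windows machine with SYSTEM privileges".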
@@ -194,7 +133,8 @@ nc localhost:10000
Remote port forwarding is crazy, yet very simple concept. So imagine that you have compromised a machine, and that machine has like MYSQL running but it is only accessible for localhost. And you can't access it because you have a really crappy shell. So what we can do is just forward that port to our attacking machine. The steps are as following:
Here is how you create a remote port forwarding
Here is how you create a remote port forwarding:
```
ssh <gateway> -R <remote port to bind>:<local host>:<local port>
```
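Review bot: the colon added to "Here is how you create a remote port forwarding:" is fine, but the template `ssh <gateway> -R <remote port to bind>:<local host>:<local port>` needs one sentence saying which side each placeholder lives on: `<remote port to bind>` is opened on `<gateway>` (the host you ssh into), and connections arriving there are sent to `<local host>:<local port>` as resolved from the machine running ssh, which in the loopback-only MySQL scenario above is that machine's own 127.0.0.1. "The steps are as following:" announces a list but only this single command follows, so either drop the sentence or list the steps; and "Remote port forwarding is crazy, yet very simple concept" should read "is a very simple concept".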
@@ -216,6 +156,7 @@ Now we can check netstat on our attacking machine, we should see something like
This can be used to dynamically forward all traffic from a specific application. This is really cool. With remote and local port forwarding you are only forwarding a single port. But that can be a hassle if your target machine has 10 ports open that you want to connect to. So instad we can use a dynamic port forwarding technique.
Dynamic port forwarding sounds really complicated, but it is incredibly easy to set up.
Just set upp the tunnel like this. After it is set up do not run any commands in that session.
Just set up the tunnel like this. After it is set up do not run any commands in that session.
```
# We connect to the machine we want to pivot from
ssh -D 9050 user@192.168.1.111
```
Since proxychains uses 9050 by defualt (the defaultport for tor) we don't even need to configure proxychains. But if you want to change the port you can do that in **/etc/proxychains.conf**.
Since proxychains uses 9050 by defualt (the defaultport for tor) we don't even need to configure proxychains. But if you want to change the port you can do that in `/etc/proxychains.conf`.
```
proxychains nc 192.168.2.222 21
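Review bot: the edit to the proxychains line changes `**/etc/proxychains.conf**` to backticks but leaves "defualt" and "defaultport" on the same line; fix both in this hunk ("by default (the default port for Tor)"). Two lines earlier, "instad" should be "instead". The instruction "After it is set up do not run any commands in that session" is better expressed by the command itself: `ssh -N -D 9050 user@192.168.1.111` tells ssh not to start a remote shell, so there is no session to type into by accident, and the tunnel-only purpose is clear from the command line. One caveat belongs in the paragraph that promises to "dynamically forward all traffic from a specific application": a SOCKS tunnel carries TCP connections only, so ICMP and UDP from the proxied application do not go through it.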
@@ -253,7 +194,7 @@ Machine1 - 111.111.1111.111 - The server that works as our proxy.
Machine2 - The computer with the web browser.
First we check out what out public IP adress is, so that we know the IP address before and after, so we can verify that it works.
First you set ssh to
First you set ssh to:
```
# On Machine2 we run
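Review bot: "First you set ssh to:" gains a colon here but still does not say what the command that follows does; the surrounding lines only say that Machine1 "works as our proxy" and that Machine2 runs the browser, so one sentence describing the command's effect would let the step stand on its own. In the context line `Machine1 - 111.111.1111.111`, the third octet has four digits, so this is not a valid IPv4 address; use a reserved documentation address from RFC 5737 (for example 192.0.2.10) for placeholders. "First we check out what out public IP adress is" should read "First we check what our public IP address is".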
@@ -275,6 +216,15 @@ But we are not done yet. It still says that we have **WebRTC leaks**. In order t
**media.peerconnection.enabled**
## SShuttle
I haven't used this, but it might work.
```
sshuttle -r root@192.168.1.101 192.168.1.0/24
```
## Port forward with metasploit
We can also forward ports using metasploit. Say that the compromised machine is running services that are only accessible from within the network, from within that machine. To access that port we can do this in meterpreter:
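Review bot: the sshuttle example this hunk moves here also changes its addresses: the removed copy in the final hunk reads `sshuttle -r root@10.0.0.1 10.10.10.0/24`, where the routed network differs from the network the SSH server is on, while the new `sshuttle -r root@192.168.1.101 192.168.1.0/24` routes the very subnet the server sits in, which no longer matches the pivoting scenario the page opens with (a host with an extra interface into a second network). Keep the two-network form, and since the text says "I haven't used this, but it might work", either verify the command before publishing it or leave that caveat right next to it. In the new "Port forward with metasploit" paragraph, "only accessible from within the network, from within that machine" says two different things; the `nc 127.0.0.1 3306` context in the next hunk suggests "only on that machine's loopback interface" is what is meant.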
@@ -290,12 +240,65 @@ Now we can access this port on our machine locally like this.
nc 127.0.0.1 3306
```
### Ping-sweep the network
## SShuttle
First we want to scan the network to see what devices we can target. In this example we already have a meterpreter shell on a windows machine with SYSTEM-privileges.
```
sshuttle -r root@10.0.0.1 10.10.10.0/24
meterpreter > run arp_scanner -r 192.168.1.0/24
```
This command will output all the devices on the netowork.
### Scan each host
Now that we have a list of all available machines. We want to portscan them.
We will to that portscan through metasploit. Using this module:
```
use auxiliary/scanner/portscan/tcp
```
If we run that module now it will only scan machines in the network we are already on. So first we need to connect us into the second network.
On the already pwn machine we do
```
ipconfig
```
Now we add the second network as a new route in metasploit. First we background our session, and then do this:
```
# the ip addres and the subnet mask, and then the meterpreter session
route add 192.168.1.101 255.255.255.0 1
```
Now we can run our portscanning module:
```
use auxiliary/scanner/portscan/tcp
```
### Attack a specific port
In order to attack a specific port we need to forwards it like this
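Review bot: the `route add` line in the moved copy changes its first argument from 192.168.11.1 to `route add 192.168.1.101 255.255.255.0 1`, but the sentence above it still says "we add the second network as a new route"; 192.168.1.0/24 is the network the earlier `run arp_scanner -r 192.168.1.0/24` sweep already reaches, so the route now points at the first network rather than the second, and with a 255.255.255.0 mask the argument should be a network address (192.168.11.0 in the removed copy's numbering), not a host. The moved text fixes "portsanning" but keeps the other typos from the removed block ("netowork", "We will to that portscan", "connect us into", "ip addres", "we need to forwards it like this"), and the new `### Ping-sweep the network` heading lands directly after the closing fence of the previous section with no blank line, unlike the other headings in the file; add one so the Markdown renders consistently.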