Port forwarding and pivoting
"This blog is already published on infosecinstitute"
In computer networking, port forwarding or port mapping is an application of network address translation (NAT) that redirects a communication request from one address and port number combination to another while the packets are traversing a network gateway, such as a router or firewall. This technique is most commonly used to make services on a host residing on a protected or masqueraded (internal) network available to hosts on the opposite side of the gateway (external network), by remapping the destination IP address and port number of the communication to an internal host
More info on Port forwarding
1 - Attacker (Kali)
2 - WinXP
3 - Linux (Metasploitable or any vulnerable Linux Machine).
Vmware IP Setup
eth0 - (C Class IP) eg. 192.168.1.104
1 Ethernet - (C Class IP) eg.1 18.104.22.168
2 Ethernet - (A Class IP) eg. 10.128.0.3
eth0 - (A Class IP) eg. 10.128.0.1
How to configure in Vmware?
1 - Open Vmware - > Edit - >"Virtual Network Editor"
2 - Click on "Add Network" and add any 2 Network in my case i am
adding VMnet2 and VMnet3
3 - Select VMnet2 and change Subnet IP - 192.168.1.0 and Subnet mask -
255.255.255.0 also select "Host - Only"
4 - Select VMnet3 and change Subnet IP - 10.0.0.0 and Subnet mask -
255.0.0.0 also select "Host - Only"
5 - Now add Network Adapter in all 3 machine
6 - In Attacker Network Adapter Change NAT to Custom "Select VMnet2"
7 - In WinXP add 2 Attacker Network Adapter
1st Network Adapter "Custom VMnet2"
2nd Network Adapter "Custom VMnet3"
8 - In Linux add Network Adapter Change NAT to custom "Select VMnet3"
Attacker (Kali Linux) IP is 192.168.1.104
Windows XP is connected to Vmnet 2 (192.168.1.131) and Vmnet 3 (10.128.0.3) so it has 2 IP address. My 183 segment is just for internet access.
Metasploitable IP is 10.128.0.1 as it is connected to Vmnet 3
Try to ping XP form Kali. Try to ping metasploitable from XP. Ping will be success full if everything is configured correctly.
Now the next thing is to take a meterpreter session of Win XP. Any feasible and continent method can be used. I have installed vulnerable BadBlue 2.72b on Win XP to take up the meterpreter session.
App can be downloaded form exploit-db badblue 2.7.2b
Checking out some basic meterpreter commands. getuid and sysinfo.
Now migrate to some stable process. explorer.exe is the best choice for that.
Now Checking out IPconfig of the exploited machine
We can see 10.128.0.3 interface present on Windows XP. It indicates that Windows XP is connected to 10.xxx series network.
We will use xp as a pivot to explore other machine on 10xxx series network.
To determine other host on 10.xxx series network we use an meterpreter arp_scanner module.
meterpreter>run arp_scanner -r 10.128.0.1/24
It shows that the IP 10.128.0.1 is alive in the pivot network.
Now our mission is to exploit that machine. Things become difficult when we want to exploit a machine on a pivot network.
Routing to 10.xxx series network.
Now we will make a route to 10.xxx series network using the session that we have.
To do that background the current meterpreter and enter the following command:
The 1 at the end of the route statement indicates that we are using session 1 to for the route.
Lets check the route
Setting up a tcp scanner to scan the host 10.128.0.1 using the route of session 1 that we have added.
Then My favorite command run ;)
Scanning takes time as we are working on a pivot network. This is how we can scan the network.
Now the Question is how to determine the services enabled on each port so that we can think of further exploitation.
The answer is protfwd meterpreter command.
This will bind the local port 9999 to remote port 139 of the remote host 10.128.0.1
Verification of local port forward is done by scanning the local port 9999.
Ohk so its Samba smbd 3.X. There's a working exploit for Samba in metasploit with the name usermap_script. Configure metasploit module as follows.
Look at Reverse shell payload and configuration carefully. Did you find anything fishy?
Attacker IP is 192.168.1.104 (Kali) and we are having a reverse shell to 10.128.0.3 (XP) so practically windows xp will have the reverse shell.
No it is not like that. When we are using a meterperter session and working with portfwd utility, our metterpreter is programmed to route the reverse shell to the attacker as it knows portfwd is in used.
So it is the responsibility of Metterpreter session to handle the route, victim session and give it back to the attacker.
Well I know it's kind of difficult to understand, but to clarify this concept you need to watch Metasploit megaprimer from Securitytube.com (Vivek Ramachandran). He explained the concept there.
Again my favorite command exploit
Confirming list of session shows there's a meterpreter and a unix shell that is piped.
Confirming the same at metasploitable.