Metasploit question
Hi guys, I was just had a quick metasploiting question. Situation is this:
Say I'm doing a pentest remotely, and I have that box facing the net with a public IP (77.77.77.77 for omen's sake), and have a exploit/multi/handler listening for a reverse TCP connection, which will upload meterpreter handler. Now, this other box's reverse connection comes from within the internal network, via NAT, past their router into 77.77.77.77, which connects back through their public IP (we'll say 66.66.66.66) onto the computer on the LAN, who's IP is 192.168.0.2. Now, from there I want to pivot and scan other PC's on the network through that box, because it has permissions to access them (you get where I'm coming from, you penetrate one box, manipulate priveleges etc., that it has with other boxes). Now, I know you have to background the session and then:
route add ip subnet session#
In the form of this for the given example:
route add 192.168.0.0 255.255.0.0 1
But, my question is this: Is that the correct command? Because I've tried scanning the router from there in this test scenario, and it doesn't work with nmap or any of the other auxiliary modules. Am I doing something wrong? Thanks for taking the time to read,
~phoenix910
that looks correct
when you do a route print do you see your route?
i havent been able to get nmap to work successfully thru the pivot but i was able to get aux modules to work.
for testing, can you drop to a shell and ping other hosts in the 192 network? you just want to make sure traffic is being passed
Yeah, did a route print and it was all there. Couldn't test with auxiliary scanners at the time, but I did manage to get an nmap working - problem was I was on Ubuntu, and at the moment (without installing the Ruby dev libraries) it's stuck with the dodgy ruby packages - i.e., don't work with metasploit. I switched to BT3 and all was good - could nmap scan through hosts no worries. I haven't actually tried hopping through a host to 'sploit another with dual nics, and hopping onto the second network yet - that's my next aim.
~phoenix910
Seems exactly what I'm looking for. Thanks God that the thread is not closed. Did you find the answer? I'm on BT3 btw, still can't do the nmap scan. What am i missing?Originally Posted by phoenix910
The only way to achive what you want you will have to upload scanline and use it to scan from the compromised host.
meterpreter currently does not have that capability
Actually it does (everywhere I've read has mentioned that capability, which is where I got the idea from), and I got it to work - I just realised that the other machine I was attempting to scan didn't like it. I changed a few options here and there, and scanned my ADSL router through my main machine, which was compromised by me via a server in the UK.
~phoenix910
could you please post the steps that you used, my understanding was that in meterpreter the route command was for the pivoting of exploits that had the support to be channeled thru the meterpreter session. Thanks
Yeah, the steps are the same (as in my tutorial, and for pivoting exploits), but because Metasploit/Meterpreter (can't remember which one - it's late here :P) supports intergrated nmap scans (such as in Autopwn), so it works fine
~phoenix910
What type of scan are you doing with Nmap? Can you post the switches your using with it? When you scan, are you at least seeing port 80? I only ask because most ISP gayeways drop all traffic but that, unless something specific is needed. Is there a firewall in front? If there is, have you looked into firewalking? Im not an expert but your route add looks right.
Scan switches I use are these:
nmap -sS -sV -T 4 -P0 -O xxx.xxx.xxx.xxx
Yes, I see port 80.
~phoenix910
Posting Permissions
