
Thread: Metasploit question

  1. #1

    Metasploit question

    Hi guys, I just had a quick metasploiting question. Situation is this:
    Say I'm doing a pentest remotely, and I have that box facing the net with a public IP (77.77.77.77 for omen's sake), and have an exploit/multi/handler listening for a reverse TCP connection, which will upload the meterpreter handler. Now, this other box's reverse connection comes from within the internal network, via NAT, past their router into 77.77.77.77, which connects back through their public IP (we'll say 66.66.66.66) onto the computer on the LAN, whose IP is 192.168.0.2. Now, from there I want to pivot and scan other PCs on the network through that box, because it has permissions to access them (you get where I'm coming from: you penetrate one box, manipulate privileges etc. that it has with other boxes). Now, I know you have to background the session and then:
    route add ip subnet session#
    In the form of this for the given example:
    route add 192.168.0.0 255.255.0.0 1
    But, my question is this: Is that the correct command? Because I've tried scanning the router from there in this test scenario, and it doesn't work with nmap or any of the other auxiliary modules. Am I doing something wrong? Thanks for taking the time to read,

    ~phoenix910
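From the defender's side, the scenario in this post (an internal host calls out to an external handler, then starts sweeping the LAN through that session) leaves a recognisable pattern in flow logs. The script below is an added example, not code from the thread or from Metasploit; the flow records and the 192.168.0.0/16 range (matching the route added above) are constructed for illustration, and the field layout is a simplified stand-in for NetFlow or Zeek conn.log records.

```python
"""Flag internal hosts that open an outbound connection to an external IP
and then SYN-sweep many internal hosts shortly afterwards (pivot scanning)."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flows: "time src_ip src_port dst_ip dst_port tcp_flags".
# 192.168.0.2 calls out to 77.77.77.77:4444, then probes six LAN hosts;
# 192.168.0.9 is ordinary browsing followed by a single internal request.
SAMPLE_FLOWS = """\
2010-02-01T10:00:01 192.168.0.2 49152 77.77.77.77 4444 S
2010-02-01T10:00:05 192.168.0.2 49153 192.168.0.1 80 S
2010-02-01T10:00:05 192.168.0.2 49154 192.168.0.1 443 S
2010-02-01T10:00:06 192.168.0.2 49155 192.168.0.3 445 S
2010-02-01T10:00:06 192.168.0.2 49156 192.168.0.4 445 S
2010-02-01T10:00:07 192.168.0.2 49157 192.168.0.5 22 S
2010-02-01T10:00:07 192.168.0.2 49158 192.168.0.6 135 S
2010-02-01T10:00:07 192.168.0.2 49159 192.168.0.7 139 S
2010-02-01T10:00:09 192.168.0.9 49160 203.0.113.5 443 S
2010-02-01T10:00:10 192.168.0.9 49161 192.168.0.1 80 S
"""

# Assumed internal range; it is the same subnet the route command in the thread covers.
INTERNAL = ipaddress.ip_network("192.168.0.0/16")


def parse_flows(text):
    """Parse the constructed flow text into (time, src, dst, dport, flags) tuples."""
    flows = []
    for line in text.splitlines():
        ts, src, _sport, dst, dport, flags = line.split()
        flows.append((datetime.fromisoformat(ts), ipaddress.ip_address(src),
                      ipaddress.ip_address(dst), int(dport), flags))
    return flows


def find_pivot_hosts(flows, window=timedelta(minutes=5), min_targets=5):
    """Return {internal_host: (external_peer, distinct_internal_targets)} for hosts
    whose outbound SYN to an external IP is followed, within `window`, by SYNs to
    at least `min_targets` distinct internal hosts."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f[1]].append(f)
    hits = {}
    for src, fl in by_src.items():
        if src not in INTERNAL:
            continue
        for ts, _, dst, _, flags in fl:
            if dst in INTERNAL or "S" not in flags:
                continue  # only outbound connection attempts seed a check
            targets = {d for t, _, d, _, fg in fl
                       if d in INTERNAL and ts < t <= ts + window and "S" in fg}
            if len(targets) >= min_targets:
                hits[str(src)] = (str(dst), len(targets))
                break
    return hits
```

Tune `window` and `min_targets` to the site's baseline; a slow scan (the -T settings discussed later in the thread) spreads its SYNs out and needs a wider window to be caught by this fan-out count.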

  2. #2

    That looks correct.

    When you do a route print, do you see your route?

    I haven't been able to get nmap to work successfully through the pivot, but I was able to get aux modules to work.

    For testing, can you drop to a shell and ping other hosts in the 192 network? You just want to make sure traffic is being passed.

  3. #3

    Yeah, did a route print and it was all there. Couldn't test with auxiliary scanners at the time, but I did manage to get an nmap working. The problem was I was on Ubuntu, and at the moment (without installing the Ruby dev libraries) it's stuck with the dodgy Ruby packages, i.e. they don't work with Metasploit. I switched to BT3 and all was good: could nmap scan through hosts no worries. I haven't actually tried hopping through a host to 'sploit another with dual NICs, and hopping onto the second network yet; that's my next aim.

    ~phoenix910

  4. #4
    kazalku

    Quote Originally Posted by phoenix910 (post #1 above)
    Seems exactly what I'm looking for. Thank God that the thread is not closed. Did you find the answer? I'm on BT3 btw, still can't do the nmap scan. What am I missing?

  5. #5

    The only way to achieve what you want is to upload scanline and use it to scan from the compromised host.
    Meterpreter currently does not have that capability.

  6. #6

    Quote Originally Posted by BadKarmaPR:
    Meterpreter currently does not have that capability.
    Actually it does (everywhere I've read has mentioned that capability, which is where I got the idea from), and I got it to work. I just realised that the other machine I was attempting to scan didn't like it. I changed a few options here and there, and scanned my ADSL router through my main machine, which was compromised by me via a server in the UK.

    ~phoenix910

  7. #7

    Could you please post the steps that you used? My understanding was that in Meterpreter the route command was for the pivoting of exploits that had the support to be channeled through the Meterpreter session. Thanks.

  8. #8

    Yeah, the steps are the same (as in my tutorial, and for pivoting exploits), but because Metasploit/Meterpreter (can't remember which one, it's late here :P) supports integrated nmap scans (such as in Autopwn), it works fine.

    ~phoenix910

  9. #9

    What type of scan are you doing with Nmap? Can you post the switches you're using with it? When you scan, are you at least seeing port 80? I only ask because most ISP gateways drop all traffic but that, unless something specific is needed. Is there a firewall in front? If there is, have you looked into firewalking? I'm not an expert, but your route add looks right.

  10. #10

    Scan switches I use are these:
    nmap -sS -sV -T 4 -P0 -O xxx.xxx.xxx.xxx

    Yes, I see port 80.

    ~phoenix910
