My how time flies. It seems like only yesterday I wrote the post Got Meterpreter? Pivot!, but it has been four and a half years. In our industry, the only thing constant is change and Mr. Ed Skoudis gave me the opportunity to revisit this topic to see what has changed. Thank you Ed.
So, once again, we will start with the same scenario:
We have a Metasploit Meterpreter shell with Admin/System privileges on an in-scope target Windows box. We will call this system X and it is in the DMZ. Do the root dance, pillage the heck out of it and get ready to pivot!
There are many ways to leverage the exploited system to discover, scan, and pivot to other devices in the target network. This article will discuss some ways to leverage the Metasploit Framework (http://www.metasploit.com/) (hereafter referred to as Metasploit) to accomplish various kinds of pivots, although there will be some non-Metasploit tips scattered throughout as well. Where a technique from the previous post is still valid, it will be referenced. Our test system, X, uses a dual homed network, one network connected to the 172.16.33.x DMZ network and one connected to the 192.168.100.x internal network. The same techniques described below can be used for VLANs or physically separate networks that have paths to route to different networks.
Let's go.
Sniffer
Watching the network interactions between devices is still one of my favorite ways to learn who, what, when and why an exploited system communicates with others on the network.
Meterpreter still has the sniffer module discussed in the last post available. In fact it has been updated with x64 support since then. However, rather than rehash sniffer, we will use the Packet Recorder sniffer extension written by Carlos Perez.
Packet Recorder uses sniffer, but makes it even easier. Start by executing the command "run packetrecorder -li" in the Meterpreter session to list out the available network interfaces, then execute the command "run packetrecorder -i 3". To end the capture, carefully press CTRL-C then open up the capture and look for interesting info. The example below shows the entire process.
Not using Metasploit? For some reason when writing the post in 2012, I didn't mention the built in netsh capability so let me correct that oversight now. The netsh trace command can be used. There are all sorts of filters that can be used but a simple method is just to use the IPv4Address flag as shown in the screenshot below.
This capture is saved in ETL format and can be viewed using Microsoft Message Analyzer. You can also convert the ETL capture to PCAP format with a couple of PowerShell commands. See the Internet Storm Center post in the references for more details
Route and Auxiliary scan
There are more than 250 post-exploitation modules currently available in Metasploit. A lot of them are used to gather info from the exploited system and a few of these are very useful in a pivoting situation.
A couple of good ones, again compliments of Carlos Perez, which can be used to determine what other systems are on the network are
"post/windows/gather/arpscanner and post/multi/gather/pingsweep".
As illustrated above, these scans identified a few systems we can potentially pivot to.
Routing and Proxy
Routing is even easier than it was in 2012. From within your Meterpreter session simply type "run autoroute -s subnet", then ctrl-z to go back to the Metasploit console and use the new route with some of the auxiliary TCP based scan modules and if we find something juicy, even exploit through the autoroute. The example below shows using our exploited system as route to identify listening ports from the systems discovered during the ping_sweep,
PORTFWD, SOCKS proxy and SSH Tunnelling illustrated in the previous post still works well. If you haven't used them yet, you should. Re-read the post and setup a test lab to ensure you see it in action. You won't regret it.
One new development since that post is the addition of PowerShell version of SSH. Personally, I have only done limited tunnelling testing with the Microsoft backed version https://github.com/PowerShell/Win32-OpenSSH. If you have had some successes or challenges using PowerShell implementations of SSH for pivoting I would love to see them in the comments below.
No MSFMAP
Unfortunately, it appears that the module MSFMap by SecureState is no longer working in the current versions of Metasploit. All is not lost, though. There have been some very handy additions to Meterpreter that we can use in its place.
PowerShell
There are many ways to get a PowerShell session with Metasploit. One of the easiest is to use an existing session to create a PowerShell session. Background the existing session and do the following run the module "exploit/windows/local/payload_inject" with the "Windows/powershell_reverse_tcp payload" as shown below.
From here you can run (almost) any PowerShell module. In the example below, a PowerShell script, "Invoke-TSPingSweep", which was modified a bit to make it more display friendly, was uploaded via Meterpreter, imported and then executed.
Note that some scripts will behave differently when run in the injected session. In particular watch out for scripts that use "out-host" and some that do not handle network connection timeouts will return big ugly errors like this one below, but will typically continue.
Python
Another new addition is the ability to run Python directly in a Meterpreter session!!
This ability is still being developed and currently, there are some technical issues that limit some of the usefulness, for instance you can't have the Python script run in the background (https://github.com/rapid7/metasploit-framework/issues/6369),. Still, this is an great addition and one that certainly will be useful when pivoting.
Imagine being able to easily use your favorite Python code from Black Hat Python, Violent Python or the SANS Security 573 class. Wonderful!
Not using Metasploit? As briefly shown above, PowerShell is a very powerful tool for the penetration tester and can be especially handy for post exploitation activities. All of the automated penetration testing programs provide PowerShell modules and a lot of very good work is being done on utilizing PowerShell for both defense and offense.
PowerShell remoting may not always available, but if it is, it can be a quick way to pivot around a network. From an existing PowerShell session run the command "New-PSSession -ComputerName abc.fg.hi" then to interact with the shell run the command "Enter-PSSession X"
What's next?
I don't see any slowdown in the opportunities to pivot through the network anytime in the near future. Do you have a favorite I haven't mentioned? If so, please share it in the comments.
Thank you for your time
Cliff
References:
- https://isc.sans.edu/forums/diary/No+Wireshark+No+TCPDump+No+Problem/19409
- https://gallery.technet.microsoft.com/scriptcenter/Invoke-TSPingSweep-b71f1b9b
- https://technet.microsoft.com/en-us/magazine/ff700227.aspx
- https://blog.netspi.com/powershell-remoting-cheatsheet/
- http://www.darkoperator.com
- https://vimeo.com/140723133
