I’m currently working my way through the PTPv4 course offered by eLearn Security. One of the labs involves extending our reach to otherwise inaccessible networks by pivoting through a Victim that we already have an active Meterpreter session on.
I’m going to skip the network discovery part and jump straight into the interesting bits! So assume the network map looks like this:
As seen below, we have an existing Meterpreter session active for Victim 1. We will be using this session to pivot via Victim 1 to access Victim 2.
Socks Module Setup
We will need to use the Socks4a Metasploit module to set up a proxy from Meterpreter to our system. The Socks proxy is required because Meterpreter uses its own routing table, separate from the one the host uses, meaning only Metasploit can use the routes it sets up unless we go through a proxy.
Adding Default Routes
Next up we will use the Autoroute module with the CMD set to default and the SESSION set to 14 (see Figure 1). The SUBNET setting is not required when using default. This tells Metasploit to add a default route to its routing table, routing all traffic Metasploit sees through Victim 1. When combined with the Socks proxy set up previously, it allows access from our machine to any system that Victim 1 can reach.
The final step is to use our proxy outside of Metasploit. In this case, I’m using FoxyProxy in Firefox but another common route is to use proxychains (which comes installed by default in Kali).
All that’s left to do is to test that we can access Victim 2 via Firefox, and as seen in Figure 5 it works!
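From the network’s point of view, the key consequence of this setup is that every request we make to Victim 2 appears to originate from Victim 1, while Victim 1 also holds a long-lived outbound connection back to us. Below is an added example (not from the original post or the course) of a simple detection heuristic built on that observation: it flags an internal host that maintains an external connection and starts talking to internal hosts it never contacted in a baseline period. The flow records, the 10.0.0.0/8 internal range and the 203.0.113.10 handler address are all constructed for the example.

```python
"""Pivot-detection heuristic over constructed flow records.

Added example, not code from the original post. Assumes:
  * flow records are (src_ip, dst_ip, dst_port) tuples,
  * 10.0.0.0/8 is the organisation's internal range (assumed),
  * BASELINE covers a quiet period and WINDOW the period under review.
"""
import ipaddress
from collections import defaultdict

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range

# Constructed sample flows. Victim 1 (10.0.1.5) normally only talks to its
# local gateway and a file server. In the review window it holds a session to
# an external address (203.0.113.10, a documentation-range placeholder for the
# attacker's handler) and then starts reaching Victim 2 (10.0.2.8).
BASELINE = [
    ("10.0.1.5", "10.0.1.1", 53),
    ("10.0.1.5", "10.0.1.20", 445),
    ("10.0.1.7", "10.0.2.8", 80),
]
WINDOW = [
    ("10.0.1.5", "203.0.113.10", 4444),  # long-lived outbound to external host
    ("10.0.1.5", "10.0.2.8", 80),        # new lateral traffic through the pivot
    ("10.0.1.5", "10.0.2.8", 443),
    ("10.0.1.7", "10.0.2.8", 80),        # seen in baseline, benign
]


def is_internal(ip: str) -> bool:
    """True if the address falls inside the assumed internal range."""
    return ipaddress.ip_address(ip) in INTERNAL


def peers_by_source(flows):
    """Map each source address to the set of destinations it contacted."""
    peers = defaultdict(set)
    for src, dst, _port in flows:
        peers[src].add(dst)
    return peers


def detect_pivots(baseline, window):
    """Return {src: [new internal destinations]} for internal hosts that both
    hold an external connection in the window and contact internal hosts
    absent from their baseline peer set."""
    known = peers_by_source(baseline)
    current = peers_by_source(window)
    alerts = {}
    for src, dsts in current.items():
        if not is_internal(src):
            continue
        has_external = any(not is_internal(d) for d in dsts)
        new_internal = sorted(
            d for d in dsts if is_internal(d) and d not in known[src]
        )
        if has_external and new_internal:
            alerts[src] = new_internal
    return alerts


if __name__ == "__main__":
    for host, targets in detect_pivots(BASELINE, WINDOW).items():
        print(f"possible pivot host {host}: new internal peers {targets}")
```

The heuristic is deliberately coarse: a host with a legitimate VPN or SaaS connection that also visits a new internal server will trip it, so in practice the baseline should be long enough to capture normal peer sets, and alerts should be correlated with the external destination’s reputation and with the port pattern on the pivot host.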
- Metasploit’s routing table != system routing table
- Pivoting is a great way to gain access to networks that aren’t connected to the internet!