Post-exploitation and pivoting
No matter which operating system we have compromised, Metasploit offers dozens of post-exploitation reconnaissance modules that harvest gigabytes of data from the compromised machine. Let's make use of one such module:
Running the enum_configs post-exploitation module, we can see that we have gathered all the configuration files that existed on the target. These configs help uncover passwords, password patterns, information about the running services, and much more. Another great module is enum_system, which harvests OS-related information, user accounts, running services, cron jobs, disk information, log files, and much more, as shown in the following screenshot:
Having gathered an enormous amount of detail on the target, is it a good time to start reporting? Not yet. A good penetration tester gains access to the system, obtains the highest level of access, and presents their analysis. A great penetration tester does the same but never stops at a single system. They will try, to the best of their abilities, to penetrate the internal network and gain more access to it (if the rules of engagement allow). Let's use some of the commands that will aid us in pivoting to the internal network. One such command is arp, which lists all the systems in the internal network that the compromised host has recently communicated with:
We can see the presence of a separate network in the 192.168.116.0 range. Let's issue the ifconfig command and see whether there is another network adapter attached to the compromised host:
Yup! We got it right: there is another network adapter (Interface 3) connected to a separate network range. However, when we try to ping or scan this network from our own address range, we cannot, because the network is unreachable from our IP address. This means we need a mechanism that forwards data from our system to the otherwise inaccessible target range through the compromised host itself. We call this arrangement pivoting. We will therefore add a route to the target range through the Meterpreter session we have gained on the system, and the target systems in that range will see our compromised host as the source of the traffic. Let's add a route to the otherwise unreachable range through Meterpreter, as shown in the following screenshot:
Using the autoroute post-exploitation module from the post/multi/manage directory, we set the SUBNET parameter to the target range and SESSION to the identifier of the Meterpreter session through which data will be tunneled. Running the module, we can see that we have successfully added a route to the target range. Let's run the TCP port scanner module from Metasploit and analyze whether we can scan hosts in the target range:
We simply run the port scanner module against the target we found using the arp command, that is, 192.168.116.133, with ten threads for ports 1-10000, as shown in the preceding screenshot:
Success! We can see that port 80 is open. However, our access is limited to Meterpreter only. We need a mechanism that lets us run some of our external tools, such as browsing port 80 through a web browser, to understand more about the target application running on that port. Metasploit offers a built-in SOCKS proxy module which we can run to route traffic from our external applications to the target 192.168.116.133 system. Let's use this module as follows:
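From the defender's side, the scan above is exactly the trace a compromised, dual-homed host leaves behind: one internal source touching thousands of ports on a neighbour in a short burst, with nearly every attempt refused and only a handful answered. The following Python is an added example, not code from the book or from Metasploit; it runs a sliding-window port-sweep detector over a constructed connection log in a simplified `ts src dst dport state` record format assumed here (connection states loosely modelled on Zeek's SF/REJ/S0).

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Conn:
    ts: float   # epoch seconds
    src: str
    dst: str
    dport: int
    state: str  # "SF" completed handshake, "REJ" reset, "S0" no answer

def parse_line(line: str) -> Conn:
    """One whitespace-separated record: ts src dst dport state (assumed format)."""
    ts, src, dst, dport, state = line.split()
    return Conn(float(ts), src, dst, int(dport), state)

def detect_port_sweeps(conns, window=60.0, min_ports=50):
    """Map (src, dst) -> (distinct ports probed, ports that answered) for sweeps."""
    by_pair = defaultdict(list)
    for c in conns:
        by_pair[(c.src, c.dst)].append(c)
    alerts = {}
    for pair, events in by_pair.items():
        events.sort(key=lambda c: c.ts)
        in_window = Counter()  # dport -> hits inside the sliding time window
        start = 0
        for ev in events:
            in_window[ev.dport] += 1
            while ev.ts - events[start].ts > window:  # expire events that fell out
                old = events[start].dport
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= min_ports:
                # Threshold crossed: report the pair and which probed ports answered.
                opened = sorted({c.dport for c in events if c.state == "SF"})
                alerts[pair] = (len({c.dport for c in events}), opened)
                break
    return alerts

# Constructed sample (not from the page): the pivot host sweeps ports 1-100 on
# 192.168.116.133 in about 10 s, only port 80 answers; a second host's two
# ordinary HTTPS connections must not be flagged.
SAMPLE_LOG = [f"{1000 + i / 10:.1f} 192.168.116.1 192.168.116.133 {i} "
              f"{'SF' if i == 80 else 'REJ'}" for i in range(1, 101)]
SAMPLE_LOG += ["1000.5 192.168.116.5 192.168.116.133 443 SF",
               "1003.0 192.168.116.5 192.168.116.133 443 SF"]

def run_sample():
    return detect_port_sweeps(parse_line(line) for line in SAMPLE_LOG)
```

The same logic generalises to real flow or firewall logs by mapping their fields onto the five-field record; the threshold and window are tuning knobs, and a burst of REJ/S0 states from a host that normally speaks to a few ports is the strongest signal.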
We simply need to run the socks4a module residing at the auxiliary/server path. It sets up a gateway on local port 1080 that routes traffic to the target system. Proxying through 127.0.0.1:1080 will forward our browser traffic through the compromised host. For external command-line tools, however, we will need proxychains, configured to use port 1080. The port for proxychains is set in the /etc/proxychains.conf file:
All that remains is to set this address as the proxy in the browser, or to use proxychains as a prefix for third-party command-line applications such as Nmap and Metasploit. We can configure the browser as shown in the following screenshot:
Make sure to remove localhost and 127.0.0.1 from the No Proxy for section. After setting the proxy, we can simply browse to the IP address on port 80 and check whether we can reach it:
Nice! We can see the application, which identifies itself as Disk Pulse Enterprise Software v9.9.16, a known vulnerable version. We have plenty of modules for Disk Pulse in Metasploit. Let's make use of one of them, as follows:
Yup! I am one of the original authors of this exploit module. Let's understand the vulnerability before exploiting it.