background image



When entering the 




 commands, be sure to 

specify the 


 flag, which tells Incognito where to add the domain administra-

tor account. In this case, that would be the IP address of a domain controller. 
The implications for this attack are devastating: Essentially, the Kerberos 
token on any system that a domain administrator logs into can be assumed 
and used to access the entire domain. This means that every server on your 
network is your weakest link!

Pivoting onto Other Systems


 is a Meterpreter method that allows for the attack of other systems 

on a network through the Meterpreter console. For example, if an attacker 
were to compromise one system, he could use pivoting to compromise other 
systems on the same network or to access systems to which he could not 
otherwise route traffic, for whatever reason.

For example, suppose you’re performing a penetration test from 

the Internet. You compromise a system through a vulnerability and have a 
Meterpreter console to the internal network. You can’t directly access other 
systems on the network, because the system you compromised did not pro-
vide you with everything you need to do so, but you need to penetrate the 
network further. Pivoting will allow you to attack multiple systems on the 
internal network through the Internet, using the Meterpreter console.

In the following example, we’ll attack a system from one subnet and route 

that system to attack another system. First, we’ll exploit the Windows XP 
machine, and then we’ll piggyback the attack from our attacking machine to 
an Ubuntu system on the internal network. We’ll come from a 
address and attack systems within the network.

We’ll assume that we already have access to one server via a compromise 

and will focus on establishing a connection to that network. Next, we intro-
duce external scripts written with Meterpreter that can be found in the 



 directory. These scripts offer additional functionality that we can 

use within Meterpreter.

We begin by displaying local subnets on the compromised system within 

a Meterpreter session with 

run get_local_subnets

, as shown at  .

[*] Meterpreter session 1 opened ( ->

meterpreter > 

run get_local_subnets


Local subnet:
meterpreter > 



msf exploit(handler) > 

route add 1


msf exploit(handler) > 

route print


Active Routing Table

   Subnet             Netmask            Gateway
   ------             -------            -------      Session 1