Introduction to Pivoting using Metasploit Framework with lab setup

0xTesla
4 min read · Jul 17, 2023

In this blog, I will go through a simple method of pivoting from one victim to another using Metasploit. I have created a lab setup to practice this method, which you can follow as well. In my case I used VirtualBox, but you can use any virtualization software you like; the process is similar.

I have taken two victims: Metasploitable-3, a Windows machine, and DC-1, a VulnHub machine running Debian Linux. The following are the download links for both machines:

I imported both machines into VirtualBox and put them in a group together with my Kali Linux machine, just to keep things tidy.

Network Setup:

This is our network setup. Our Metasploitable-3 machine will act as the pivot point for this lab. The subnet 192.168.50.XXX will act as our DMZ (demilitarized zone), which is reachable from our attacker machine, and the subnet 192.168.200.XXX will act as the internal network, which is not reachable from the attacker machine. This internal subnet contains our DC-1 VulnHub machine.

VirtualBox Network Setup:

  • Go to the VirtualBox Network Manager and create an additional virtual network adapter; you can modify the IP address range as you wish.
  • Metasploitable-3 gets two adapters (one in the DMZ subnet, one in the internal subnet), while DC-1 and Kali Linux get one adapter each, as shown below.

Adapter 1:

Adapter 2:

DC-1 (Adapter 1):

Kali Linux (Adapter 1):

Let’s first confirm that our DC-1 machine is unreachable from the attacker machine.

Gaining a foothold in Metasploitable-3:

For the sake of demonstration, I’m skipping the enumeration part and going straight into the exploitation phase. To gain access to our first victim machine, i.e. Metasploitable-3, we are going to use the Metasploit exploit module exploit/windows/smb/psexec with the credentials vagrant:vagrant.

Enumeration and Pivoting:

Now that I have gained an initial Meterpreter session, we can proceed with the pivoting and network enumeration.

From the Meterpreter shell we can see that the host has two Ethernet adapters, and we can identify their IP addresses with the Windows command ipconfig.

Let’s move on to pivoting. Once the pivot is in place, we can enumerate the internal network and then port-forward a service from the DC-1 machine.

We have now successfully created the pivot, so the internal network is reachable through Metasploit modules. Let’s check by ping-sweeping the internal subnet using the post/multi/gather/ping_sweep module.

We have identified 4 hosts. Since I already know that our second victim is 192.168.200.3, I’m skipping the enumeration of the other hosts for the sake of demonstration. In a real engagement we would enumerate each host.

Using the auxiliary/scanner/portscan/tcp module we can enumerate the open ports on that host.
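The ping sweep and port scan above both originate from the pivot host’s internal-facing adapter, which is what a defender watching the internal segment would see. The following is an added example (not code from the original post) showing how that fan-out can be spotted in flow records: one source touching many internal hosts (a sweep) or many ports on one host (a scan). The flow tuples are constructed sample data, and 192.168.200.2 is assumed to be the pivot’s internal-facing address.

```python
"""Flag a host fanning out into the lab's internal subnet from flow records."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("192.168.200.0/24")  # internal subnet from the lab setup
SWEEP_HOSTS = 3   # distinct internal hosts reached by one source -> "sweep"
SCAN_PORTS = 5    # distinct TCP ports on one host from one source -> "portscan"

# Constructed sample flows as (src, dst, proto, dport); not a real capture.
# 192.168.200.2 is an assumed address for the pivot's internal adapter.
SAMPLE_FLOWS = [
    ("192.168.200.2", "192.168.200.1", "icmp", 0),
    ("192.168.200.2", "192.168.200.3", "icmp", 0),
    ("192.168.200.2", "192.168.200.4", "icmp", 0),
    ("192.168.200.2", "192.168.200.5", "icmp", 0),
] + [
    ("192.168.200.2", "192.168.200.3", "tcp", p)
    for p in (21, 22, 25, 80, 110, 139, 443, 445)
] + [
    ("192.168.200.3", "192.168.200.2", "tcp", 445),  # ordinary single-port flow
]


def detect_pivot_fanout(flows, internal=INTERNAL,
                        sweep_hosts=SWEEP_HOSTS, scan_ports=SCAN_PORTS):
    """Return sorted (kind, who, count) alerts for sweeps and port scans."""
    hosts_by_src = defaultdict(set)    # src -> distinct internal dsts
    ports_by_pair = defaultdict(set)   # (src, dst) -> distinct TCP dports
    for src, dst, proto, dport in flows:
        if ip_address(dst) not in internal:
            continue                   # only traffic into the internal subnet
        hosts_by_src[src].add(dst)
        if proto == "tcp":
            ports_by_pair[(src, dst)].add(dport)

    alerts = []
    for src, dsts in hosts_by_src.items():
        if len(dsts) >= sweep_hosts:
            alerts.append(("sweep", src, len(dsts)))
    for (src, dst), ports in ports_by_pair.items():
        if len(ports) >= scan_ports:
            alerts.append(("portscan", f"{src}->{dst}", len(ports)))
    return sorted(alerts)


if __name__ == "__main__":
    for kind, who, count in detect_pivot_fanout(SAMPLE_FLOWS):
        print(f"{kind:9} {who:32} {count}")
```

On the sample data the pivot address is reported once for sweeping four hosts and once for probing eight ports on 192.168.200.3, while the single reply flow from .3 is not flagged.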

We can see that SSH (22) and HTTP (80) are open, so we can assume there is a website running on this host. We can forward the victim’s port 80 to our local port 4321 using Meterpreter’s portfwd command.

portfwd add -l 4321 -p 80 -r 192.168.200.3

Now we can access the site at localhost:4321.

We have successfully pivoted into an internal network and port-forwarded a service out of it with the Metasploit Framework. I hope this blog helps you get started with pivoting in Metasploit. You can also use run autoroute inside Meterpreter, but that module is deprecated now, and the approach shown here is a far better way of doing this.

That’s it for this blog. Keep exploring technologies; hope to see you in the next one ;)
