Tips for an Information Security Analyst/Pentester career - Ep. 60: Pivoting attack
This post follows up from Tips for an Information Security Analyst/Pentester career - Ep. 47: Post-exploitation (pt. 3), where I had tried to perform a pivoting attack, but I had failed.
This time I'm going to show you how to perform a successful attack.
Pivoting attacks are part of the post-exploitation stage.
In other words, after compromising a target, you can use that target as a bridgehead to reach other networks which might otherwise be unreachable directly from the attacking machine.
Network configuration
In this specific case, we're going to have the following network configuration:
Therefore, we can access the vulnerable XP machine only through LAN interface 2 in Windows 7.
Windows 7 attack (from Kali to Windows 7)
I'm going to perform the same steps explained in my previous post Tips for an Information Security Analyst/Pentester career - Ep. 42: Client-side attacks (pt. 3) but this time I need to change the IP address for the Kali machine to 192.168.1.107.
I run the malicious Winamp Rocketship skin and get a shell.
We're within our Windows 7 machine, as proven by the output of the sysinfo command.
We know this Windows 7 VM is multi-homed, as it has two different network cards, one of which is connected to an internal subnet unreachable from Kali.
The get_local_subnets Meterpreter script lists all local subnets found on the compromised host.
At this point, we need to add a manual route to the 172.16.137.0/28 subnet, so that Metasploit's traffic to it is routed through the Meterpreter session.
Notice that this subnet is reachable through session 3, which is already open in Meterpreter.
Pivoting (from Windows 7 to Windows XP)
For the pivoting attack to succeed, we need a remote exploit.
My XP SP2 machine is vulnerable to the ms08_067 exploit, which is why it is reachable only from the internal network.
We can't reach XP directly from Kali, but we can attack it from Windows 7, as it communicates on the same subnet.
Let's now configure and launch the attack.
We need to use a Meterpreter bind shell, because a reverse shell from XP would not be able to reach back to Kali: XP has no route to Kali's subnet.
The attack is successful and we were able to pivot to a new machine on the 172.16.137.0/28 subnet.
(More details in the embedded video).
We can also use port forwarding to access the MiniShare server on XP and have a look at the files stored there.
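The pivot above works because Windows 7 is multi-homed. The following added example (my own code, not part of the original post) models the lab from a defender's side: it flags hosts that bridge two subnets and computes which subnets an attacker starting on Kali could reach by hopping through them, assuming the worst case that every host on a reached subnet can be compromised. Only Kali's address (192.168.1.107) and the 172.16.137.0/28 subnet come from the post; the other addresses are constructed.

```python
"""Segmentation audit: find multi-homed hosts that bridge subnets and
compute what an attacker could reach by pivoting through them."""
from ipaddress import ip_interface

# Constructed lab inventory: host -> interface addresses with prefix length.
# Only kali's address and the 172.16.137.0/28 subnet come from the post;
# the win7 and winxp addresses are assumed for the example.
HOSTS = {
    "kali":  ["192.168.1.107/24"],
    "win7":  ["192.168.1.110/24", "172.16.137.5/28"],   # assumed, multi-homed
    "winxp": ["172.16.137.10/28"],                       # assumed
}

def subnets_of(host):
    """Set of subnets a host has an interface on."""
    return {ip_interface(a).network for a in HOSTS[host]}

def multihomed_bridges():
    """Hosts with interfaces on two or more subnets are candidate pivots."""
    return sorted(h for h in HOSTS if len(subnets_of(h)) > 1)

def directly_reachable_hosts(start):
    """Hosts sharing a subnet with `start`, i.e. reachable without a pivot."""
    nets = subnets_of(start)
    return sorted(h for h in HOSTS if subnets_of(h) & nets)

def reachable_subnets(start):
    """Worst-case reachability: every host on a reached subnet is assumed
    compromisable, and each compromised host's other NICs expose new subnets
    (one 'route add' through a session per hop)."""
    reached = set(subnets_of(start))
    compromised = {start}
    changed = True
    while changed:
        changed = False
        for host in HOSTS:
            if host not in compromised and subnets_of(host) & reached:
                compromised.add(host)
                reached |= subnets_of(host)
                changed = True
    return reached

def reachable_hosts(start):
    """Hosts on any subnet reachable from `start`, pivots included."""
    nets = reachable_subnets(start)
    return sorted(h for h in HOSTS if subnets_of(h) & nets)

if __name__ == "__main__":
    print("bridging hosts:", multihomed_bridges())
    print("direct from kali:", directly_reachable_hosts("kali"))
    print("via pivots from kali:", reachable_hosts("kali"))
```

Any host listed by multihomed_bridges() that is not a firewall or router is a segmentation finding worth reviewing.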
Wrap-up
Pivoting attacks can be very dangerous and lead to the exploitation of a whole network, if security best practices and efficient segmentation are not in place.
Such an old machine shouldn't be run in a production environment, regardless of the fact it's not accessible from the Internet.
This internal network could be, for example, on the DMZ and, once we'd broken into that, we could successfully get on the domain controller and pwn the network.
I plan to add a Windows Server 2003 to this configuration and create a whole internal network of vulnerable machines within that specific subnet.
There are always ways to get in, in fact, as I just showed you.