

That beautiful feeling of shell on a box is such a high. But once you realize that you need to pivot through that host deeper into the network, it can take you a bit out of your comfort zone. I've run into this in SANS NetWars, HackTheBox, and now in PWK. In this post I'll attempt to document the different methods I've used for pivoting and tunneling, including different ways to use SSH, sshuttle, and meterpreter, as well as some strategies for how to live off the host you are currently working through. Updated to add references to two additional tools, Chisel and SSF.

The goal here is to send traffic through a compromised host (which I'll refer to as the beachhead) to other target hosts the beachhead can talk to. There's a lot you'll be able to do from the beachhead itself. But there will be times that you want to use tools on your workstation to communicate with hosts through the beachhead. How I do that will depend on what kind of access I have to the beachhead host. The best case is if I can ssh into that host, because it allows me to port forward, and better yet, opens the door for a really nice tool, sshuttle. But, more often than not, I'll find myself with only a nc reverse shell, and I'll show some options here as well.

## Live Off the Land

### Why?

Before going to a ton of effort to figure out how to get your workstation talking to target hosts through the beachhead, consider what you can do from the beachhead itself, since you can already run commands there.

Linux workstations may have nmap already installed. They will likely have python and perl, and potentially gcc for compiling things. Bash scripting will take you a long way, even if it's just doing a ping sweep in parallel. Putting the command in `( )` with a `&` at the end starts them all in parallel, so the whole sweep finishes in roughly the time a single ping takes to time out:

```bash
for i in $(seq 1 254); do (ping -c 1 10.2.2.$i | grep "bytes from" &); done
```

```
64 bytes from 10.2.2.10: icmp_seq=1 ttl=64 time=0.013 ms
```

Regardless of what kind of access I have to my beachhead, I'm going to want to scan the new network for host and port discovery. While it is possible to set up tunnels to scan, it's very difficult to do, and flaky at best (a SOCKS proxy or port forward only carries TCP connections, so nmap through proxychains is limited to `-sT -Pn`, with no ping, UDP or SYN scans, and it crawls). If nmap isn't already on the beachhead, my preferred method is to bring a statically compiled copy of nmap to the beachhead (typically via wget or curl on Linux, or SMB on Windows). You can compile the source yourself, or there are a few GitHub repos out there with statically compiled tools for various OSes and architectures.

For nmap, if you're in a very stripped-down container, you may get the error `Unable to open /etc/services for reading service information.` Just grab a copy of that file from your local box, upload it to the beachhead, and drop it in `/etc`. You won't have access to all the nmap scripts, but you can get a feel for what exists.

## SSH

The easiest tunneling case is when you have ssh access to the beachhead machine. Most Linux hosts will have an ssh client, and while it is less common on Windows, you can upload one (plink.exe is a stand-alone exe that is at `/usr/share/windows-binaries/plink.exe` on Kali).

I wrote a post earlier about SSH Tunneling. I won't repeat that here, but the summary is this:

- To tunnel a single port through an SSH tunnel, connect with `-L`. Then send traffic to 127.0.0.1 on the local port you chose, and it will go through the tunnel to the target host and port.
- To set up a proxy, use `-D`, and then set your proxy to 127.0.0.1 on the port you chose.

When you're using a proxy, you can do that with a browser (either in the browser settings, or I use FoxyProxy for quick changing), or you can use a tool called proxychains. To use proxychains, first edit `/etc/proxychains.conf` by adding your proxy under `[ProxyList]` at the bottom of the file (and commenting others out). When working with a `-D 1080` tunnel, mine points at a socks proxy on 127.0.0.1 port 1080.

## Metasploit

I don't have too much experience here, but it's something that would work if you work within Metasploit. The autoroute post module adds a route to a subnet through an existing session:

```
msf post(multi/manage/autoroute) > options

Module options (post/multi/manage/autoroute):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   CMD      autoadd          yes       Specify the autoroute command (Accepted: add, autoadd, print, delete, default)
   SESSION                   yes       The session to run this module on.
   SUBNET                    no        Subnet (IPv4, for example, 10.10.10.0)
```

Give it the subnet you want to target and the session you want to forward over, run it, and then you can work against the subnet from within Metasploit as if you could talk directly to it.

After setting up autoroute, you can create a socks proxy that will listen, route traffic to the appropriate session, and send it from there. This will allow you to route things through Metasploit's routes as a proxy, so tools outside Metasploit (via proxychains, for example) can use those routes too. You can use auxiliary/server/socks4a for this.
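For the live-off-the-land case, where the beachhead has python but no nmap and you don't want to drag a scan through a flaky tunnel, here is a small TCP sweep you can paste into a shell on the beachhead. This is an added example written for this page, not code from the original post; it assumes Python 3 on the beachhead and uses only the standard library. The `10.2.2.0/24` range and the port list are placeholders.

```python
#!/usr/bin/env python3
"""Minimal TCP host/port sweep for a beachhead that has python3 but no nmap.

Added example (not from the original post). Only the standard library is used
so it can be pasted straight into a shell on the beachhead. The subnet and port
list are placeholders; pass your own on the command line.
"""
import ipaddress
import socket
import sys
from concurrent.futures import ThreadPoolExecutor


def expand_targets(spec):
    """Turn '10.2.2.0/24' or a single '10.2.2.10' into a list of host strings.

    For a real subnet the network and broadcast addresses are skipped."""
    net = ipaddress.ip_network(spec, strict=False)
    if net.num_addresses == 1:
        return [str(net.network_address)]
    return [str(h) for h in net.hosts()]


def port_is_open(host, port, timeout=1.0):
    """Full TCP connect; connect_ex() returns 0 only if the handshake completed.

    A refused port answers immediately; a silently dropped SYN costs `timeout`,
    so keep the timeout short when sweeping a range that is mostly empty."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def sweep(hosts, ports, timeout=1.0, workers=32):
    """Return {host: [open ports]} containing only hosts with an open port.

    A modest thread pool keeps the sweep fast without flooding the beachhead's
    network stack; bump `workers` if the target network is large and quiet."""
    found = {}

    def probe(target):
        host, port = target
        return host, port, port_is_open(host, port, timeout)

    work = [(h, p) for h in hosts for p in ports]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        for host, port, is_open in pool.map(probe, work):
            if is_open:
                found.setdefault(host, []).append(port)
    return {h: sorted(p) for h, p in found.items()}


if __name__ == "__main__":
    # usage: python3 sweep.py 10.2.2.0/24 22,80,443,445
    cidr = sys.argv[1] if len(sys.argv) > 1 else "10.2.2.0/24"
    port_spec = sys.argv[2] if len(sys.argv) > 2 else "22,80,443,445"
    port_list = [int(p) for p in port_spec.split(",")]
    for host, open_ports in sorted(sweep(expand_targets(cidr), port_list).items()):
        print(host, " ".join(str(p) for p in open_ports))
```

Because it does a full connect on every port, this is the equivalent of `nmap -sT -Pn`; it will show up in service logs on the targets, and it finds hosts by their open TCP ports rather than by ICMP, which is often what you want on a network that filters ping anyway.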
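Both `ssh -D` and Metasploit's auxiliary/server/socks4a hand you a SOCKS listener, and proxychains (or FoxyProxy) is simply speaking that protocol to it for you. When proxychains isn't an option, for example from a script you are writing, the handshake is small enough to do by hand. The following is an added example written for this page, not code from the original post or from the SSH or Metasploit projects; it implements the SOCKS4/SOCKS4a CONNECT request, the proxy's 8-byte reply, and the server-side request decoder so the exchange can be seen from both ends. The proxy address `127.0.0.1:1080` and the target `10.2.2.10` are placeholders.

```python
#!/usr/bin/env python3
"""SOCKS4 / SOCKS4a CONNECT handshake in pure Python.

Added example, not code from the original post. This is what proxychains or a
browser does on your behalf when pointed at an `ssh -D 1080` listener or at
Metasploit's auxiliary/server/socks4a: a 9-byte SOCKS4 request (or its SOCKS4a
variant carrying a hostname) followed by an 8-byte reply. Proxy and target
addresses are placeholders.
"""
import ipaddress
import socket
import struct

SOCKS_VERSION = 4
CMD_CONNECT = 1
REPLY_GRANTED = 0x5A
REPLY_TEXT = {0x5A: "granted", 0x5B: "rejected or failed",
              0x5C: "identd unreachable", 0x5D: "identd user mismatch"}


def build_connect_request(dest_host, dest_port, userid=b""):
    """Encode a CONNECT request.

    For an IPv4 literal the address goes straight into the packet (plain SOCKS4).
    For a hostname, SOCKS4a puts the dummy address 0.0.0.1 in the IP field and
    appends the NUL-terminated name, so the *proxy* resolves it. That is what
    lets you reach internal names from the beachhead side without leaking DNS
    lookups from your workstation (proxychains' proxy_dns relies on the same trick).
    """
    try:
        ip_bytes = ipaddress.IPv4Address(dest_host).packed
        trailer = b""
    except ipaddress.AddressValueError:
        ip_bytes = b"\x00\x00\x00\x01"
        trailer = dest_host.encode("idna") + b"\x00"
    header = struct.pack("!BBH4s", SOCKS_VERSION, CMD_CONNECT, dest_port, ip_bytes)
    return header + userid + b"\x00" + trailer


def parse_connect_request(data):
    """Server side: decode a request into (dest_host, dest_port, userid).

    Returns the hostname for SOCKS4a requests and the dotted IP otherwise."""
    if len(data) < 9 or data[0] != SOCKS_VERSION or data[1] != CMD_CONNECT:
        raise ValueError("not a SOCKS4 CONNECT request")
    port, = struct.unpack("!H", data[2:4])
    ip = data[4:8]
    nul = data.index(b"\x00", 8)          # end of the userid field
    userid = data[8:nul]
    if ip[:3] == b"\x00\x00\x00" and ip[3] != 0:   # 0.0.0.x marks SOCKS4a
        end = data.index(b"\x00", nul + 1)
        host = data[nul + 1:end].decode("idna")
    else:
        host = str(ipaddress.IPv4Address(ip))
    return host, port, userid


def parse_reply(data):
    """Decode the 8-byte reply into (granted, human-readable status).

    The version byte of a SOCKS4 reply is 0, not 4; the port/IP fields that
    follow the status code are ignored for CONNECT."""
    if len(data) != 8 or data[0] != 0:
        raise ValueError("malformed SOCKS4 reply")
    code = data[1]
    return code == REPLY_GRANTED, REPLY_TEXT.get(code, "unknown code 0x%02x" % code)


def socks_connect(proxy_host, proxy_port, dest_host, dest_port, timeout=10.0):
    """Open a TCP connection to dest through the SOCKS4/4a proxy; return the socket.

    After a granted reply the very same socket carries the application data."""
    s = socket.create_connection((proxy_host, proxy_port), timeout=timeout)
    try:
        s.sendall(build_connect_request(dest_host, dest_port))
        reply = b""
        while len(reply) < 8:
            chunk = s.recv(8 - len(reply))
            if not chunk:
                raise ConnectionError("proxy closed the connection during handshake")
            reply += chunk
        granted, status = parse_reply(reply)
        if not granted:
            raise ConnectionError("SOCKS proxy refused CONNECT: " + status)
        return s
    except Exception:
        s.close()
        raise


if __name__ == "__main__":
    # Placeholder: a web server on the internal network, reached via ssh -D 1080.
    with socks_connect("127.0.0.1", 1080, "10.2.2.10", 80) as conn:
        conn.sendall(b"HEAD / HTTP/1.0\r\nHost: 10.2.2.10\r\n\r\n")
        print(conn.recv(4096).decode("latin-1"))
```

The practical caveat this makes visible: a SOCKS4 request carries a single TCP destination, so anything that needs UDP or raw sockets (DNS over UDP, ICMP ping, SYN scans) cannot go through an `ssh -D` or socks4a listener at all; tools that still work are the ones that open plain TCP connections, and hostnames only resolve on the far side if the client sends the SOCKS4a form.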
