.

Metasploit and pivoting

<<

Ketchup

User avatar

Hero Member
Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Fri Jul 04, 2008 8:14 pm

Metasploit and pivoting

Hello everyone,

A while back I played with a copy of Core Impact.  The tool is quite powerful, with its  neatest feature being pivoting.  You can use a system  you have just exploited as an attack point.  I have heard that SAINT has a similar feature in the works.  I am just not a fan of shelling out $20k for a license of Core Impact.  I lean more towards open-source and Metasploit. 

When I exploit a system with Metasploit, I have a few files and scripts that I ftp / tftp down to allow me to do some basic work from a command line shell on the remote system, but my abilities are very limited at this point.  It would be great to be able to use something like Nmap, Nessus, or Metasploit from the remote system.  Does anyone have a method for doing something similar?  Perhaps there is a meterpreter option out there?    It would be great if there was an agent that ran entirely in RAM for Metasploit.

What do you do with a system once you exploit to attempt to further penetrate the network?  I am curious to see what some of your methods are.  I know there has to be a way and I am just missing it.  I feel like I am lacking in this area and would appreciate some advice.
~~~~~~~~~~~~~~
Ketchup
<<

LSOChris

Post Fri Jul 04, 2008 9:30 pm

Re: Metasploit and pivoting

use token stealing and passing the hash to move further into the network.

from a "what next" meterpreter doesnt give you much in the way of choices unless you can code.  if you want to port scan you either have to upload something like scanline or write yourself a injectable dll that will do whatever it is you need to do.

metasploit will "pivot" but not quite the same way as core does and you cant make the agent persistent, so that kinda sucks.

i did a couple of blog posts on using some of the pass the hash and token stealing tools and i think the pivoting stuff.

that help?
<<

Ketchup

User avatar

Hero Member
Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Sat Jul 05, 2008 11:15 am

Re: Metasploit and pivoting

Chris,

Thank you!  I read your blog entries on using pivoting with Metasploit.  If I understood correctly, you can use meterpreter to basically route though a particular session.  This seems like 50% of what Core does for $20k.    The trick is going to be identifying a vulnerability on the remote host.  This could be tough if your pivot host is your only point of entry. 

The pass the hash and token stealing options are also very cool and new to me.  Chances are if you exploit a machine that's on the domain, there is going to be a domain user on the box.  Makes privs escalation easier.

Ketchup
~~~~~~~~~~~~~~
Ketchup
<<

LSOChris

Post Sat Jul 05, 2008 11:42 am

Re: Metasploit and pivoting

ketchup you are exactly right on that first part, it is extremely hard to identify an exploitable host inside the lan. 

if msf is you only option you'll need to set up shop on that first host and scan from there (which kinda sucks)
<<

Kev

Sr. Member
Sr. Member

Posts: 428

Joined: Sat Sep 29, 2007 12:26 pm

Post Fri Jul 11, 2008 10:18 pm

Re: Metasploit and pivoting

Good old fashion hacking was once you exploited a box you would tftp over a trojan that gave you complete control. Depending on how that trojan was written and the level of control you had, it was easy to install your tools to scan the network from that box and run a simple exploit script from that same box to hopefully own a new target. This was back in the hey day of the dcom exploit and it was easy to move that simple script along with netcat from box to box.  You would build a "netcat chain".  That was an amazing time because all the window boxes were vulnerable so you really didn't even need to scan other than find the IP so you could have a target. While this kind of attack is dated, there is value to the theory if you know ,or know somebody that can code. Part of the challenge today is not being detected by AVs and slipping through firewalls. I think its good to also try and think of ways to hack that don't require Core or Canvas or even Metasploit. While I think Core is a great tool, hackers don't use it. Its a very noisy tool and better suited for an admin that wants to check the security of his own network, rather than a hacker trying to sneak in. That's just my 2 cents of course, but seems to be what my experience suggests.
Last edited by Kev on Fri Jul 11, 2008 10:26 pm, edited 1 time in total.
<<

LSOChris

Post Sat Jul 12, 2008 9:16 am

Re: Metasploit and pivoting

you didnt put a paragraph in there, so can you maybe  reiterate your point?

that we should attempt to use something to hack besides one of the exploit frameworks? how?

your other options would be web and client side, but once you have a login or a shell you are back to network hacking and the problem already mentioned of finding more vulnerable boxes inside the network.

i agree core is loud and noisy, adding a single host and launching A single exploit at a box after you have done some enumeration is far better than the RPT
<<

Kev

Sr. Member
Sr. Member

Posts: 428

Joined: Sat Sep 29, 2007 12:26 pm

Post Sat Jul 12, 2008 11:50 am

Re: Metasploit and pivoting

I was thinking I should start a new thread about it, but I was trying to push the idea of how hackers used to exploit before tools like metasploit, core or canvas came about. What I am seeing with people that are new to hacking is the tendency to get totally tool dependent. If metasploit doesn't do it, maybe a new bigger fancier point and click program will be the answer!  Exploiting one box and then trying to install metasploit or nessus so you can move through the network is really not practical, but you could actually do it in a few instances if you wanted to be that obvious.
Last edited by Kev on Sat Jul 12, 2008 11:54 am, edited 1 time in total.
<<

Ketchup

User avatar

Hero Member
Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Sat Jul 12, 2008 1:19 pm

Re: Metasploit and pivoting

I definitely see what Kev is talking about.  You can upload a small footprint of tools that you normally use to the exploited machine, like cryptcat, rootkits, a small scanner, and a couple of well written exploit scripts.    If you had sufficient time, this method definitely works and is probably the most stealthy thing you can do, provided you know what you are doing.

There are issues with this in today's world though.  If you are dealing with Windows boxes, then you have to port your python, perl, or c code over to something windows can interpret on the fly.  I am not an expert in this, but porting Perl code to something like VBScript or another Shell, seems like a difficult task. 

Another issue is that many of us are doing this as part of a penetration test, we are not simply hacking.  As part of a pen test, we have to find the most number of vulnerabilities that we possibly can, in the smallest amount of time.  No one is going to pay me to hack a network for a few months manually, unfortunately.  It comes down to time and money.

At the same time, I do have to agree with Kev to some degree.  You at least have to be able to use the manual methods before you spend the money on an expensive tool, you don't fully understand.  At the same time, the advanced hackers out there won't use a tool like Core.  They probably will not use Metasploit either.  They also have access to tons of 0day code that most of us are unaware of.  A pen test will not simulate a determined hacker in my opinion.  It more simulates a determined script kiddie. 

Those are just my two cents. 

Ketchup
~~~~~~~~~~~~~~
Ketchup
<<

LSOChris

Post Sat Jul 12, 2008 5:23 pm

Re: Metasploit and pivoting

kev, I agree with you on your point, people need to be able to do something besides install metaspoit on a remote box, etc

ketchup, i disagree that real hackers arent using metasploit.  the whole point of metasploit is to speed up exploit development and expand the usability of exploits by allowing you to choose the payload and run time and you can always write your own exploits for it.  just because all brand new CEH graduates can do is run the gui doesnt make it a bad tool.
<<

Ketchup

User avatar

Hero Member
Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Sat Jul 12, 2008 9:25 pm

Re: Metasploit and pivoting

Chris, since I don't consider myself a hacker yet, I will defer to you on the Metasploit subject.  I have much learn as a young gwasshoppa :)

Still, it seems that Metasploit is a bit of a large footprint to move around with you.  If you develop a exploit in Metasploit, can you use it outside of the framework?

Also, with so much 0day stuff other, coupled with great rootkits, do experienced hackers really need tools like Metasploit?  I am primarily speaking of black hat hackers.  Remember, they are not after penetrating a machine from all different angles.

Again, not arguing, just curious what some of the more experienced folks think on this subject.
~~~~~~~~~~~~~~
Ketchup
<<

Kev

Sr. Member
Sr. Member

Posts: 428

Joined: Sat Sep 29, 2007 12:26 pm

Post Tue Jul 15, 2008 11:27 pm

Re: Metasploit and pivoting

That’s a good question Ketchup, but it’s complicated to answer.  Do we make a category of black hat hackers or do we just put them all together from the script kiddie to the high level skilled?  If we put them all in one category I would be say the majority uses metasploit.  If we are talking about the higher more dangerous group, I would say no. Its really hard to know for sure. There are only a few ways to know what black hats use. We gather our forensic data after a breach and try to determine how it happened. We hang out in circle that black hats frequent and talk. We run a honeynet and observe how it’s breached.

Many so called black hats just run tools and look for easy targets. They only want to hack something for bragging rights. But there are those that are greedy and want to make money.  They want to steal data so they can sell it.  Being stealthy is extremely important.  Attacking the front gates with exploits doesnt work that much anymore. Client side attacks and basic social engineering are the preferred method from my experience.
<<

LSOChris

Post Wed Jul 16, 2008 9:23 pm

Re: Metasploit and pivoting

i would lean that if someone can confidently write exploits for metasploit they could port them to C and make binaries that could be run on exploited windows boxes on the inside.

Return to Network Pen Testing

Who is online

Users browsing this forum: No registered users and 1 guest

cron
.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software