- we have our Meterpreter shell access on the Ubuntu server (the pivot host)
- we want to perform enumeration scans through the pivot host, but we would like to take advantage of the conveniences that Meterpreter sessions
tmux env setup
Creating Payload for Ubuntu Pivot Host
Configuring & Starting the multi/handler
copy the shell.elf binary file to the Ubuntu pivot host over SSH
execute shell.elf to gain a Meterpreter session
Step 2 - ping sweep
We know that the Windows target is on the 172.16.5.0/23 network. Assuming the firewall on the Windows target allows ICMP echo requests, we can perform a ping sweep of this network from Meterpreter with the ping_sweep module, which generates the ICMP traffic from the Ubuntu pivot host to 172.16.5.0/23 rather than from our attack host.
Step 3 - proxy
Configuring MSF's SOCKS Proxy
Confirming Proxy Server is Running
Adding a Line to proxychains.conf if Needed
After initiating the SOCKS server, we will configure proxychains to route traffic generated by other tools like Nmap through our pivot on the compromised Ubuntu host. We can add the below line at the end of our proxychains.conf file, located at /etc/proxychains.conf, if it isn't already there.
Step 4 - AutoRoute
Creating Routes with AutoRoute
Finally, we need to tell our socks_proxy module to route all the traffic via our Meterpreter session. We can use the post/multi/manage/autoroute module from Metasploit to add routes for the 172.16.5.0 subnet and then route all our proxychains traffic through them.
It is also possible to add routes by running autoroute directly from within the Meterpreter session.
Listing Active Routes with AutoRoute
Testing Proxy & Routing Functionality