FTP Pivoting through RDP
From Offensive Security
Pivoting is a technique to get inside an unreachable network with help of pivot (center point). In simple words, it is an attack through which an attacker can exploit those systems which belong to the different network. For this attack, the attacker needs to exploit the main server that helps the attacker to add himself inside its local network and then the attacker will able to target the client system for the attack.
Lab Setup requirement:
Attacker machine: Kali Linux
Pivot Machine: window operating system with two network interface
Target Machine: window 7 (Allow FTP service)
Exploit pivot machine
Use exploit MS17-010 or multi handler to hack the pivot machine and bypass its UAC to achieve admin privileges.
From the given image you can confirm that I owned a pivot machine (192.168.0.101) meterpreter sessions 1.
Launch the sticky key attack
Here I need to make post exploits to launch the sticky key attack
|use post/windows/manage/sticky_keysmsf post(sticky_keys) > set session 1msf post(sticky_keys) >exploit
Great!! It has successfully launched a sticky attack in pivot machine and now we will utilize it later for establishing a connection with the target FTP server.
Enable RDP service
Open meterpreter session1 and type following command which will enable remote Desktop service in the pivoted machine.
|meterpreter> run getgui -e
Verify the network interface of the pivot
Check the network interface through the following command:
From the given image you can observe two networks interface in pivot’s system 1stfor IP 192.168.0.101 through which the attacker is connected and 2nd for IP 192.168.100.102 through which FTP server (targets) are connected.
Since the attacker belongs to 192.168.0.1 interface and client belongs to 192.168.100.0 interface, therefore, it is not possible to directly make an attack on client network until unless the attacker acquires the same network connection. In order to achieve 192.168.100.0 network attacker need to run the post exploitation “autoroute”.
This module manages session routing via an existing Meterpreter session. It enables other modules to ‘pivot’ through a compromised host when connecting to the named NETWORK and SUBMASK. Autoadd will search a session for valid subnets from the routing table and interface list then add routes to them. The default will add a default route so that all TCP/IP traffic not specified in the MSF routing table will be routed through the session when pivoting.
|use post/multi/manage/autoroute msf post(autoroute) > set session 1msf post(autoroute) > exploit
This module will perform IPv4 ping sweep using the OS included ping command.
|use post/windows/gather/ping_sweepmsf post(ping_sweep) > set rhosts 192.168.100.1-110msf post(ping_sweep) > set session 1msf post(ping_sweep) > exploit
Here we found a new host IP 192.168.100.103 as shown in the given image. Let’s perform TCP port scan for activated services on this machine.
Use TCP Port Scan
This module Enumerates open TCP services by performing a full TCP connect on each port. This does not need administrative privileges on the source machine, which may be useful if pivoting.
|use auxiliary/scanner/portscan/tcpmsf auxiliary(tcp) > set ports 21msf auxiliary(tcp) > set rhosts 192.168.100.103msf auxiliary(tcp) > set thread 10msf auxiliary(tcp) >exploit
From given you can observe port 21 is open and we know that 21 used for FTP services.
FTP Login Brute Force
This module will test FTP logins on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database this module will record successful logins and hosts so you can track your access.
|use auxiliary/scanner/ftp/ftp_loginmsf auxiliary(ftp_login) > set rhosts 192.168.100.103msf auxiliary(ftp_login) > set user_file /root/Desktop/user.txtmsf auxiliary(ftp_login) > set pass_file /root/Desktop/pass.txtmsf auxiliary(ftp_login) > set stop_on_success truemsf auxiliary(ftp_login) > exploit
From the given image you can observe it is showing the matching combination of username: raj and password: 123 for login.
Connect to pivot through RDP
Open a new terminal in Kali Linux and type the following command to connect with pivot machine through RDP service
If you remember we had launched sticky attack above which will open a command prompt on logon screen when you will hit 5 times shift key.
Now press 5 times to shift key then you will get command prompt and type “start iexplore.exe” which will lunch Internet Explore.
Connect with FTP server
Execute the following URL in the browser for FTP connection:
Now enter the credential which we had found through FTP login brute force attack i.e. raj: 123
Congrats!!! We are successfully connected with FTP server through pivot machine.