In the last article we covered how to catch a callback from a target network. Catching a callback is not necessarily a tough task but it does require a bit of finesse and accurate parameters. Once you have a foothold on the network, it’s now time to find out where to move and where to maintain a presence within the target environment. Understanding the host network and surrounding devices is critical to a successful penetration test.
During a live penetration test, it’s best to use the tools already on the host or within the network. This is called “Living off the Land”. There are two excellent resources on built-in executables on both Windows and Linux that can help during a penetration test. These sites are lolbins and gtfobins. On a test network, or during a penetration test, it’s worth taking the time to use the built-in tools on the Windows and Linux operating systems to gain an advantage within the network. With that said, there are times in a penetration test when bringing tools to a target is necessary to accomplishing a specific task. The following are tips and ideas on how to survey network neighbors to facilitate lateral movement within the network. Some of these tools have been covered previously but not in this context. This article shows approaches on how to survey a network and builds upon some of the concepts found in an earlier article, Pentesting 101: Fingerprinting Continued. The methodology that you employ in a penetration test will depend on the network.
Nearly every penetration tester knows about the Metasploit framework and has probably used it on an engagement. Metasploit is a framework bundled with many tools. Among those tools are the ability to create a database of network and host information and the ability to route packets and connections through a host. Setting up a database to house credentials and search results for Metasploit is very easy and can be very rewarding on a penetration test. It also helps categorize and organize scan results, exploits used, credentials stored and connections.
Setting up the Metasploit database is extremely easy to accomplish. Using Kali Linux during the penetration test, it only takes a couple commands to set up the database and use it while in Metasploit. First we must check to see if PostgreSQL is installed.
Now that we’ve established the PostgreSQL is installed, we must check to see if it’s running or not. If it’s not, we need it to run. One way to improve this would be to configure PostgreSQL to run at startup so we don’t have to remember to start it every time we want to use Metasploit with a database backend. To do this, we must issue a couple of commands. First, we will use the “service” command to check the status of PostgreSQL to see if it’s running. We can then use the “update-rc.d” command to enable it to start at boot. If it’s not currently running, we can manually start the service. The below screenshot contains all the steps just outlined.
Now we’re ready to set up the database for Metasploit usage. This is very straightforward. Using the “msfdb” command, only two commands are needed, “msfdb init” and “msfdb start”.
Metasploit can now be started and the database will automatically be populated with data when the database oriented commands are used. Some information we can store includes scanning information of other hosts on a network. For example, imagine you’re on a penetration test and have compromised a Windows host with a Meterpereter callback. From here, we can use a couple of commands to scan other hosts on the local network and save them to the database for future reference.
Now we see there is another host on the 172.16.5.0/24 network. There are two ports that are listening on the host, port 22 and port 80. If we’d like, we can see what the webpage is hosting. We can do this using Metasploit’s built-in proxy service. Below is how to set up this proxy server on the local computer and configure Firefox to use the proxy to browse to the internal website.
In an earlier screenshot you might have noticed the initial hop point into the network was connected to two different networks: the 172.16.5.0/24 network and the 10.1.1.0/24 network. It would be wise to scan this network to see if there are any hosts on the network and to identify the ports they are serving. Instead of using the built-in port scanner in Metasploit, we can use Metasploit to act as a proxy to scan that network. This is similar to the last example of how we used Firefox to browse to the internal network website.
I’d like to briefly talk about a subject that was brought up in an earlier article about scanning. The article talked about fingerprinting while hiding and using nmap through a SOCKS proxy. This same technique can be applied here with the built-in Metasploit SOCKS proxy. Below is a brief example using nmap and proxychains through the Metasploit SOCKS proxy.
SOCKS proxies can broker all types of TCP connections to include SSH connections. For example, if during the penetration test SSH credentials are found for the 10.1.1.177 host, it’s possible to use SSH with proxychains to log into the host from Kali through the initial foothold.
Be on the lookout for Part 2 of the Surveying Series, coming soon!