1 00:00:00,500 --> 00:00:08,420 Pivoting is a kind of post-exploitation technique that allows you to move around different networks
2 00:00:08,810 --> 00:00:10,570 by using a compromised target.
3 00:00:12,120 --> 00:00:16,920 So you're going to access other networks that are reachable by the compromised target.
4 00:00:18,280 --> 00:00:21,670 Now, to understand how this works, I'll give you a simple example.
5 00:00:22,870 --> 00:00:28,810 So assume that you compromised a target on the network and you have a Meterpreter session open.
6 00:00:30,430 --> 00:00:35,350 And then you move on to internal information gathering on that target.
7 00:00:36,800 --> 00:00:45,950 Oh, what's that you say? You used ipconfig or ifconfig, and there is a second network that your
8 00:00:45,980 --> 00:00:48,320 victim can reach, but you can't.
9 00:00:50,070 --> 00:00:53,310 That's when pivoting comes in particularly handy.
10 00:00:54,730 --> 00:01:00,550 So what you'll do is you'll use your compromised target to jump into the second network that you can't
11 00:01:00,550 --> 00:01:01,840 get to otherwise.
12 00:01:03,470 --> 00:01:08,480 So you'll use Meterpreter to add routes to reach the second network.
13 00:01:09,660 --> 00:01:12,080 The whole flow is called pivoting.
14 00:01:13,290 --> 00:01:16,920 And your first compromised machine is your pivot point.
15 00:01:19,340 --> 00:01:24,860 So here I already have a session on Metasploitable 3 using the psexec module.
16 00:01:26,160 --> 00:01:30,570 But before starting up, I think it's important to understand the logic.
17 00:01:31,960 --> 00:01:32,770 ifconfig.
18 00:01:34,110 --> 00:01:38,310 So this is my IP address, 10.0.2.16.
19 00:01:39,430 --> 00:01:45,910 And I have a session on the machine 10.0.2.17, which is Metasploitable 3.
20 00:01:47,430 --> 00:01:53,730 So then when I use my session on Metasploitable 3 to connect to 172.28.128.5,
21 00:01:53,740 --> 00:01:59,850 that's Windows 7, which is in another network that,
22 00:02:00,000 --> 00:02:01,350 well, I just can't reach.
23 00:02:01,350 --> 00:02:01,620 Right.
24 00:02:03,470 --> 00:02:04,280 So when I
25 00:02:05,250 --> 00:02:08,820 ping 10.0.2.17,
26 00:02:10,460 --> 00:02:11,450 I can reach it.
27 00:02:12,510 --> 00:02:20,280 When I ping 172.28.128.6, which is another interface of Metasploitable
28 00:02:20,280 --> 00:02:22,800 3, I can reach it too.
29 00:02:24,410 --> 00:02:34,390 But when I ping 172.28.128.5, which is Windows 7, I can't reach it.
30 00:02:35,320 --> 00:02:35,710 Right.
31 00:02:35,740 --> 00:02:37,240 So I think that's pretty clear.
32 00:02:38,480 --> 00:02:41,090 So what I'm going to do is interact with my session.
33 00:02:42,630 --> 00:02:47,280 Let me check just once more who I am and where I am; it's always a good thing to know.
34 00:02:48,030 --> 00:02:52,770 All right, so I have a system-level Meterpreter shell on Metasploitable 3.
35 00:02:53,920 --> 00:02:57,780 So after gaining a Meterpreter shell, you have many things to do.
36 00:02:58,720 --> 00:03:04,610 And getting the network configuration of the target is one of the most important things you can do.
37 00:03:05,500 --> 00:03:08,980 So ipconfig or ifconfig.
38 00:03:10,070 --> 00:03:14,030 That'll bring up and display the basic IP information of the target.
39 00:03:15,460 --> 00:03:19,180 Now, when you look at these results carefully,
40 00:03:20,360 --> 00:03:27,260 you're going to find that the target has another interface, which has the IP address of
41 00:03:27,770 --> 00:03:30,350 172.28.128.6.
42 00:03:31,480 --> 00:03:34,690 But you are not in that network.
43 00:03:35,640 --> 00:03:39,120 So in order to get more from your penetration test,
44 00:03:40,020 --> 00:03:42,390 you can also try to access that network.
45 00:03:43,680 --> 00:03:49,530 By the way, it is possible to use the Meterpreter get_local_subnets script.
46 00:03:51,360 --> 00:03:54,000 And it will also display the subnets of the target.
47 00:03:56,120 --> 00:03:59,090 Meterpreter has a command named route.
48 00:04:00,670 --> 00:04:04,210 And as the helpful help menu suggests,
49 00:04:05,330 --> 00:04:07,580 it displays the routing table of the target.
50 00:04:09,140 --> 00:04:14,630 But not only does it display it, you can also add to, delete from, and list this table.
51 00:04:15,670 --> 00:04:21,070 So route without any parameter displays all routes on Metasploitable 3.
52 00:04:21,970 --> 00:04:29,400 And you can get the local subnets and the networks that are reached by the target from this result as well.
53 00:04:30,950 --> 00:04:33,470 So now that we have all the network information,
54 00:04:34,510 --> 00:04:40,720 we can go ahead and run Metasploit autoroute as our post module to create a route to Windows 7
55 00:04:41,050 --> 00:04:42,580 over Metasploitable 3.
56 00:04:48,170 --> 00:04:51,050 And here's the info command for autoroute.
57 00:04:52,210 --> 00:04:53,380 So let's go ahead and use that.
58 00:04:54,660 --> 00:05:02,130 To view the routes, run post/multi/manage/autoroute
59 00:05:03,080 --> 00:05:06,740 with the parameter CMD=print.
60 00:05:08,630 --> 00:05:11,120 And what this will do is print the route information,
61 00:05:12,070 --> 00:05:13,390 if you've done it before.
62 00:05:14,490 --> 00:05:15,570 So there's no route.
63 00:05:16,600 --> 00:05:22,060 So the same command, but this time change the command value to add.
64 00:05:22,960 --> 00:05:32,110 And then define the subnet value, so SUBNET=172.28.128.0.
65 00:05:33,080 --> 00:05:33,650 Hit enter.
66 00:05:35,710 --> 00:05:39,240 And the route is added, so let's print the route information again.
67 00:05:41,790 --> 00:05:48,150 And now you see you have a route to network 172.28.128.0
68 00:05:48,420 --> 00:05:50,370 over Meterpreter session 1.
69 00:05:51,510 --> 00:05:53,280 So you're going step by step.
70 00:05:54,340 --> 00:05:58,240 So you can send this session to the background with bg.
71 00:06:00,690 --> 00:06:07,440 And outside of the Meterpreter session, you can also observe the route information, but this route
72 00:06:07,440 --> 00:06:12,320 command belongs to Metasploit itself.
73 00:06:13,080 --> 00:06:17,130 So when you display the help menu, you can find the syntax of it.
74 00:06:17,700 --> 00:06:19,050 It's going to be a little different.
75 00:06:20,260 --> 00:06:26,710 And you can also add the route from here; whichever way, it's up to you, but either way will work.
76 00:06:28,120 --> 00:06:31,180 So let's try to ping Windows 7 once more.
77 00:06:34,840 --> 00:06:40,930 Nope, denied, and the result's the same, I can't reach it, so I'll go back.
78 00:06:42,130 --> 00:06:49,180 Now, because you have a route to the other network, you can discover the new targets by scanning for
79 00:06:49,180 --> 00:06:51,730 open ports and detecting services.
80 00:06:52,910 --> 00:06:56,600 So I'm first going to start with a simple SYN port scan.
81 00:06:57,520 --> 00:06:59,830 use auxiliary/scanner/
82 00:07:01,070 --> 00:07:03,050 portscan/syn.
83 00:07:05,710 --> 00:07:07,390 Show me the options.
84 00:07:08,760 --> 00:07:09,720 set RHOSTS
85 00:07:10,660 --> 00:07:14,950 to 172.28.128.5 and 6.
86 00:07:16,040 --> 00:07:19,720 Now, because it is so slow, I'm not going to do this for the whole network.
87 00:07:20,840 --> 00:07:21,720 set PORTS
88 00:07:23,220 --> 00:07:25,620 from 1 to 1000.
89 00:07:26,930 --> 00:07:29,630 And set THREADS to 50.
90 00:07:32,160 --> 00:07:33,300 Show the options again.
91 00:07:35,670 --> 00:07:37,100 And everything seems OK.
92 00:07:38,130 --> 00:07:39,660 So let's run the module.
93 00:07:41,470 --> 00:07:48,700 And the execution of the module is slow due to routing issues, so I'll just pause the recording here
94 00:07:48,700 --> 00:07:50,220 and I'll come back to you in a second.
95 00:07:52,000 --> 00:07:56,700 All right, so we can stop execution at this point, I don't want to wait too much longer.
96 00:07:57,670 --> 00:08:01,720 And as you can see, port 445 is open on Windows 7.
97 00:08:02,890 --> 00:08:03,600 What does that mean?
98 00:08:04,870 --> 00:08:11,470 It means you can try psexec to it with the credentials that you've already gathered from the
99 00:08:11,470 --> 00:08:12,400 beginning of the course.
100 00:08:13,850 --> 00:08:20,420 So use exploit/windows/smb/psexec.
101 00:08:22,430 --> 00:08:24,010 Show me the options.
102 00:08:25,690 --> 00:08:28,480 set RHOST to Windows 7's address.
103 00:08:31,340 --> 00:08:33,680 I don't think there's anything else to change.
104 00:08:35,080 --> 00:08:36,580 All right, so exploit.
105 00:08:37,590 --> 00:08:38,310 Seems good.
106 00:08:43,740 --> 00:08:46,160 Oh, something went wrong.
107 00:08:47,230 --> 00:08:48,820 So options.
108 00:08:50,020 --> 00:08:51,480 Aha, I found it.
109 00:08:51,520 --> 00:08:54,640 Did you have a look? It's the wrong payload.
110 00:08:56,270 --> 00:09:03,890 Now, because you can reach that network over a route, the network still can't connect back to us,
111 00:09:04,760 --> 00:09:09,560 so you need to change the payload to a bind payload.
112 00:09:10,500 --> 00:09:11,010 Makes sense.
113 00:09:12,850 --> 00:09:13,750 set payload
114 00:09:15,240 --> 00:09:18,060 to windows/meterpreter/
115 00:09:19,440 --> 00:09:21,480 bind_tcp.
116 00:09:25,010 --> 00:09:26,270 Show me the options.
117 00:09:27,230 --> 00:09:29,960 All right, so this time it's all OK to me.
118 00:09:31,290 --> 00:09:32,840 Then exploit.
119 00:09:38,910 --> 00:09:42,030 Perfectamundo, you get the session.
120 00:09:43,370 --> 00:09:47,840 getuid: system-level shell. sysinfo.
121 00:09:48,860 --> 00:09:52,190 OK, you have a Meterpreter session on Windows 7.
122 00:09:54,180 --> 00:09:55,150 What time is it?
123 00:09:55,710 --> 00:10:00,960 Hey, it's time to dig into this target and infiltrate the network.