As a follower of the "only way to exploit is Metasploit" we often encounter situation where most servers are behind NAT . In order for the exploitable server to be successful connected back to the attacker machine in a typical pentest workaround is by forcing the exploitable server to make a reverse_tcp payload back to the attacker machine.
However this technique require several weakness:
- The attacker need to have an ext.PI
- The attacker would be in trouble if he is also in a NAT enviroment..
- The attacker Network have limited open ports.
A fakap situation
Solving the issue can be done in two ways..
1. Thinkering with your company policy to allowed port forwarding to the internal IP
2. Using an external IP interfacing box as a trampoline point to our internal network..
We used an external Box as our trampoline point. You could install metasploit on the server but that may violated blax3 policy plus consume a lot resources.
P.O.C of attack
Suppose we found a CFM FCKeditor bugs on chaah.gov.my , we can easily deploy the exploit as it is.
But the tricky part is the payload settings. On my Settings i have this type of connection.
My Setup.
1. Setup VPN or Poor Man VPN on your external box
My Setup.
1. Setup VPN or Poor Man VPN on your external box
2. Redir traffic for one port on the external box to your own internal VPN IP:port
3. Exploit
Setting up the metasploit payload..
3. Exploit
Setting up the metasploit payload..
On your external Box u can use iptables to redirect traffic
iptables -t nat -A PREROUTING -p tcp --dport 6767-j DNAT --to-destination 192.168.6.14:6767 (Owned interface VPN IP)
Back to metasploit here is the jewel crown.. we set ReverseListenerBinAddress to our own VPN IP.
.... And the ritual begin
iptables -t nat -A PREROUTING -p tcp --dport 6767-j DNAT --to-destination 192.168.6.14:6767 (Owned interface VPN IP)
Back to metasploit here is the jewel crown.. we set ReverseListenerBinAddress to our own VPN IP.
.... And the ritual begin
No comments:
Post a Comment