In most of the organizations the internal networks are behind firewalls which allow only port 80 for connections in order their workers to have access to the Internet.No other ports are open.So how a penetration tester that performs an external penetration testing can gain access to these systems and how he can discover and compromise other hosts that are on the same network but in different subnet?

Lets say that we are performing an external penetration test and we want to send a malicious Java applet to the company users in order to bypass the firewall restrictions.For that scenario we can use SET.We will not demonstrate the implementation of this attack in this article as it has been already explained here.

The first thing that we will try of course is to send the website that will load the malicious Java applet to the email addresses of the company’s employees and to see who is going to run it.In nowadays you can discover very easily work emails through professional social networks like Linkedin.

Malicious Java Applet

 

The payload of this applet has been encoded 4 times in order to avoid antivirus detection.So if one of the users runs this Java applet we will get a meterpreter session.

Meterpreter Session Opened

 

Now that we got access as a first step is to find some more information about the target with the command sysinfo.As you can see from the next image it is a Windows 7 machine.

Information about the target

 

Our next option is to try to discover any important files that exist on the local drive of this remote host.For that reason we will need to obtain a shell instead of the meterpreter session.

Getting a shell and discover potential important files

 

We can use the ipconfig command in order to check the interfaces of the target.As you can see from the image below this target has 2 interfaces which means that it is connected to another network as well.

Discover other interfaces

 

The second IP of our target is the 192.168.2.2.Before we try to inspect this network we will try to escalate privileges in order to become system user.As we already know it is a Windows 7 machine which means that the UAC will not let us.So we will try to bypass it first.We will return to the meterpreter and we will run the script bypassuac.

Bypass UAC

 

Now we can try to escalate privileges by using the common command of meterpreter getsystem.

Privilege Escalation

 

The privilege escalation have succeeded and now we have full control of the remote system.We can also attempt to check the routing table in order to discover other valid networks and IP addresses.

Routing Table

 

From the above table we can identify the existence of another network 192.168.2.0 which our machine belongs as well.So our next option is to try to find any other hosts that are part of this network.Metasploit Framework has a module called nbname which can discover other hosts through the NetBIOS service.

Searching for nbname

 

Before we configure the netbios scanner we will create the pivot by instructing metasploit to route all traffic from our meterpreter session to the network 192.168.2.0.

Route Traffic to the other network

 

The pivot has created and all the traffic will pass to the network 192.168.2.0 (which is a network that we cannot reach directly from outside) from the machine that we have already compromise through the meterpreter session 5.We can now configure the module.For this scenario we will scan only a small range of IP’s from 192.168.2.1 to 192.168.2.5.

nbname configurations

 

The output of the scan indicates that there is another machine which have the name PC1 with the IP 192.168.2.1

Discovery of another system into the second network

 

So we obtain another one IP address and our next step is to scan this IP in order to discover any open ports.We will search in the metasploit framework for the available port scanners and we will use the TCP scanner.

Searching for available port scanners

 

We are configuring the scanner giving the port range from 1-500 and we run it.

Configuring the TCP port scanner

 

The traffic of this port scan will pass through our pivot point to the other host and then it will return the results to us.

Port Scanner Results

 

The results above are showing that the port 445 is open so we will try to use the netapi exploit which uses that port in order to see if we can compromise this machine as well.

netapi exploit configurations

 

As you can see from the image above we have chosen as a payload a meterpreter bind_tcp and not the reverse_tcp.The reverse connection will not work in this case because the target IP address 192.168.2.1 will not know how to reach back our IP address.Now that everything is ready it is time to exploit the target.

Target Exploitation

 

We have exploited the target machine and we have successfully opened a new meterpreter session.As the last line of the above screenshot indicates this was achieved through the pivot machine.The next image is showing that now we have two active sessions on computers which are on different subnets.

Active Sessions

 

Conclusion

In this article we saw how we can attack one system which is on the same subnet with our machine and then how to use the machine that we compromise in order to attack a computer on a different subnet.This scenario it is not far away from the reality because in most of the cases the corporate firewall will block everything except of the port 80.So the real problem here doesn’t has to do with a vulnerability but with human weakness.An unsuspicious employee can create a hole to the network just because he clicked a malicious link or he allowed a Java applet to run.

As vulnerabilities are getting patched quickly the only way for an attacker to break into a network is to take advantage that someone will be tempt to open a malicious file or link.So social engineering attacks will become more and more sophisticated in order to produce better results.The only way to prevent these kind of attacks is education of the employees.