Need help regarding pivoting

Hello,

I need help regarding pivoting. How do you know that there are further machines to pivot to? In the enumeration phase of post-exploitation, in this INE lab, after having compromised the first machine, ipconfig reveals only one interface, as in this screenshot

In this case, how would I know that there is another machine in the network only accessible through machine 1?

Thanks in advance!

Hi. This lab is kinda confusing I admit. In this lab, it is assumed that we have knowledge of the second host IP (i.e. given at the start of the pentest).

With this knowledge and the fact it is a /20 subnet, we know that the second target is in the same subnet as the first target was, but we cannot connect from our Kali machine - maybe because of a firewall or rule that only allows traffic from that subnet.

Therefore, we can use the meterpreter shell as a hop to get further into the network.

It was kinda confusing for me too, but I hope that helped. In short, there is only one network adapter that is part of a /20 subnet that we are given at the start, therefore we simply route through it. In real scenarios, there may be two network interfaces or it may be the same scenario as here.

I no longer have access to the INE labs though I’ve completed the eCPPTv2, so I can’t tell you specifically. But, in general, you can find other machines with a quick arp scan command or a TCP scan (usually done after a route is set up in meterpreter if it’s on another subnet). It's also good to look at active connections with things like netstat to see if there are any other machines. If you try all of these and you still don’t see another machine in this lab, you just go off of it being mentioned in the lab guidelines, similar to how a client might specify which targets are in your scope.

Hi,

Ok, let me go for a thoughtful explanation that could be useful for other readers as well.

Note: the IP addresses included in this post will change according to the instance of the lab.

As you know, during the post-exploitation phase, running the ifconfig command inside a meterpreter shell will supply you with information about the NICs installed in the compromised machine. In that specific lab, the adapter to consider is “Interface 12”, which is the only one with a MAC address that is not set as localhost (i.e. all zeros). The network, in CIDR notation, is 10.2.21.0/20 (IPv4). That means that the part reserved for the host is 12 bits long. In other words, the network can host up to 4096 IP addresses (4094 usable ones). IP subnet calculator here: IP Subnet Calculator

As already suggested, to discover the hosts inside that particular network, probably the best option is using an ARP sweep. Since we are in a post-exploitation phase, we can put the meterpreter shell in the background and then perform a search in Metasploit like this: search arp scanner (others, like restricting the search to post-exploitation modules, could work as well). The search will end up with a few results; the most suitable is:

post/windows/gather/arp_scanner

since the first victim machine is based on Windows, as revealed by an nmap scan first and then confirmed by a sysinfo command in meterpreter.

When we type “options” to look at the options supported/requested by that module, we see that we need to set the SESSION and RHOSTS (the whole network in CIDR notation) options. Then, just type “run” and you will get the hosts included in the network. In our case, it is an operation that requires quite a bit of time and, if you try it, you will get more than just two hosts, by the way. In the lab it is not necessary, because we immediately get the IP address of the second victim machine, but in a real black-box pentest a discovery phase is mandatory for lateral movement.

A post-exploitation ICMP sweep (aka ping sweep) performed on 10.2.21.0/20 could be useful as well (for instance, the Metasploit module post/multi/gather/ping_sweep) to discover live hosts, but we have to consider that some of the machines inside the network could be protected by a firewall and drop our packets, so probably an ARP sweep is more reliable. After all, ARP exists for that: to map IP-to-MAC address relationships in a LAN.

Best,
Paolo.
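Added example (not code from the thread or from the lab) working through the /20 arithmetic Paolo describes: it normalizes a CIDR string to its network address, derives the host-bit count and usable host count, and checks whether a second IP sits inside the same subnet as the first compromised host, which is the reasoning used above to decide that a route through the existing session is needed. Only 10.2.21.0/20 comes from the thread; the other addresses are constructed sample values.

```python
# Added example: CIDR arithmetic behind "/20 => 12 host bits => 4094 usable hosts".
# Pure bit math on purpose, so every step of the reasoning is visible.

def ip_to_int(ip: str) -> int:
    """Convert dotted-quad IPv4 text to a 32-bit integer, rejecting malformed input."""
    parts = ip.split(".")
    if len(parts) != 4:
        raise ValueError(f"not an IPv4 address: {ip!r}")
    value = 0
    for part in parts:
        octet = int(part)
        if not 0 <= octet <= 255:
            raise ValueError(f"octet out of range in {ip!r}")
        value = (value << 8) | octet
    return value

def int_to_ip(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def prefix_to_mask(prefix: int) -> int:
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix length out of range: {prefix}")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF

def subnet_info(cidr: str) -> dict:
    """Describe the network a 'host/prefix' string belongs to (e.g. 10.2.21.0/20 -> 10.2.16.0/20)."""
    addr, prefix_text = cidr.split("/")
    prefix = int(prefix_text)
    mask = prefix_to_mask(prefix)
    network = ip_to_int(addr) & mask            # clear the host bits
    broadcast = network | (~mask & 0xFFFFFFFF)  # set the host bits
    host_bits = 32 - prefix
    total = 1 << host_bits
    # /31 (RFC 3021 point-to-point) and /32 have no network/broadcast reservation.
    usable = total if host_bits <= 1 else total - 2
    return {
        "network": int_to_ip(network),
        "broadcast": int_to_ip(broadcast),
        "netmask": int_to_ip(mask),
        "first_usable": int_to_ip(network + 1 if host_bits > 1 else network),
        "last_usable": int_to_ip(broadcast - 1 if host_bits > 1 else broadcast),
        "host_bits": host_bits,
        "total": total,
        "usable": usable,
    }

def same_subnet(ip_a: str, ip_b: str, prefix: int) -> bool:
    """True when both hosts share the network bits, i.e. they are reachable on the same L2 segment."""
    mask = prefix_to_mask(prefix)
    return (ip_to_int(ip_a) & mask) == (ip_to_int(ip_b) & mask)
```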