By Mark Baggett
UPDATE (10-2010) : Metasploit SOCKS proxy is now fully functional. There is now an easier way to do this. Be sure to check out DigiNinja’s post here:
http://www.digininja.org/blog/nessus_over_sock4a_over_msf.php
Scenario: You are doing a penetration test. The client’s internet face is locked down pretty well. No services are exposed externally and only HTTP/HTTPS are allowed OUT of the corporate firewall. You email in a carefully crafted email with the meterpreter attacked. An accommodating users is more than happy to click your attachment giving you meterpreter access to their machine. Now what? How about using Nessus to scan all the services on their internal network? Here is a tutorial on how to do it.
The Players
Attacker 172.16.186.132
Victim 172.16.186.126
Step 1 – After you have meterpreter access install OpenSSH on the victim’s computer. Joff Thyer, packet guru, crazy aussie and all around smart guy did a great job of outlining the install process on his blog. I pretty much just followed his instructions here.
Step 2 – After you’ve installed OpenSSH and setup your account use Meterpreters PORTFWD command to forward a port from the attacker’s machine to the SSH listener on the victim’s machine. For example:
meterpreter> portfwd add -L 172.16.186.132 -l 8000 -r 172.16.186.128 -p 22
This command sets up a listener on port 8000 of the attacker’s IP (172.16.186.132) and forwards packets to port 22 on the victim’s machine (172.16.186.128).
Step 3 – SSH into the portfwd port you just created and setup a dynamic port forwarder on your machine. For example:
# ssh -D 127.0.0.1:9000 -p 8000 [email protected]
This command sets up a SOCKS4 proxy on port 9000 which is forwarded through the SSH session on the victim.
Step 4 – Use PROXYCHAINS to forward your nessusd traffic through the SOCKS4 listener on port 9000. This is as simple as changing the TCP port on the last line of /etc/proxychains.conf from its default of 9050 to port 9000 and launching nessusd through proxychains as follows:
# proxychains /usr/sbin/nessusd -D
Step 5 – Start the nessus client and do you scan.
If you’re not familiar with proxychains be sure to check out the post from last week.
Here is a video demo:
Nessus Scan through a Meterpreter Session from PaulDotCom on Vimeo.
Mark Baggett is teaching SANS 504 in Raleigh NC June 21st! Click here for more information.