In this video I will be showing you how to pivot between multiple devices, that is, gaining access to one device on a network, and then using our access to move between multiple devices. This is a bit more complicated than some of the previous simulations, so return to this when you feel comfortable using some of the other methods. I will begin by starting my MSFConsole handler and continue to open a simple web server on port 80. Open the Windows machine to download the previously created application exploit and then run it. Now let's check the web server and Materpreter. Great, I have a session. Here I'm checking out some basic Materpreter commands, getuid, get user I.D, sysinfo, system info, and pwd, print working directory. Now I'm going to migrate to a stable process, explorer.exe is the best choice for that. Now I'm checking out the IP config of the exploited machine. Here you can see the 192.168.56.4 interface present on Windows 7. It indicates that it is connected to 192.168.56.0 series network. I will use Windows 7 as a pivot to explore the other machine on 192.168.56 network. To determine the other host on the 192.168.56 network I'm going to use a Materpreter ARP scanner module. Type run arp_scanner-r 192.168.56.0 \24. It shows that the IP 192.168.56.5 is alive in the pivot network. Now it's our mission to exploit that machine. Things become difficult when we want to exploit a machine on a pivot network, we need a route to the machine. Here we're routing to the 192.168.56 network. Now we will make a route 192.168.56 network using the session that we have. To do that in the background, open the current Materpreter and enter the following command, route add 192.168. 56.0 255 .255.255.0. The one at the end of the route statement indicates that we are using session one for the route. Let's check the route with the route print command. Now I'm going to set up a TCP scanner to scan the host 192.168.56.5 using the route of the session one that I have added. The command is use auxiliary/scanner /portscan/tcp. Let's show the options. Set rhost, remote host, to the secondary victim machine, and set threads to 10. Then, my favorite command, run. Scanning takes time as I'm working on a pivot network, so I'll interrupt with control-c. This is how we can scan the network. Now we need to determine the services enabled on each port, so that we can think of further exploitation. In this case I'll use the portfwd Materpreter command. I'll type portfwd add -l 9999 -l 139

- r 192.168 .56.5. This will bind the local port, 9999 to remote port 139 of the remote host 10.128.0.1. Verification of local port forward is done by scanning the local port, 9999. For this I'll use Nmap, the port scanning application. It is pre-installed in Kali. I'm now entering Nmap -sV

- p 9999 127.0.0.1 in a new terminal window. This will scan the IP address using that port. Okay, so it's Samba smbd 3.X. There's a working exploit for Samba in Metasploit, with the name use exploit/multi/ samba/usermap_script. Configure Metasploit module as follows. I'll look at the reverse shell payload and configure carefully. Let's see if I find anything strange. The attacker Ip, my IP, is 10.0.2.30 Kali, and I'm sending a reverse shell to 192.168.56.4 Windows 7. So Windows 7 will have the reverse shell. When we're using a Materpreter session and working with portfwd utility, our Materpreter is programmed to route the reverse shell to the attacker as it knows portfwd is in use. It is the responsibility of the materpreter session to handle the route and victim's session and give it back to the attacker. And now, with everything ready, I can use another favorite command of mine, exploit, and I have a Linux shell that I can use to exploit multiple devices, and that is pivoting.