USING METASPLOIT SOCKS PROXY AUXILIARY MODULE OVER A METERPRETER SESSION
During a penetration test , once you have compromised a machine on the internal network, the next step generally is to pivot and then scan, fingerprint exploit and compromise other hosts in the same internal network. Sometimes, it might be useful to tunnel all the TCP communications via a meterpreter session, and not just a single port or a group of ports. This can be achieved in Metasploit using the socks proxy auxiliary module, which allows a pen-tester to tunnel TCP traffic generated by external programs like Nessus and Nmap to be tunneled via the socks proxy, which in-turn forwards the traffic via the meterpreter session , to the internal network that is not directly accessible. To force external programs to use the socks proxy, the pen-tester can use proxychains utility. Let’s, take an example:
In the above diagram the attacker has compromised HOST1 and has a meterpreter session number 1. First, to route the traffic destined to 192.168.168.0/24 network via this session he needs to issue the following command:
msf> route add 192.168.158.0 255.255.255.0 1
The next step is to start the socks proxy form the metasploit and bind it to local loopback adapter on port 1080 (default port):
msf > use auxiliary/server/socks4a
msf auxiliary(socks4a) > set SRVHOST 127.0.0.1
msf auxiliary(socks4a) > set SRVPORT 1080
msf auxiliary(socks4a) > run
[*] Auxiliary module execution completed
[*] Starting the socks4a proxy server
Now, the socks proxy server is listening on the loopback adapter on port 1080. The next step is to configure external tools and software like Firefox, nmap ,nessus etc. to use the proxy service configured.
In case of Firefox this can be done easily by clicking tools, options , network then settings. On the Connection setting tab one needs to choose Manual proxy configuration and Socks Host and Port should be set to 127.0.0.1 and 1080 respectively. The socks protocol should be set to SOCKSv4 as metasploit socks proxy only supports socks v4.
To tunnel nmap and nessus traffic via the metasploit socks proxy, the pen-tester needs to use a tool called proxychains. First, step is to configure proxychains to forwards the TCP traffic via the socks proxy setup earlier. This can be achieved by editing the /etc/proxychains.conf file and by adding the following lines :
socks4 127.0.0.1 1080
Finally, we can invoke/execute nessus like the following :
# killall -9 nessusd
# proxychains nessus-service –D
Now we can open a browser and point it to http://127.0.0.1:8834 and start the nessus scan. One important point to note here is that it is not possible to tunnel ICMP and UDP traffic via the socks proxy and hence ping packets and UDP scans should be omitted from the nessus scan list.
Similarly, it is possible to perform nmap scan via the socks proxy using the following command:
# proxychains nmap –n –sT -sV -PN -p 80,22,443,445 192.168.168.2-254
As we can see the metasploit socks proxy auxillayr module is really handy and canhelp a lot during pivoting.