February 2019 | Ramandeep Singh

Digging Deep Into The Hidden Networks

blue background with lines connecting dots to indicate a digital network

You’re working in a corporate network where keeping critical systems and normal users in a single network is not recommended. Imagine yourself pentesting this network with n-layered security architecture, made intentionally to protect internal services, keeping Defense-In-Depth in mind.    

This can be tricky…let’s dig in on how to work your magic.  

Routing

This is the backbone process of the networking principles that determines how devices in WAN networks communicate. Routers (layer three devices) route the data packets to the relevant destination.

Pivoting

In simple words, it’s a process of accessing an inaccessible network by taking leverage of a compromised host on the network.  

Using this tunneled routing, you can pivot all requests to the target inaccessible host via compromised host.  

Behind the Scenes – Pivoting Process

The compromised host is connected to the router that connects to the demilitarized zone (DMZ) with privileges to access the systems (for example: a user authorized to access DMZ).

Time to use metasploit:  

Let’s Pivot  

Remember routing? Let’s talk about it more. Once the first target is compromised, you can then create a custom routing rule for pivoting.  

With the autoroute session in place, you can access the 8.8.8.0/24 network. Arp scanner would be good, right? Let’s see how an attacker uses it:

Sweet! Now, it’s time to have some fun utilizing pivoting. As the session is already initialized, routing configurations can be forwarded over a sock4 proxy that can be used within a Metasploit framework.  

Once it’s set up, port forwarding is the way to go, which is available within the Metasploit framework as a module. With a local port, you can forward a connection request to a port available on the target 8.8.8.2

With a nmap scan using proxychains, you can figure out what ports open on the target that you can use to add for port forwarding.  

Digging down further, you can use the browser and visit port 9090 on your machine to check the service on port 80 of the target.  

Voila! Now you can try tools like hydra to guess credentials for login. If not, find your way in with known exploits for the running services.  

Strategies to Mitigate these types of Risks

  • Setup systems in the DMZ structure to be accessible only within DMZ structures.

Ramandeep Singh is a lead instructor with Evolve Security Academy and a consultant with Evolve Security. You may contact him at connect@evolvesecurity.io.