Tuesday 24 October 2017

networking - How to determine my actual external IP address through the Windows command line while on a VPN


This question is a doozy, but is something I am trying to figure out for a simulation penetration test. Maybe I'm going the wrong way about it, and maybe I should post this in another forum, but given what I'm actually asking it felt appropriate here.


I am able to remotely connect to another computer, and access a Windows command prompt. The other computer is behind a VPN. Using only the tools I have at my disposal (that is, a reverse connected Meterpreter) how can I find out the TRUE external IP address of the remote machine?


I am thinking I will need to hit an external site (like ipchicken.com) or even just pull down an external webpage (since I have the server logs to that server) via the command line, while forcing it to NOT go through the VPN.


Any help would be appreciated!



Answer



First, check the local IP address! Make sure a public address is not assigned to the device.


If there is indeed a NAT, you would need to look at your routing table first.


$ netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.0.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0
0.0.0.0         192.168.0.1     0.0.0.0         UG        0 0          0 eth0

Using that, you should see what routes exist on that computer. Most likely there will be a route going over a VPN (yours) and then other routes. What you are looking for is the default route: make sure it exists and then send traffic over it. If the default route is your VPN, then try to find a more specific route that leads you out of the network.


If you have a default route that is not your VPN, go to any server on which you can track the IP addresses that connect to it. This can be your server, which you try to ping or on which you try to access a webpage.


Edit:


Adding a route in Windows:


route ADD *prefix* MASK *subnet* *gateway* METRIC *metric* IF *interface number*
route ADD 157.0.0.0 MASK 255.0.0.0 157.55.80.1 METRIC 30

Although you can change the route using meterpreter:


route add *prefix* *subnet* *gateway*
route add 157.0.0.0 255.0.0.0 157.55.80.1

Source:


http://www.offensive-security.com/metasploit-unleashed/Msfconsole_Commands#route


route /?
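
Added example, not part of the original answer: a route lookup over `netstat -rn` output, useful for checking whether a VPN client really captures all internet-bound traffic or leaves a path through the physical gateway. The `tun0` rows, the probe addresses and the function names are assumptions made for illustration; the other rows are the table from the answer.

```python
import ipaddress

# Constructed sample: the answer's table plus a hypothetical VPN interface
# (tun0) that overrides the default route with two /1 routes.
SAMPLE = """\
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
0.0.0.0         10.8.0.1        128.0.0.0       UG    0   0      0    tun0
128.0.0.0       10.8.0.1        128.0.0.0       UG    0   0      0    tun0
192.168.0.0     0.0.0.0         255.255.255.0   U     0   0      0    eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     0   0      0    eth0
0.0.0.0         192.168.0.1     0.0.0.0         UG    0   0      0    eth0
"""

def parse_routes(text):
    """Parse Linux-layout `netstat -rn` output into (network, gateway, iface)."""
    routes = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 8:
            continue  # banner or blank line
        try:
            net = ipaddress.ip_network(f"{cols[0]}/{cols[2]}", strict=False)
        except ValueError:
            continue  # column header or malformed row
        routes.append((net, cols[1], cols[-1]))
    return routes

def egress(routes, dest):
    """Longest-prefix match: the route the OS would choose for dest."""
    # Metrics are not shown by netstat -rn, so ties on prefix length
    # resolve to the first matching row (an assumption of this sketch).
    addr = ipaddress.ip_address(dest)
    matches = [r for r in routes if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None

def internet_path(routes, probes=("1.1.1.1", "203.0.113.10")):
    """Interface used for one public address in each half of IPv4 space.
    Only the table is consulted; no packets are sent."""
    result = {}
    for p in probes:
        hit = egress(routes, p)
        result[p] = hit[2] if hit else None
    return result

if __name__ == "__main__":
    for dest, iface in internet_path(parse_routes(SAMPLE)).items():
        print(f"{dest} leaves via {iface}")
```

With the two `/1` rows present, every public destination resolves to `tun0` even though the `0.0.0.0/0` route through `eth0` still exists; only the directly connected `192.168.0.0/24` range bypasses the tunnel.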

