Penetration testing software only shows its true capabilities on actual engagements. However, you cannot race a car before you've ever sat in the driver's seat. That's why in this article I'd like to show you how to set up a test environment for VPN pivoting, a Metasploit Pro feature for intermediate and advanced users recently described in this post.

VPN Pivoting is one of the best but also most elusive features in Metasploit Pro. It enables users to route traffic through an exploited host to a different network. A TUN/TAP adaptor activates on the Metasploit Pro machine, showing no trace of a new network adapter on the exploited host. 

How does it work? VPN pivoting installs hooks at the kernel level of the target system without making any permanent or persistent change to the OS. In layman's terms, it gives the Metasploit Pro machine an IP address on the network of the exploited host. The use case is pretty cool, but we'll get into that later. 

You will need:

  • A copy of Metasploit Pro (download trial version if you don't have a license)
  • Some form of virtualization technology (I use VMware Workstation)
  • Two or more vulnerable VMs (at least one Windows because VPN pivoting currently only works on a Windows target)
  • A can-do attitude

Pivoting enables you to jump from one network segment to another. This requires that one target machine has two network adapters, constituting a bridge between the network segments for you to exploit. In my example, I'm using three virtual machines:

  • Metasploit Pro machine (external network)
  • Windows Server 2003 (two network cards, one internal IP, one external IP )
  • Windows XP (internal network )

We want to simulate an external penetration test where we exploit the Windows Server 2003 and then pivot into the internal network to exploit the Windows XP machine. If you can get a session on this machine, you can pivot to gain access to the private network. To simulate this we need one device that has both a public and private IP, and one device that just has a private IP. 

I find it easiest to use VMware's Virtual Network Editor in the Edit menu to configure the VMnet adapters.  You can add up to 8 network interfaces in VMware Workstation, but we'll only need 2. I chose VMNet1 and VMNet2. If you already have those reserved for something else, just substitute some of the additional adaptors for this use case. Set up the Metasploit Pro machine on vmnet1:

Virtual network adapterVmnet1 (external network)Host-only (connect VMs internally in a private network)YesConnect a host virtual adapter to this networkNoUse local DHCP service to distribute IP addresses to VMsYesSubnet IP192.168.187.0Subnet mask255.255.255.0

Windows Server 2003 networking as follows:

Virtual network adapterVmnet1 (external network)Vmnet2 (internal network)Host-only (connect VMs internally in a private network)YesYesConnect a host virtual adapter to this networkYesNoUse local DHCP service to distribute IP addresses to VMsYesYesSubnet192.168.187.0172.16.255.0Subnet mask255.255.255.0255.255.255.0

Setting up the Windows XP machine is much easier because it only needs one network adapter (vnmnet2):

Virtual network adapterVmnet2 (internal network)Host-only (connect VMs internally in a private network)YesConnect a host virtual adapter to this networkNoUse local DHCP service to distribute IP addresses to VMsYesSubnet IP172.16.255.0Subnet mask255.255.255.0

Once completed, your setup should look like this:

Now that we've done the heavy lifting, it's time to have some fun:

  1. Use Metasploit Pro to discover the Windows Server 2003 machine's external IP address.
  2. Exploit the host to get a session.
  3. Click on Create VPN Pivot from Sessions dialog. This option is only enabled if the shelled machine has a second IP address in a network segment that's not directly accessible by Metasploit Pro.
  4. Choose the 172.16.255.x network. (VMware's local DHCP service should automatically give you an IP address, if not just specify one manually).

  5. At this point, the layer 2 traffic from the Metasploit Pro machine is routed into the internal network. It's very much like you just connected to the target's corporate VPN, hence the name VPN pivoting.  Unlike other, proxy-based pivoting technologies, Metasploit Pro doesn't have any networking limitations, so you could also use a vulnerability scanner, such as NeXpose, to carry out an advanced discovery.

  6. Run another discovery specifying the network.
  7. Have your face melt when you see that the Windows XP machine appears in your hosts list! Huzzah!

Take some time to browse around the Windows 2003 server – you won't find a trace of the pivot. Essentially, you are now performing an internal penetration test from the outside. Pretty incredible, right?