Using the pivot

Sometimes we need to jump from one network to another, either because of network segregation or to get past a firewall. This is called a pivot. Pivots differ between operating systems, so the Metasploit modules you need may differ as well. Here, we will pivot from a Windows machine. On a segregated network, the machine we need to attack is the one that has an interface on both networks. Sometimes this can be found in your network probes, from the system information leaked by RPC or SNMP probes. Sometimes machine names give it away: if there is a machine named JumpBox, that is the one you want.

Hacker Tip

Whenever possible, avoid giving your machines transparent names such as Jumpbox-2, Mail-1, or HTTP-2003. A good naming convention that your administrators know well can help you make a cracker's life more difficult.
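The two points above, finding the dual-homed host that bridges two segments and spotting role-revealing hostnames, can be checked from a defender's own inventory. The following is an added example, not code from the book; the inventory and the 192.168.50.0/24 segment are constructed sample data, and the role-word list is an assumption to tune per environment.

```python
"""Audit a host/interface inventory for pivot exposure.

Flags (1) dual-homed hosts, machines with interfaces in more than one
subnet (the pivot candidates described in the text), and (2) hostnames
that give away their role (the pattern the Hacker Tip warns about).
"""
import ipaddress
import re

# Constructed inventory: hostname -> interface addresses in CIDR form.
# 10.100.0.0/24 is the network from the text; 192.168.50.0/24 is made up.
INVENTORY = {
    "BO-SRV2": ["10.100.0.12/24", "192.168.50.12/24"],
    "JumpBox": ["10.100.0.40/24", "192.168.50.40/24"],
    "WS-0417": ["10.100.0.77/24"],
    "Mail-1": ["192.168.50.25/24"],
    "HTTP-2003": ["10.100.0.80/24", "10.100.0.81/24"],  # two IPs, one subnet
}

# Role-revealing name fragments (assumption: extend for your environment).
ROLE_WORDS = re.compile(r"(jump|mail|http|web|dc|sql|vpn|fw|bastion)", re.I)


def dual_homed(inventory):
    """Return {host: sorted subnets} for hosts bridging two or more subnets."""
    result = {}
    for host, addrs in inventory.items():
        nets = {str(ipaddress.ip_interface(a).network) for a in addrs}
        if len(nets) > 1:  # a second IP in the same subnet is not a bridge
            result[host] = sorted(nets)
    return result


def transparent_names(inventory):
    """Return hostnames whose name reveals a role, sorted."""
    return sorted(h for h in inventory if ROLE_WORDS.search(h))


def bridges_between(inventory, net_a, net_b):
    """Hosts with an interface on both net_a and net_b: the pivot path."""
    a, b = ipaddress.ip_network(net_a), ipaddress.ip_network(net_b)
    hits = [h for h, addrs in inventory.items()
            if {a, b} <= {ipaddress.ip_interface(x).network for x in addrs}]
    return sorted(hits)


if __name__ == "__main__":
    for host, nets in dual_homed(INVENTORY).items():
        print(f"dual-homed pivot candidate: {host} -> {', '.join(nets)}")
    print("role-revealing names:", transparent_names(INVENTORY))
```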

Below, we see the layout of our attack. Even if you are not a "visual person," you have to consider that the methodology you use to test a network should be well-documented for your presentation to the client or to present in court. It will also help you later, when you have tested 200 networks and you are asked to go back and check one for its quarterly checkup. The sketch doesn't have to be anything fancy, but it gives you a lot of information at a glance.

The following drawing is done with Solidworks DraftSight, which is a program similar to AutoCAD. CAD may not be the best choice for you if you do not have an engineering background. If you want a nice simple diagram-creation application that is available for Linux distros, you can get Dia in a few seconds. It is not installed on the default Kali instance. To get your copy, type:

apt-get -y install dia

It is simple and easy to use.

Mapping the network to pivot

We are coming in from the 10.100.0.0/24 network. You can also use this for firewall egress. If the address for BO-SRV2 were a public address, this would work just as well, and even if it were protected by a firewall, NAT would still allow the exploit and the pivot. The firewall will handle the translation and you will be on the 10.100.0.0/24 network.

The following diagram shows the traversal of the firewall. Comparing the two diagrams, you can see that the exploit path is basically the same and you are just passing through another device. The actual attack is still on BO-SRV2.

Mapping the network to pivot