How to Use Nmap with Meterpreter

You’ve sent your phishing ruse, the target has run the Meterpreter payload, and you have shell on their system. Now what? If you follow our blogs, you probably have quite a few ideas! One thing that I don’t typically do is port scan other systems on the network. There are a few reasons for this. Port scanning is quite noisy, many IDS packages are set to quickly alert on these activities, and most of the time it isn’t needed to achieve my goals. Regardless, let’s say that you do find yourself in a situation where you do need to find services on other systems. Maybe you’re on a segmented network, you’ve gained shell on a jump host, and now you want to explore the new world that has just opened up to you. There are a few options out there that you can utilize.

Metasploit has a few built-in scanner modules that you can use after you’ve achieved a Meterpreter session on a system. You just add a route in Metasploit to tunnel traffic through your session, provide the scanning module with the addresses that you’d like to scan, kick off the scanner, and then wait for the results. In my experience, I’ve had varying mileage when using this. Sometimes the feedback can be a bit lacking and the results aren’t always consistent. This could very well just be user error. Even with that in mind, I prefer to have a bit more flexibility than what the modules provide.

Wouldn’t it be great if we could use something like Nmap to do our scanning? Well, guess what? We can! We’ll utilize a combination of tools and features to get this quickly up and running [1]. The first step is to get a Meterpreter session on a system.

Once you’ve done that, add a route to tunnel traffic that is destined for your target subnet through your session.

Next, hop into the auxiliary/server/socks4a Metasploit module, set your srvport to 1090, and run the module. You could choose a different port, this is just the one that I chose to use. This will setup a SOCKS proxy-listener on your local system. The SOCKS proxy will be aware of the routes that you’ve added in Metasploit. Any traffic going through this proxy that has a destination address that is within the subnet route(s) that you’ve added will automatically be routed through the corresponding Meterpreter session.

Open another terminal on the same machine that you’re using to run Metasploit and install the proxychains package if you don’t already have it. For instance, on Ubuntu or Debian:

apt-get install proxychains

Now, use your favorite editor to open up the /etc/proxychains.conf file. Head to the bottom of the file and edit the last line to look like the image below.

Head back to your terminal and you’re ready to start scanning! I’ve found that the Syn scan and Ping Discovery options in Nmap don’t seem to work the best via proxychains. I suggest running Nmap with the -sT and -Pn options when using the proxychains method. The image below shows how to kick off a scan against a subnet on the target network that checks for some commonly-used ports, outputs the status to the screen, and saves the results in multiple formats that can easily be parsed later.

[1] https://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot

Follow Brian on Twitter @fullmetalcache