Mapping the Internal Network

The attacker has compromised a host on the target network, escalated privileges, installed a backdoor on the target machine, and harvested important data. What is left is to discover other hosts on the internal network so that he can exploit them and penetrate the network further.
We will use Armitage for this exercise, as it makes the postexploitation process, especially "pivoting," easier for us. The same can be done from Metasploit, but for the sake of simplicity and demonstration, I will use Armitage.

So we will assume another scenario where we have already compromised a box on the target network with SYSTEM privileges, having the IP 172.16.222.156.
Ethical Hacking and Penetration Testing Guide

Finding Network Information

Our first step would be to take note of things such as the IP address and the default gateway of the target. We can do that with the ipconfig command in Windows and the ifconfig command in Linux.
Since here we have compromised a Windows machine on the network, we will use the ipconfig command to display the information about the network interface card.

We can also use the "route print" command to view information about the routing table. The same command works for Linux too.
So in this case we come to know that the subnet mask of the victim is 255.255.255.0 and the default gateway is 172.16.222.2. This information will be useful when we proceed to the next steps.
Identifying Further Targets

Now we need to identify further targets on the network. We can use a meterpreter script called "ARP_Scanner," which will perform an ARP scan to determine the other hosts on that network. The scanner works by sending ARP requests on the network and noting which hosts send an ARP reply.

To launch it, select "ARP Scan" from the meterpreter menu.

The ARP Scanner has automatically suggested that we scan the whole range 172.16.222.0–255. You can define your own ranges or choose a different subnet mask if your target has a different one.
In some time the ARP scan will finish and detect all the other hosts on the same network. We will now try exploiting other targets to penetrate the network further.