metasploit

Internal Network Scanning with Metasploit

Once a system is compromised, internal network scanning helps identify other potential targets, open ports, and services for lateral movement. Using Metasploit, you can conduct reconnaissance within the compromised network by setting up an IP route, scanning for open ports, and forwarding traffic for deeper exploitation.

---

Step 1: Set an Internal IP Route

Routes internal network traffic through the compromised machine, allowing for internal scans.

run autoroute -s IP_RANGE

• The autoroute module adds a network route to the target subnet (10.0.16.0/20).

• Enables access to other internal systems through the compromised machine.

---

Step 2: Background the Session

Moves the Meterpreter session to the background for multi-tasking.

background

---

Step 3: Perform a TCP Port Scan

Uses the Metasploit auxiliary scanner to enumerate open ports on a target machine.

use auxiliary/scanner/portscan/tcp
set RHOSTS demo2.ine.local
set PORTS 1-100
exploit

• RHOSTS: Specifies the target internal domain or IP range.

• PORTS: Scans ports 1-100 for open services.

---

Step 4: Forward a Port for External Access

Once an internal service is identified, you can port forward it to access it externally.

1. Interact with the active session:

   sessions -i 1

2. Forward the discovered service from the internal network:

   portfwd add -l <PORT> -p 80 -r [DISCOVERED_IP]

   Note: Do not close msfconsole.

3. Verify active port forwarding rules:

   portfwd list

---

Step 5: Scan the Forwarded Port Using Nmap

Once port forwarding is set up, use Nmap to scan the forwarded service:

nmap -sV -sS -p <PORT> localhost