Multi Manage Network Route via Meterpreter Session - Metasploit
This page contains detailed information about how to use the post/multi/manage/autoroute metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: Multi Manage Network Route via Meterpreter Session
Module: post/multi/manage/autoroute
Source code: modules/post/multi/manage/autoroute.rb
Disclosure date: -
Last modification time: 2021-10-06 13:43:31 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: -
Target network port(s): -
List of CVEs: -
This module manages session routing via an existing Meterpreter session. It enables other modules to 'pivot' through a compromised host when connecting to the named NETWORK and SUBMASK. Autoadd will search a session for valid subnets from the routing table and interface list then add routes to them. Default will add a default route so that all TCP/IP traffic not specified in the MSF routing table will be routed through the session when pivoting. See documentation for more 'info -d' and click 'Knowledge Base'
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Basic Usage
There are two ways to execute this post module.
From the Meterpreter prompt
The first is by using the "run" command at the Meterpreter prompt. It allows you to run the post module against that specific session:
meterpreter > run post/multi/manage/autoroute
From the msf prompt
The second is by using the "use" command at the msf prompt. You will have to figure out which session ID to set manually. To list all session IDs, you can use the "sessions" command.
msf > use post/multi/manage/autoroute
msf post(autoroute) > show options
... show and set options ...
msf post(autoroute) > set SESSION session-id
msf post(autoroute) > exploit
If you wish to run the post against all sessions from framework, here is how:
1 - Create the following resource script:
framework.sessions.each_pair do |sid, session|
run_single("use post/multi/manage/autoroute")
run_single("set SESSION #{sid}")
run_single("run")
end
2 - At the msf prompt, execute the above resource script:
msf > resource path-to-resource-script
Required Options
- SESSION: The session to run this module on.
Knowledge Base
Overview
This module is used to add routes associated with the specified Meterpreter session to Metasploit's routing table. These routes can be used to pivot to private networks and resources that can be accessed by the compromised machine. This module can search for routes and add them automatically. Routes can also be added manually, deleted, or displayed.
CMD Options
This module has several command "CMD" options that are used to control the module's behavior.
autoadd
This is the default behavior for this module. When this CMD option is used, the module searches the compromised machine's routing table and network interface list looking for networks that the machine can access. Once found, the module automatically adds routes to the networks to Metasploit's routing table. Duplicate routes from new sessions are not added.
add
This CMD option is used to manually add routes to Metasploit's routing table. An IPv4 subnet and netmask (IPv4 or CIDR) are required to add routes manually. The session number of the Meterpreter session to run the module on is also required.
Subnet Example set SUBNET 192.168.1.0
Netmask Examples set NETMASK 255.255.255.0
or set NETMASK /24
delete
This CMD option is used to remove a route from Metasploit's routing table. The IPv4 subnet and netmask (IPv4 or CIDR) of the route to be removed are required. The session number of the Meterpreter session to run the module on is also required. Use route print
or the print CMD option to display the current Metasploit routing table.
To remove all routes associated with the specified session, use CMD delete and leave the subnet option blank.
This CMD option is used to display Metasploit's routing table. This option has the same functionality as the route print
command.
default
This CMD option is used to add a default route to Metasploit's routing table that routes all TCP/IP traffic; not otherwise covered in other routes, through the specified session when pivoting.
Use this option with caution.
This option is useful in special situations. An example would be when the compromised host is using a full traffic VPN where the VPN server does the routing to private networks. In this case, the routing table of the compromised host would likely not have entries for these private networks. Adding a default route would push the routing off to the VPN server, and those networks would likely become accessible.
Additionally, the default route combined with a Socks proxy server and Proxychains can be used to browse the Internet as the compromised host. Instructions for this are below.
Pivoting
Once routes are established, Metasploit modules can access the IP range specified in the routes. Scans and exploits can be directed at machines that would otherwise be unreachable from the outside. For other applications to access the routes, a little bit more setup is necessary. This involves setting up the Socks4a Metasploit module and using Proxychains in conjunction with the other applications.
Socks 4a Server Module Setup
Metasploit can launch a Socks 4a Proxy server using the module: auxiliary/server/socks4a. When set up to bind to a local loopback adapter, applications can be directed to use the proxy to route TCP/IP traffic through Metasploit's routing tables. Below are the steps to initiate this module.
use auxiliary/server/socks4a
set SRVHOST 127.0.0.1
set SRVPORT 1080
exploit -j
Proxychains Setup
First, make sure that you have Proxychains.
sudo apt-get update
sudo apt-get install proxychains
Now edit the Proxychains configuration file located at /etc/proxychains.conf. Add the below line to the end of the file to set Proxychains to use the Socks 4a server that you just set up.
socks4 127.0.0.1 1080
Note: If there are other proxy entries in the configuration file, you may need to comment them out as they may interfere with proper routing.
Using Proxychains
Now you can combine Proxychains with other application like Nmap, Nessus, Firefox and more to scan or access machines and resources through the Metasploit routes. All you need to do is call proxychains before the needed application. No need to change the proxy settings in Firefox of Iceweasel.
$ proxychains firefox
Scanning
For scanning with Nmap, Zenmap, Nessus and others, keep in mind that ICMP and UPD traffic cannot tunnel through the proxy. So you cannot perform ping or UDP scans.
For Nmap and Zenmap, the below example shows the commands can be used. It is best to be selective on ports to scan since scanning through the proxy tunnel can be slow.
$ sudo proxychains nmap -n -sT -sV -PN -p 445 10.10.125.0/24
Combined With Default Route
Using the default route option along with the Socks proxy and Proxychains, you can browse the internet as the compromised host. This is possible because adding a default route to a Meterpeter session will cause all TCP/IP traffic; that is not otherwise specified in Metasploit's routing table, to route through that session. This is easy to set up and test.
You need a Windows Meterpreter session on a host that has a different public IP address than your attacking machine.
First set up a default route for the Meterpreter session.
meterpreter > run post/multi/manage/autoroute CMD=default
or
msf > use post/multi/manage/autoroute
msf post(autoroute) > set SESSION session-id
msf post(autoroute) > set CMD default
msf post(autoroute) > exploit
Then open Firefox or Iceweasel without invoking Proxychains.
$ firefox
Go to www.ipchicken.com
This displays your current public IP address. The one that is logged when you visit a website.
Now open Firefox or Iceweasel with Proxychains.
$ proxychains firefox
Go to www.ipchicken.com
Now you will see the public IP address of the compromised host. You are essentially using the compromised host as a proxy to browse the Internet.
This does not guarantee anonymity! Your browser, and its setting may still give you away.
Go back to menu.
Msfconsole Usage
Here is how the multi/manage/autoroute post exploitation module looks in the msfconsole:
msf6 > use post/multi/manage/autoroute
msf6 post(multi/manage/autoroute) > show info
Name: Multi Manage Network Route via Meterpreter Session
Module: post/multi/manage/autoroute
Platform:
Arch:
Rank: Normal
Provided by:
todb <[email protected]>
Josh Hale "sn0wfa11" <[email protected]>
Compatible session types:
Meterpreter
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
CMD autoadd yes Specify the autoroute command (Accepted: add, autoadd, print, delete, default)
NETMASK 255.255.255.0 no Netmask (IPv4 as "255.255.255.0" or CIDR as "/24"
SESSION yes The session to run this module on.
SUBNET no Subnet (IPv4, for example, 10.10.10.0)
Description:
This module manages session routing via an existing Meterpreter
session. It enables other modules to 'pivot' through a compromised
host when connecting to the named NETWORK and SUBMASK. Autoadd will
search a session for valid subnets from the routing table and
interface list then add routes to them. Default will add a default
route so that all TCP/IP traffic not specified in the MSF routing
table will be routed through the session when pivoting. See
documentation for more 'info -d' and click 'Knowledge Base'
Module Options
This is a complete list of options available in the multi/manage/autoroute post exploitation module:
msf6 post(multi/manage/autoroute) > show options
Module options (post/multi/manage/autoroute):
Name Current Setting Required Description
---- --------------- -------- -----------
CMD autoadd yes Specify the autoroute command (Accepted: add, autoadd, print, delete, default)
NETMASK 255.255.255.0 no Netmask (IPv4 as "255.255.255.0" or CIDR as "/24"
SESSION yes The session to run this module on.
SUBNET no Subnet (IPv4, for example, 10.10.10.0)
Advanced Options
Here is a complete list of advanced options supported by the multi/manage/autoroute post exploitation module:
msf6 post(multi/manage/autoroute) > show advanced
Module advanced options (post/multi/manage/autoroute):
Name Current Setting Required Description
---- --------------- -------- -----------
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
Post Actions
This is a list of all post exploitation actions which the multi/manage/autoroute module can do:
msf6 post(multi/manage/autoroute) > show actions
Post actions:
Name Description
---- -----------
Evasion Options
Here is the full list of possible evasion options supported by the multi/manage/autoroute post exploitation module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 post(multi/manage/autoroute) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
Go back to menu.
Error Messages
This module may fail with the following error messages:
- No routes associated with this session to delete.
- There are currently no routes defined.
- There are currently no IPv4 routes defined.
- There are currently no IPv6 routes defined.
- Could not add route to subnet <SUBNET>/<NETMASK><ORIGIN>.
- Could not add route to subnet <SUBNET>/<NETMASK><ORIGIN>.
- <RE.CLASS> <RE.MESSAGE>n<VALUE>
- Could not remove route to subnet <SUBNET>/<NETMASK>
- <RE.CLASS> <RE.MESSAGE>n<VALUE>
- Unable to get routes from session, trying interface list.
- Did not find any new subnets to add.
- Unable to get interface information from session.
- Session is not yet fully established. Try again in a bit.
- Missing subnet option
- Subnet invalid (must be IPv4)
- Netmask invalid (must define contiguous IP addressing)
- Netmask invalid
Check for the possible causes from the code snippets below found in the module source code. This can often times help in identifying the root cause of the problem.
No routes associated with this session to delete.
Here is a relevant code snippet related to the "No routes associated with this session to delete." error message:
107: end
108: break if count == 0
109: end
110: print_status("Deleted all routes")
111: else
112: print_status("No routes associated with this session to delete.")
113: end
114: end
115:
116: # Print all of the active routes defined on the framework
117: #
There are currently no routes defined.
Here is a relevant code snippet related to the "There are currently no routes defined." error message:
172:
173: # Print Route Tables
174: print_status(tbl_ipv4.to_s) if tbl_ipv4.rows.length > 0
175: print_status(tbl_ipv6.to_s) if tbl_ipv6.rows.length > 0
176: if (tbl_ipv4.rows.length + tbl_ipv6.rows.length) < 1
177: print_status("There are currently no routes defined.")
178: elsif (tbl_ipv4.rows.length < 1) && (tbl_ipv6.rows.length > 0)
179: print_status("There are currently no IPv4 routes defined.")
180: elsif (tbl_ipv4.rows.length > 0) && (tbl_ipv6.rows.length < 1)
181: print_status("There are currently no IPv6 routes defined.")
182: end
There are currently no IPv4 routes defined.
Here is a relevant code snippet related to the "There are currently no IPv4 routes defined." error message:
174: print_status(tbl_ipv4.to_s) if tbl_ipv4.rows.length > 0
175: print_status(tbl_ipv6.to_s) if tbl_ipv6.rows.length > 0
176: if (tbl_ipv4.rows.length + tbl_ipv6.rows.length) < 1
177: print_status("There are currently no routes defined.")
178: elsif (tbl_ipv4.rows.length < 1) && (tbl_ipv6.rows.length > 0)
179: print_status("There are currently no IPv4 routes defined.")
180: elsif (tbl_ipv4.rows.length > 0) && (tbl_ipv6.rows.length < 1)
181: print_status("There are currently no IPv6 routes defined.")
182: end
183: end
184:
There are currently no IPv6 routes defined.
Here is a relevant code snippet related to the "There are currently no IPv6 routes defined." error message:
176: if (tbl_ipv4.rows.length + tbl_ipv6.rows.length) < 1
177: print_status("There are currently no routes defined.")
178: elsif (tbl_ipv4.rows.length < 1) && (tbl_ipv6.rows.length > 0)
179: print_status("There are currently no IPv4 routes defined.")
180: elsif (tbl_ipv4.rows.length > 0) && (tbl_ipv6.rows.length < 1)
181: print_status("There are currently no IPv6 routes defined.")
182: end
183: end
184:
185: # Validation check on an IPv4 address
186: #
Could not add route to subnet <SUBNET>/<NETMASK><ORIGIN>.
Here is a relevant code snippet related to the "Could not add route to subnet <SUBNET>/<NETMASK><ORIGIN>." error message:
239: begin
240: if Rex::Socket::SwitchBoard.add_route(subnet, netmask, session)
241: print_good("Route added to subnet #{subnet}/#{netmask}#{origin}.")
242: return true
243: else
244: print_error("Could not add route to subnet #{subnet}/#{netmask}#{origin}.")
245: return false
246: end
247: rescue ::Rex::Post::Meterpreter::RequestError => re
248: print_error("Could not add route to subnet #{subnet}/#{netmask}#{origin}.")
249: print_error("#{re.class} #{re.message}\n#{re.backtrace * "\n"}")
Could not add route to subnet <SUBNET>/<NETMASK><ORIGIN>.
Here is a relevant code snippet related to the "Could not add route to subnet <SUBNET>/<NETMASK><ORIGIN>." error message:
243: else
244: print_error("Could not add route to subnet #{subnet}/#{netmask}#{origin}.")
245: return false
246: end
247: rescue ::Rex::Post::Meterpreter::RequestError => re
248: print_error("Could not add route to subnet #{subnet}/#{netmask}#{origin}.")
249: print_error("#{re.class} #{re.message}\n#{re.backtrace * "\n"}")
250: return false
251: end
252: end
253:
<RE.CLASS> <RE.MESSAGE>n<VALUE>
Here is a relevant code snippet related to the "<RE.CLASS> <RE.MESSAGE>n<VALUE>" error message:
244: print_error("Could not add route to subnet #{subnet}/#{netmask}#{origin}.")
245: return false
246: end
247: rescue ::Rex::Post::Meterpreter::RequestError => re
248: print_error("Could not add route to subnet #{subnet}/#{netmask}#{origin}.")
249: print_error("#{re.class} #{re.message}\n#{re.backtrace * "\n"}")
250: return false
251: end
252: end
253:
254: # This function removes a route to the framework routing table
Could not remove route to subnet <SUBNET>/<NETMASK>
Here is a relevant code snippet related to the "Could not remove route to subnet <SUBNET>/<NETMASK>" error message:
261: # @return [false] If not
262: def delete_route(subnet, netmask)
263: begin
264: Rex::Socket::SwitchBoard.remove_route(subnet, netmask, session)
265: rescue ::Rex::Post::Meterpreter::RequestError => re
266: print_error("Could not remove route to subnet #{subnet}/#{netmask}")
267: print_error("#{re.class} #{re.message}\n#{re.backtrace * "\n"}")
268: return false
269: end
270: end
271:
<RE.CLASS> <RE.MESSAGE>n<VALUE>
Here is a relevant code snippet related to the "<RE.CLASS> <RE.MESSAGE>n<VALUE>" error message:
262: def delete_route(subnet, netmask)
263: begin
264: Rex::Socket::SwitchBoard.remove_route(subnet, netmask, session)
265: rescue ::Rex::Post::Meterpreter::RequestError => re
266: print_error("Could not remove route to subnet #{subnet}/#{netmask}")
267: print_error("#{re.class} #{re.message}\n#{re.backtrace * "\n"}")
268: return false
269: end
270: end
271:
272: # This function will exclude loopback, multicast, and default routes
Unable to get routes from session, trying interface list.
Here is a relevant code snippet related to the "Unable to get routes from session, trying interface list." error message:
308: if !Rex::Socket::SwitchBoard.route_exists?(subnet, route.netmask)
309: found = true if add_route(subnet, route.netmask, "host's routing table")
310: end
311: end
312: rescue ::Rex::Post::Meterpreter::RequestError => re
313: print_status("Unable to get routes from session, trying interface list.")
314: end
315:
316: if !autoadd_interface_routes && !found # Check interface list for more possible routes
317: print_status("Did not find any new subnets to add.")
318: end
Did not find any new subnets to add.
Here is a relevant code snippet related to the "Did not find any new subnets to add." error message:
312: rescue ::Rex::Post::Meterpreter::RequestError => re
313: print_status("Unable to get routes from session, trying interface list.")
314: end
315:
316: if !autoadd_interface_routes && !found # Check interface list for more possible routes
317: print_status("Did not find any new subnets to add.")
318: end
319: end
320:
321: # Look at network interfaces as options for additional routes.
322: # If the routes are not already included they will be added.
Unable to get interface information from session.
Here is a relevant code snippet related to the "Unable to get interface information from session." error message:
345: end
346: end
347: end
348: end
349: rescue ::Rex::Post::Meterpreter::RequestError => error
350: print_error("Unable to get interface information from session.")
351: end
352: return found
353: end
354:
355: # Take an IP address and a netmask and return the appropreate subnet "Network"
Session is not yet fully established. Try again in a bit.
Here is a relevant code snippet related to the "Session is not yet fully established. Try again in a bit." error message:
428: #
429: # @return [true class] Session is good
430: # @return [false class] Session is not
431: def session_good?
432: if !session.info
433: print_error("Session is not yet fully established. Try again in a bit.")
434: return false
435: end
436: return true
437: end
438:
Missing subnet option
Here is a relevant code snippet related to the "Missing subnet option" error message:
458: #
459: # @return [true class] Everything is good
460: # @return [false class] Not so much
461: def validate_cmd(subnet = nil, netmask = nil)
462: if subnet.nil?
463: print_error "Missing subnet option"
464: return false
465: end
466:
467: unless (check_ip(subnet))
468: print_error "Subnet invalid (must be IPv4)"
Subnet invalid (must be IPv4)
Here is a relevant code snippet related to the "Subnet invalid (must be IPv4)" error message:
463: print_error "Missing subnet option"
464: return false
465: end
466:
467: unless (check_ip(subnet))
468: print_error "Subnet invalid (must be IPv4)"
469: return false
470: end
471:
472: if (netmask and !(Rex::Socket.addr_atoc(netmask)))
473: print_error "Netmask invalid (must define contiguous IP addressing)"
Netmask invalid (must define contiguous IP addressing)
Here is a relevant code snippet related to the "Netmask invalid (must define contiguous IP addressing)" error message:
468: print_error "Subnet invalid (must be IPv4)"
469: return false
470: end
471:
472: if (netmask and !(Rex::Socket.addr_atoc(netmask)))
473: print_error "Netmask invalid (must define contiguous IP addressing)"
474: return false
475: end
476:
477: if (netmask and !check_ip(netmask))
478: print_error "Netmask invalid"
Netmask invalid
Here is a relevant code snippet related to the "Netmask invalid" error message:
473: print_error "Netmask invalid (must define contiguous IP addressing)"
474: return false
475: end
476:
477: if (netmask and !check_ip(netmask))
478: print_error "Netmask invalid"
479: return false
480: end
481: return true
482: end
483: end
Go back to menu.
Related Pull Requests
- #12673 Merged Pull Request: Fix call to method in null object in rpc_creds method
- #8716 Merged Pull Request: Print_Status -> Print_Good (And OCD bits 'n bobs)
- #8221 Merged Pull Request: move autoroute to a more sensible location
Go back to menu.
See Also
Check also the following modules related to this module:
- post/multi/manage/dbvis_add_db_admin
- post/multi/manage/dbvis_query
- post/multi/manage/fileshare
- post/multi/manage/hsts_eraser
- post/multi/manage/multi_post
- post/multi/manage/open
- post/multi/manage/play_youtube
- post/multi/manage/record_mic
- post/multi/manage/screensaver
- post/multi/manage/screenshare
- post/multi/manage/set_wallpaper
- post/multi/manage/shell_to_meterpreter
- post/multi/manage/sudo
- post/multi/manage/system_session
- post/multi/manage/upload_exec
- post/multi/manage/zip
Authors
- todb
- Josh Hale "sn0wfa11" <jhale85446[at]gmail.com>
Version
This page has been produced using Metasploit Framework version 6.1.24-dev. For more modules, visit the Metasploit Module Library.
Go back to menu.