Metasploit mailing list archives

Pentesting through FW, advice needed


From: ron at skullsecurity.net (Ron)
Date: Tue, 29 Jul 2008 08:15:14 -0500

Depending on how their firewall is configured, and what kind of payload 
you want, you can likely use a couple of netcat relays to bounce through 
host B.

Start up a netcat relay (listener) on your attack machine (and poke a 
hole in your own firewall to let it through). Then start up a netcat 
relay on the host, connecting one end to the host/port you want to 
attempt to exploit and the other back to your own relay.

Then do the same thing for the payload (might be able to get around that 
requirement by using the 'ord' payload, but I'm not sure?).

Run the exploit through the relay, and there you go.

This assumes, of course, that you either have or can compile netcat on 
the target machine. Your mileage may vary on that. :)

Giorgio Casali wrote:
Hi all, during a pentest I managed to shovel an unprivileged php
reverse shell on a NATed host (host B) behind a checkpoint FW-1.

I then noticed there are several potential targets reachable only from
host B. I was wondering if there was a method to exploit them from my
pc (behind another FW that I manage) directly, without the need of
uploading metasploit on host B and exploiting the targets from there.

I was thinking about creating a custom payload with a correct handler,
but don't know well how to use the payload generated by msfpayload.

Thanks in advance,

G.C.
_______________________________________________
http://spool.metasploit.com/mailman/listinfo/framework
