# Port Forwarding

## Pivoting with Metasploit

Four steps, after a shell on a remote host has been obtained:

1. autoroute from meterpreter
2. socks proxy from msfconsole
3. modify /etc/proxychains.conf
4. proxychains

#### Step 1

From a meterpreter session on the compromised machine:

```
meterpreter > run autoroute -s 172.16.2.0/24

[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
[*] Adding a route to 172.16.2.0/255.255.255.0...
[+] Added route to 172.16.2.0/255.255.255.0 via 10.10.110.3
[*] Use the -p option to list all active routes
meterpreter > run autoroute -p

[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]

Active Routing Table
====================

   Subnet             Netmask            Gateway
   ------             -------            -------
   172.16.2.0         255.255.255.0      Session 4

```

In the example above, the compromised machine is 172.16.1.20, which sits in the 172.16.1.0/24 subnet. The route we added is for the 172.16.2.0/24 subnet, which is the network we are trying to reach.

#### Step 2

Background the meterpreter session and load the SOCKS proxy module:

```
use auxiliary/server/socks4a
```

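Set SRVHOST to your (attacking) IP address. SOCKS4a has no authentication, so anything that can reach this address and port can use the proxy.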

```
meterpreter > background
[*] Backgrounding session 4...
msf5 exploit(windows/smb/psexec) > use auxiliary/server/socks4a
msf5 auxiliary(server/socks4a) > show options

Module options (auxiliary/server/socks4a):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The address to listen on
   SRVPORT  1080             yes       The port to listen on.


Auxiliary action:

   Name   Description
   ----   -----------
   Proxy  Run SOCKS4a proxy


msf5 auxiliary(server/socks4a) > set SRVHOST 10.10.14.6
SRVHOST => 10.10.14.6
msf5 auxiliary(server/socks4a) > run

```

#### Step 3

Modify /etc/proxychains.conf so that the socks4 entry points to your IP address and port, as specified by SRVHOST and SRVPORT in Metasploit.

```
#socks4 	127.0.0.1 9050
socks4 10.10.14.6 1080

# In this example, 10.10.14.6 is the IP of the Kali machine.
```

#### Step 4

Run nmap (or other tools) through proxychains:

```
proxychains nmap 172.16.2.101
```
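
For the defender's side of steps 2 to 4: the request a SOCKS4/SOCKS4a client sends to the proxy is unauthenticated and unencrypted, so the destination it asks for can be read straight out of captured traffic. The parser below is an added example, not part of the original page or of Metasploit; the function names, the monitored range and the sample payloads are constructed for illustration.

```python
import ipaddress
import struct

def parse_socks4_request(data: bytes):
    """Parse a SOCKS4/SOCKS4a client request; return a dict, or None if not SOCKS4."""
    # Fixed header: VN=4, CD (1=CONNECT, 2=BIND), DSTPORT (2 bytes), DSTIP (4 bytes).
    if len(data) < 9 or data[0] != 0x04 or data[1] not in (1, 2):
        return None
    port = struct.unpack("!H", data[2:4])[0]
    ip = ipaddress.IPv4Address(data[4:8])
    # USERID is a NUL-terminated string right after the 8-byte fixed header.
    end_user = data.find(b"\x00", 8)
    if end_user == -1:
        return None
    req = {
        "command": "CONNECT" if data[1] == 1 else "BIND",
        "port": port,
        "dest": str(ip),
        "userid": data[8:end_user].decode("ascii", "replace"),
        "socks4a": False,
    }
    # SOCKS4a signals "proxy resolves the name" with DSTIP 0.0.0.x (x != 0)
    # and appends a NUL-terminated hostname after USERID.
    if data[4:7] == b"\x00\x00\x00" and data[7] != 0:
        end_host = data.find(b"\x00", end_user + 1)
        if end_host == -1:
            return None
        req["dest"] = data[end_user + 1:end_host].decode("ascii", "replace")
        req["socks4a"] = True
    return req

def is_internal_target(req, internal_nets):
    """True when the requested destination IP falls inside a monitored range."""
    try:
        addr = ipaddress.ip_address(req["dest"])
    except ValueError:
        return False  # hostname (SOCKS4a); resolve it separately if needed
    return any(addr in ipaddress.ip_network(n) for n in internal_nets)

# Constructed samples: first bytes of a TCP stream sent to a listener on port 1080.
SAMPLE_V4 = b"\x04\x01\x00\x50" + bytes([172, 16, 2, 101]) + b"\x00"
SAMPLE_V4A = b"\x04\x01\x01\xbb\x00\x00\x00\x01" + b"\x00" + b"files.example.internal\x00"
SAMPLE_TLS = b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc"  # not SOCKS4

if __name__ == "__main__":
    for payload in (SAMPLE_V4, SAMPLE_V4A, SAMPLE_TLS):
        req = parse_socks4_request(payload)
        print(req, req is not None and is_internal_target(req, ["172.16.2.0/24"]))
```
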

## Pivoting with sshuttle

sshuttle creates an easy-to-use, VPN-like connection for pivoting across networks. The command format is:

```
# sshuttle -vr USER@PIVOT_IP_ADDRESS NETWORK/CIDR

sshuttle -vr user@10.10.110.162 172.16.3.0/24
```


