Portfwd

From Metasploit Unleashed

The portfwd command from within the Meterpreter shell is most commonly used as a pivoting technique, allowing direct access to machines that are otherwise inaccessible from the attacking system. Running this command on a compromised host that has access to both the attacker's network and the destination network (or system), we can forward TCP connections through that host, effectively turning it into a pivot point. Much like the port forwarding technique used with an SSH connection, portfwd relays TCP connections to and from the connected machines.


Help

From an active Meterpreter session, typing portfwd -h will display the command's various options and arguments.

Figure 1: Help banner

Options

-L: Use to specify the listening host. Unless you need the forwarding to occur on a specific network adapter you can omit this option. If none is entered, 0.0.0.0 will be used.
-h: Displays the above information.
-l: This is the local port which will listen on the attacking machine. Connections to this port will be forwarded to the remote system.
-p: The port on the remote system to which TCP connections will be forwarded.
-r: The IP address the connections are relayed to (target).


Arguments

Add: This argument is used to create the forwarding.
Delete: This will delete a previous entry from our list of forwarded ports.
List: This will list all ports currently forwarded.
Flush: This will delete all ports from our forwarding list.

Syntax

Add

From the Meterpreter shell the command is used in the following manner:

meterpreter > portfwd add -l 3389 -p 3389 -r <target host>

"add" will add the port forwarding to the list, and will essentially create a tunnel for us. Please note, this tunnel also exists outside the Metasploit console, making it available to any terminal session.

"-l 3389" is the local port that will be listening and forwarded to our target. This can be any port on your machine, as long as it is not already in use.

"-p 3389" is the destination port on our target host.

"-r <target host>" is our targeted system's IP address or hostname.

Figure 2: Adding a port
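To make the mechanism concrete, here is an added Python example (not Meterpreter's or Metasploit's own code) of a minimal TCP relay doing what one "portfwd add" entry does: bind a local listening port, and for every accepted connection open an onward connection to the target and copy bytes in both directions. It self-tests entirely on loopback against a constructed stand-in service; the names portfwd_add and relay_roundtrip are mine.

```python
import socket
import threading

def _pipe(src, dst):
    # Copy src -> dst until src closes, then half-close dst so the peer sees EOF.
    while data := src.recv(4096):
        dst.sendall(data)
    try:
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass  # peer already gone

def _handle(client, rhost, rport):
    # Per accepted connection: connect onward to the target and relay both ways.
    with client, socket.create_connection((rhost, rport), timeout=5) as remote:
        t = threading.Thread(target=_pipe, args=(remote, client), daemon=True)
        t.start()
        _pipe(client, remote)
        t.join()

def portfwd_add(lhost, lport, rhost, rport):
    # Stand-in for 'portfwd add -L lhost -l lport -r rhost -p rport'; returns the bound port.
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((lhost, lport))
    srv.listen(5)
    def accept_loop():
        while True:
            client, _ = srv.accept()
            threading.Thread(target=_handle, args=(client, rhost, rport), daemon=True).start()
    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1]

def relay_roundtrip(payload):
    # Constructed loopback self-test: an uppercasing stand-in for the target service,
    # one forward to it, and a client that talks only to the forwarded local port.
    target = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    target.bind(("127.0.0.1", 0))
    target.listen(1)
    def serve_once():
        conn, _ = target.accept()
        with conn:
            conn.sendall(conn.recv(4096).upper())
    threading.Thread(target=serve_once, daemon=True).start()
    lport = portfwd_add("127.0.0.1", 0, "127.0.0.1", target.getsockname()[1])
    with socket.create_connection(("127.0.0.1", lport), timeout=5) as c:
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)
        return b"".join(iter(lambda: c.recv(4096), b""))
```

The half-close in _pipe is the detail that matters: without it, a relayed session would hang after either side finished sending.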

Delete

Entries are deleted very much like they are added. Once again, from an active Meterpreter session we would type the following:

meterpreter > portfwd delete -l 3389 -p 3389 -r <target host>

Figure 3: Deleting a port

List

This argument needs no options and provides us with a list of currently listening and forwarded ports.

meterpreter > portfwd list

Figure 4: List command

Flush

This argument removes all local port forwards at once.

meterpreter > portfwd flush

Figure 5: Flush command

Example Usage

In this example, we will open a port on our local machine and have our Meterpreter session forward connections to our victim on that same port. We will be using port 3389, which is the default port for Windows Remote Desktop connections.

Here are the players involved:

Figure 6: Victim machine

Figure 7: Our pivot machine

Figure 8: Attacker's machine


First we set up the port forwarding on our pivot using the following command:

meterpreter > portfwd add -l 3389 -p 3389 -r 172.16.194.141

We verify that port 3389 is listening by issuing the "netstat" command from another terminal.

Figure 9: Local machine's listening ports

We can see that 0.0.0.0 is listening on port 3389, as well as the connection to our pivot machine on port 4444.

From here we can initiate a Remote Desktop connection to our local port 3389, which will be forwarded to our victim machine on the corresponding port.

Figure 10: Remote Desktop connection using local port

Another example of "portfwd" usage is using it to forward exploit modules such as "MS08-067". Using the same technique as shown previously, it is just a matter of forwarding the correct ports for the desired exploit.

Here we forwarded port 445, which is the port associated with Windows Server Message Block (SMB). After configuring the module's target host and port to point at our forwarded socket, the exploit is sent via our pivot to the victim machine.

Figure 11: MS08-067 via pivot