The portfwd command within the Meterpreter shell is most commonly used as a pivoting technique, allowing direct access to machines that are otherwise inaccessible from the attacking system. Running this command on a compromised host that has access to both the attacker's network and the destination network (or system), we can forward TCP connections through this machine, effectively making it a pivot point. Much like the port-forwarding technique used with an SSH connection, portfwd relays TCP connections to and from the connected machines.
From an active Meterpreter session, typing portfwd -h will display the command's various options and arguments.
Figure 1 Help banner
-L: Use to specify the listening host. Unless you need the forwarding to occur on a specific network adapter, you can omit this option. If none is entered, 0.0.0.0 will be used.
-h: Displays the above information.
-l: The local port that will listen on the attacking machine. Connections to this port will be forwarded to the remote system.
-p: The port on the remote system to which TCP connections will be forwarded.
-r: The IP address the connections are relayed to (the target).
Add: This argument is used to create the forwarding.
Delete: This will delete a previous entry from our list of forwarded ports.
List: This will list all ports currently forwarded.
Flush: This will delete all ports from our forwarding list.
From the Meterpreter shell the command is used in the following manner:
meterpreter > portfwd add -l 3389 -p 3389 -r <target host>
"add" adds the port forwarding to the list and essentially creates a tunnel for us. Please note that this tunnel also exists outside the Metasploit console, making it available to any terminal session.
"-l 3389" is the local port that will be listening and forwarded to our target.
This can be any port on your machine, as long as it's not already in use.
"-p 3389" is the destination port on our target host.
"-r <target host>" is our target system's IP address or hostname.
Figure 2 Adding a port
Entries are deleted very much like the previous command. Once again from an active meterpreter session we would type the following:
meterpreter > portfwd delete -l 3389 -p 3389 -r <target host>
Figure 3 Deleting a port
The list argument needs no options and provides us with a list of currently listening and forwarded ports.
meterpreter > portfwd list
Figure 4 List command
The flush argument allows us to remove all local port forwards at once.
meterpreter > portfwd flush
Figure 5 Flush command
In this example, we will open a port on our local machine and have our Meterpreter session forward connections to our victim on that same port. We'll be using port 3389, which is Windows' default port for Remote Desktop connections.
Here are the players involved:
Figure 6 Victim machine
Figure 7 Our Pivot machine
Figure 8 Attacker’s machine
First, we set up the port forwarding on our pivot using the following command:
meterpreter > portfwd add -l 3389 -p 3389 -r 172.16.194.141
We verify that port 3389 is listening by issuing the netstat command from another terminal.
Figure 9 Local machine’s listening ports
We can see 0.0.0.0 listening on port 3389, as well as the connection to our pivot machine on port 4444.
From here we can initiate a Remote Desktop connection to our local port 3389, which will be forwarded to our victim machine on the corresponding port.
Figure 10 Remote Desktop connection using local port
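The netstat check above is also the view a defender gets of a host being used as a pivot: a listener on every interface for a port the machine does not normally serve, plus an established session to a handler port. As an added example (not from the page or from Metasploit), the following parses netstat -ant style output and flags both patterns. The sample output is constructed, the addresses come from documentation ranges, and the watched ports are simply the ones this page uses (3389, 445 and 4444); tune them to the environment.

```python
import re

# Constructed sample in the layout of `netstat -ant` on a Linux host.
# Not taken from the page's figure; addresses are documentation ranges.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:3389            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:39112        198.51.100.7:4444       ESTABLISHED
tcp6       0      0 :::22                   :::*                    LISTEN
"""

# proto, recv-q, send-q, local addr:port, foreign addr:port, state
LINE_RE = re.compile(
    r"^(tcp6?)\s+\d+\s+\d+\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)\s+(\S+)"
)

# Addresses that mean "bound on every interface" for IPv4 and IPv6.
WILDCARD_ADDRS = {"0.0.0.0", "::"}

def parse_netstat(text):
    """Return one dict per TCP row; header and non-TCP lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, laddr, lport, faddr, fport, state = m.groups()
        rows.append({
            "proto": proto,
            "local_addr": laddr,
            "local_port": None if lport == "*" else int(lport),
            "foreign_addr": faddr,
            "foreign_port": None if fport == "*" else int(fport),
            "state": state,
        })
    return rows

def find_forward_indicators(rows, watched_ports=(3389, 445), handler_ports=(4444,)):
    """Flag (a) listeners bound to every interface on ports this host would not
    normally serve and (b) established sessions to a known handler port.
    Returns a list of tuples so callers can assert on them or ship them to a SIEM."""
    findings = []
    for r in rows:
        if (r["state"] == "LISTEN"
                and r["local_addr"] in WILDCARD_ADDRS
                and r["local_port"] in watched_ports):
            findings.append(("exposed_listener", r["local_port"]))
        if r["state"] == "ESTABLISHED" and r["foreign_port"] in handler_ports:
            findings.append(("handler_session", r["foreign_addr"], r["foreign_port"]))
    return findings

if __name__ == "__main__":
    for finding in find_forward_indicators(parse_netstat(SAMPLE_NETSTAT)):
        print(finding)
```

On the sample this reports the two wildcard listeners on 3389 and 445 and the session to 198.51.100.7:4444, while ignoring the loopback-only CUPS listener and the ordinary SSH daemon. A baseline of each host's expected listeners turns the watched-port tuple into a per-host allow list rather than a fixed set.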
Another example of portfwd usage is forwarding exploit modules such as MS08-067 through the pivot.
Using the same technique as shown previously, it's just a matter of forwarding the correct ports for the
Here we forwarded port 445, the port associated with Windows' Server Message Block (SMB).
With our module's target host and port configured to our forwarded socket, the exploit is sent via our pivot to the victim machine.
Figure 11 MS08-067 via Pivot