METASPLOIT - PORT FORWARDING
- Layout for this exercise:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjiqB9rluBivdWpaSdeS1_E-M7aBzX4YnGJi9MVCjvgTATEXBCIBaOvV_e8Z_zzSzrGA65pPaMydSQ1iMjNx2UHH7Eon7gr8zmtxCqqJbstULa88Odpr0x-v3McbIBmeqpOpcEWiiZqPZ3m/s640/screenshot.15.jpg)
- In this attack Kali wants to access a web server on the Linux victim machine, using the XP system as a pivot.
- First of all, a meterpreter session is achieved by exploiting the XP machine:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_8QM9NesFmlfUiv2Seyy_sLd3o9w6azUcG2yBkjNi_ZJQdnA4m74LLQmNsxRou-mzkyhW9Oe8L7QxZtWBTDSh1uPVWnD215jrgk3nOQIo8OZ6V9QyhOYx763XRFDbYbBgv0CFD6PzAPvp/s1600/screenshot.1.jpg)
- We learn that XP has two interfaces. The second interface is connected to the inner network 10.0.0.0/24:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3odI9lyy9wOUyuGn9xXi_QiIQPujtKbOxVYVk6zLJJMwUEHp-kplSgCNm_plccHQUC8JyjbaeDvGxfKfquXFH4PSaPspgjgEvBUan03W0uxIOlOgN925-AzTbl14jDcU-MPYucMRxgxEQ/s400/screenshot.2.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj85IqaV8bpixnM4gm1Etbq24-z5x7TR3_M78BVpG3X8d0luZmrjPeE48sW5kHJ_f2MO9lgAdQ889sb0DyLhr2O-CME62Ou-_rRoyzGoVRFz4_TyUrKcuvziCj-KmpjmuuRAmVOInaNQ2IE/s1600/screenshot.3.jpg)
- The active meterpreter session is number 1:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjqwEWm6r1epgJ_X3yP-2WYz4cT_LtONpIhMJCVirEK6OfneeKSzS1jqE2alY-XqmSNPek6gmM_o8OgDv98IuLLeJ9Za-GmnNWh4xjPr_w57jLwtL9YLu0Re1c__IAk1c-pI6_iMaAT4dD0/s1600/screenshot.8.jpg)
- Using session 1 to add a route to 10.0.0.0/24:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjpD46Dg_D8cggmlsdWYNZD6Da6uOcbAmQcCSutQJk3lqlP6VojAZzq2V8vb7wHIeUjj2UftncyOhO5Nw64SFaa4ITHUZuTJPbHlA4KGW8oIecUc6n7pPs303_tVHZNk2H0m8gTewVPOGS9/s1600/screenshot.4.jpg)
- Printing the route:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgHUNwnz256iIX-TwfL93hxuXbrqfFkP69Jc_e6VguUDJMz2lfTgK3N3itdXkXfwOvus6VwiGUy6qdQktSmY0ZBWcJ4kpMbF3v-xmHHZE-AzTmr7Hg0W4QXrlmjkvJPTFMLjyaF1UiG7LZq/s1600/screenshot.5.jpg)
- Scanning 10.0.0.0/24 from the active meterpreter session 1:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgifdWQOk7_GJG5TabVPL9uAiKf4RQg36TUwE0Yt168sqPf7gQ1duRov4_dP74juN1E-CX8PxP_UPQUzK63aU1bZeopxNnBkhbXoJXWTL57p5tlx0FU123oROgeis48GGYqtUmOo9Tl6s1H/s1600/screenshot.6.jpg)
- Once 10.0.0.2 is discovered, a TCP port scan is performed against it, from port 1 to 500:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-81i8xVbhQPudJyDgIp50MSI-9Wunv9o3YPzCj64kNkU9jLUTprArpnxiX0poukty5SuBUo7G5p0Cwir-hMPm9fKZc0I5aM8afCH6hmBVBmIGEtEhW2H3jNN7FB7UfGu5-nA-YdDYmpSW/s1600/screenshot.16.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRh6MvKQejCWosqM1AH6ef-dE27Sh4jfpB8JrH5aEZdLFkihXsGo5g97iDa_F2SlxL6iZDpxAUGNfpnvP1bFzXn9ToP-zl8V2h4m_ZoGom1tLx0wdc5E051bYiq49WUp317W5rjdNF7kha/s1600/screenshot.7.jpg)
- Now, port forwarding is enabled to access the victim (IP 10.0.0.2, port 80) from local port 9999. In this way the attacker receives the web service of 10.0.0.2:80 on localhost:9999:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhf1-SiKybQliyY_W6_31uEC5s6eWJWcWEChlJaxQta-91W6ok1PF-ephpD1ht-SfenmXo0rpGnOham575kmhNIZkPkl8giFsRm6BRdyXhixe8hDFfmsnLg_feZXWaiMcLIMElW4OSMtv0H/s1600/screenshot.10.jpg)
- A local listening port has been created on 9999. Connections to localhost:9999 are forwarded to 10.0.0.2:80 even though attacker and victim are not directly connected, since they sit in different networks; the meterpreter session carries the connection in the background:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjVHdSNeF35g3c9IpzD3e82vCkTkRnNEEWUc0_n3qtt4FmRIWS4GdqB4mhjTrhCJHThC1EiIsvw53w1vd5kF7zBTHfZ0g534ksIMZlUg-amXIugvU89V7JE7Crg0txntX4K4_Cfj21oWdUa/s400/screenshot.11.jpg)
- The attack is successful: connecting the attacker's browser to localhost:9999 reaches the victim's web server:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi1bxXuncTGgmlhcG-fFVlyqTyewLEfYorIn4Zr0aoRPMVZo_Ke5f8DfO6PcE1ZwpSeF87-Qo7YTBHgsrp2Ml5G9PIDWkjLei6zaeO1vxpYu2iWYS9bmnzBZjiY3wXh-MdbC0ab3iWM0PeP/s640/screenshot.12.jpg)
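From the defender's side, the steps above leave a recognisable trace on the inner network: the subnet sweep and the port 1-500 scan both originate from the XP host's second interface, so a gateway or flow collector on 10.0.0.0/24 sees one source contacting many hosts, then one source touching many ports on 10.0.0.2. The script below is an added example, not part of the original post or of Metasploit: it builds constructed flow records that mimic that traffic and flags both patterns. The pivot address 10.0.0.100, the sweep port 445, the benign workstation 10.0.0.50, the 60-second window and the two thresholds are assumptions chosen for the example.

```python
"""Flag a pivot host sweeping a subnet and then port-scanning one host.

Added example (not from the original post). The flow records are constructed
to resemble what a NetFlow/conntrack export from the 10.0.0.0/24 gateway might
show while a compromised dual-homed host sweeps the subnet and then walks
ports 1-500 on the internal web server. Addresses and thresholds are assumed.
"""
from collections import defaultdict
from dataclasses import dataclass

PIVOT = "10.0.0.100"       # assumed address of the pivot's inner interface
WEB_SERVER = "10.0.0.2"    # the internal web server reached in the post
WORKSTATION = "10.0.0.50"  # assumed benign client, for contrast

WINDOW_SECONDS = 60        # assumed bucketing window
SWEEP_MIN_DSTS = 20        # assumed: distinct hosts from one source per window
SCAN_MIN_PORTS = 30        # assumed: distinct ports on one host from one source


@dataclass(frozen=True)
class Flow:
    """One flow record: start time, source, destination and destination port."""
    ts: int
    src: str
    dst: str
    dport: int


def build_sample_flows() -> list[Flow]:
    """Constructed traffic: a little benign browsing, a host sweep, a port scan."""
    flows = []
    t0 = 1000
    # Benign: a workstation fetching the intranet page a few times.
    for i in range(5):
        flows.append(Flow(t0 + i * 7, WORKSTATION, WEB_SERVER, 80))
    # Host sweep: one probe to every other address in 10.0.0.0/24 within seconds.
    for i in range(1, 255):
        dst = f"10.0.0.{i}"
        if dst == PIVOT:
            continue
        flows.append(Flow(t0 + 10 + i // 50, PIVOT, dst, 445))
    # Port scan: ports 1..500 on the web server, a few seconds later.
    for port in range(1, 501):
        flows.append(Flow(t0 + 30 + port // 100, PIVOT, WEB_SERVER, port))
    return flows


def detect(flows, window=WINDOW_SECONDS,
           sweep_min=SWEEP_MIN_DSTS, scan_min=SCAN_MIN_PORTS):
    """Return (kind, src, dst, count) alerts for host sweeps and port scans.

    Flows are bucketed into fixed windows. A source that contacts at least
    `sweep_min` distinct hosts in one window is a host sweep; a source that
    hits at least `scan_min` distinct ports on one host in one window is a
    port scan. The dst field of a host-sweep alert is "*".
    """
    dsts_per_src = defaultdict(set)        # (window, src) -> {dst}
    ports_per_pair = defaultdict(set)      # (window, src, dst) -> {dport}
    for f in flows:
        w = f.ts // window
        dsts_per_src[(w, f.src)].add(f.dst)
        ports_per_pair[(w, f.src, f.dst)].add(f.dport)

    alerts = []
    for (_, src), dsts in dsts_per_src.items():
        if len(dsts) >= sweep_min:
            alerts.append(("host_sweep", src, "*", len(dsts)))
    for (_, src, dst), ports in ports_per_pair.items():
        if len(ports) >= scan_min:
            alerts.append(("port_scan", src, dst, len(ports)))
    return sorted(alerts)


if __name__ == "__main__":
    for kind, src, dst, count in detect(build_sample_flows()):
        print(f"{kind}: {src} -> {dst} ({count} distinct)")
```

Both alerts name the pivot as the source, which is the useful part for triage: the machine doing the scanning is a host that has a foot in the outer network as well, and the later port forward also reaches 10.0.0.2:80 from that same inner address, so the web server's own access log would show the pivot, not Kali, as the client.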