
I am pentesting a Windows box on which I have gained SYSTEM privileges. This box has two network interfaces. I have been able to reach machines on the second interface via the netsh command below. However, this is quite inefficient, as it is one port at a time, and each remote host requires its own local listening port.

I have tried to research other ways to use netsh in a more dynamic fashion; however, I have not found anything.

What is the most simplistic way to achieve dynamic port forwarding on a remote Windows box?

```
netsh interface portproxy add v4tov4 listenport=<LPORT> listenaddress=0.0.0.0 connectport=<RPORT> connectaddress=<RHOST>
```

If using Metasploit is the best option, I'm open to that. However, if this can be done with PowerShell, that is preferable.

KDEx
  • I would suggest using a [Network Bridge](https://technet.microsoft.com/en-us/library/cc783728(v=ws.10).aspx) but for some reason you can't set those up using `netsh` even though it actually has a command for doing so: [The install and uninstall commands are not supported in the netsh bridge context](https://technet.microsoft.com/en-us/library/cc781877(v=ws.10).aspx). – CBHacking Sep 30 '15 at 04:19
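From the defender's side, the `netsh interface portproxy` rules the question relies on are exactly what a host audit should look for. The following PowerShell is an added example, not code from the question or any answer: it parses the table printed by `netsh interface portproxy show v4tov4` into objects and flags rules that listen on all interfaces or forward into a network the host is not expected to reach. The sample output embedded below is constructed to mirror netsh's layout so the functions can be exercised offline; the `$TrustedPrefixes` default is an assumption to adjust per environment.

```powershell
# Parse "netsh interface portproxy show v4tov4" output into rule objects.
function ConvertFrom-PortProxyOutput {
    param([Parameter(Mandatory)][string[]]$Lines)
    foreach ($line in $Lines) {
        # Data rows have four whitespace-separated fields: addr port addr port
        $f = $line.Trim() -split '\s+'
        if ($f.Count -ne 4 -or $f[1] -notmatch '^\d+$' -or $f[3] -notmatch '^\d+$') { continue }
        [pscustomobject]@{
            ListenAddress  = $f[0]
            ListenPort     = [int]$f[1]
            ConnectAddress = $f[2]
            ConnectPort    = [int]$f[3]
        }
    }
}

# Flag a rule when it listens on every interface or forwards outside the
# address prefixes this host is expected to relay into (assumed default: loopback only).
function Test-SuspiciousPortProxy {
    param([Parameter(Mandatory)]$Rule, [string[]]$TrustedPrefixes = @('127.'))
    $reasons = @()
    if ($Rule.ListenAddress -in @('0.0.0.0', '*')) { $reasons += 'listens on all interfaces' }
    if (-not ($TrustedPrefixes | Where-Object { $Rule.ConnectAddress.StartsWith($_) })) {
        $reasons += "forwards to untrusted network $($Rule.ConnectAddress)"
    }
    [pscustomobject]@{
        ListenAddress  = $Rule.ListenAddress
        ListenPort     = $Rule.ListenPort
        ConnectAddress = $Rule.ConnectAddress
        ConnectPort    = $Rule.ConnectPort
        Suspicious     = $reasons.Count -gt 0
        Reasons        = $reasons -join '; '
    }
}

# Constructed sample; on a live host replace with: $Sample = netsh interface portproxy show v4tov4
$Sample = @'
Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
0.0.0.0         8080        10.0.0.1        443
127.0.0.1       3390        10.0.0.5        3389
'@ -split "`r?`n"

ConvertFrom-PortProxyOutput -Lines $Sample |
    ForEach-Object { Test-SuspiciousPortProxy -Rule $_ } |
    Where-Object Suspicious |
    Format-Table -AutoSize
```

Both sample rules are reported: the first for its wildcard listener and its forward into 10.0.0.0/24, the second for the forward alone, which is the pattern a compromised dual-homed host shows when it is being used as a pivot.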

3 Answers


So deploying Metasploit would be one option, as you've mentioned; however, if you want a more PowerShell-oriented route, you could look at using Nishang, which provides modules like Powerpreter to help with pivoting on a network once you've compromised a single host.

Rory McCune

If you have this sort of connectivity, it would definitely help all of your efforts (including port forwarding or pivoting) to get a Meterpreter session running. If you have the money, Cobalt Strike is worth a look as well; it has PowerShell Web Delivery, which sends a Beacon implant over the network. If not, then the metasploit-framework project (MSF) is your best bet, as it will provide many features including reliable network communication, transport control, timeout control (e.g., SessionCommunicationTimeout and SessionExpirationTimeout for HTTP/TLS sessions and ReverseConnectRetries for TCP sessions), stageless mode, etc.

There are many ways to get a Meterpreter session running, including via PowerShell. Similar to the PowerShell Web Delivery technique in Cobalt Strike mentioned above, MSF has exploit/windows/smb/psexec_psh, which can even be executed in DryRun mode; this just gives the command necessary to run on the target host in order to feed it to MSF's exploit/multi/handler with whichever payload is desired, which can then also be upgraded to a Meterpreter payload using the MSF sessions command.

Once a Meterpreter session is available, you can use the portfwd or autoroute directives, which are well documented in many places. A basic example:

```
portfwd add -l 8080 -r 10.0.0.1 -p 443
```

You could also use tools such as FPipe or WinRelay to perform similar forwarding, but any of these (including Meterpreter itself) could be flagged by anti-virus or IPS software or appliances running on the target network. Know your limitations.

For a port-forwarding solution in PowerShell, the blog that Rory McCune referenced in his answer does provide examples in the entry called Pillage the Village.

atdre

Have you tried Netcat for Windows? You will still need to change the parameters, but at least you have a smaller syntax. It also allows you to RDP if port 3389 is locally open (therefore making your work easier) and to execute port scans.

Combining it with PsExec might give you better options to further your control.

DarkLighting