In this Metasploitable 3 Meterpreter Port forwarding hacking instructional exercise we will figure out how to forward local ports that can’t be gotten to remotely. It is normal and great practice to run particular services on a local machine and make them accessible to that local machine rather than the full network. On a local network these services are normally control panels used to set hardware or software on a solitary machine which doesn’t have to open these services to the full network, much the same as you would not have any desire to uncover a local FTP or SMB server to the web. A decent example of a service that doesn’t permit outside access of course is MySQL server. MySQL server stops remote access as a matter of course upon setup for security reasons and requires the system admin to purposefully enable remote access with a specific end goal to permit remote connections. In this instructional exercise we will utilize Meterpreter port forward to tunnel connections with services that can’t be gotten to remotely.
To follow this Port forwarding tutorial we assume that you’ve properly installed the Metasploitable 3 machine and have shell access to it.
Port forwarding: Accessing local ports remotely
The starting point of this tutorial is where the last tutorial has ended: a Meterpreter shell that was gained through exploiting HTTP PUT that allowed us to uploads malicious files to the web root directory.
When we run ipconfig on the Metasploitable 3 machine we can see there’s a second NIC present with IP 10.0.2.15 as we can see on the following screenshot.
The main issue is that this network is at present not routable from our Kali Linux assault machine. To get to this network we would need to setup a socks4 intermediary with proxychains to forward all connections to this subnet. A similar technique would likewise enable us to scan the target network from the point of view of the Metasploitable 3 machine. This would uncover open ports and services that can be gotten to locally yet not remotely. One case of such service is the MySQL service that is running on port 3306. The initial Nmap checks didn’t uncover this port as it is firewalled because it’s not intended to be gotten to remotely. When we run netstat on the Metasploitable 3 machine we can check that port 3306 is utilized on the machine and has the service with PID 2224 connected:
By running tasklist we can verify that MySQL.exe is running on PID 2224:
Since we know MySQL is running on port 3306 and can’t be gotten to remotely, we have to setup the Meterpreter shell in a way that we can tunnel connections over the shell. Since the Meterpreter shell runs locally and can get to port 3306, we have to forward a local port to the Metasploitable 3 machine over the Meterpreter shell. The most straightforward approach to do this is to utilize the Meterpreter portfwd module. Before we forward the local port to Metasploitable 3, we should observe the port forwarding functions overview to improve comprehension of what it precisely does.
Meterpreter port forwarding
The portforward functionality in Meterpreter can be utilized as a pivoting technique to get to networks and machines through the compromised machines that are otherwise not accessible. The portfwd command will hand-off TCP connections to and from the associated machines. In the next steps we’ll be making the mySQL server port 3306 accessible on the local assault machine and forward the traffic on this port to Metasploitable 3. At the point when all is setup, we will interface with the localhost on port 3306 with the mysql command line client. The connection to these ports will be forwarded to Metasploitable 3.
We can create the tunnels using the following commands:
portfwd add -l 3306 -p 3306 -r 172.28.128.3
Let’s explain the parameters we’ve used in the command:
- -l [port] is the local port that will be listening and forwarded to our target. This can be any port on your machine, as long as it’s not already being used by another service.
- -p [port] is the destination port on our targeting host.
- -r [target host] is the our targeted system’s IP or hostname.
When we’ve successfully ran the commands on the Meterpreter sessions the output saying both ports have been forwarded should look as following:
We can verify that local port 3306 is open on our local machine by running netstat as following:
Next we can access the MySQL service on Metasploitable 3 by having the MySQL client connect to the localhost as following:
mysql -u root 127.0.0.1
Interfacing with the MySQL server additionally uncovered a commonly observed security issue; we didn’t supply a password in the connection command and we were not prompted to enter one either. As should be obvious in the screenshot we can list all databases available on the MySQL server, including the WordPress database. Because a service can only be gotten to locally, it doesn’t imply that a password protection layer is not needed. As should be obvious connections and ports can undoubtedly be forwarded when an aggressor has shell access to the machine.
Now that we’ve access to the WordPress database, we might as well extract the user password hashes using the following SQL query:
select user_login, user_pass from wp_users;
Running a dictionary attack on the admin hash with john reveals the password for the WordPress admin user:
john –wordlist=/usr/share/wordlists/rockyou.txt wpaccounts
In this instructional exercise we’ve found out about port forwarding with Meterpreter. We’ve forwarded connections from a local port on our assault box, over Meterpreter to a local port on the Metasploitable 2 machine. This enabled us to get to port 3306 on Metasploitable 3 from a remote machine.