In this Metasploitable three Meterpreter Port forwarding hacking tutorial we’ll discover ways to ahead native ports that can not be accessed remotely. It is quite common and good follow to run particular providers on an area machine and make them accessible to that native machine solely as a substitute of the complete community. On an area community these providers are sometimes administration panels used to configure or software program on a single machine which doesn’t want to show these providers to the complete community, similar to you wouldn’t wish to expose an area FTP or SMB server to the web. instance of a service that doesn’t enable exterior entry by default is MySQL server. MySQL server disables distant entry by default upon set up for security causes and requires the system administrator to explicitly allow distant entry with a purpose to enable distant connections. In this tutorial we will probably be utilizing Meterpreter port ahead to tunnel connections to providers that can not be accessed remotely.
To observe this Port forwarding tutorial we assume that you just’ve correctly put in the Metasploitable three machine and have shell entry to it. If not please observe these tutorials first:
Port forwarding: Accessing native ports remotely
The place to begin of this tutorial is the place the final tutorial has ended: a Meterpreter shell that was gained by way of exploiting HTTP PUT that allowed us to uploads malicious information to the web root listing.
The place to begin of this tutorial is a Meterpreter shell.
When we run ipconfig on the Metasploitable three machine we will see there’s a second NIC current with IP 10.zero.2.15 as we will see on the next screenshot.
Multiple NICs on Metasploitable three.
The solely downside is that this community is at the moment not routable from our Kali Linux assault machine. To entry this community we must setup a socks4 proxy with proxychains to ahead all connections to this subnet. The similar method would additionally enable us to scan the goal community from the attitude of the Metasploitable three machine. This would reveal open ports and providers that may be accessed domestically however not remotely. One instance of such service is the MySQL service that’s operating on port 3306. The preliminary Nmap scans didn’t reveal this port as it’s firewalled as a result of it’s not meant to be accessed remotely. When we run netstat on the Metasploitable three machine we will confirm that port 3306 is used on the machine and has the service with PID 2224 connected:
Netstat output on Metasploitable three.
By operating tasklist we will confirm that MySQL.exe is operating on PID 2224:
PID for MySQL.
Now that we all know MySQL is operating on port 3306 and can’t be accessed remotely, we have to setup the Meterpreter shell in a manner that we will tunnel connections over the shell. Since the Meterpreter shell runs domestically and is ready to entry port 3306, we have to ahead an area port to the Metasploitable three machine over the Meterpreter shell. The easiest method to do that is to make use of the Meterpreter portfwd module. Before we ahead the native port to Metasploitable three, let’s take a look on the port forwarding performance typically first to get a greater understanding of what it precisely does.
Meterpreter port forwarding
The portforward fucntionality in Meterpreter can be utilized as a pivoting method to entry networks and machines by way of the compromised machines which can be in any other case inaccessible. The portfwd command will relay TCP connections to and from the related machines. In the next steps we’ll be making the mySQL server port 3306 accessible on the native assault machine and ahead the visitors on this port to Metasploitable three. When all is setup we will probably be connecting to the localhost on port 3306 with the mysql command line shopper. The connection to those ports will probably be forwarded to Metasploitable three.
We can create the tunnels utilizing the next instructions:
portfwd add -l 3306 -p 3306 -r 172.28.128.three
Let’s clarify the parameters we’ve used within the command:
-l [port]is the native port that will probably be listening and forwarded to our goal. This might be any port in your machine, so long as it’s not already being utilized by one other service.
-p [port]is the vacation spot port on our focusing on host.
-r [target host]is the our focused system’s IP or hostname.
When we’ve efficiently ran the instructions on the Meterpreter periods the output saying each ports have been forwarded ought to look as following:
Forwarding native port 3306 to port 3306 on 172.28.128.three
We can confirm that native port 3306 is open on our native machine by operating netstat as following:
Port 3306 accessible on the native assault field.
Next we will entry the MySQL service on Metasploitable three by having the MySQL shopper connect with the localhost as following:
mysql -u root 127.zero.zero.1
Successful connection to the MySQL server.
Connecting to the MySQL server additionally revealed a generally seen security concern; we didn’t provide a password within the connection command and we weren’t prompted to enter one both. As we will see within the screenshot we’re capable of record all databases current on the MySQL server, together with the WordPress database. Just as a result of a service might be accessed domestically solely, it doesn’t imply password safety layer turns into out of date. As we will see connections and ports can simply be forwarded when an attacker has shell entry to the machine.
Now that we’ve entry to the WordPress database, we’d as effectively extract the person password hashes utilizing the next SQL question:
choose user_login, user_pass from wp_users;
WordPress password hashes
Running a dictionary assault on the admin hash with john reveals the password for the WordPress admin person:
john –wordlist=/usr/share/wordlists/rockyou.txt wpaccounts
The password for the admin account is sploit.
In this tutorial we’ve discovered about port forwarding with Meterpreter. We’ve forwarded connections from an area port on our assault field, over Meterpreter to an area port on the Metasploitable 2 machine. This allowed us to entry port 3306 on Metasploitable three from a distant machine. In the subsequent and final Metasploitable three hacking tutorial we will probably be attacking the WordPress set up utilizing just a few completely different assault vectors.