In this Metasploitable 3 Meterpreter Port forwarding hacking tutorial we will learn how to forward local ports that cannot be accessed remotely. It is very common and good practice to run specific services on a local machine and make them available to that local machine only instead of the full network. On a local network these services are typically administration panels used to configure hardware or software on a single machine which doesn’t need to expose these services to the full network, just like you would not want to expose a local FTP or SMB server to the internet. A good example of a service that doesn’t allow external access by default is MySQL server. MySQL server disables remote access by default upon installation for security reasons and requires the system administrator to explicitly enable remote access in order to allow remote connections. In this tutorial we will be using Meterpreter port forward to tunnel connections to services that cannot be accessed remotely.
Port forwarding: Accessing local ports remotely
The starting point of this tutorial is where the last tutorial has ended: a Meterpreter shell that was gained through exploiting HTTP PUT that allowed us to uploads malicious files to the web root directory.
When we run ipconfig on the Metasploitable 3 machine we can see there’s a second NIC present with IP 10.0.2.15 as we can see on the following screenshot.
The only problem is that this network is currently not routable from our Kali Linux attack machine. To access this network we would have to setup a socks4 proxy with proxychains to forward all connections to this subnet. The same technique would also allow us to scan the target network from the perspective of the Metasploitable 3 machine. This would reveal open ports and services that can be accessed locally but not remotely. One example of such service is the MySQL service that is running on port 3306. The initial Nmap scans didn’t reveal this port as it is firewalled because it’s not meant to be accessed remotely. When we run netstat on the Metasploitable 3 machine we can verify that port 3306 is used on the machine and has the service with PID 2224 attached:
By running tasklist we can verify that MySQL.exe is running on PID 2224:
Now that we know MySQL is running on port 3306 and cannot be accessed remotely, we need to setup the Meterpreter shell in a way that we can tunnel connections over the shell. Since the Meterpreter shell runs locally and is able to access port 3306, we need to forward a local port to the Metasploitable 3 machine over the Meterpreter shell. The easiest way to do this is to use the Meterpreter portfwd module. Before we forward the local port to Metasploitable 3, let’s have a look at the port forwarding functionality in general first to get a better understanding of what it exactly does.
Meterpreter port forwarding
The portforward fucntionality in Meterpreter can be used as a pivoting technique to access networks and machines through the compromised machines that are otherwise inaccessible. The portfwd command will relay TCP connections to and from the connected machines. In the following steps we’ll be making the mySQL server port 3306 available on the local attack machine and forward the traffic on this port to Metasploitable 3. When all is setup we will be connecting to the localhost on port 3306 with the mysql command line client. The connection to these ports will be forwarded to Metasploitable 3.
We can create the tunnels using the following commands:
portfwd add -l 3306 -p 3306 -r 172.28.128.3
Let’s explain the parameters we’ve used in the command:
- -l [port]is the local port that will be listening and forwarded to our target. This can be any port on your machine, as long as it’s not already being used by another service.
- -p [port]is the destination port on our targeting host.
- -r [target host]is the our targeted system’s IP or hostname.
When we’ve successfully ran the commands on the Meterpreter sessions the output saying both ports have been forwarded should look as following:
We can verify that local port 3306 is open on our local machine by running netstat as following:
Next we can access the MySQL service on Metasploitable 3 by having the MySQL client connect to the localhost as following:
mysql -u root 127.0.0.1
Connecting to the MySQL server also revealed a commonly seen security issue; we did not supply a password in the connection command and we were not prompted to enter one either. As we can see in the screenshot we are able to list all databases present on the MySQL server, including the WordPress database. Just because a service can be accessed locally only, it doesn’t mean that a password protection layer becomes obsolete. As we can see connections and ports can easily be forwarded when an attacker has shell access to the machine.
Now that we’ve access to the WordPress database, we might as well extract the user password hashes using the following SQL query:
select user_login, user_pass from wp_users;
Running a dictionary attack on the admin hash with john reveals the password for the WordPress admin user:
john –wordlist=/usr/share/wordlists/rockyou.txt wpaccounts
In this tutorial we’ve learned about port forwarding with Meterpreter. We’ve forwarded connections from a local port on our attack box, over Meterpreter to a local port on the Metasploitable 2 machine. This allowed us to access port 3306 on Metasploitable 3 from a remote machine. In the next and last Metasploitable 3 hacking tutorial we will be attacking the WordPress installation using a few different attack vectors.