Metasploitable 3: Meterpreter Port forwarding


In this Metasploitable 3 Meterpreter port forwarding hacking tutorial we will learn how to forward local ports that cannot be accessed remotely. It is very common, and good practice, to run specific services on a machine and make them available to that machine only instead of to the whole network. Typically these are administration panels used to configure hardware or software on a single machine, which have no reason to be exposed to the full network, just as you would not want to expose a local FTP or SMB server to the internet.
A good example of a service that doesn’t allow external access by default is the MySQL server. MySQL server disables remote access by default upon installation for security reasons and requires the system administrator to explicitly enable remote access in order to allow remote connections. In this tutorial, we will be using the Meterpreter port forward to tunnel connections to services that cannot be accessed remotely.
To follow this Port forwarding tutorial we assume that you’ve properly installed the Metasploitable 3 machine and have shell access to it. If not please follow these tutorials first:

  • How to setup Metasploitable 3 on Windows 10
  • Metasploitable 3: Exploiting ManageEngine Desktop Central 9
  • Metasploitable 3: Exploiting HTTP PUT

Port forwarding: Accessing local ports remotely

The starting point of this tutorial is where the last tutorial has ended: a Meterpreter shell that was gained through exploiting HTTP PUT that allowed us to upload malicious files to the web root directory.

The starting point of this tutorial is a Meterpreter shell.

When we run ipconfig on the Metasploitable 3 machine we can see there’s a second NIC present with IP 10.0.2.15 as we can see on the following screenshot.

Multiple NICs on Metasploitable 3.

The only problem is that this network is currently not routable from our Kali Linux attack machine. To access this network we would have to set up a socks4 proxy with proxychains to forward all connections to this subnet. The same technique would also allow us to scan the target network from the perspective of the Metasploitable 3 machine. This would reveal open ports and services that can be accessed locally but not remotely. One example of such a service is the MySQL service that is running on port 3306. The initial Nmap scans didn’t reveal this port as it is firewalled because it’s not meant to be accessed remotely. When we run netstat on the Metasploitable 3 machine we can verify that port 3306 is used on the machine and has the service with PID 2224 attached:


Netstat output on Metasploitable 3.

By running tasklist we can verify that MySQL.exe is running on PID 2224:

PID for MySQL.
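The netstat-to-tasklist correlation done by hand above can be scripted, which is also how a defender would find services that a remote port scan never shows but that a forwarder on a compromised host can reach. The following is an added example, not code from the original tutorial: it parses Windows `netstat -ano` and `tasklist` output, joins them on PID, and classifies each TCP listener by bind address. The sample output lines, the process name `mysqld.exe` and every PID other than 2224 are constructed for the example.

```python
import re

# Constructed sample of Windows "netstat -ano" output (not taken from the tutorial).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1388
  TCP    0.0.0.0:8020           0.0.0.0:0              LISTENING       2980
  TCP    127.0.0.1:3306         0.0.0.0:0              LISTENING       2224
  TCP    10.0.2.15:49160        10.0.2.2:443           ESTABLISHED     1204
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:123            *:*                                    1056
"""

# Constructed sample of "tasklist" output (process names are assumptions).
TASKLIST_SAMPLE = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System                           4 Services                   0        232 K
httpd.exe                     1388 Services                   0     18,204 K
mysqld.exe                    2224 Services                   0     74,112 K
java.exe                      2980 Services                   0    310,000 K
"""

WILDCARD = {"0.0.0.0", "[::]"}      # reachable on every interface (firewall permitting)
LOOPBACK = {"127.0.0.1", "[::1]"}   # reachable only from the machine itself


def parse_netstat(text):
    """Return TCP listeners as dicts with addr, port and pid (UDP and non-listening rows are skipped)."""
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP" and parts[3] == "LISTENING":
            addr, port = parts[1].rsplit(":", 1)   # rsplit keeps IPv6 "[::]" intact
            listeners.append({"addr": addr, "port": int(port), "pid": int(parts[4])})
    return listeners


def parse_tasklist(text):
    """Map PID -> image name; the header and separator lines never match the pattern."""
    images = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+(\d+)\s", line)
        if m:
            images[int(m.group(2))] = m.group(1)
    return images


def scope_of(addr):
    if addr in WILDCARD:
        return "all interfaces"
    if addr in LOOPBACK:
        return "loopback"
    return "specific interface"


def listening_services(netstat_text, tasklist_text):
    """Join listeners with their owning process and bind scope, ordered by port."""
    images = parse_tasklist(tasklist_text)
    rows = [{**l, "image": images.get(l["pid"], "?"), "scope": scope_of(l["addr"])}
            for l in parse_netstat(netstat_text)]
    return sorted(rows, key=lambda r: r["port"])


def pivot_reachable_only(netstat_text, tasklist_text):
    """Loopback-bound listeners: invisible to a remote scan, but reachable through a
    port forward once an attacker has a shell on the host, so their own
    authentication must not be skipped."""
    return [r for r in listening_services(netstat_text, tasklist_text) if r["scope"] == "loopback"]


if __name__ == "__main__":
    for row in listening_services(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"{row['port']:>5}  {row['scope']:<18} pid={row['pid']:<5} {row['image']}")
    print("local-only:", [r["port"] for r in pivot_reachable_only(NETSTAT_SAMPLE, TASKLIST_SAMPLE)])
```

In the sample the MySQL listener is bound to loopback; on the tutorial's machine the port is described as firewalled rather than loopback-bound, so in practice the firewall rule set should be audited alongside the bind address.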

Now that we know MySQL is running on port 3306 and cannot be accessed remotely, we need to set up the Meterpreter shell in a way that we can tunnel connections over the shell. Since the Meterpreter shell runs locally and is able to access port 3306, we need to forward a local port to the Metasploitable 3 machine over the Meterpreter shell. The easiest way to do this is to use the Meterpreter portfwd module. Before we forward the local port to Metasploitable 3, let’s have a look at the port forwarding functionality in general first to get a better understanding of what it exactly does.

Meterpreter port forwarding

The port forward functionality in Meterpreter can be used as a pivoting technique to reach networks and machines that are otherwise inaccessible, through the compromised machine. The portfwd command relays TCP connections to and from the connected machine. In the following steps, we'll make the MySQL server port 3306 available on the local attack machine and forward the traffic on this port to Metasploitable 3. When all is set up we will connect to localhost on port 3306 with the mysql command line client, and the connection will be forwarded to Metasploitable 3.
We can create the tunnel using the following command:

portfwd add -l 3306 -p 3306 -r 172.28.128.3

Let’s explain the parameters we’ve used in the command:

  • -l [port] is the local port that will be listening and forwarded to our target. This can be any port on your machine, as long as it's not already being used by another service.
  • -p [port] is the destination port on the target host.
  • -r [target host] is the target system's IP or hostname.
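To make concrete what `portfwd add -l 3306 -p 3306 -r 172.28.128.3` does, here is an added example that is not part of the original tutorial and not Metasploit's code: a minimal TCP relay in Python with the same three parameters. A listener on the attack box accepts a connection and copies bytes in both directions to the remote host and port. Real portfwd carries the remote leg inside the existing Meterpreter session rather than over a direct TCP connection; this example only shows the relay mechanics. The `demo()` function stands up a constructed loopback-only echo service in place of MySQL, forwards a port to it, and sends a request through; all hosts and ports it uses are assumptions.

```python
import socket
import threading


def _pump(src, dst):
    """Copy bytes from src to dst until src closes, then half-close dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _relay(client, remote_host, remote_port):
    """One forwarded connection: open the remote leg and pump both directions."""
    with client, socket.create_connection((remote_host, remote_port)) as remote:
        back = threading.Thread(target=_pump, args=(remote, client), daemon=True)
        back.start()
        _pump(client, remote)
        back.join()


def _accept_loop(listener, on_connection):
    """Hand every accepted connection to on_connection on its own thread."""
    while True:
        try:
            conn, _ = listener.accept()
        except OSError:        # listener was closed
            return
        threading.Thread(target=on_connection, args=(conn,), daemon=True).start()


def _listen(host, port):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((host, port))
    s.listen(5)
    return s


def start_forwarder(local_port, remote_host, remote_port, bind_host="127.0.0.1"):
    """Equivalent of: portfwd add -l local_port -p remote_port -r remote_host.
    Returns (listener socket, bound port); local_port 0 picks a free port."""
    listener = _listen(bind_host, local_port)
    threading.Thread(target=_accept_loop,
                     args=(listener, lambda c: _relay(c, remote_host, remote_port)),
                     daemon=True).start()
    return listener, listener.getsockname()[1]


def start_echo_service():
    """Constructed stand-in for the remote service (MySQL on 3306 in the tutorial):
    bound to loopback only, it echoes whatever it receives."""
    def echo(conn):
        with conn:
            _pump(conn, conn)
    listener = _listen("127.0.0.1", 0)
    threading.Thread(target=_accept_loop, args=(listener, echo), daemon=True).start()
    return listener, listener.getsockname()[1]


def demo(payload=b"SELECT 1;"):
    """Send payload through the forwarder to the echo service and return the reply."""
    echo_sock, echo_port = start_echo_service()
    fwd_sock, fwd_port = start_forwarder(0, "127.0.0.1", echo_port)
    try:
        with socket.create_connection(("127.0.0.1", fwd_port)) as c:
            c.sendall(payload)
            c.shutdown(socket.SHUT_WR)       # signal end of request
            chunks = []
            while True:
                data = c.recv(4096)
                if not data:
                    break
                chunks.append(data)
        return b"".join(chunks)
    finally:
        fwd_sock.close()
        echo_sock.close()


if __name__ == "__main__":
    print(demo())
```

The relay does nothing about authentication: whatever the remote service accepts from 127.0.0.1 it now accepts from anyone who can reach the forwarded port, which is why a loopback-only service still needs its own credentials.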

When we've successfully run the command in the Meterpreter session, the output saying the port has been forwarded should look as follows:

Forwarding local port 3306 to port 3306 on 172.28.128.3

We can verify that local port 3306 is open on our local machine by running netstat as follows:

Port 3306 available on the local attack box.

Next we can access the MySQL service on Metasploitable 3 by having the MySQL client connect to localhost as follows:

mysql -u root -h 127.0.0.1

Successful connection to the MySQL server.

Connecting to the MySQL server also revealed a commonly seen security issue: we did not supply a password in the connection command and were not prompted for one either. As we can see in the screenshot, we are able to list all databases present on the MySQL server, including the WordPress database. Just because a service can only be accessed locally does not mean a password protection layer becomes obsolete; as we have seen, connections and ports are easily forwarded once an attacker has shell access to the machine.
Now that we have access to the WordPress database, we might as well extract the user password hashes using the following SQL query:

select user_login, user_pass from wp_users;

WordPress password hashes

Running a dictionary attack on the admin hash with john reveals the password for the WordPress admin user:

john --wordlist=/usr/share/wordlists/rockyou.txt wpaccounts

The password for the admin account is sploit.

In this tutorial, we've learned about port forwarding with Meterpreter. We've forwarded connections from a local port on our attack box, over Meterpreter, to a local port on the Metasploitable 3 machine. This allowed us to access port 3306 on Metasploitable 3 from a remote machine. In the next and last Metasploitable 3 hacking tutorial we will be attacking the WordPress installation using a few different attack vectors.

FAQs

  1. What is Metasploitable 3?
    • Metasploitable 3 is a deliberately vulnerable virtual machine designed for practicing penetration testing techniques and enhancing cybersecurity skills.
  2. How does Meterpreter work?
    • Meterpreter is a post-exploitation payload within the Metasploit Framework. It provides an interactive shell with advanced capabilities for controlling compromised systems.
  3. Can I use port forwarding with other penetration testing tools?
    • Yes, port forwarding can be employed with various penetration testing tools, depending on their functionalities and capabilities.
  4. Is port forwarding legal?
    • Port forwarding is legal when performed within authorized penetration testing engagements with explicit consent from the system owner.
  5. What are the risks associated with Meterpreter port forwarding?
    • Risks associated with Meterpreter port forwarding include unauthorized access, potential data breaches, and legal consequences if used without proper authorization.

See more: Metasploit Unleashed – Meterpreter
