- Joined
- Jun 28, 2020
- Messages
- 6,308
- Reaction score
- 710
- Points
- 212
- Awards
- 2
Port forwarding: Accessing local ports remotely
The starting point of this tutorial is where the last tutorial has ended: a Meterpreter shell that was gained through exploiting HTTP PUT that allowed us to uploads malicious files to the web root directory.
The starting point of this tutorial is a Meterpreter shell.
When we run ipconfig on the Metasploitable 3 machine we can see there’s a second NIC present with IP 10.0.2.15 as we can see on the following screenshot.
Multiple NICs on Metasploitable 3.
The only problem is that this network is currently not routable from our Kali Linux attack machine. To access this network we would have to setup a socks4 proxy with proxychains to forward all connections to this subnet. The same technique would also allow us to scan the target network from the perspective of the Metasploitable 3 machine. This would reveal open ports and services that can be accessed locally but not remotely. One example of such service is the MySQL service that is running on port 3306. The initial Nmap scans didn’t reveal this port as it is firewalled because it’s not meant to be accessed remotely. When we run netstat on the Metasploitable 3 machine we can verify that port 3306 is used on the machine and has the service with PID 2224 attached:
Netstat output on Metasploitable 3.
By running tasklist we can verify that MySQL.exe is running on PID 2224:
PID for MySQL.
Now that we know MySQL is running on port 3306 and cannot be accessed remotely, we need to setup the Meterpreter shell in a way that we can tunnel connections over the shell. Since the Meterpreter shell runs locally and is able to access port 3306, we need to forward a local port to the Metasploitable 3 machine over the Meterpreter shell. The easiest way to do this is to use the Meterpreter portfwd module. Before we forward the local port to Metasploitable 3, let’s have a look at the port forwarding functionality in general first to get a better understanding of what it exactly does.
Meterpreter port forwarding
The portforward fucntionality in Meterpreter can be used as a pivoting technique to access networks and machines through the compromised machines that are otherwise inaccessible. The portfwd command will relay TCP connections to and from the connected machines. In the following steps we’ll be making the mySQL server port 3306 available on the local attack machine and forward the traffic on this port to Metasploitable 3. When all is setup we will be connecting to the localhost on port 3306 with the mysql command line client. The connection to these ports will be forwarded to Metasploitable 3.
We can create the tunnels using the following commands:
portfwd add -l 3306 -p 3306 -r 172.28.128.3
Let’s explain the parameters we’ve used in the command:
Forwarding local port 3306 to port 3306 on 172.28.128.3
We can verify that local port 3306 is open on our local machine by running netstat as following:
Port 3306 available on the local attack box.
Next we can access the MySQL service on Metasploitable 3 by having the MySQL client connect to the localhost as following:
mysql -u root 127.0.0.1
Successful connection to the MySQL server.
Connecting to the MySQL server also revealed a commonly seen security issue; we did not supply a password in the connection command and we were not prompted to enter one either. As we can see in the screenshot we are able to list all databases present on the MySQL server, including the WordPress database. Just because a service can be accessed locally only, it doesn’t mean that a password protection layer becomes obsolete. As we can see connections and ports can easily be forwarded when an attacker has shell access to the machine.
Now that we’ve access to the WordPress database, we might as well extract the user password hashes using the following SQL query:
select user_login, user_pass from wp_users;
WordPress password hashes
Running a dictionary attack on the admin hash with john reveals the password for the WordPress admin user:
john –wordlist=/usr/share/wordlists/rockyou.txt wpaccounts
The password for the admin account is sploit.
In this tutorial we’ve learned about port forwarding with Meterpreter. We’ve forwarded connections from a local port on our attack box, over Meterpreter to a local port on the Metasploitable 2 machine. This allowed us to access port 3306 on Metasploitable 3 from a remote machine. In the next and last Metasploitable 3 hacking tutorial we will be attacking the WordPress installation using a few different attack vectors.
The starting point of this tutorial is where the last tutorial has ended: a Meterpreter shell that was gained through exploiting HTTP PUT that allowed us to uploads malicious files to the web root directory.
The starting point of this tutorial is a Meterpreter shell.
When we run ipconfig on the Metasploitable 3 machine we can see there’s a second NIC present with IP 10.0.2.15 as we can see on the following screenshot.
Multiple NICs on Metasploitable 3.
The only problem is that this network is currently not routable from our Kali Linux attack machine. To access this network we would have to setup a socks4 proxy with proxychains to forward all connections to this subnet. The same technique would also allow us to scan the target network from the perspective of the Metasploitable 3 machine. This would reveal open ports and services that can be accessed locally but not remotely. One example of such service is the MySQL service that is running on port 3306. The initial Nmap scans didn’t reveal this port as it is firewalled because it’s not meant to be accessed remotely. When we run netstat on the Metasploitable 3 machine we can verify that port 3306 is used on the machine and has the service with PID 2224 attached:
Netstat output on Metasploitable 3.
By running tasklist we can verify that MySQL.exe is running on PID 2224:
PID for MySQL.
Now that we know MySQL is running on port 3306 and cannot be accessed remotely, we need to setup the Meterpreter shell in a way that we can tunnel connections over the shell. Since the Meterpreter shell runs locally and is able to access port 3306, we need to forward a local port to the Metasploitable 3 machine over the Meterpreter shell. The easiest way to do this is to use the Meterpreter portfwd module. Before we forward the local port to Metasploitable 3, let’s have a look at the port forwarding functionality in general first to get a better understanding of what it exactly does.
Meterpreter port forwarding
The portforward fucntionality in Meterpreter can be used as a pivoting technique to access networks and machines through the compromised machines that are otherwise inaccessible. The portfwd command will relay TCP connections to and from the connected machines. In the following steps we’ll be making the mySQL server port 3306 available on the local attack machine and forward the traffic on this port to Metasploitable 3. When all is setup we will be connecting to the localhost on port 3306 with the mysql command line client. The connection to these ports will be forwarded to Metasploitable 3.
We can create the tunnels using the following commands:
portfwd add -l 3306 -p 3306 -r 172.28.128.3
Let’s explain the parameters we’ve used in the command:
- -l [port]is the local port that will be listening and forwarded to our target. This can be any port on your machine, as long as it’s not already being used by another service.
- -p [port]is the destination port on our targeting host.
- -r [target host]is the our targeted system’s IP or hostname.
Forwarding local port 3306 to port 3306 on 172.28.128.3
We can verify that local port 3306 is open on our local machine by running netstat as following:
Port 3306 available on the local attack box.
Next we can access the MySQL service on Metasploitable 3 by having the MySQL client connect to the localhost as following:
mysql -u root 127.0.0.1
Successful connection to the MySQL server.
Connecting to the MySQL server also revealed a commonly seen security issue; we did not supply a password in the connection command and we were not prompted to enter one either. As we can see in the screenshot we are able to list all databases present on the MySQL server, including the WordPress database. Just because a service can be accessed locally only, it doesn’t mean that a password protection layer becomes obsolete. As we can see connections and ports can easily be forwarded when an attacker has shell access to the machine.
Now that we’ve access to the WordPress database, we might as well extract the user password hashes using the following SQL query:
select user_login, user_pass from wp_users;
WordPress password hashes
Running a dictionary attack on the admin hash with john reveals the password for the WordPress admin user:
john –wordlist=/usr/share/wordlists/rockyou.txt wpaccounts
The password for the admin account is sploit.
In this tutorial we’ve learned about port forwarding with Meterpreter. We’ve forwarded connections from a local port on our attack box, over Meterpreter to a local port on the Metasploitable 2 machine. This allowed us to access port 3306 on Metasploitable 3 from a remote machine. In the next and last Metasploitable 3 hacking tutorial we will be attacking the WordPress installation using a few different attack vectors.