Reverse Port Forward

Reverse Port Forwarding allows a machine to redirect inbound traffic on a specific port to another IP and port. A useful implementation of this allows machines to bypass firewall and other network segmentation restrictions, to talk to nodes they wouldn't normally be able to.

Check if can communicate to Kali

Can't? -> check for internal compromised machine that it CAN access.

Setup

In our scenario here, have compromised a machine called WS05 and have SYSTEM on it. We will run the following meterpreter commands:

Port 90: this is our local port that is running a python web-server Port 7777: this is the port on WS05 that will be opened, it will forward to local port 90

Port 8888: this is our local port that is running multi/handler listener to catch shell Port 80: this is the port on WS05 that will be opened, it will forward to local port 8888

Port 888: this is our local port that is running a multi/handler listener to catch shell Port 443: this is the port on WS05 that will be opened, it will forward to local port 888

We will also have to add Firewall rules to WS05 to actually open them:

So now, we can utilize the open ports 80 and 443 on WS05 for meterpreter shells and port 7777 to retrieve files from our Kali box.

Retrieving a file from our web-server would like like this:

Shell example

So now our meterpreter shell should be setup as follows:

LHOST: IP address of WS05 that has port 80 opened LPORT: Port of WS05 that is open and will forward to Kali

Our multi/handler will be setup as follows:

Note that LHOST is still set to Kali IP but LPORT has been set to the local port that we used for the reverse port forward.

Overview

So, we use WS04 as initial pivot to access the internal network, we have the reverse port forward setup on WS05. To get shell on SQL01, SQL01 will call to port 80 of WS05, which will forward it to local port 8888 on Kali (pivoting back through WS04).