Jump to content

metasploit pivoting


Recommended Posts

Does pivoting still work?  I did an online class recently and it seemed like everything was ok but I could not get a reverse shell using psexec.  Anyone have luck with that?  I was using kali 2019.2 and .3.  Psexec worked on the first network, it saw the second network but refused a reverse connection.  I was using meterpreter reverse tcp.  The two boxes I were using were Win10 boxes in which I knew the usernames and passwords. 

Just as a proof of concept I tried the same thing but used two xp boxes with the same setup.  Kali had the same issues using MS08-067.  It would connect to the first box but refused to pivot.  I ended up trying parrot which i think was 4.7 and it worked fine however I had to use a reverse tcp bind.  Went back to win10 and couldn't get parrot to work psexec.  So just wondering if I'm missing anything with pivoting?  I'm adding the route, it shows it's added, I can ping it.  Just can't get a reverse shell.  Any help would be great.  I have the VMs powered down at the moment but can bring them back up to give exact answers to any questions.


Link to comment
Share on other sites

I heard something about empty pipes? Secret code, come on in...


I've always wanted to cover this topic. Pipes!


Sometimes its best to practice with tools like netcat. You should simulate this pipe work or pivit with basic pipes and hello world examples to make sure you can get a proper tcp 3way handshake.


Kali~> Ssh -R 4444:localhist:4444 admin@victim.ip

This is a basic pivit like command. It will pivit port 4444. Its just a example of what metasploit is basicly doing. 


When i was doing my testing with metasploit and reverse tcp pivit. I had to change the exploit code to generate the payload with a public ip address.


LHOST is used when generating the payload but also used by the multihandler. So you cant just change lhost in msfconsole because your multihandler will fail with unknown local ip.


Multihandler has to listen on

The payload has to generate with the public reverse address...


Maybe im wrong or things have changed since my testing.


I thought about adding my own var to metasploit payload generation. LHOST/PHOST

I think the metasploit team intentionally left this option unavailable. because its intended use is very powerful. Or maybe provided by the paid version lol



Link to comment
Share on other sites


This topic is now archived and is closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...