topic Re: How do I configure my firewall to let Metasploitable VM forward to my host windows machine? in Security

How do I configure my firewall to let Metasploitable VM forward to my host windows machine?

tweilersec — Tue, 17 Apr 2018 04:53:13 GMT

I am looking to play with some backdoors and exploits for research purposes, so I have a Metasploitable VM set up. I've installed the Splunk Forwarder on that VM and have confirmed that it is running. I have set it up to index on my host machine (Windows 10).

I know everything is pointing to the right place because when I disable my Windows Firewall completely (yikes), I can see all the logs I generated from the VM, even from events that happened before I disabled the firewall. For instance, I sent many whoami requests through a backdoor in the VM and Splunk Search had no logs documenting it, however when I turned off my firewall (on host machine), all the logs from the last 15 minutes of activity were suddenly there.

I've tried fixing this problem for awhile and have tried opening, inbound and outbound, every port Splunk would feasibly use. They were open on Metasploitable's UFW as well. (ie 8000, 8089, 9997, 389, 3268, plus a custom port I used instead of 9997).

Not sure what other information I might need to provide, but if someone would try and lend me a hand I would really appreciate it.

Re: How do I configure my firewall to let Metasploitable VM forward to my host windows machine?

damien_chillet — Tue, 17 Apr 2018 10:17:58 GMT

Could you run the following search your host machine:

index=_internal metrics "group=tcpin_connections"

That will let you know with ports are being used to forward data.

Re: How do I configure my firewall to let Metasploitable VM forward to my host windows machine?

tweilersec — Tue, 17 Apr 2018 19:03:48 GMT

It looks like there's data coming from the /bin/metrics.log, sent on 42144 and coming in on the forwarding port I used instead of 9997, I opened both of those on the VM as well as the host machine but I'm still not seeing any real-time logs when I query from the VM.

Re: How do I configure my firewall to let Metasploitable VM forward to my host windows machine?

tweilersec — Tue, 17 Apr 2018 19:05:12 GMT

I'm trying to put a screenshot in the comment but it doesn't appear to be working.

Re: How do I configure my firewall to let Metasploitable VM forward to my host windows machine?

tweilersec — Tue, 17 Apr 2018 19:05:35 GMT

https://imgur.com/a/2Z8yH

Re: How do I configure my firewall to let Metasploitable VM forward to my host windows machine?

damien_chillet — Wed, 18 Apr 2018 10:38:06 GMT

Okay, can you confirm you opened TCP port (not UDP)?
Can you check for "connection refused" or something similar under the _internal index while the firewall is turned on?