Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do I configure my firewall to let Metasploitable VM forward to my host windows machine?

tweilersec
New Member
‎04-16-2018 09:53 PM

I am looking to play with some backdoors and exploits for research purposes, so I have a Metasploitable VM set up. I've installed the Splunk Forwarder on that VM and have confirmed that it is running. I have set it up to index on my host machine (Windows 10).

I know everything is pointing to the right place because when I disable my Windows Firewall completely (yikes), I can see all the logs I generated from the VM, even from events that happened before I disabled the firewall. For instance, I sent many whoami requests through a backdoor in the VM and Splunk Search had no logs documenting it, however when I turned off my firewall (on host machine), all the logs from the last 15 minutes of activity were suddenly there.

I've tried fixing this problem for awhile and have tried opening, inbound and outbound, every port Splunk would feasibly use. They were open on Metasploitable's UFW as well. (ie 8000, 8089, 9997, 389, 3268, plus a custom port I used instead of 9997).

Not sure what other information I might need to provide, but if someone would try and lend me a hand I would really appreciate it.

0 Karma
Reply

damien_chillet
Builder
‎04-17-2018 03:17 AM

Could you run the following search your host machine:

index=_internal metrics "group=tcpin_connections"

That will let you know with ports are being used to forward data.

0 Karma
Reply

tweilersec
New Member
‎04-17-2018 12:05 PM

https://imgur.com/a/2Z8yH

0 Karma
Reply

damien_chillet
Builder
‎04-18-2018 03:38 AM

Okay, can you confirm you opened TCP port (not UDP)?
Can you check for "connection refused" or something similar under the _internal index while the firewall is turned on?

0 Karma
Reply

tweilersec
New Member
‎04-17-2018 12:05 PM

I'm trying to put a screenshot in the comment but it doesn't appear to be working.

0 Karma
Reply

tweilersec
New Member
‎04-17-2018 12:03 PM

It looks like there's data coming from the /bin/metrics.log, sent on 42144 and coming in on the forwarding port I used instead of 9997, I opened both of those on the VM as well as the host machine but I'm still not seeing any real-time logs when I query from the VM.

alt text

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...