Security
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How do I configure my firewall to let Metasploitable VM forward to my host windows machine?

tweilersec
New Member
‎04-16-2018 09:53 PM

I am looking to play with some backdoors and exploits for research purposes, so I have a Metasploitable VM set up. I've installed the Splunk Forwarder on that VM and have confirmed that it is running. I have set it up to index on my host machine (Windows 10).

I know everything is pointing to the right place because when I disable my Windows Firewall completely (yikes), I can see all the logs I generated from the VM, even from events that happened before I disabled the firewall. For instance, I sent many whoami requests through a backdoor in the VM and Splunk Search had no logs documenting it, however when I turned off my firewall (on host machine), all the logs from the last 15 minutes of activity were suddenly there.

I've tried fixing this problem for awhile and have tried opening, inbound and outbound, every port Splunk would feasibly use. They were open on Metasploitable's UFW as well. (ie 8000, 8089, 9997, 389, 3268, plus a custom port I used instead of 9997).

Not sure what other information I might need to provide, but if someone would try and lend me a hand I would really appreciate it.

0 Karma
Reply

damien_chillet
Builder
‎04-17-2018 03:17 AM

Could you run the following search your host machine:

index=_internal metrics "group=tcpin_connections"

That will let you know with ports are being used to forward data.

0 Karma
Reply

tweilersec
New Member
‎04-17-2018 12:05 PM

https://imgur.com/a/2Z8yH

0 Karma
Reply

damien_chillet
Builder
‎04-18-2018 03:38 AM

Okay, can you confirm you opened TCP port (not UDP)?
Can you check for "connection refused" or something similar under the _internal index while the firewall is turned on?

0 Karma
Reply

tweilersec
New Member
‎04-17-2018 12:05 PM

I'm trying to put a screenshot in the comment but it doesn't appear to be working.

0 Karma
Reply

tweilersec
New Member
‎04-17-2018 12:03 PM

It looks like there's data coming from the /bin/metrics.log, sent on 42144 and coming in on the forwarding port I used instead of 9997, I opened both of those on the VM as well as the host machine but I'm still not seeing any real-time logs when I query from the VM.

alt text

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...