Security

How do I configure my firewall to let Metasploitable VM forward to my host windows machine?

tweilersec
New Member

I am looking to play with some backdoors and exploits for research purposes, so I have a Metasploitable VM set up. I've installed the Splunk Forwarder on that VM and have confirmed that it is running. I have set it up to index on my host machine (Windows 10).

I know everything is pointing to the right place because when I disable my Windows Firewall completely (yikes), I can see all the logs I generated from the VM, even from events that happened before I disabled the firewall. For instance, I sent many whoami requests through a backdoor in the VM and Splunk Search had no logs documenting it, however when I turned off my firewall (on host machine), all the logs from the last 15 minutes of activity were suddenly there.

I've tried fixing this problem for awhile and have tried opening, inbound and outbound, every port Splunk would feasibly use. They were open on Metasploitable's UFW as well. (ie 8000, 8089, 9997, 389, 3268, plus a custom port I used instead of 9997).

Not sure what other information I might need to provide, but if someone would try and lend me a hand I would really appreciate it.

0 Karma

damien_chillet
Builder

Could you run the following search your host machine:

index=_internal metrics "group=tcpin_connections"

That will let you know with ports are being used to forward data.

0 Karma

tweilersec
New Member
0 Karma

damien_chillet
Builder

Okay, can you confirm you opened TCP port (not UDP)?
Can you check for "connection refused" or something similar under the _internal index while the firewall is turned on?

0 Karma

tweilersec
New Member

I'm trying to put a screenshot in the comment but it doesn't appear to be working.

0 Karma

tweilersec
New Member

It looks like there's data coming from the /bin/metrics.log, sent on 42144 and coming in on the forwarding port I used instead of 9997, I opened both of those on the VM as well as the host machine but I'm still not seeing any real-time logs when I query from the VM.

alt text

0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!