If you are running an external penetration test and are working from a NATed network behind a wireless router, for example from home, you will need to adjust your router's port forwarding settings so the payload can connect back to Metasploit. The best option would be to eliminate the router and connect directly to the Internet, but that would make me unpopular with the other folks sharing the Internet connection, so it wasn't an option in my case. Setting up the port forwarding is not too difficult, but verifying that it works can be a little tricky. This blog post walks you through the steps to ensure that your network is set up correctly.

You won't need to go through these steps if the computer running Metasploit has a public IP address. Once you're done with the penetration test, you should remove the port forwarding to avoid this or a different machine being exposed on the Internet.

In this example, the machine running Metasploit Pro has the IP address We'll choose 4444 as the listener port, both internally and externally, to reduce confusion. This is an Asus router, so your router configuration may look different.

My router doesn't support ranges for the local port, otherwise I could have entered the range of 1024-65535 for both the external Port Range and the internal Local Port. This would give the payload a larger number of ports to connect back on, which increases the number of concurrent exploits you can run. Feel free to experiment with this if your router supports it, as it will make your penetration test faster and more likely to succeed. Another option for me would have been to enter more than one line of port forwards, but one seemed enough to demonstrate the point.

Next, we'll set up a listener to test the port forwarding. Go to the modules tab and search for "Generic Payload Handler".

Select the module. We'll now need your public IP address. You can either get it from your router settings, or go to http://www.whatismyip.com/. Enter it in the Listener Host field and leave the listener ports in their default configuration of 4444-4444. You need to use a range, not a single value, otherwise the module will not work. Run the module. We now have an active listener running on the Metasploit machine, and port 4444 on the router is forwarded to the Metasploit machine.

Now let's test that the forwarding is working as expected. Go to www.canyouseeme.org, enter port 4444 in the box, and hit the Can You See Me button. If your configuration is set up correctly, you'll see a success message like this:

Congratulations, you've done it! If you're getting a message that the port is not accessible, it may be because your ISP blocks higher ports.

Before you start with your penetration test, you should stop the Generic Payload Handler task. Choose the exploit task, and set the Listener Port to 4444. When you're done, don't forget to switch off the port forwarding. You can get your Metasploit Pro trial on the Rapid7 website. Good luck!