Once a meterpreter shell is obtained on a system a larger range of options is available to the Penetration Tester for accessing the system. In a hypothetical scenario the victim is running a vulnerable mail server on port 25, and we have a remote exploit we wish to use against it. Unfortunately for us it’s behind a firewall. After getting a meterpreter shell via a client side attack we want to somehow bypass the firewall and get access to port 25. Meterpreters portfwd can do this.

Tool
portfwd

Basic Syntax

portfwd add -l <local port on the attacking machine (yours)> -p <victim port we want to access> -r <victim IP address>
Breakdown
add : this is telling portfwd to add the following path to it’s routing table. You can also delete portfwds, etc.
-l : local port on the attacking machine. This is essentially what “becomes” the target port we are trying to access.
-p : victim port we are trying to access. In the above hypothetical that would be port 25.
-r : the victim IP address, also in Metasploit terminology this would be the RHOST value.

Example – Given the Victims IP is 192.168.1.99

portfwd add -l 1234 -p 25 -r 192.168.1.99
./super_remote_mail_exploit --target: 127.0.0.1:1234 # This would actually attack the victim's port 25.
Advanced Reading
There is certainly a lot more to port forwarding that the portfwd module in Metasploit, but it’s certainly handy in terms of being able to bypass firewall restrictions in certain situations and access previously protected ports.