MATCHPORT

The MATCHPORT command inspects network traffic for activity on the specified ports. The payload will be paused until matching traffic is found.

Options

The MATCHPORT command expects several options:

MATCHPORT [interface] [protocol] [connection type] [port] ... [portN]

Interface

MATCHPORT requires a network interface. Typically on the Packet Squirrel this is br-lan, the virtual interface which connects the Ethernet ports.

Protocol

MATCHPORT requires a protocol to match: TCP and UDP match only connections on those protocols, while ANY matches both.

Connection type

A connection type of NEW causes MATCHPORT to only find connections which have started while it has been running. A connection type of ANY will match connections already in progress.

Ports

MATCHPORT can match any number of ports.

Return values

MATCHPORT will exit when a packet is seen on the monitored ports.

MATCHPORT will print the port pairs which caused the match (source and destination of the packet).

Experimenting

You can experiment with the MATCHPORT command live, either in the Web Shell in the web UI or via SSH!

Examples

The most basic use of the MATCHPORT command is to halt execution of a payload until traffic is seen. This demonstration payload will disconnect the Target device if it is seen to connect to a specific port.

#!/bin/bash

# Title: Matchport example
#
# Description: Disconnect the Target device if there is traffic to the meterpreter default port

# Set bridge mode
NETMODE BRIDGE

# Wait for any connections on port 4444
MATCHPORT br-lan TCP ANY 4444

# Jail the target
NETMODE JAIL

# Set the LED
LED R VERYFAST
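
The following payload is an added example, not part of the original page or Hak5's own code: it combines the NEW connection type, several ports, and the printed port pair described under "Return values" to record what triggered the quarantine. Assumptions: MATCHPORT prints its match on stdout, the log path /tmp/matchport.log and port 5555 are placeholders, and the stand-in functions are constructed only so the script can be run off-device.

```shell
#!/bin/bash
# Added example, not from the original page.
# Quarantine the Target on NEW TCP connections to watched ports and
# keep a record of what MATCHPORT printed.

LOG_FILE="${LOG_FILE:-/tmp/matchport.log}"   # assumption: log location
WATCH_PORTS="4444 5555"                      # 4444 is from the page; 5555 is a placeholder

# Constructed stand-ins so the script also runs off-device; on a Packet
# Squirrel the real commands are found and these are skipped.
if ! command -v MATCHPORT >/dev/null 2>&1; then
    STUB_CALLS=""
    MATCHPORT() { echo "constructed sample match (real output format not shown here)"; }
    NETMODE()   { STUB_CALLS="${STUB_CALLS}[NETMODE $*]"; }
    LED()       { STUB_CALLS="${STUB_CALLS}[LED $*]"; }
fi

# Block until a match, log it, then jail the Target.
# Usage: wait_and_quarantine <interface> <port> [port...]
wait_and_quarantine() {
    local iface="$1" match
    shift
    # Assumption: MATCHPORT prints the matching port pair on stdout.
    match="$(MATCHPORT "$iface" TCP NEW "$@")" || return 1
    [ -n "$match" ] || return 1
    # The output is treated as opaque text; only a UTC timestamp is added.
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$match" >> "$LOG_FILE"
    NETMODE JAIL
    LED R VERYFAST
}

# Set bridge mode, then wait on the watch list.
NETMODE BRIDGE
# shellcheck disable=SC2086  # word splitting of the port list is intended
wait_and_quarantine br-lan $WATCH_PORTS
```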
