Metasploit mailing list archives

use of meterpreter (copy for the list)


From: mmiller at hick.org (mmiller at hick.org)
Date: Thu, 14 Apr 2005 03:43:58 -0500

On Thu, Apr 14, 2005 at 10:14:56AM +0200, Thomas Werth wrote:
Let's see if I understand correctly:
Exploiting another host and using meterpreter is the first thing I do.
Now the portfwd of meterpreter isn't running on the victim's host; instead it
is running on "my" host, correct?

Sort of.  The "listener" is running on your local machine.  When you
connect to the local port, the meterpreter client that is running on
your machine talks to the meterpreter server that is running on the
machine you exploited and asks it to open a TCP connection to the remote
host and port that you specified with your port forward on your behalf.
The result acts just like a normal port forward.  I'll describe the
packet flow at the end of this message [1].

Now I set up port forwarding using localhost and the next desired target IP.
When now running the attack based on the proxy, port forwarding does its job and
the exploit should work, correct?

Yep -- it should be entirely transparent.

Now my question, for better understanding:
As port forwarding is running on my host and the target IP is different from
the "proxy host", why do I need to exploit the proxy host? It seems to me
this host isn't needed when using localhost and the next target IP for the
"proxy attack". How is the "flow of packets"?

I think there's a disconnect here.  While there is a "listener" running
on your machine, it is not your machine that actually establishes the
connection to the target machine.  Instead, the meterpreter server
instance that is running on the machine you exploited is what is
responsible for actually establishing the connection to the target
machine.  This is what allows you to pivot onto other networks that you
would otherwise not be able to access directly.

In case of logging on the "next target host", which attacker IP will be logged?

The address of the 'ProxyHost' from your previous example is what will
be seen as the requestor address by the 'next target host'.

[1] If you're familiar with SSH tunnels then this should make sense.
This step-by-step demonstrates establishing a connection from your machine
(123.0.0.1) through a firewall (10.0.0.1) to an internal machine
(10.0.0.254) on port 22:

1. A listener is set up on 127.0.0.1:4444 on your client machine.
2. You telnet to 127.0.0.1:4444, causing the meterpreter client on your
   machine to send a message (network_open_tcp_channel) with the target
   information of 10.0.0.254:22
3. The firewall (10.0.0.1) then establishes a TCP connection to
   10.0.0.254 on port 22.  Once the connection is established, the
   meterpreter server running on the firewall sends a response with a
   unique channel identifier to the meterpreter client running on your
   machine.
4. When you send data through telnet, the meterpreter client reads it in
   and encapsulates it in a message (core_channel_write) that is sent
   using the unique channel identifier that the client and server agreed
   on.
5. When the server receives the core_channel_write request, it
   decapsulates the data and transmits it to the TCP connection that is
   established with 10.0.0.254 on port 22.

Steps 4 and 5 are exactly the same when it comes to data originating on
the server side that needs to be sent to the client.

6. When you close telnet, a message (core_channel_close) is sent from
   the meterpreter client to the server which causes the server to close
   the TCP connection with 10.0.0.254:22.

Hope that helps!
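The six-step flow above, as an added in-memory model that is not part of the original post or of the Metasploit code: three parties (meterpreter client, meterpreter server on the pivot 10.0.0.1, and the internal host 10.0.0.254) exchange the messages named in the post, and the model returns what the target logged. The method names are the post's; the message field names, the channel-id scheme, the toy service and the target's log format are assumptions, and no real socket is opened.

```python
import itertools

# Addresses from the post; nothing here opens a real socket.
PIVOT_IP, TARGET_IP = "10.0.0.1", "10.0.0.254"


class Target:
    """Internal host 10.0.0.254; records the peer address of each accepted connection."""
    def __init__(self):
        self.log = []

    def accept(self, peer_ip, port):
        self.log.append(f"connection to port {port} from {peer_ip}")  # constructed log format
        return lambda data: data.upper()  # toy service standing in for sshd: echo upper-cased


class MeterpreterServer:
    """Runs on the exploited pivot; it alone holds TCP connections to the target."""
    def __init__(self, own_ip, network):
        self.own_ip, self.network = own_ip, network
        self.channels, self.ids = {}, itertools.count(1)

    def handle(self, msg):
        if msg["method"] == "network_open_tcp_channel":  # step 3: the pivot connects outward
            cid = next(self.ids)
            self.channels[cid] = self.network[msg["host"]].accept(self.own_ip, msg["port"])
            return {"channel_id": cid}
        if msg["method"] == "core_channel_write":  # step 5: decapsulate, write, return reply
            return {"data": self.channels[msg["channel_id"]](msg["data"])}
        if msg["method"] == "core_channel_close":  # step 6: tear down the real connection
            del self.channels[msg["channel_id"]]
            return {"closed": True}
        raise ValueError(f"unknown method {msg['method']}")


def portfwd_session(server, host, port, payload):
    """Steps 2, 4 and 6 as driven by the meterpreter client on your own machine."""
    cid = server.handle({"method": "network_open_tcp_channel",
                         "host": host, "port": port})["channel_id"]
    reply = server.handle({"method": "core_channel_write",
                           "channel_id": cid, "data": payload})["data"]
    server.handle({"method": "core_channel_close", "channel_id": cid})
    return cid, reply


def run_example():
    """One forwarded connection 127.0.0.1:4444 -> 10.0.0.254:22; returns what each side saw."""
    target = Target()
    server = MeterpreterServer(PIVOT_IP, {TARGET_IP: target})
    cid, reply = portfwd_session(server, TARGET_IP, 22, "hello")
    return cid, reply, target.log, dict(server.channels)
```

The returned log line carries the pivot's address, never the client's, which is the answer to the logging question above and the reason a defender correlating logs on the internal host sees only the compromised pivot.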
