Metasploit mailing list archives
Pentesting through FW, advice needed
From: natron at invisibledenizen.org (natron)
Date: Tue, 29 Jul 2008 09:35:18 -0500
He wrote "unprivileged PHP shell", which makes me assume he does not have the ability to compile software on the remote host. One thing I have done before is bounced connections (for nessus, nmap -sC, and msf) through HTTP and/or SOCKS proxies using SOCAT ( http://www.dest-unreach.org/socat/ ). I've never tried this, but if you could get a PHP-based proxy up and working, you could then use tools like SOCAT to bounce through the proxy. Unfortunately, the proxy has to support HTTP CONNECT; I was unable to find a PHP-based proxy supporting it in my two minutes of googling.

Good luck,
N

On Tue, Jul 29, 2008 at 8:15 AM, Ron <ron at skullsecurity.net> wrote:

Depending on how their firewall is configured, and what kind of payload you want, you can likely use a couple of netcat relays to bounce through host B. Start up a netcat relay (listener) on your attack machine (and poke a hole in your own firewall to let it through). Then start up a netcat relay on the host, connecting one end to the host/port you want to attempt to exploit and the other back to your own relay. Then do the same thing for the payload (might be able to get around that requirement by using the 'ord' payload, but I'm not sure?). Run the exploit through the relay, and there you go.

This assumes, of course, that you either have or can compile netcat on the target machine. Your mileage may vary on that. :)

Giorgio Casali wrote:

Hi all, during a pentest I managed to shovel an unprivileged PHP reverse shell on a NATed host (host B) behind a Checkpoint FW-1. I then noticed there are several potential targets reachable only from host B. I was wondering if there was a method to exploit them from my PC (behind another FW that I manage) directly, without the need of uploading Metasploit on host B and exploiting the targets from there. I was thinking about creating a custom payload with a correct handler, but don't know well how to use the payload generated by msfpayload.

Thanks in advance,
G.C.

_______________________________________________
http://spool.metasploit.com/mailman/listinfo/framework