Metasploit mailing list archives
Client side attacks - reverse connection through HTTP proxy
From: tyronmiller at gmail.com (Ty Miller)
Date: Tue, 23 Dec 2008 11:23:45 +1100
Hey guys,

Thought this might be relevant for this discussion. This isn't included in Metasploit yet, but at Blackhat this year I released "Reverse DNS Tunneling Shellcode" that will connect out via DNS and bypasses all authenticated proxies and firewalls. The only thing that will stop it is if the organization has a Split DNS architecture implemented. This was why earlier in the year I was asking whether DNS support had been implemented into Metasploit yet.

I have only released the initial version (v0.3) at http://www.projectshellcode.com so far, which was a little buggy, but have been working on it since then to fix bugs and make the shellcode much more stable. I am now up to v0.11, which is stable and works great, but has an output limitation. I will be releasing v1.0 in the near future, which will have no limitations and is stable.

Check it out at http://www.projectshellcode.com, and if you want the latest version then drop me an email and I'll either release v0.11 or shoot it to you directly.

Cheers,
Ty

On Tue, Dec 23, 2008 at 9:24 AM, natron <natron at invisibledenizen.org> wrote:
Additionally, downloadexec works in that environment too. You can combine the two to make passivex work with IE7/IE8. The reason passivex doesn't work anymore is because of some new permissions that have to be set. So, if you make a little .vbs script or similar that will nuke the right registry entries, passivex will load and all will work correctly. I've used a .vbs file that:

1) modifies the registry entries correctly for IE7/IE8
2) launches IE7 pointed towards your passivex handler

FYI, in my testing of this payload, I realized that the current stage1 loader completely nukes the security settings for IE6 for the Internet zone. That's bad, bad, bad. If you use it in a real PT environment, realize that you have to come back later and clean up those registry settings or that computer is likely to get infected all day on the internet. It will accept arbitrary activex from anyone and automatically run it. Track down the Uninformed article on passivex for the details.

But anyway, currently, the .vbs file has to be put into a self-extracting archive to get it to work correctly, which is stupid. I haven't had time to get the bugs ironed out so that you can do it all within msf. Once I get that done, I'll send it out to the group.

n

2008/12/22 Taras P. Ivashchenko <naplanetu at gmail.com>:

On Mon, 22 Dec 2008 16:50:09 -0500 ArcSighter Elite <arcsighter at gmail.com> wrote:

At this moment IE6 is the most popular on win corporate desktops, as I think, and it's the only capability in Metasploit to bypass the target's firewall through an HTTP proxy using IE proxy settings. By the way, it will be interesting to try it :)

Taras P. Ivashchenko wrote:

ArcSighter Elite, thanks! I will try it. If the PassiveX stager would work on IE7/8 that would be awesome.

It's all you need. It's basically IE connecting. And only uses POST/GET.

Hey, hey! I just said that if it would work in IE7/8. Currently, it only works against IE6 as far as I know.
--
Taras Ivashchenko, OSCP
www.securityaudit.ru
----
"Software is like sex: it's better when it's free." - Linus Torvalds

_______________________________________________
http://spool.metasploit.com/mailman/listinfo/framework
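As a defender's counterpart to the DNS-tunnel shellcode Ty describes above (which only a split-DNS design stops at the perimeter), here is an added example, not code from the thread or from projectshellcode.com, that scores resolver query logs for the pattern such a channel produces: one client sending many unique, long, high-entropy subdomains to a single zone. The log format, the client addresses, the thresholds and the `.test` zone are all constructed assumptions.

```python
import math
from collections import defaultdict

# Constructed sample resolver log: "<epoch> <client_ip> <qname> <qtype>".
# 10.0.0.5 does ordinary lookups; 10.0.0.9 sends many unique, long,
# hex-looking subdomains of one zone, the shape DNS-tunnelled data takes.
SAMPLE_LOG = """\
1230000000 10.0.0.5 www.example.com A
1230000001 10.0.0.5 mail.example.com A
1230000002 10.0.0.5 www.example.com A
1230000003 10.0.0.5 www.example.com A
1230000004 10.0.0.9 7a3f9c1e0b2d4e6f8a1c3e5b7d9f0a2c.tunnel-placeholder.test TXT
1230000005 10.0.0.9 4e6f8a1c3e5b7d9f0a2c7a3f9c1e0b2d.tunnel-placeholder.test TXT
1230000006 10.0.0.9 9f0a2c7a3f9c1e0b2d4e6f8a1c3e5b7d.tunnel-placeholder.test TXT
1230000007 10.0.0.9 3e5b7d9f0a2c7a3f9c1e0b2d4e6f8a1c.tunnel-placeholder.test TXT
1230000008 10.0.0.9 0b2d4e6f8a1c3e5b7d9f0a2c7a3f9c1e.tunnel-placeholder.test TXT
"""

def shannon_entropy(text):
    """Bits per character of a label; encoded payload data scores high."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def split_qname(qname):
    """Return (subdomain part, zone), treating the last two labels as the zone."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def score_clients(log_text, min_queries=4, min_unique_ratio=0.8, min_entropy=3.0):
    """Flag (client, zone) pairs whose subdomains look like encoded data."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of aborting the run
        _, client, qname, _ = parts
        sub, zone = split_qname(qname)
        seen[(client, zone)].append(sub)
    flagged = {}
    for key, subs in seen.items():
        if len(subs) < min_queries:
            continue
        unique_ratio = len(set(subs)) / len(subs)
        entropy = sum(shannon_entropy(s) for s in subs) / len(subs)
        if unique_ratio >= min_unique_ratio and entropy >= min_entropy:
            flagged[key] = {"queries": len(subs), "unique_ratio": unique_ratio,
                            "entropy": round(entropy, 2)}
    return flagged
```

Thresholds are starting points; tune them against your own resolver's baseline, since CDNs and some mail-security services also generate many unique subdomains.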
Current thread:
- Client side attacks - reverse connection through HTTP proxy Taras P. Ivashchenko (Dec 22)
- Client side attacks - reverse connection through HTTP proxy ArcSighter Elite (Dec 22)
- Client side attacks - reverse connection through HTTP proxy Taras P. Ivashchenko (Dec 22)
- Client side attacks - reverse connection through HTTP proxy ArcSighter Elite (Dec 22)
- Client side attacks - reverse connection through HTTP proxy Taras P. Ivashchenko (Dec 22)
- Client side attacks - reverse connection through HTTP proxy H D Moore (Dec 22)
- Client side attacks - reverse connection through HTTP proxy natron (Dec 22)
- Client side attacks - reverse connection through HTTP proxy Ty Miller (Dec 22)
- Client side attacks - reverse connection through HTTP proxy Taras P. Ivashchenko (Dec 22)
- Client side attacks - reverse connection through HTTP proxy ArcSighter Elite (Dec 22)