Re: PassiveX is dead?

[Richard Miles <richard.k.miles () googlemail com>]

Hi Sherif El-Deeb,

On Mon, Jun 20, 2011 at 11:04 AM, Sherif El-Deeb <archeldeeb () gmail com> wrote:
> If the proxy uses NTLM authentication and you have no valid
> credentials, I found no reliable way to get a meterpreter connection
> through that configuration, period. "as always, if I'm that sure then
> I'm most probably wrong...".

See previous message from HD Moore, it really support authentication.
Also, on the blog you suggested there is a post about it:

http://grey-corner.blogspot.com/2010/08/bypassing-restrictive-proxies-part-2.html

"PassiveX, and its restrictive proxy problems

In Metasploit, the method by which command channels are tunneled via
HTTP is the use of a PassiveX based payload.  These essentially make
use of an ActiveX browser plugin, implemented in the passivex.dll
file, which is installed into your victim systems Internet Explorer
browser when the victim visits a special webpage hosted using
Metasploit.  This browser plugin allows Internet Explorer to be used
as a transport mechanism for traffic generated from some other
Metasploit payload, such as a Windows shell, Meterpreter or VNC.  The
fact that Internet Explorer is being used to transport the payload
session means that the browsers proxy settings are automatically used,
and if the proxy uses NTLM authentication and the browser is
configured to support it, Integrated Windows Authentication will also
be used to logon to the proxy.  It's all a very cool setup and if you
want to read some more you can check here and here."

Sadly, passiveX just work with older versions of IE.

> If the proxy uses IP address based filters "i.e 10.10.10.5 is allowed
> but 10.10.10.6 is not" and does not apply protocol inspection then it
> is way easier to bypass the proxy by using the HTTP CONNECT method
> "works flawlessly if combined with proxytunnel and some dos-fu".

It's not my case. My main issue here is NTLM auth integrated with
proxy, if I'm able to auth (or use the auth from the browser, then I'm
good to use CONNECT, GET, POST or whatever I want).

> I had that issue in a test before and I had very difficult time going
> through that "ISA with NTLM auth.", and ended up getting the shell
> using a modified dnscat "added self-copy-on-execution-and-autostart
> methods".

Very interesting. This idea is nice. BTW, can you give me an example
of how did you used DNScat on Windows to force for example
meterpreter_bind_tcp connections over it?

Also, have you found a way to use a kind of "portable" java to use
DNScat even in Windows without Java installed?

> take a look at ratte "part of SET", it's buggy, it's unstable but
> works sometimes if it's only a PoC that you are after.

Interesting. I heard about that, but never checked. I was reading the
documentation, but it's not very clear to me. It inject into IE or
Firefox, but does it works with non admin privs?

Also, it just use proxy settings from browser (host and port), but
it's unable to use the NTLM credentials, right?

> and while we're on the topic, take a look here -->
> "http://grey-corner.blogspot.com/2010/06/bypassing-restrictive-proxies-part-1.html";

Very nice blog. Thanks.

> Till metasploit finds a way to go properly through proxies in the
> mentioned configurations, you might want to find another way to have
> your shell connected back to you...

Sure.


> Sherif Eldeeb.
>
> On Mon, Jun 20, 2011 at 6:00 PM, Richard Miles
> <richard.k.miles () googlemail com> wrote:
> > Hey HD Moore
> >
> > I see. But reverse_https is not able to reuse the same connection from
> > IE, right? Sor for example, if the IE browser uses a proxy and the
> > proxy require authentication (integrated on the DC) it will fail,
> > right?
> >
> > Thanks
> >
> > On Sun, Jun 19, 2011 at 12:51 PM, HD Moore <hdm () metasploit com> wrote:
> > > On 6/19/2011 10:43 AM, Richard Miles wrote:
> > > > Hi
> > > >
> > > > I tested passiveX against my Windows Vista and IE8 and it doesn't
> > > > work, I also tested against an Windows XP SP3 and IE7 and it also
> > > > failed, shell never returned.
> > > >
> > > > In my opinion passiveX was one of the best payloads in metasploit. Is
> > > > it really broken? Any prevision to fix it?
> > > >
> > > > Is it broken even in Metasploit Professional? There are better
> > > > payloads (more robust, hard to detect and better to find their way to
> > > > the internet on the Metasploit Professional)?
> > >
> > > This payload has been broken off and on for years; the original version
> > > only worked with IE6, Natron did a ton of work to make it work on IE7,
> > > but we will probably not be bringing it into IE8/IE9 compatibility, in
> > > favor of a different implementation altogether based on the
> > > reverse_https stager.
> > >
> > > -HD
> > > _______________________________________________
> > > https://mail.metasploit.com/mailman/listinfo/framework
> > _______________________________________________
> > https://mail.metasploit.com/mailman/listinfo/framework
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework