Lubricy / armitage

Automatically exported from code.google.com/p/armitage
0 stars 0 forks source link

Incorrect payload type and port in Jobs #123

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Launch team server in BackTrack
2. Connect Armitage client from Windows
3. Start a reverse_https handler for the payload on a port. 

What is the expected output? What do you see instead?
Once the meterpreter connection is established, select the Jobs option from the 
View menu. It shows a handler for reverse_tcp even though the handler is for 
reverse_https and the port is 4127 which is the msfrpcd port. 

What version of Metasploit are you using (type: svn info)? On which
operating system?
MSF 4.5 svn revision 16164

Which database are you using?
Default Postgresql

Please provide any additional information below.

Original issue reported on code.google.com by pwdphis...@gmail.com on 9 Dec 2012 at 4:58

Attachments:

GoogleCodeExporter commented 9 years ago
I think you failed to start a multi/handler for reverse https correctly. 
Armitage creates a multi/handler for a random port for reverse_tcp on startup. 
4127 is likely it. 4127 is NOT the msfrpcd or teamserver port.

I'm not closing this because I have yet to walk through the steps and try to 
reproduce the problem. Once I try them, I'll report here.

Original comment by rsmu...@gmail.com on 9 Dec 2012 at 10:59

GoogleCodeExporter commented 9 years ago
Thank you for your comment. You are right. The handler shown in the image I 
attached above is the one for the default handler. I launched my own handler 
for the reverse_https one from the console (View->Console). I typed the usual 
msf commands for launching the handler i.e.
msf> use exploit/multi/handler
msf> set payload 
msf> set port
msf> set lhost
msf> exploit

The handler is launched and it is able to receive the session as well. One 
thing I am just curios about is why the handler launched through the console is 
not visible in the Jobs while the one launched through the GUI is. Is this the 
default behavior?

Nevertheless, thank you for pointing out what I was missing.

Original comment by pwdphis...@gmail.com on 10 Dec 2012 at 5:44

GoogleCodeExporter commented 9 years ago
When you run a module in a console, with exploit or run, it is not a job by 
default. It just runs and you have no control over it. Armitage runs all 
modules as jobs (appending the -j option to exploit or run) so that you have 
control to stop them if you need to.

Original comment by rsmu...@gmail.com on 10 Dec 2012 at 6:02

GoogleCodeExporter commented 9 years ago
Raphael Mudge, you are indeed awesome. And though this issue is done now, just 
if you have the time, please check the following scenario. Launch the handler 
from the console and append a -j. The Jobs menu won't pick either payload or 
port. I have attached the images.

Original comment by pwdphis...@gmail.com on 10 Dec 2012 at 6:42

Attachments:

GoogleCodeExporter commented 9 years ago
msf > use exploit/multi/handler
msf  exploit(handler) > set LHOST 192.168.95.128
LHOST => 192.168.95.128
msf  exploit(handler) > set Iterations 3
Iterations => 3
msf  exploit(handler) > set LPORT 8443
LPORT => 8443
msf  exploit(handler) > set PAYLOAD windows/meterpreter/reverse_https
PAYLOAD => windows/meterpreter/reverse_https
msf  exploit(handler) > set Encoder x86/shikata_ga_nai
Encoder => x86/shikata_ga_nai
msf  exploit(handler) > set EXITFUNC process
EXITFUNC => process
msf  exploit(handler) > set ExitOnSession false
ExitOnSession => false
msf  exploit(handler) > exploit -j
[*] Exploit running as background job.
[*] Started HTTPS reverse handler on https://192.168.95.128:8443/
[*] Starting the payload handler...

I popped open the jobs tab and I see the multi/handler. Here's the jobs output 
(I'm too lazy to take an SS of the tab and upload it here, but it's showing):

msf > jobs -v

Jobs
====

  Id  Name                    Payload                            LPORT  URIPATH  Start Time
  --  ----                    -------                            -----  -------  ----------
  0   Exploit: multi/handler  windows/meterpreter/reverse_tcp    27762           2012-12-11 16:40:47 -0500
  1   Exploit: multi/handler  windows/meterpreter/reverse_https  8443            2012-12-11 16:43:12 -0500

Original comment by rsmu...@gmail.com on 11 Dec 2012 at 9:45

GoogleCodeExporter commented 9 years ago
Thanks mudge. I guess there is some problem with my Armitage client. I am going 
to download the latest one available on your website and will give it a try. 
Thanks for your time. And keep up the brilliant work.

Original comment by pwdphis...@gmail.com on 12 Dec 2012 at 9:54