Closed n1ngod closed 3 years ago
Shell sessions are, for the most part, raw L4 sockets. You'd need a magic string or something sent first by the session to perform such validations. The UDP shells have to send a byte because they're stateless, but the magic bytes would also flag every IDS, like an EICAR string. Basically, only advanced sessions which have their own transport metadata can do this properly; shell sessions are just sockets.
That means I can't solve the problem if it's shell sessions. I cannot control the listener, so I have no way to verify the magic bytes. If I want to avoid it, I can only use Meterpreter sessions. Is that right? Would you consider adding magic-bytes settings to shell sessions to avoid similar problems?
Framework is open source, you can fix anything, but it may not be suitable for upstream. That said, this is nontrivial work with questionable benefit, as I wrote above; plus, you'd have to add the magic-byte senders to all of the relevant payload constructs. Alternatively, you may be able to auto-unregister any session which fails sysinfo, but that could have false-positive disconnect side effects. If you're running long-term handlers, shell sessions as they are will register any connection. If a meterp is available for your use case, definitely use that, as it has encrypted comms and a hell of a lot more functionality.
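To make the "magic bytes" idea from the two comments above concrete, here is an added example (not Metasploit Framework code, and not something the thread's participants posted) of a minimal TCP handler that refuses to register a connection as a session until the peer has sent a shared secret preamble within a deadline. The class name `MagicGatedHandler`, the `MAGIC` value, the timeouts and the four constructed clients (a real payload, an HTTP-style scanner probe, a connect-then-hang-up, and an idle telnet-style connect) are all assumptions chosen for illustration.

```ruby
require 'socket'

# Added example (not Metasploit Framework code): a tiny TCP handler that only
# registers a "session" after the peer sends a shared secret preamble.
# Class name, MAGIC value and timeouts are assumptions for illustration.
class MagicGatedHandler
  # Preamble the payload must send first. Constructed value, not a real MSF constant.
  MAGIC = "\xC0\xFF\xEE\x42".b

  attr_reader :sessions, :rejected

  def initialize(host: '127.0.0.1', port: 0, preamble_timeout: 2.0)
    @server   = TCPServer.new(host, port)
    @timeout  = preamble_timeout
    @sessions = []  # sockets that passed the preamble check
    @rejected = []  # why each refused connection was dropped
  end

  def port
    @server.addr[1]
  end

  # Accept one connection; register it only if the preamble matches.
  def accept_one
    sock = @server.accept
    reason = preamble_failure(sock)
    if reason.nil?
      @sessions << sock
      :registered
    else
      @rejected << reason
      sock.close
      :rejected
    end
  end

  # Returns nil when exactly MAGIC arrives before the deadline, otherwise a
  # symbol naming the failure. A scanner probe (:bad_magic), a bare telnet
  # connect that sends nothing (:timeout) and an immediate disconnect (:eof)
  # are all dropped before any session object exists.
  def preamble_failure(sock)
    buf = ''.b
    deadline = Process.clock_gettime(Process::CLOCK_MONOTONIC) + @timeout
    while buf.bytesize < MAGIC.bytesize
      remaining = deadline - Process.clock_gettime(Process::CLOCK_MONOTONIC)
      return :timeout if remaining <= 0 || IO.select([sock], nil, nil, remaining).nil?
      chunk = sock.read_nonblock(MAGIC.bytesize - buf.bytesize, exception: false)
      return :eof if chunk.nil?                 # peer closed before sending MAGIC
      buf << chunk unless chunk == :wait_readable
    end
    secure_equal?(buf, MAGIC) ? nil : :bad_magic
  end

  # Constant-time comparison so a wrong preamble is not timing-distinguishable.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  def close
    @sessions.each(&:close)
    @server.close
  end

  # Run one constructed client against the handler and return the outcome.
  def self.attempt(handler)
    t = Thread.new { handler.accept_one }
    c = TCPSocket.new('127.0.0.1', handler.port)
    yield c
    result = t.value
    c.close unless c.closed?
    result
  end

  # Drive the handler with four constructed clients; returns [outcomes, reasons].
  def self.demo
    h = new(preamble_timeout: 0.3)
    outcomes = []
    outcomes << attempt(h) { |c| c.write(MAGIC) }                    # real payload
    outcomes << attempt(h) { |c| c.write("GET / HTTP/1.0\r\n\r\n") } # scanner probe
    outcomes << attempt(h) { |c| c.close }                           # connect, hang up
    outcomes << attempt(h) { |_c| nil }                              # idle telnet connect
    h.close
    [outcomes, h.rejected]
  end
end

puts MagicGatedHandler.demo.inspect if __FILE__ == $0
```

Only the first client becomes a session; the probe, the hang-up and the idle connect are closed with a logged reason and never reach registration. This is the gate a shell-session handler lacks today, and, as the comment notes, it only helps if every payload you deploy is also taught to send the preamble.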
Your suggestion is very useful; maybe I can try it. Thanks!
@n1ngod: we are actually currently implementing some related functions. Actually, it's all @zerosteiner doing the implementing and I'm just riding his coat-tails, but you'll soon see a good placeholder for magic data in shells.
I found that not only the shell listener but also the Meterpreter listener has this problem. The payload is `windows/x64/meterpreter/reverse_http`, and it also treats scanning traffic as sessions. :(
@n1ngod With meterpreter you have the choice of paranoid mode to check the TLS certificate fingerprint and UUID before establishing a session. You can find the details at https://github.com/rapid7/metasploit-framework/wiki/Meterpreter-Paranoid-Mode
@void-in It seems that it only works for HTTPS, not HTTP?
@n1ngod That is right.
Hi!
This issue has been left open with no activity for a while now.
We get a lot of issues, so we currently close issues after 60 days of inactivity. It’s been at least 30 days since the last update here. If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open!
As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.
Hi again!
It’s been 60 days since anything happened on this issue, so we are going to close it. Please keep in mind that I’m only a robot, so if I’ve closed this issue in error please feel free to reopen this issue or create a new one if you need anything else.
As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.
I found that the listener treats any data it receives as having been sent by the payload, so I did the following tests. First, I created a shell listener, and it works normally.
Now I use another computer to run `telnet 10.91.4.101 4444`, and I get the following information from msfconsole:
It can't execute any commands or get any result; obviously it is wrong. Worse, it also treats nmap scan probes as sessions. When I execute `nmap -Pn -sS -sV -p 4444 10.91.4.101`, it always generates new sessions. Finally I got more than 100 invalid sessions.
I need to deploy the listener on the public network, but it will inevitably be scanned by others, and I will get a lot of invalid sessions. Is there any way to solve this problem? Sorry for my poor English, thanks.
Version
metasploit v5.0.10-dev