Closed Crypto-Cat closed 1 year ago
From the debug output it looks like you've set the global rhosts value to `10.10.10.10`, but you've also set the module's local datastore value to `192.168.177.195`.

The module will only fall back to using the global `setg` datastore value if the module's local datastore hasn't been set.

Solution: Either run `set rhosts 10.10.10.10` to update the local module datastore to a new rhost value, or run `unset rhosts` to remove the unexpected module datastore value - letting the module fall back to using the global datastore value.
OK, so I just need to initially do `setg lhost 10.10.10.10` and `set lhost 10.10.10.10`. Seems to work, thanks!

edit: Actually that doesn't work; I still have to run `unset LHOST` every time I select a new exploit in order for it to use the global variable, which isn't particularly useful (just as quick to set LHOST each time) 😕
If you initially do `setg lhost 10.10.10.10` you should never need to call `set lhost` manually for each module.

I'll keep this open for a few more cycles until I confirm if there's an issue here :+1:
Here's another example:

```
msfconsole
setg lhost 10.10.15.116
unset lhost
unset lhost
```

`unset lhost` to get back to the 10.10.x.x address, `unset lhost` to correct it.
Ah, so it looks like the logic for choosing the default payload for an exploit attempts to set the best LHOST based on the configured RHOST:

The above logic completely ignores any existing globally set option for LHOST, and instead chooses the best routable IP for the set RHOST, or whatever IP it takes to route to 50.50.50.50.

I think most folk globally run `setg rhost ...`, and let lhost resolve itself automagically - so I've never run into this issue before either.
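An added example, not Metasploit's own code and not from anyone in this thread, that models the behaviour described above: a two-layer datastore where module-local values shadow `setg` values, plus a module-selection step that fills the local LHOST from the route to RHOSTS. The routing table, addresses, class and method names are constructed for illustration, and `source_address` stands in for `Rex::Socket.source_address`.

```ruby
require 'ipaddr'

# Constructed routing table: local address used to reach each prefix (the
# addresses mirror the ones discussed in the thread).
ROUTES = { '10.10.0.0/16'   => '10.10.15.116',           # tun0 (VPN)
           '192.168.0.0/16' => '192.168.177.195' }.freeze # eth0 (LAN)
DEFAULT_SOURCE = '192.168.177.195'.freeze # default route leaves via eth0

# Stand-in for Rex::Socket.source_address: the local address that would be
# used to reach dest. Metasploit asks the OS; this consults ROUTES instead.
def source_address(dest)
  ip = IPAddr.new(dest)
  ROUTES.each { |cidr, src| return src if IPAddr.new(cidr).include?(ip) }
  DEFAULT_SOURCE
end

# Two-layer datastore: module-local values (from `set`, or defaults applied
# on `use`) shadow global ones (from `setg`); `unset` restores fall-through.
class ModuleDatastore
  def initialize(global)
    @global = global
    @local  = {}
  end
  def set(key, value)
    @local[key.upcase] = value
  end
  def unset(key)
    @local.delete(key.upcase)
  end
  def [](key)
    k = key.upcase
    @local.key?(k) ? @local[k] : @global[k]
  end

  # Behaviour reported in the thread: selecting a module fills the *local*
  # LHOST from the route to RHOSTS (50.50.50.50 when none is set), so a
  # global LHOST stays shadowed until `unset LHOST` is run.
  def select_module_reported!
    @local['LHOST'] = source_address(self['RHOSTS'] || '50.50.50.50')
    self
  end

  # Hypothetical alternative that honours `setg lhost`: derive a default
  # only when neither layer has an LHOST.
  def select_module_honouring_global!
    return self if @local.key?('LHOST') || @global.key?('LHOST')
    select_module_reported!
  end
end
```

Setting RHOSTS locally after the module has been selected does not recompute LHOST, which is the behaviour observed later in this thread.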
Hmmmm OK, that would be an equally good solution for me tbh but doesn't seem to be how it's working atm. When I set RHOST to 10.10.15.12, my LHOST still stays as 192.168.x.x, even though there is a tun0 adapter on the 10.10.15.x network 🤔
I just ran through this when on a vpn with a tun0 adapter with a 10.10.0.0/16 network
Running `setg rhosts 10.10.10.100`:

```
msf6 > setg rhosts 10.10.10.100
rhosts => 10.10.10.100
```

Verifying:

```
msf6 > setg

Global
======

  Name      Value
  ----      -----
  loglevel  3
  rhosts    10.10.10.100
```
Using a module I've not previously used to see lhost and rhost correctly set:
```
msf6 exploit(windows/http/netgear_nms_rce) > options

Module options (exploit/windows/http/netgear_nms_rce):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     10.10.10.100     yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT      8080             yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       Application path
   VHOST                       no        HTTP server virtual host

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.9.1.147       yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   NETGEAR ProSafe Network Management System 300 / Windows
```
And I can verify the logic that it chose to pick the default lhost from within msfconsole:

```
msf6 exploit(windows/http/netgear_nms_rce) > irb -e "puts active_module.datastore['RHOSTS']"
10.10.10.100
msf6 exploit(windows/http/netgear_nms_rce) > irb -e "puts Rex::Socket.source_address('10.10.10.100')"
10.9.1.147
```
You can also set options inline which is handy for jumping around modules too, since you can use ctrl+r to search the history for your last run command, or use the up arrow a few times to get the previously run command:
```
run rhost=x.x.x.x lhost=x.x.x.x
```

That aside, I'll keep this issue open as it looks like a bug that should be fixed in the future :+1:
Ah, the mistake I made was using `set rhosts 10.10.x.x` and expecting the LHOST to automatically switch to tun0. I guess I need to do `setg rhosts 10.10.x.x` in order to ensure auto-selection of the correct adapter.

It would be good to have the `setg lhost` work when dealing with multiple RHOSTS but for my purposes (HTB), using `setg rhosts` will suffice.

Thanks 💜
Steps to reproduce
How'd you do it?
```
setg LHOST 10.10.10.10
options
```
This section should also tell us any relevant information about the environment; for example, if an exploit that used to work is failing, tell us the victim operating system and service versions.
Were you following a specific guide/tutorial or reading documentation?
Following the setg instructions here: https://www.offensive-security.com/metasploit-unleashed/msfconsole-commands/
Expected behavior
Global variables should be set to the value provided, e.g. LHOST=10.10.10.10
Current behavior
Variables are set at their default values, e.g. LHOST=eth0-IP
Metasploit version
6.2.13-dev
Additional Information
Parrot OS 5.1 (Electro Ara) - tried multiple VMs (personal and HackTheBox PwnBox, both Parrot)
Module/Datastore
The following global/module datastore, and database setup was configured before the issue occurred:

```
[framework/core]
LogLevel=3
LHOST=10.10.10.10
LPORT=1337

[framework/ui/console]
ActiveModule=exploit/windows/smb/ms17_010_eternalblue

[windows/smb/ms17_010_eternalblue]
CheckModule=auxiliary/scanner/smb/smb_ms17_010
EXITFUNC=thread
WfsDelay=5
WORKSPACE=
VERBOSE=false
EnableContextEncoding=false
ContextInformationFile=
DisablePayloadHandler=false
RHOSTS=
RPORT=445
SSL=false
SSLServerNameIndication=
SSLVersion=Auto
SSLVerifyMode=PEER
SSLCipher=
Proxies=
CPORT=
CHOST=
ConnectTimeout=10
TCP::max_send_size=0
TCP::send_delay=0
SMBUser=
SMBPass=
SMBDomain=
VERIFY_TARGET=true
VERIFY_ARCH=true
ProcessName=spoolsv.exe
GroomAllocations=12
MaxExploitAttempts=3
GroomDelta=5
PAYLOAD=windows/x64/meterpreter/reverse_tcp
LHOST=192.168.177.195
LPORT=4444
ReverseListenerBindPort=
ReverseAllowProxy=false
ReverseListenerComm=
ReverseListenerBindAddress=
ReverseListenerThreaded=false
StagerRetryCount=10
StagerRetryWait=5
PingbackRetries=0
PingbackSleep=30
PayloadUUIDSeed=
PayloadUUIDRaw=
PayloadUUIDName=
PayloadUUIDTracking=false
EnableStageEncoding=false
StageEncoder=
StageEncoderSaveRegisters=
StageEncodingFallback=true
PrependMigrate=false
PrependMigrateProc=
AutoLoadStdapi=true
AutoVerifySessionTimeout=30
InitialAutoRunScript=
AutoRunScript=
AutoSystemInfo=true
EnableUnicodeEncoding=false
HandlerSSLCert=
SessionRetryTotal=3600
SessionRetryWait=10
SessionExpirationTimeout=604800
SessionCommunicationTimeout=300
PayloadProcessCommandLine=
AutoUnhookProcess=false
MeterpreterDebugBuild=false
MeterpreterDebugLogging=
```

Database Configuration
The database contains the following information:

```
Session Type: postgresql selected, no connection
```

History
The following commands were run during the session and before this issue occurred:

```
0  set LogLevel 3
1  setg LHOST 10.10.10.10
2  search eternal
3  use 0
4  options
5  setg LHOST 10.10.10.10
6  options
7  setg LPORT 1337
8  options
9  search eternal
10 use 0
11 options
12 debug
```

Framework Errors
The following framework errors occurred before the issue occurred:

```
[10/04/2022 12:21:32] [e(0)] core: Failed to connect to the database: No database YAML file
[10/04/2022 12:21:33] [e(0)] core: Dependency for windows/encrypted_shell_reverse_tcp is not supported
[10/04/2022 12:21:34] [e(0)] core: Dependency for windows/x64/encrypted_shell_reverse_tcp is not supported
[10/04/2022 12:21:35] [e(0)] core: Dependency for windows/encrypted_reverse_tcp is not supported
[10/04/2022 12:21:36] [e(0)] core: Dependency for windows/x64/encrypted_reverse_tcp is not supported
```

Web Service Errors
The following web service errors occurred before the issue occurred:

```
msf-ws.log does not exist.
```

Framework Logs
The following framework logs were recorded before the issue occurred:

(payload compatibility debug log omitted)

Web Service Logs
The following web service logs were recorded before the issue occurred:

```
msf-ws.log does not exist.
```

Version/Install
The versions and install method of your Metasploit setup:

```
Framework: 6.2.13-dev
Ruby: ruby 2.7.4p191 (2021-07-07 revision a21a3b7d23) [x86_64-linux-gnu]
OpenSSL: OpenSSL 1.1.1k 25 Mar 2021
Install Root: /usr/share/metasploit-framework
Session Type: postgresql selected, no connection
Install Method: Other - Please specify
```