
Reverse Meterpreter Connect-backs through a Compromised Host

November 26, 2013

Update (03:30pm): I’ve had some feedback that this post describes a concept that is too basic to put into blog form. I can see where this confusion may occur. Most literature that describes pivoting through Meterpreter shows how to set up a payload connection that goes through Meterpreter (e.g., a bind payload). What isn’t well known or documented is the Metasploit Framework’s ability to set up a connection that calls home to you through a Meterpreter pivot (e.g., a reverse payload bounced through a pivot host). This nuance is important.

Let’s say I have admin user credentials for a server that can’t egress out of the network and connect to me. This server has a host-based firewall as well. Only port 445 is allowed in. If I try to deliver a bind payload, my attempt to connect to the host to establish the session will get stopped. If I try to set up a reverse connection directly to my host on the internet, this will fail too, because the host can’t egress and connect to me. What else do I do? I could try to schedule a task to drop the firewall on the server (with psexec_command). I’ve done this. In some cases though, this might generate an alert that draws unwanted attention to my activity. The desirable solution is to compromise the server (172.16.48.3) and send the reverse connection through an already compromised host (172.16.48.81) before it reaches me. This is what I describe how to do in this blog post.

[Image: reversecallback]

Here’s how to do it:

First, you need to compromise a system and get Windows Meterpreter onto the system. However you do it is fine with me.

Next, you need to set up a pivot into the target network. Here’s how to do it:

[Screenshot: Console, 20.57.17]

Notice that 172.16.48.81 is my initial compromise and pivot host.

Last, you need to exploit another system and set up the reverse connect-back accordingly. Ask yourself: how would I do this? Do you have an answer? Let’s see if you’ve arrived at the correct one.

Set up the exploit as you would normally. Next, set LHOST to the IP address of the compromised system that is also your pivot point. Change LPORT as well. Now, fire the exploit.

[Image: reverseconnectpivot]

Notice that the Metasploit Framework recognizes the situation and sets up a reverse port forward for you. This is indicated by the string “Started reverse handler on [compromised host] via the meterpreter on session [pivot session]”. If your exploit fired correctly, you will have a session reverse connected through your compromised system.

Here’s the output of netstat on the compromised system:

[Screenshot: cmd.exe netstat output, 20.59.30]

Pretty neat.
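The defender’s view of that netstat output, as an added example that is not part of the original post: a parser for Windows `netstat -ano` rows that flags listeners absent from a baseline and reports which hosts connect to them and what else the owning process talks to. The sample rows, port 8080, PID 2624 and the address 203.0.113.10 are constructed values, not taken from the post.

```python
# Added example, not from the original post: flag listeners missing from a baseline
# and show who connects to them, the pattern the pivot host (172.16.48.81) shows
# once Metasploit sets up the reverse port forward inside the Meterpreter process.
import re

# Constructed baseline of ports the pivot host normally listens on.
BASELINE_LISTENERS = {("0.0.0.0", 135), ("0.0.0.0", 445), ("0.0.0.0", 3389)}

# Constructed `netstat -ano` output; port 8080, PID 2624 and 203.0.113.10 are
# made-up stand-ins for the forwarded LPORT, the Meterpreter host process and
# the operator's Internet address.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       704
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1012
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       2624
  TCP    172.16.48.81:8080      172.16.48.3:49218      ESTABLISHED     2624
  TCP    172.16.48.81:49155     203.0.113.10:443       ESTABLISHED     2624
"""

LINE_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")

def parse_netstat(text):
    """Parse the TCP rows of Windows `netstat -ano`; header/UDP rows are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            laddr, lport, faddr, fport, state, pid = m.groups()
            rows.append({"laddr": laddr, "lport": int(lport), "faddr": faddr,
                         "fport": int(fport), "state": state, "pid": int(pid)})
    return rows

def find_pivot_listeners(text, baseline=BASELINE_LISTENERS):
    """One finding per listener absent from the baseline: who connects to it and
    what else its owning process talks to. A process that both accepts a new
    inbound session and holds an outbound connection is relaying traffic."""
    rows = parse_netstat(text)
    est = [r for r in rows if r["state"] == "ESTABLISHED"]
    findings = []
    for l in rows:
        if l["state"] != "LISTENING" or (l["laddr"], l["lport"]) in baseline:
            continue
        findings.append({
            "pid": l["pid"], "port": l["lport"],
            "inbound": sorted(r["faddr"] for r in est if r["lport"] == l["lport"]),
            "outbound": sorted(f'{r["faddr"]}:{r["fport"]}' for r in est
                               if r["pid"] == l["pid"] and r["lport"] != l["lport"]),
        })
    return findings
```

Run against a real host by feeding it the saved output of `netstat -ano` and a baseline captured from a known-good state; a new listener whose process also holds an outbound connection to the Internet is the signature this post’s technique leaves behind.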

7 comments

  1. Hey, I’m glad you pointed this out. I was actually just thinking about this scenario the other day and wondering if I had to setup my own port forwarders on the pivot box for the reverse connection. Pivoting with bind_tcp has always been obvious since the early releases of Metasploit using the route command, but pivoting with reverse connections hasn’t really been talked about much. Kind of cool how the framework automatically creates the reverse port forwarder based on the route and LHOST pivot. I never knew about that one detail until now. Thanks!


    • Thank you for the kind words.


  2. Unfortunately this connect back works only through some remote exploit (e.g. ms08_067). It doesn’t work in case the payload is executed by some other means on compromised hosts (e.g. Veil obfuscated meterpreter executed from shell cmdline, etc.).


    • This concept is the foundation for Cobalt Strike’s pivot listeners feature. If you set up a handler, independent of an exploit, with ExitOnSession set to false, then you can reference this forwarded handler with whatever attack you like, including a Veil obfuscated executable [CS has workflow for this].


      • Sorry, I think I wasn’t clear enough in my previous post…

        The question is: How can one configure the meterpreter exe on the second compromised host (the “blocked” one) to connect (or be connected to, in case of a bind payload) to the already running meterpreter pivot on the first compromised host in order to tunnel all that to the attacker host (which is supposed to run multi/handler)? I don’t think this can be done in Metasploit alone except by using some exploit (e.g. ms08_067) through the pivot meterpreter as you described. Cobalt Strike is another story (it can do all this, which is great).
        So, please tell me, is it possible to do this in Metasploit alone? (and how exactly?)

        Thanks


      • This post describes the answer to your question. Set LHOST to a system that a pivot is setup through. Metasploit will recognize this situation and create a reverse port forward for you. You can reference this handler via the proper LHOST, LPORT, PAYLOAD values when you configure other attacks.


      • I already tried that and it failed. Taking into consideration that it was a while ago and in a very hasty engagement, I probably made a mistake. Will try it again.

        Thank you for prompt answer.


