metasploit-framework June 2011 archive

Re: [framework] PassiveX is dead?

From: Sherif El-Deeb <archeldeeb_at_nospam>
Date: Mon Jun 20 2011 - 16:04:05 GMT
To: Richard Miles <richard.k.miles@googlemail.com>

If the proxy uses NTLM authentication and you have no valid
credentials, I found no reliable way to get a Meterpreter connection
through that configuration, period. "As always, if I'm that sure then
I'm most probably wrong..."

If the proxy uses IP address based filters (i.e. 10.10.10.5 is allowed
but 10.10.10.6 is not) and does not apply protocol inspection, then it
is way easier to bypass the proxy by using the HTTP CONNECT method
(works flawlessly if combined with proxytunnel and some DOS-fu).

I had that issue in a test before and I had a very difficult time getting
through that (ISA with NTLM auth.), and ended up getting the shell
using a modified dnscat (added self-copy-on-execution and autostart
methods).

Take a look at RATTE (part of SET): it's buggy and unstable, but it
works sometimes if it's only a PoC that you are after.

And while we're on the topic, take a look here:
http://grey-corner.blogspot.com/2010/06/bypassing-restrictive-proxies-part-1.html

Till Metasploit finds a way to go properly through proxies in the
mentioned configurations, you might want to find another way to have
your shell connected back to you...

Sherif Eldeeb.
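To make the two proxy cases in Sherif's reply concrete, here is an added example (not code from this thread, from Metasploit, from proxytunnel or from ISA): a constructed in-process forward proxy that applies a client IP allow-list, optionally issues an NTLM-style 407 challenge, and after answering CONNECT with 200 relays bytes blindly with no protocol inspection; plus a proxytunnel-style client that sends CONNECT and, on 200, pushes arbitrary bytes (standing in for a stager) to a constructed echo listener. The proxy, the echo server and the sample payload are all assumptions made for the demo; real NTLM is not implemented, only the challenge that stops a client with no credentials.

```python
"""HTTP CONNECT tunnelling demo (added example; constructed, not from the thread,
Metasploit, proxytunnel or ISA). Shows why an IP-filtered, non-inspecting proxy
lets CONNECT through, and why an auth-challenging proxy stops you without creds."""
import socket
import threading


def build_connect_request(host, port, proxy_auth=None):
    """Build the CONNECT request a proxytunnel-style client sends to a forward proxy."""
    lines = [f"CONNECT {host}:{port} HTTP/1.1", f"Host: {host}:{port}"]
    if proxy_auth:  # e.g. a Basic or NTLM token; omitted when we have no credentials
        lines.append(f"Proxy-Authorization: {proxy_auth}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_connect_response(raw):
    """Return (status_code, reason) from the proxy's reply; 200 means the tunnel is open."""
    status_line = raw.split(b"\r\n", 1)[0].decode("latin-1")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    return int(parts[1]), (parts[2] if len(parts) == 3 else "")


def _recv_headers(sock):
    """Read until the blank line that ends an HTTP header block (or EOF)."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf


def _pump(src, dst):
    """Copy bytes src -> dst until EOF. The proxy never inspects what it relays."""
    try:
        while chunk := src.recv(4096):
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _serve(handler):
    """Listen on 127.0.0.1, hand every connection to handler on a thread, return the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)

    def loop():
        while True:
            conn, addr = srv.accept()
            threading.Thread(target=handler, args=(conn, addr), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]


def run_fake_proxy(allowed_clients, require_auth=False):
    """Constructed stand-in for a CONNECT-capable proxy (assumption, not ISA):
    client IP allow-list, optional NTLM-style 407 challenge, blind relay after 200."""
    def handle(conn, addr):
        with conn:
            req = _recv_headers(conn)
            if addr[0] not in allowed_clients:  # "10.10.10.6 is not allowed"
                conn.sendall(b"HTTP/1.1 403 Forbidden\r\n\r\n")
                return
            if require_auth and b"\r\nProxy-Authorization:" not in req:
                conn.sendall(b"HTTP/1.1 407 Proxy Authentication Required\r\n"
                             b"Proxy-Authenticate: NTLM\r\n\r\n")
                return
            method, target, _ = req.split(b"\r\n", 1)[0].decode("latin-1").split(" ", 2)
            if method != "CONNECT":
                conn.sendall(b"HTTP/1.1 405 Method Not Allowed\r\n\r\n")
                return
            host, port = target.rsplit(":", 1)
            with socket.create_connection((host, int(port))) as upstream:
                conn.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
                back = threading.Thread(target=_pump, args=(upstream, conn), daemon=True)
                back.start()
                _pump(conn, upstream)  # no inspection: a stager would pass through untouched
                back.join()
    return _serve(handle)


def run_echo_server():
    """Constructed stand-in for the attacker's listener: echoes whatever arrives."""
    return _serve(lambda conn, _addr: _pump(conn, conn))


def tunnel_through_proxy(proxy_port, dest_host, dest_port, payload, proxy_auth=None):
    """CONNECT through the proxy; on 200, send payload and return (status, reply)."""
    with socket.create_connection(("127.0.0.1", proxy_port)) as s:
        s.sendall(build_connect_request(dest_host, dest_port, proxy_auth))
        status, _reason = parse_connect_response(_recv_headers(s))
        if status != 200:
            return status, b""
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        reply = b""
        while chunk := s.recv(4096):
            reply += chunk
        return status, reply


def demo():
    """Allowed client + no inspection, filtered client, and auth-challenging proxy."""
    listener = run_echo_server()
    return (
        tunnel_through_proxy(run_fake_proxy({"127.0.0.1"}), "127.0.0.1", listener, b"stager-bytes"),
        tunnel_through_proxy(run_fake_proxy(set()), "127.0.0.1", listener, b"x"),
        tunnel_through_proxy(run_fake_proxy({"127.0.0.1"}, require_auth=True), "127.0.0.1", listener, b"x"),
    )


if __name__ == "__main__":
    print(demo())  # ((200, b'stager-bytes'), (403, b''), (407, b''))
```

The first case is the one Sherif calls easy: the proxy only checks the client address, answers 200, and from then on relays whatever bytes arrive, so the payload reaches the listener and the reply comes back. The second case shows what a filtered client sees (403 before any tunnel exists). The third case models the ISA situation: the 407 challenge arrives before CONNECT is honoured, and without a credential to put in Proxy-Authorization the client has nothing to send, which is why the thread recommends a different channel (dnscat, RATTE) there.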

On Mon, Jun 20, 2011 at 6:00 PM, Richard Miles
<richard.k.miles@googlemail.com> wrote:
>
> Hey HD Moore
>
> I see. But reverse_https is not able to reuse the same connection from
> IE, right? So for example, if the IE browser uses a proxy and the
> proxy requires authentication (integrated on the DC) it will fail,
> right?
>
> Thanks
>
> On Sun, Jun 19, 2011 at 12:51 PM, HD Moore <hdm@metasploit.com> wrote:
> > On 6/19/2011 10:43 AM, Richard Miles wrote:
> >> Hi
> >>
> >> I tested PassiveX against my Windows Vista and IE8 and it doesn't
> >> work. I also tested against a Windows XP SP3 and IE7 and it also
> >> failed; the shell never returned.
> >>
> >> In my opinion passiveX was one of the best payloads in metasploit. Is
> >> it really broken? Any prevision to fix it?
> >>
> >> Is it broken even in Metasploit Professional? There are better
> >> payloads (more robust, hard to detect and better to find their way to
> >> the internet on the Metasploit Professional)?
> >
> > This payload has been broken off and on for years; the original version
> > only worked with IE6, Natron did a ton of work to make it work on IE7,
> > but we will probably not be bringing it into IE8/IE9 compatibility, in
> > favor of a different implementation altogether based on the
> > reverse_https stager.
> >
> > -HD
> > _______________________________________________
> > https://mail.metasploit.com/mailman/listinfo/framework
> >