-
Notifications
You must be signed in to change notification settings - Fork 13.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Session is not displaying target IP’s address when using MSF6, for MSF5 it did #16684
Comments
This appears to be the same problem as reported #15048 ((Sessions don't show correct victim IP addresses when using http and https payloads.)) Unfortunately, there wasn't a solution provided. |
Doing a little digging, in the RB file /usr/share/metasploit/lib/msf/base/session/meterpreter.rb, if the database was disconnected (db_disconnet) the correct value of the NATed target was being displayed. So self.session_host was being correctly set to nhost (which is 172.16.99.5 in my case) This codes was being correctly executed: However, when the db was connected the self.session_host was not being set to nhost. A little debugging, (unfortunately I am not a developer, and especially not a ruby developer) it looked like "self.db_record" was not defined. So the if statement on line 488, "if nhost and self.db_record" was not being entered (I put a print_status line in there, which wasn't being executed) and hence the nhost value was not being correctly applied to self.session_host. This worked in MSF5, so I started comparing RB files between MSF5 and MSF6, and after some time doing some file compares, came across, lib/msf/core/session_manager.rb.
After adding it to the MSF6 version:
After I did this, all worked as it had when using MSF5. As mentioned, I am not a developer, but hopefully when one is able to look at this they can figure out why this works and the consequences of adding it? |
@jmbuk Thanks for taking a look 👍 It'd be great if you threw up a PR with your fix and replication steps - and we could see about getting your fixed merged in, or we could spot if there's any code changes to make |
Hello @adfoster-r7 ,
|
Thanks for digging into this 👍 I'm not sure when we'd have the cycles to patch this up correctly and ensure that there's no edgecases involved in fixing this issue. Let me know if you think this would be a high priority bug that should be fixed and I'll see if it can get fixed sooner rather than later 👍 |
If I didn't have the work around, I would say it is high priority. However I have noticed other bugs entered, for example #15048, which have the same root cause. This will only happen when metasploit is behind a device doing NATing. |
Hi! This issue has been left open with no activity for a while now. We get a lot of issues, so we currently close issues after 60 days of inactivity. It’s been at least 30 days since the last update here. As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request. |
Hi! This issue has been left open with no activity for a while now. We get a lot of issues, so we currently close issues after 60 days of inactivity. It’s been at least 30 days since the last update here. As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request. |
This will fail though if #rstream has already been closed which can be the case when the socket is serving an HTTP request. This attempts to proactively cache the information and store it for later use.
This will fail though if #rstream has already been closed which can be the case when the socket is serving an HTTP request. This attempts to proactively cache the information and store it for later use.
Steps to reproduce
In my lab environment, a target machine is behind a firewall, the outbound gateway for the target environment is 100.64.1.254, and the target IP is 172.16.99.5. The KALI host IP is 100.64.1.200.
When using MSF5 (Framework: 5.0.63-dev Console : 5.0.63-dev) a session is created from the target, using a backdoor created with msfvenom, the session correctly indicates the source and destination IPs and the target HOST real IP. (see image)
However when doing the exact same steps with MSF6 (note: a new backdoor is created with MSF6's msfvenom), the GW/FW IP is wrong and the target IP is missing (see screenshot).
Also, if I change the backdoor and the handler to use windows/x64/meterpreter/reverse_tcp instead of reverse_http. The GW/FW IP is correctly populated, but the target IP is still wrong. It is no longer missing, but instead of being 172.16.99.5, it is 100.65.1.254 which is the GW/FW IP. It should be 172.16.99.5. (See screenshot).
To see issue, create a backdoor (1 for each framework version) using using msfvenom:
This section should also tell us any relevant information about the
environment; for example, if an exploit that used to work is failing,
tell us the victim operating system and service versions.
Were you following a specific guide/tutorial or reading documentation?
No.
Expected behavior
The Target IP should correctly populate with the IP of the target machine. The GW/FW IP should also not be the local loopback, but the actually IP of the incoming connection.
Current behavior
With MSF5 everything works as it should, with MSF6 the target IP is either not populated, or populated incorrectly depending on what payload is used. Also the incoming IP address of the connection is wrong when using the reverse_http handler, but it is correct when using the reverse_tcp handler.
Metasploit version
Framework: 6.2.2-dev
Console : 6.2.2-dev
Additional Information
Module/Datastore
The following global/module datastore, and database setup was configured before the issue occurred:
Collapse
Database Configuration
The database contains the following information:
Collapse
History
The following commands were ran during the session and before this issue occurred:
Collapse
Framework Errors
The following framework errors occurred before the issue occurred:
Collapse
Web Service Errors
The following web service errors occurred before the issue occurred:
Collapse
Framework Logs
The following framework logs were recorded before the issue occurred:
Collapse
Web Service Logs
The following web service logs were recorded before the issue occurred:
Collapse
Version/Install
The versions and install method of your Metasploit setup:
Collapse
The text was updated successfully, but these errors were encountered: