Support Pivoted SSL Connections #15721
Conversation
dlog("new direct-tcpip channel opened to #{Rex::Socket.is_ipv6?(params.peerhost) ? '[' + params.peerhost + ']' : params.peerhost}:#{params.peerport}") | ||
msf_channel = TcpClientChannel.new(self, @channel_ticker += 1, new_channel, params) |
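Review bot: with the TcpClientChannel created on this line before the SSL negotiation runs (rather than inside the handler, as the author's comment explains), the failure path of that negotiation needs a look: if the SSL handshake raises after `msf_channel = TcpClientChannel.new(self, @channel_ticker += 1, new_channel, params)` has run, the channel and the underlying `new_channel` are left open and a ticker value has been consumed for a dead channel. Suggest wrapping the negotiation in a `begin`/`rescue` that closes `msf_channel` and re-raises, and noting in a comment why the creation was hoisted so a later refactor does not move it back.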
These changes move the `TcpClientChannel` instance creation outside of this handler, which appears to be necessary in order to read and write to the SSH channel, which is required to negotiate the SSL connection. This prevents the socket from being closed while negotiating SSL.
c1f66e2 to aee113b
Haven't reviewed the code for edge cases, but works perfectly for me - thanks for fixing! 👍
First part of tests seems to be correct, though not sure if we were meant to get a response upon redirection or not:
No, the redirects are handled by the HTTP client, which isn't affected by this PR. I think there's an option that would need to be set by the Request plugin for that. It looks like it's working as intended though, since you do get the HTTP response back over plaintext showing the connection, request and response all worked correctly.
Will land this now :)
Release Notes
Support has been added to Metasploit for negotiating SSL connections over multiple connection types, including Meterpreter and SSH. As a result, users can now make HTTPS requests over pivoted sessions. Previously, if users tried to make such connections, they would be sent in plaintext instead of being SSL encrypted.
This adds the necessary functionality to negotiate SSL connections that are pivoted over supported session types including Meterpreter and SSH. This is necessary to make HTTPS requests over pivoted sessions.
Without this functionality the `Rex::Socket::Parameters#ssl` setting is silently ignored, causing data to be sent in plaintext.
Requires rapid7/rex-core#16
Demo
This demonstrates making an HTTPS request over an established Meterpreter session using the `request` plugin. The second request fails with an SSL error, as expected, because it is making an HTTPS request to TCP port 80. Without these changes, the correct HTTPS request fails, and the HTTPS request that should fail succeeds, since it is actually HTTP.
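The failure mode described above (the `ssl` setting ignored, so an "HTTPS" request leaves the pivot as plaintext) can be caught by a regression check that looks at what the far end of the channel actually receives. The harness below is an added example, not code from this PR or from the framework: it stands in for a pivoted channel with a UNIX socketpair, sends the request with and without the SSL wrap, and classifies the first bytes on the wire as a TLS ClientHello or a plaintext HTTP request. The host `example.test` is a constructed value; the `/all.json` path comes from the demo.

```ruby
require 'socket'
require 'openssl'

TLS_HANDSHAKE = 0x16    # TLS record content type: handshake
TLS_CLIENT_HELLO = 0x01 # handshake message type: ClientHello

# Classify the first bytes the far end of a channel receives.
def classify_first_bytes(bytes)
  return :empty if bytes.nil? || bytes.empty?
  b = bytes.bytes
  if b[0] == TLS_HANDSHAKE && b[1] == 0x03 && b.size > 5 && b[5] == TLS_CLIENT_HELLO
    :tls_client_hello
  elsif bytes =~ %r{\A(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r?\n}
    :plaintext_http
  else
    :unknown
  end
end

# Write a request into +channel+. With ssl: true the channel is wrapped in an
# SSLSocket first, which is what the ssl parameter is meant to cause; the bug
# this PR fixes is that the wrap never happened on pivoted channels.
def send_over_channel(channel, ssl:, host: 'example.test') # host is a constructed value
  request = "GET /all.json HTTP/1.1\r\nHost: #{host}\r\n\r\n"
  unless ssl
    channel.write(request)
    return
  end
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE # harness only: no real peer to verify
  sock = OpenSSL::SSL::SSLSocket.new(channel, ctx)
  sock.hostname = host
  begin
    sock.connect # emits the ClientHello; the sniffing peer never answers
  rescue OpenSSL::SSL::SSLError, SystemCallError, IOError
    # the peer closes after reading the first record, so the handshake fails here
  end
end

# Stand-in for a pivoted channel: a UNIX socketpair, so no network is needed.
# Returns what the peer saw first: :tls_client_hello or :plaintext_http.
def first_bytes_on_wire(ssl:)
  client, peer = UNIXSocket.pair
  writer = Thread.new { send_over_channel(client, ssl: ssl) }
  data = peer.readpartial(4096) rescue ''
  peer.close
  writer.join
  client.close unless client.closed?
  classify_first_bytes(data)
end
```

A channel implementation that drops the SSL wrap would make `first_bytes_on_wire(ssl: true)` return `:plaintext_http`, which is exactly the silent downgrade this PR removes.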
Verification
With a Meterpreter session:
- `load request`
- `route add 0 0 -1` (from the Metasploit prompt, not Meterpreter)
- `request https://ifconfig.me/all.json`
- `request http://ifconfig.me/all.json`
- `request https://ifconfig.me:80/all.json`

With an SSH session (opened with the `auxiliary/scanner/ssh/ssh_login` module):
- `route add 0 0 -1` (from the Metasploit prompt, not Meterpreter)
- `request https://ifconfig.me/all.json`
- `request http://ifconfig.me/all.json`
- `request https://ifconfig.me:80/all.json`