Support Pivoted SSL Connections #15721

Merged
merged 3 commits into from
Sep 29, 2021

Conversation

zeroSteiner
Contributor

@zeroSteiner zeroSteiner commented Sep 29, 2021

This adds the necessary functionality to negotiate SSL connections that are pivoted over supported session types including Meterpreter and SSH. This is necessary to make HTTPS requests over pivoted sessions.

Without this functionality the Rex::Socket::Parameters#ssl setting is silently ignored, causing data to be sent in plaintext.

Requires rapid7/rex-core#16

Demo

This demonstrates making an HTTPS request over an established Meterpreter session using the request plugin. The second request fails with an SSL error as expected because it's making an HTTPS request to TCP port 80.

msf6 auxiliary(scanner/ssh/ssh_login) > sessions

Active sessions
===============

  Id  Name  Type                      Information                        Connection
  --  ----  ----                      -----------                        ----------
  1         meterpreter python/linux  smcintyre @ localhost.localdomain  192.168.159.128:4444 -> 192.168.159.128:35928 (192.168.159.128)

msf6 auxiliary(scanner/ssh/ssh_login) > route
[*] There are currently no routes defined.
msf6 auxiliary(scanner/ssh/ssh_login) > route add 0 0 -1
[*] Route added
msf6 auxiliary(scanner/ssh/ssh_login) > request https://ifconfig.me/all.json
{
  "ip_addr": "###",
  "remote_host": "unavailable",
  "user_agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
  "port": 56072,
  "method": "GET",
  "via": "1.1 google",
  "forwarded": "###"
}
msf6 auxiliary(scanner/ssh/ssh_login) > request https://ifconfig.me:80/all.json
[-] Encountered an SSL error
msf6 auxiliary(scanner/ssh/ssh_login) >

Without these changes, the correct HTTPS request fails, and the HTTPS request that should fail succeeds since it's actually HTTP.

msf6 payload(python/meterpreter/reverse_tcp) > sessions

Active sessions
===============

  Id  Name  Type                      Information                        Connection
  --  ----  ----                      -----------                        ----------
  1         meterpreter python/linux  smcintyre @ localhost.localdomain  192.168.159.128:4444 -> 192.168.159.128:35930 (192.168.159.128)

msf6 payload(python/meterpreter/reverse_tcp) > route
[*] There are currently no routes defined.
msf6 payload(python/meterpreter/reverse_tcp) > route add 0 0 -1
[*] Route added
msf6 payload(python/meterpreter/reverse_tcp) > request https://ifconfig.me/all.json

msf6 payload(python/meterpreter/reverse_tcp) > request https://ifconfig.me:80/all.json
Found. Redirecting to https://ifconfig.me/all.json
msf6 payload(python/meterpreter/reverse_tcp) >

Verification

List the steps needed to make sure this thing works

  • Load the changes from rex-core#16 ("Make the synchronization functions public") for the synchronization access
  • Load the Request plugin (run: load request)
  • Establish a Meterpreter session
    • Route all traffic through it (run: route add 0 0 -1 from the Metasploit prompt, not Meterpreter)
    • Make an HTTPS request, see it succeed (run: request https://ifconfig.me/all.json)
    • Make an HTTP request, see it succeed (run: request http://ifconfig.me/all.json)
    • Make an HTTPS request to a TCP port, see it fail with an SSL error (run: request https://ifconfig.me:80/all.json)
  • Establish an SSH session (use the auxiliary/scanner/ssh/ssh_login module)
    • Route all traffic through it (run: route add 0 0 -1 from the Metasploit prompt, not Meterpreter)
    • Make an HTTPS request, see it succeed (run: request https://ifconfig.me/all.json)
    • Make an HTTP request, see it succeed (run: request http://ifconfig.me/all.json)
    • Make an HTTPS request to a TCP port, see it fail with an SSL error (run: request https://ifconfig.me:80/all.json)
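The risk the description names (the `Rex::Socket::Parameters#ssl` flag being silently dropped so the request crosses the pivot in plaintext) is easy to reproduce locally. The following is an added example, not code from this PR or from Rex/Metasploit: it stands in a pivoted session with two socket pairs joined by relay threads that record every byte they forward, puts a small HTTP responder on the far side, and then sends the same request with the SSL flag honoured (post-PR behaviour, the far end terminates TLS) and with it ignored (pre-PR behaviour, the far end is plain HTTP, which is the "HTTPS to port 80 succeeds" case in the demo above). `RecordingPivot`, `run_service`, `request_over_pivot`, `run_scenario`, `SECRET_HEADER` and the hostname `pivot-demo.invalid` are all constructed for the example. The check a tester wants from the verification list is the one at the end: with SSL honoured the wire starts with a TLS handshake record and never contains the request header; with it ignored the header is on the wire verbatim.

```ruby
require 'openssl'
require 'socket'

# Constructed marker header: if it appears on the pivot's wire, the caller's
# request for SSL was ignored and the request went out in plaintext.
SECRET_HEADER = 'Authorization: Bearer constructed-demo-token'
DEMO_HOST = 'pivot-demo.invalid' # hypothetical name for the local stand-in service

# Self-signed certificate for the local stand-in "HTTPS service" (constructed).
def build_self_signed_cert
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{DEMO_HOST}")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{DEMO_HOST}"))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Stand-in for a pivoted session: two socket pairs joined by relay threads that
# record every byte they forward, so the test can inspect what crossed the pivot.
class RecordingPivot
  attr_reader :client_io, :service_io, :wire

  def initialize
    @client_io, relay_a = Socket.pair(:UNIX, :STREAM, 0)
    relay_b, @service_io = Socket.pair(:UNIX, :STREAM, 0)
    @relays = [relay_a, relay_b]
    @wire = String.new(encoding: Encoding::BINARY)
    @lock = Mutex.new
    @threads = [[relay_a, relay_b], [relay_b, relay_a]].map do |src, dst|
      Thread.new do
        loop do
          chunk = src.readpartial(4096)
          @lock.synchronize { @wire << chunk }
          dst.write(chunk)
        end
      rescue EOFError, IOError, SystemCallError
        # one side closed; fall through and signal end-of-stream to the other
      ensure
        begin; dst.close_write; rescue IOError, SystemCallError; end
      end
    end
  end

  def close
    [@client_io, @service_io].each { |s| s.close unless s.closed? }
    @threads.each(&:join)
    @relays.each { |s| s.close unless s.closed? }
  end
end

# Minimal HTTP responder on the far side of the pivot; with tls: true it
# terminates TLS first, as a real HTTPS service would.
def run_service(io, cert, key, tls:)
  Thread.new do
    sock = io
    if tls
      ctx = OpenSSL::SSL::SSLContext.new
      ctx.cert = cert
      ctx.key = key
      sock = OpenSSL::SSL::SSLSocket.new(io, ctx)
      sock.sync_close = true
      sock.accept
    end
    headers = []
    while (line = sock.gets) && line != "\r\n"
      headers << line.chomp
    end
    body = headers.any? { |h| h.start_with?('Authorization:') } ? 'authenticated' : 'anonymous'
    sock.write("HTTP/1.0 200 OK\r\nContent-Length: #{body.bytesize}\r\n\r\n#{body}")
    sock.close
  end
end

# Models the ssl parameter on a pivoted socket. honor_ssl: true is the post-PR
# behaviour (negotiate TLS over the channel, verifying the peer certificate);
# honor_ssl: false is the pre-PR behaviour where the flag is silently dropped.
def request_over_pivot(pivot, cert, ssl_requested:, honor_ssl:)
  sock = pivot.client_io
  if ssl_requested && honor_ssl
    ctx = OpenSSL::SSL::SSLContext.new
    ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
    ctx.cert_store = OpenSSL::X509::Store.new.tap { |store| store.add_cert(cert) }
    ctx.verify_hostname = true
    sock = OpenSSL::SSL::SSLSocket.new(pivot.client_io, ctx)
    sock.hostname = DEMO_HOST
    sock.sync_close = true
    sock.connect
  end
  sock.write("GET /all.json HTTP/1.0\r\nHost: #{DEMO_HOST}\r\n#{SECRET_HEADER}\r\n\r\n")
  response = sock.read
  sock.close
  response
end

# Runs one request and reports what someone watching the pivot would see.
def run_scenario(honor_ssl:)
  cert, key = build_self_signed_cert
  pivot = RecordingPivot.new
  # When the flag is dropped, plaintext reaches the far end, so the far end that
  # "works" is a plain HTTP service (the https://...:80 case from the demo).
  service = run_service(pivot.service_io, cert, key, tls: honor_ssl)
  response = request_over_pivot(pivot, cert, ssl_requested: true, honor_ssl: honor_ssl)
  service.join
  pivot.close
  {
    response: response,
    secret_on_wire: pivot.wire.include?(SECRET_HEADER),
    tls_handshake_first: pivot.wire.byteslice(0, 2) == "\x16\x03".b # TLS record header
  }
end

if __FILE__ == $PROGRAM_NAME
  show = ->(label, r) { puts "#{label}: secret on wire=#{r[:secret_on_wire]} tls first=#{r[:tls_handshake_first]} body=#{r[:response].split("\r\n\r\n").last}" }
  show.call('ssl honoured (this PR)', run_scenario(honor_ssl: true))
  show.call('ssl ignored (before)', run_scenario(honor_ssl: false))
end
```

The same approach transfers to a real pivot: capture on the session's transport (or on the handler that moves bytes into the channel) and check that traffic for a socket opened with `ssl: true` begins with a TLS record rather than an HTTP request line. Note that in both scenarios the application-level request "succeeds", which is exactly why the plaintext fallback was silent before this PR.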

dlog("new direct-tcpip channel opened to #{Rex::Socket.is_ipv6?(params.peerhost) ? '[' + params.peerhost + ']' : params.peerhost}:#{params.peerport}")
msf_channel = TcpClientChannel.new(self, @channel_ticker += 1, new_channel, params)
Contributor Author

These changes move the TcpClientChannel instance creation outside of this handler which appears to be necessary in order to read and write to the SSH channel which is required to negotiate the SSL connection.

@gwillcox-r7 gwillcox-r7 self-assigned this Sep 29, 2021
Contributor

@adfoster-r7 adfoster-r7 left a comment


Haven't reviewed the code for edgecases, but works perfectly for me - thanks for fixing! 👍

@gwillcox-r7
Contributor

The first part of the tests seems to be correct, though I'm not sure if we were meant to get a response upon redirection or not:

msf6 payload(windows/x64/meterpreter/reverse_tcp) > back
msf6 > load request
[*] Successfully loaded plugin: Request
msf6 > use multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload linux/x64/meterpreter/bind_tcp
payload => linux/x64/meterpreter/bind_tcp
msf6 exploit(multi/handler) > set RHOST 127.0.0.1
RHOST => 127.0.0.1
msf6 exploit(multi/handler) > run

[*] Started bind TCP handler against 127.0.0.1:4444
[*] Sending stage (3012548 bytes) to 127.0.0.1
[*] Meterpreter session 1 opened (127.0.0.1:44595 -> 127.0.0.1:4444) at 2021-09-29 15:11:33 -0500

meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(multi/handler) > route add 0 0 -1
[*] Route added
msf6 exploit(multi/handler) > route

IPv4 Active Routing Table
=========================

   Subnet             Netmask            Gateway
   ------             -------            -------
   0                  0.0.0.0            Session 1

[*] There are currently no IPv6 routes defined.
msf6 exploit(multi/handler) > request https://ifconfig.me/all.json
{
  "ip_addr": "*redacted for privacy*",
  "remote_host": "unavailable",
  "user_agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
  "port": 42566,
  "method": "GET",
  "via": "1.1 google",
  "forwarded": "*redacted for privacy*"
}
msf6 exploit(multi/handler) > request http://ifconfig.me/all.json
Found. Redirecting to https://ifconfig.me/all.json
msf6 exploit(multi/handler) > request https://ifconfig.me:80/all.json
[-] Encountered an SSL error
msf6 exploit(multi/handler) > 

@zeroSteiner
Contributor Author

No, the redirects are handled by the HTTP client, which isn't affected by this PR. I think there's an option that would need to be set by the Request plugin for that. It looks like it's working as intended though, since you do get the HTTP response back over plaintext, showing the connection, request and response all worked correctly.

@gwillcox-r7
Contributor

msf6 auxiliary(scanner/ssh/ssh_login) > set RHOSTS 127.0.0.1
RHOSTS => 127.0.0.1
msf6 auxiliary(scanner/ssh/ssh_login) > set USERNAME *redacted*
USERNAME => *redacted*
msf6 auxiliary(scanner/ssh/ssh_login) > set PASSWORD *redacted*
PASSWORD => *redacted*
msf6 auxiliary(scanner/ssh/ssh_login) > run

[*] 127.0.0.1:22 - Starting bruteforce
[+] 127.0.0.1:22 - Success: '*redacted*:*redacted*' 'uid=1000(*redacted*) gid=1000(*redacted*) groups=1000(*redacted*),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),120(lpadmin),131(lxd),132(sambashare),1001(rvm) Linux *redacted*-Virtual-Machine 5.11.0-37-generic #41~20.04.2-Ubuntu SMP Fri Sep 24 09:06:38 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux '
[*] Command shell session 2 opened (127.0.0.1:40631 -> 127.0.0.1:22) at 2021-09-29 16:31:21 -0500
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/ssh/ssh_login) > history -c
[+] Command history and history file cleared
msf6 auxiliary(scanner/ssh/ssh_login) > history
1  history
msf6 auxiliary(scanner/ssh/ssh_login) > route add 0 0 -1
[*] Route added
msf6 auxiliary(scanner/ssh/ssh_login) > route

IPv4 Active Routing Table
=========================

   Subnet             Netmask            Gateway
   ------             -------            -------
   0                  0.0.0.0            Session 2

[*] There are currently no IPv6 routes defined.
msf6 auxiliary(scanner/ssh/ssh_login) > request https://ifconfig.me/all.json
{
  "ip_addr": "*redacted*",
  "remote_host": "unavailable",
  "user_agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
  "port": 55034,
  "method": "GET",
  "via": "1.1 google",
  "forwarded": "*redacted*"
}
msf6 auxiliary(scanner/ssh/ssh_login) > request http://ifconfig.me/all.json
Found. Redirecting to https://ifconfig.me/all.json
msf6 auxiliary(scanner/ssh/ssh_login) > request https://ifconfig.me:80/all.json
[-] Encountered an SSL error
msf6 auxiliary(scanner/ssh/ssh_login) > 

@gwillcox-r7
Contributor

Will land this now :)

@gwillcox-r7 gwillcox-r7 merged commit d846f8e into rapid7:master Sep 29, 2021
@gwillcox-r7 gwillcox-r7 added enhancement rn-enhancement release notes enhancement labels Sep 29, 2021
@gwillcox-r7
Contributor

Release Notes

Support has been added to Metasploit for negotiating SSL connections over multiple connection types including Meterpreter and SSH. As a result, users can now make HTTPS requests over pivoted sessions. Previously, if users tried to make such connections, they would be sent via plaintext instead of being SSL encrypted.

@zeroSteiner zeroSteiner deleted the feat/met/ssl-channels branch September 29, 2021 21:55
@smashery smashery mentioned this pull request Oct 25, 2021