
Support Pivoted SSL Connections (Server Edition) #15796

Merged
merged 3 commits into from
Nov 12, 2021

Conversation

@zeroSteiner (Contributor) commented Oct 25, 2021

This is the other half of #15721 which added SSL support for pivoted client connections. This adds the same support for pivoted server connections as used by capture modules and listeners. The support works for both Meterpreter sessions and SSH sessions (which just got server channel support landed today).

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • Establish a Meterpreter session (I tested with Python, but any that supports server channels should work)
  • Establish an SSH session (use the auxiliary/scanner/ssh/ssh_login module)
  • For both sessions:
    • Route all traffic through the session: route add 0 0 #
    • Start a TCP listener with a server channel:
      • Use the auxiliary/server/capture/http_basic module
      • Run set SSL true
      • Run set URI targeturi (this isn't technically necessary, but it makes testing a little easier)
      • Run the module
      • Use curl or something else to verify that the remote capture server is listening with SSL:
        • curl -vvvv --user hello:world -k https://192.168.159.31:8443/targeturi
        • This will show that TLS is established and then send the credentials to the capture server, which should then be displayed within msfconsole
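The exchange the verification steps describe, reduced to a stand-alone Ruby script, as an added example that is not code from this PR or from the framework. It uses only the standard library: a TLS server layered over a plain TCP listener (a loopback TCPServer stands in for the pivoted listener; the point of the change is that the framework layers TLS over a session's server channel the same way and terminates it on the framework side), an HTTP Basic capture handler that does what the http_basic module does with the Authorization header, and a client doing what curl -k --user does. It also refuses a port below 1024 with a readable error, because behind a pivot the bind happens on the session host and needs privileges there. The certificate, the port choice, the /targeturi path and the hello:world credentials are assumptions for the demo.

```ruby
require 'openssl'
require 'socket'
require 'base64'

# Throwaway self-signed certificate (the framework generates one when SSLCert is unset).
def build_self_signed_cert(cn = 'example.invalid')
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Ports below 1024 need privileges on the host doing the bind (behind a pivot,
# the session host): refuse early instead of surfacing an opaque channel error.
def privileged_port?(port)
  port.to_i < 1024
end

# [user, pass] from an HTTP Basic Authorization value; nil if absent, not Basic or bad base64.
def parse_basic_auth(header_value)
  return nil unless header_value
  scheme, token = header_value.strip.split(' ', 2)
  return nil unless scheme && token && scheme.casecmp('basic').zero?
  begin
    decoded = Base64.strict_decode64(token)
  rescue ArgumentError
    return nil
  end
  user, pass = decoded.split(':', 2)
  pass.nil? ? nil : [user, pass]
end

# Minimal HTTP/1.1 request reader: [request_line, { lowercased header => value }].
def read_http_request(io)
  request_line = io.gets.to_s.chomp
  headers = {}
  while (line = io.gets) && line.chomp != ''
    name, value = line.chomp.split(':', 2)
    headers[name.strip.downcase] = value.to_s.strip if name && value
  end
  [request_line, headers]
end

# Server side: the listener is a plain TCP socket (behind a pivot, a session
# channel) and TLS is layered on the accepted connection, terminating here.
def capture_one(listener, cert, key)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert, ctx.key = cert, key
  tcp = listener.accept
  ssl = OpenSSL::SSL::SSLSocket.new(tcp, ctx)
  ssl.sync_close = true
  ssl.accept
  headers = read_http_request(ssl)[1]
  creds = parse_basic_auth(headers['authorization'])
  if creds
    ssl.write("HTTP/1.1 200 OK\r\nContent-Length: 0\r\nConnection: close\r\n\r\n")
  else
    ssl.write("HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm=\"Secure Site\"\r\nContent-Length: 0\r\nConnection: close\r\n\r\n")
  end
  creds
ensure
  ssl ? ssl.close : tcp&.close
end

# Client side, what `curl -k --user user:pass https://host:port/path` does: no
# certificate verification (self-signed), one Basic-authenticated GET.
def send_basic_auth(host, port, path, user, pass)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
  ssl = OpenSSL::SSL::SSLSocket.new(TCPSocket.new(host, port), ctx)
  ssl.sync_close = true
  ssl.connect
  token = Base64.strict_encode64("#{user}:#{pass}")
  ssl.write("GET #{path} HTTP/1.1\r\nHost: #{host}:#{port}\r\nAuthorization: Basic #{token}\r\nConnection: close\r\n\r\n")
  status_line = ssl.gets.to_s
  ssl.close
  status_line.split(' ')[1].to_i
end

# Whole exchange on loopback; port 0 lets the OS pick a free high port.
def run_demo(port: 0, user: 'hello', pass: 'world')
  raise ArgumentError, "port #{port} needs privileges on the listening host" if port != 0 && privileged_port?(port)
  cert, key = build_self_signed_cert
  listener = TCPServer.new('127.0.0.1', port)
  server = Thread.new { capture_one(listener, cert, key) }
  status = send_basic_auth('127.0.0.1', listener.addr[1], '/targeturi', user, pass)
  { status: status, creds: server.value }
ensure
  listener&.close
end

p run_demo if __FILE__ == $0
```

Running the script prints the status the client saw and the credentials the server captured; the same two things are what curl's verbose output and the msfconsole "HTTP Basic Auth LOGIN" line show in the real setup. The 401 branch with a WWW-Authenticate challenge is what makes a browser prompt for credentials in the first place, which is the capture module's purpose.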

@gwillcox-r7 (Contributor) left a comment

Had one question on this but otherwise looks good. Approved.

@gwillcox-r7 (Contributor) commented

msf6 auxiliary(scanner/ssh/ssh_login) > sessions 

Active sessions
===============

  Id  Name  Type                      Information                          Connection
  --  ----  ----                      -----------                          ----------
  1         meterpreter python/linux  gwillcox @ gwillcox-Virtual-Machine  127.0.0.1:41957 -> 127.0.0.1:4444  (127.0.0.1)
  2         shell linux               SSH  (127.0.0.1:22)                  127.0.0.1:42529 -> 127.0.0.1:22  (127.0.0.1)

msf6 auxiliary(scanner/ssh/ssh_login) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > route add 0 0 #
[-] Invalid IP Address
meterpreter > back
[-] Unknown command: back
meterpreter > background
[*] Backgrounding session 1...
msf6 auxiliary(scanner/ssh/ssh_login) > route add 0 0 1
[*] Route added
msf6 auxiliary(scanner/ssh/ssh_login) > use auxiliary/server/capture/http_basic
msf6 auxiliary(server/capture/http_basic) > set SSL true
[!] Changing the SSL option's value may require changing RPORT!
SSL => true
msf6 auxiliary(server/capture/http_basic) > set URI targeturi
URI => targeturi
msf6 auxiliary(server/capture/http_basic) > run
[*] Auxiliary module running as background job 0.
msf6 auxiliary(server/capture/http_basic) > 
[-] Auxiliary failed: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: Unknown error
[-] Call stack:
[-]   /home/gwillcox/git/metasploit-framework/lib/rex/post/meterpreter/channel.rb:116:in `create'
[-]   /home/gwillcox/git/metasploit-framework/lib/rex/post/meterpreter/extensions/stdapi/net/socket_subsystem/tcp_server_channel.rb:72:in `open'
[-]   /home/gwillcox/git/metasploit-framework/lib/rex/post/meterpreter/extensions/stdapi/net/socket.rb:107:in `create_tcp_server_channel'
[-]   /home/gwillcox/git/metasploit-framework/lib/rex/post/meterpreter/extensions/stdapi/net/socket.rb:91:in `create'
[-]   /home/gwillcox/git/metasploit-framework/lib/msf/base/sessions/meterpreter.rb:577:in `create'
[-]   /home/gwillcox/.rvm/gems/ruby-2.7.2@metasploit-framework/gems/rex-socket-0.1.33/lib/rex/socket.rb:51:in `create_param'
[-]   /home/gwillcox/.rvm/gems/ruby-2.7.2@metasploit-framework/gems/rex-socket-0.1.33/lib/rex/socket/tcp_server.rb:39:in `create_param'
[-]   /home/gwillcox/.rvm/gems/ruby-2.7.2@metasploit-framework/gems/rex-socket-0.1.33/lib/rex/socket/tcp_server.rb:29:in `create'
[-]   /home/gwillcox/git/metasploit-framework/lib/rex/proto/http/server.rb:145:in `start'
[-]   /home/gwillcox/git/metasploit-framework/lib/rex/service_manager.rb:80:in `start'
[-]   /home/gwillcox/git/metasploit-framework/lib/rex/service_manager.rb:24:in `start'
[-]   /home/gwillcox/git/metasploit-framework/lib/msf/core/exploit/remote/http_server.rb:136:in `start_service'
[-]   /home/gwillcox/git/metasploit-framework/lib/msf/core/exploit/remote/socket_server.rb:40:in `exploit'
[-]   /home/gwillcox/git/metasploit-framework/modules/auxiliary/server/capture/http_basic.rb:54:in `run'
Interrupt: use the 'exit' command to quit
msf6 auxiliary(server/capture/http_basic) > set URI https://www.google.com
URI => https://www.google.com
msf6 auxiliary(server/capture/http_basic) > run
[*] Auxiliary module running as background job 1.
msf6 auxiliary(server/capture/http_basic) > 
[-] Auxiliary failed: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: Unknown error
[-] Call stack:
[-]   /home/gwillcox/git/metasploit-framework/lib/rex/post/meterpreter/channel.rb:116:in `create'
[-]   /home/gwillcox/git/metasploit-framework/lib/rex/post/meterpreter/extensions/stdapi/net/socket_subsystem/tcp_server_channel.rb:72:in `open'
[-]   /home/gwillcox/git/metasploit-framework/lib/rex/post/meterpreter/extensions/stdapi/net/socket.rb:107:in `create_tcp_server_channel'
[-]   /home/gwillcox/git/metasploit-framework/lib/rex/post/meterpreter/extensions/stdapi/net/socket.rb:91:in `create'
[-]   /home/gwillcox/git/metasploit-framework/lib/msf/base/sessions/meterpreter.rb:577:in `create'
[-]   /home/gwillcox/.rvm/gems/ruby-2.7.2@metasploit-framework/gems/rex-socket-0.1.33/lib/rex/socket.rb:51:in `create_param'
[-]   /home/gwillcox/.rvm/gems/ruby-2.7.2@metasploit-framework/gems/rex-socket-0.1.33/lib/rex/socket/tcp_server.rb:39:in `create_param'
[-]   /home/gwillcox/.rvm/gems/ruby-2.7.2@metasploit-framework/gems/rex-socket-0.1.33/lib/rex/socket/tcp_server.rb:29:in `create'
[-]   /home/gwillcox/git/metasploit-framework/lib/rex/proto/http/server.rb:145:in `start'
[-]   /home/gwillcox/git/metasploit-framework/lib/rex/service_manager.rb:80:in `start'
[-]   /home/gwillcox/git/metasploit-framework/lib/rex/service_manager.rb:24:in `start'
[-]   /home/gwillcox/git/metasploit-framework/lib/msf/core/exploit/remote/http_server.rb:136:in `start_service'
[-]   /home/gwillcox/git/metasploit-framework/lib/msf/core/exploit/remote/socket_server.rb:40:in `exploit'
[-]   /home/gwillcox/git/metasploit-framework/modules/auxiliary/server/capture/http_basic.rb:54:in `run'

Not sure if I'm doing something wrong here but this seems to be throwing stack traces.

@zeroSteiner (Contributor, Author) commented

I don't know how that snuck in but you definitely found a bug. I resolved the issue in 40a4d09 which also makes the code more similar to the SSH counterpart. I also rebased to pull in the changes that bump metasploit-payloads to v2.0.60 which fixed an unrelated issue in the Python Meterpreter that was coming up while I was reproducing your results.

@gwillcox-r7 (Contributor) commented Nov 12, 2021

Still getting errors:

msf6 auxiliary(scanner/ssh/ssh_login) > route add 0 0 3
[*] Route added
msf6 auxiliary(scanner/ssh/ssh_login) > use auxiliary/server/capture/http_basic
msf6 auxiliary(server/capture/http_basic) > set SSL true
[!] Changing the SSL option's value may require changing RPORT!
SSL => true
msf6 auxiliary(server/capture/http_basic) > set URI https://www.google.com
URI => https://www.google.com
msf6 auxiliary(server/capture/http_basic) > show options

Module options (auxiliary/server/capture/http_basic):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   REALM        Secure Site      yes       The authentication realm you'd like to present.
   RedirectURL                   no        The page to redirect users to after they enter basic auth creds
   SRVHOST      0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT      80               yes       The local port to listen on.
   SSL          true             no        Negotiate SSL for incoming connections
   SSLCert                       no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                       no        The URI to use for this exploit (default is random)


Auxiliary action:

   Name     Description
   ----     -----------
   Capture  Run capture web server


msf6 auxiliary(server/capture/http_basic) > set URI
set URI      set URIHOST  set URIPATH  set URIPORT  
msf6 auxiliary(server/capture/http_basic) > set SRVPORT 443
SRVPORT => 443
msf6 auxiliary(server/capture/http_basic) > set URIPATH /
URIPATH => /
msf6 auxiliary(server/capture/http_basic) > 
msf6 auxiliary(server/capture/http_basic) > run
[*] Auxiliary module running as background job 0.
msf6 auxiliary(server/capture/http_basic) > 
[-] Auxiliary failed: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: Unknown error
[-] Call stack:
[-]   /home/gwillcox/git/metasploit-framework/lib/rex/post/meterpreter/channel.rb:116:in `create'
[-]   /home/gwillcox/git/metasploit-framework/lib/rex/post/meterpreter/extensions/stdapi/net/socket_subsystem/tcp_server_channel.rb:72:in `open'
[-]   /home/gwillcox/git/metasploit-framework/lib/rex/post/meterpreter/extensions/stdapi/net/socket.rb:107:in `create_tcp_server_channel'
[-]   /home/gwillcox/git/metasploit-framework/lib/rex/post/meterpreter/extensions/stdapi/net/socket.rb:91:in `create'
[-]   /home/gwillcox/git/metasploit-framework/lib/msf/base/sessions/meterpreter.rb:577:in `create'
[-]   /home/gwillcox/.rvm/gems/ruby-2.7.2@metasploit-framework/gems/rex-socket-0.1.34/lib/rex/socket.rb:51:in `create_param'
[-]   /home/gwillcox/.rvm/gems/ruby-2.7.2@metasploit-framework/gems/rex-socket-0.1.34/lib/rex/socket/tcp_server.rb:39:in `create_param'
[-]   /home/gwillcox/.rvm/gems/ruby-2.7.2@metasploit-framework/gems/rex-socket-0.1.34/lib/rex/socket/tcp_server.rb:29:in `create'
[-]   /home/gwillcox/git/metasploit-framework/lib/rex/proto/http/server.rb:145:in `start'
[-]   /home/gwillcox/git/metasploit-framework/lib/rex/service_manager.rb:80:in `start'
[-]   /home/gwillcox/git/metasploit-framework/lib/rex/service_manager.rb:24:in `start'
[-]   /home/gwillcox/git/metasploit-framework/lib/msf/core/exploit/remote/http_server.rb:136:in `start_service'
[-]   /home/gwillcox/git/metasploit-framework/lib/msf/core/exploit/remote/socket_server.rb:40:in `exploit'
[-]   /home/gwillcox/git/metasploit-framework/modules/auxiliary/server/capture/http_basic.rb:54:in `run'
msf6 auxiliary(server/capture/http_basic) > sessions

Active sessions
===============

  Id  Name  Type                      Information                          Connection
  --  ----  ----                      -----------                          ----------
  3         meterpreter python/linux  gwillcox @ gwillcox-Virtual-Machine  127.0.0.1:41171 -> 127.0.0.1:4444  (127.0.0.1)
  4         shell linux               SSH gwillcox:  (127.0.0.1:22)        127.0.0.1:35563 -> 127.0.0.1:22  (127.0.0.1)

msf6 auxiliary(server/capture/http_basic) > 

@gwillcox-r7 (Contributor) commented

Looks like this is related to a permissions error, changing this to a higher numbered port that nothing was listening on worked and prevents this stack trace, although we likely should be handling this error to prevent user confusion.

@gwillcox-r7 (Contributor) commented

Curl Side:

$ curl -vvvv --user hello:world -k https://172.20.223.94:9933/
*   Trying 172.20.223.94:9933...
* TCP_NODELAY set
* Connected to 172.20.223.94 (172.20.223.94) port 9933 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: C=US; ST=ME; O=Prohaska LLC; OU=haptic; CN=prohaska.llc.net; emailAddress=haptic@prohaska.llc.net
*  start date: Aug  2 23:01:16 2020 GMT
*  expire date: Jul 31 23:01:16 2028 GMT
*  issuer: C=US; ST=ME; O=Prohaska LLC; OU=haptic; CN=prohaska.llc.net; emailAddress=haptic@prohaska.llc.net
*  SSL certificate verify result: self signed certificate (18), continuing anyway.
* Server auth using Basic with user 'hello'
> GET / HTTP/1.1
> Host: 172.20.223.94:9933
> Authorization: Basic aGVsbG86d29ybGQ=
> User-Agent: curl/7.68.0
> Accept: */*
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Empty reply from server
* Connection #0 to host 172.20.223.94 left intact
curl: (52) Empty reply from server

Server Side:

msf6 auxiliary(server/capture/http_basic) > set SRVPORT 9933
SRVPORT => 9933
msf6 auxiliary(server/capture/http_basic) > run
[*] Auxiliary module running as background job 1.
msf6 auxiliary(server/capture/http_basic) > 
[*] Using URL: https://0.0.0.0:9933/
[*] Local IP: https://172.20.223.94:9933/
[*] Server started.
[+] HTTP Basic Auth LOGIN 172.20.223.94 "hello:world" / /

msf6 auxiliary(server/capture/http_basic) > routes
[-] Unknown command: routes
msf6 auxiliary(server/capture/http_basic) > route

IPv4 Active Routing Table
=========================

   Subnet             Netmask            Gateway
   ------             -------            -------
   0                  0.0.0.0            Session 3

[*] There are currently no IPv6 routes defined.
msf6 auxiliary(server/capture/http_basic) > sessions

Active sessions
===============

  Id  Name  Type                      Information                          Connection
  --  ----  ----                      -----------                          ----------
  3         meterpreter python/linux  gwillcox @ gwillcox-Virtual-Machine  127.0.0.1:41171 -> 127.0.0.1:4444  (127.0.0.1)

@gwillcox-r7 (Contributor) commented

Getting connection errors with the regular command shell version:

msf6 > use auxiliary/server/capture/http_basic
msf6 auxiliary(server/capture/http_basic) > set SSL true
SSL => true
msf6 auxiliary(server/capture/http_basic) > set URIPATH /testing
URIPATH => /testing
msf6 auxiliary(server/capture/http_basic) > run
[*] Auxiliary module running as background job 2.
msf6 auxiliary(server/capture/http_basic) > 
[*] Using URL: https://0.0.0.0:9933/testing
[*] Local IP: https://172.20.223.94:9933/testing
[*] Server started.

msf6 auxiliary(server/capture/http_basic) > route

IPv4 Active Routing Table
=========================

   Subnet             Netmask            Gateway
   ------             -------            -------
   0                  0.0.0.0            Session 4

[*] There are currently no IPv6 routes defined.
msf6 auxiliary(server/capture/http_basic) > sessions

Active sessions
===============

  Id  Name  Type                      Information                              Connection
  --  ----  ----                      -----------                              ----------
  3         meterpreter python/linux  gwillcox @ gwillcox-Virtual-Machine      127.0.0.1:41171 -> 127.0.0.1:4444  (127.0.0.1)
  4         shell linux               SSH *removed*:*removed* (127.0.0.1:22)   127.0.0.1:35563 -> 127.0.0.1:22  (127.0.0.1)

msf6 auxiliary(server/capture/http_basic) > 

On Curl:

$ curl -vvvv --user hello:world -k https://172.20.223.94:9933/testing
*   Trying 172.20.223.94:9933...
* TCP_NODELAY set
* connect to 172.20.223.94 port 9933 failed: Connection refused
* Failed to connect to 172.20.223.94 port 9933: Connection refused
* Closing connection 0
curl: (7) Failed to connect to 172.20.223.94 port 9933: Connection refused

@gwillcox-r7 (Contributor) commented

$ curl -vvvv --user hello:world -k https://172.20.223.94:8833/asdf
*   Trying 172.20.223.94:8833...
* TCP_NODELAY set
* Connected to 172.20.223.94 (172.20.223.94) port 8833 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: C=US; ST=VT; O=Abshire Inc; OU=interface; CN=abshire.inc.biz; emailAddress=interface@abshire.inc.biz
*  start date: Feb 11 19:31:05 2020 GMT
*  expire date: Feb 10 19:31:05 2024 GMT
*  issuer: C=US; ST=VT; O=Abshire Inc; OU=interface; CN=abshire.inc.biz; emailAddress=interface@abshire.inc.biz
*  SSL certificate verify result: self signed certificate (18), continuing anyway.
* Server auth using Basic with user 'hello'
> GET /asdf HTTP/1.1
> Host: 172.20.223.94:8833
> Authorization: Basic aGVsbG86d29ybGQ=
> User-Agent: curl/7.68.0
> Accept: */*
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Empty reply from server
* Connection #0 to host 172.20.223.94 left intact
curl: (52) Empty reply from server

And Metasploit:

msf6 auxiliary(server/capture/http_basic) > jobs -K
Stopping all jobs...
se
[*] Server stopped.
[*] Server stopped.
msf6 auxiliary(server/capture/http_basic) > set URIPATH /asdf
URIPATH => /asdf
msf6 auxiliary(server/capture/http_basic) > run
[*] Auxiliary module running as background job 4.
msf6 auxiliary(server/capture/http_basic) > 
[*] Using URL: https://0.0.0.0:8833/asdf
[*] Local IP: https://172.20.223.94:8833/asdf
[*] Server started.
[+] HTTP Basic Auth LOGIN 172.20.223.94 "hello:world" / /asdf

msf6 auxiliary(server/capture/http_basic) > sessions

Active sessions
===============

  Id  Name  Type         Information           Connection
  --  ----  ----         -----------           ----------
  1         shell linux  SSH  (127.0.0.1:22)   127.0.0.1:38399 -> 127.0.0.1:22  (127.0.0.1)

msf6 auxiliary(server/capture/http_basic) > route

IPv4 Active Routing Table
=========================

   Subnet             Netmask            Gateway
   ------             -------            -------
   0                  0.0.0.0            Session 1

[*] There are currently no IPv6 routes defined.
msf6 auxiliary(server/capture/http_basic) > 

@gwillcox-r7 gwillcox-r7 merged commit bc7eb48 into rapid7:master Nov 12, 2021
@gwillcox-r7 gwillcox-r7 added the rn-enhancement (release notes enhancement) label Nov 12, 2021
@gwillcox-r7 (Contributor) commented Nov 12, 2021

Release Notes

Support for pivoted SSL server connections as used by capture modules and listeners has been added to Metasploit. The support works for both Meterpreter sessions and SSH sessions.

@gwillcox-r7 (Contributor) commented

Heads up: I had to enable GatewayPorts on Ubuntu (it may be named AllowGatewayPorts or similar on other distros) for this to work with SSH sessions.
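An added example for the sshd_config behaviour behind that note; it is not part of the PR or of the comment above. sshd_config(5) documents that with the default GatewayPorts no, sshd binds every remote port forward to the loopback address on the SSH host whatever address the client asked for, that yes forces the wildcard address, and that clientspecified lets the client choose; the consequence is that a listener reachable only on the SSH host's loopback interface looks like "Connection refused" from any other machine. That the SSH session's server channel is implemented as a remote forward is inferred here from the GatewayPorts requirement, not stated on the page. The checker applies sshd's first-value-wins rule and skips Match blocks (a simplification: sshd applies those values only to matching connections); the sample configuration text is constructed.

```ruby
# Effective GatewayPorts value for sshd_config text. sshd uses the first value
# it finds for a keyword; values inside Match blocks apply only to matching
# connections and are skipped here (a simplification). Default is "no".
def effective_gateway_ports(config_text)
  in_match = false
  config_text.each_line do |raw|
    line = raw.sub(/#.*/, '').strip     # drop comments and surrounding whitespace
    next if line.empty?
    key, value = line.split(/\s*=\s*|\s+/, 2)   # "Key value" or "Key=value"
    if key.casecmp('match').zero?
      in_match = true
      next
    end
    next if in_match
    return value.to_s.strip.downcase if key.casecmp('gatewayports').zero?
  end
  'no'
end

# Address sshd will actually bind for a remote forward (ssh -R, or the
# tcpip-forward request a remote listener relies on), given the requested one.
def remote_forward_bind_address(config_text, requested)
  case effective_gateway_ports(config_text)
  when 'yes' then '0.0.0.0'
  when 'clientspecified' then requested
  else '127.0.0.1'
  end
end

# Constructed sample: the stock default, with GatewayPorts only present as a comment.
SAMPLE_SSHD_CONFIG = <<~CONF
  # GatewayPorts no
  Port 22
  PermitRootLogin prohibit-password
CONF

if __FILE__ == $0
  puts "GatewayPorts: #{effective_gateway_ports(SAMPLE_SSHD_CONFIG)}"
  puts "0.0.0.0 requested, bound to: #{remote_forward_bind_address(SAMPLE_SSHD_CONFIG, '0.0.0.0')}"
end
```

On the SSH host itself, `sshd -T | grep -i gatewayports` prints the effective value including Match handling, which is the authoritative check; the parser above is for reasoning about a config file you have in hand without shell access to the host.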
