
Add Proxies support to creating a session with postgres_login #18847

Merged

Conversation

@sjanusz-r7 sjanusz-r7 commented Feb 16, 2024

This PR allows the postgres_login module to work with proxies.
This was tested using a macOS host and an Ubuntu VM running Docker.
The macOS host was running two framework consoles. One for setting up a meterpreter session on the Ubuntu VM and the socks proxy job, and the second instance was using the socks proxy to connect to the internal Docker IP.

Before

msf6 auxiliary(scanner/postgres/postgres_login) > run proxies=socks5:192.168.112.1:1080 rhost=172.17.0.3 rport=5432 stop_on_success=true CreateSession=true username=postgres password=password verbose=true

[-] 172.17.0.3:5432 - LOGIN FAILED: postgres:password@template1 (Incorrect: The connection with (172.17.0.3:5432) timed out.)
[-] 172.17.0.3:5432 - LOGIN FAILED: postgres:@template1 (Incorrect: The connection with (172.17.0.3:5432) timed out.)
[-] 172.17.0.3:5432 - LOGIN FAILED: postgres:tiger@template1 (Incorrect: The connection with (172.17.0.3:5432) timed out.)
[-] 172.17.0.3:5432 - LOGIN FAILED: postgres:postgres@template1 (Incorrect: The connection with (172.17.0.3:5432) timed out.)
[-] 172.17.0.3:5432 - LOGIN FAILED: postgres:password@template1 (Incorrect: The connection with (172.17.0.3:5432) timed out.)
[-] 172.17.0.3:5432 - LOGIN FAILED: postgres:admin@template1 (Incorrect: The connection with (172.17.0.3:5432) timed out.)
[-] 172.17.0.3:5432 - LOGIN FAILED: :password@template1 (Incorrect: The connection with (172.17.0.3:5432) timed out.)
[-] 172.17.0.3:5432 - LOGIN FAILED: :@template1 (Incorrect: The connection with (172.17.0.3:5432) timed out.)
[-] 172.17.0.3:5432 - LOGIN FAILED: :tiger@template1 (Incorrect: The connection with (172.17.0.3:5432) timed out.)
[-] 172.17.0.3:5432 - LOGIN FAILED: :postgres@template1 (Incorrect: The connection with (172.17.0.3:5432) timed out.)
[-] 172.17.0.3:5432 - LOGIN FAILED: :password@template1 (Incorrect: The connection with (172.17.0.3:5432) timed out.)
[-] 172.17.0.3:5432 - LOGIN FAILED: :admin@template1 (Incorrect: The connection with (172.17.0.3:5432) timed out.)
[-] 172.17.0.3:5432 - LOGIN FAILED: postgres:password@template1 (Incorrect: The connection with (172.17.0.3:5432) timed out.)
[-] 172.17.0.3:5432 - LOGIN FAILED: postgres:@template1 (Incorrect: The connection with (172.17.0.3:5432) timed out.)
[-] 172.17.0.3:5432 - LOGIN FAILED: postgres:tiger@template1 (Incorrect: The connection with (172.17.0.3:5432) timed out.)
[-] 172.17.0.3:5432 - LOGIN FAILED: postgres:postgres@template1 (Incorrect: The connection with (172.17.0.3:5432) timed out.)
[-] 172.17.0.3:5432 - LOGIN FAILED: postgres:password@template1 (Incorrect: The connection with (172.17.0.3:5432) timed out.)
[-] 172.17.0.3:5432 - LOGIN FAILED: postgres:admin@template1 (Incorrect: The connection with (172.17.0.3:5432) timed out.)
...
You get the point
...
^C[*] Caught interrupt from the console...
[*] Auxiliary module execution completed

After

msf6 auxiliary(scanner/postgres/postgres_login) > run proxies=socks5:192.168.112.1:1080 rhost=172.17.0.3 rport=5432 stop_on_success=true CreateSession=true username=postgres password=password verbose=true

[+] 172.17.0.3:5432 - Login Successful: postgres:password@template1
[*] PostgreSQL session 1 opened (192.168.112.1:52583 -> 192.168.112.1:1080) at 2024-02-17 01:11:24 +0000
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/postgres/postgres_login) > sessions

Active sessions
===============

  Id  Name  Type        Information                               Connection
  --  ----  ----        -----------                               ----------
  1         postgresql  PostgreSQL postgres @ 192.168.112.1:1080  192.168.112.1:52583 -> 192.168.112.1:1080 (172.17.0.3)

msf6 auxiliary(scanner/postgres/postgres_login) > sessions -i -1
[*] Starting interaction with 1...

PostgreSQL @ 192.168.112.1:1080 (template1) > query select version()
[*] SELECT 1

Query
=====

    #  version
    -  -------
    0  PostgreSQL 16.1 (Debian 16.1-1.pgdg120+1) on x86_64-pc-linux-gnu, compiled by gcc (Debian 12.2.0-14) 12.2.0, 64-bit

Wireshark

[screenshot]

This shows us that the PostgreSQL session is routed through the Ubuntu VM (192.168.112.132), and the host is isolated from that VM's Docker IP address range.

[screenshot]

The above screenshot shows the query select version() being executed. This TCP stream is encrypted, and we are routing it correctly 👍

Verification

You might want to ensure that on your host, you have no Docker containers running so that false positives with the same IP on the host and VM are avoided.

  • Start msfconsole on your host
  • Have Docker installed on your Ubuntu VM
  • Set up a Postgres container
  • Get a meterpreter x64 session on your Ubuntu VM
  • In the Framework Console, run route add to add the internal Docker IP from Ubuntu to the routing table (you may be able to call route add 172.17.0.1/24 -1)
  • Set up a socks proxy on the first instance using use socks_proxy
  • Run a second framework instance on your host
  • use postgres_login
  • Pass in the proxies= option pointing to your IP and port used by the socks_proxy
  • run proxies=socks5:your_ip:1080 rhost=ubuntu_vm_internal_docker_ip rport=5432 stop_on_success=true CreateSession=true username=postgres password=whatever_password_you_picked verbose=true
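As an added example (not code from this PR or from Metasploit Framework), the following Ruby shows what the proxies=socks5:host:port option has to do on the wire before the PostgreSQL handshake can start: parse the chain string, send a SOCKS5 (RFC 1928) greeting and a CONNECT request naming the real target (172.17.0.3:5432 here), and interpret the proxy's reply. The "type:host:port" format of parse_proxies is assumed from the option shown above; the handshake functions follow the RFC rather than any Metasploit API. No sockets are opened, and the reply bytes are constructed inline, so it runs offline. This is also what to look for when confirming, as in the Wireshark check above, that a stream really went through the proxy: a 05 01 00 greeting and a CONNECT to port 5432 between the operator host and the proxy, rather than a direct connection to the Docker address.

```ruby
# Added example, not code from this PR or from Metasploit Framework.
# What a proxies=socks5:host:port option has to do before the PostgreSQL
# handshake: SOCKS5 (RFC 1928) greeting, CONNECT to the real target, reply.
# No sockets are opened; every byte string is constructed inline.

require 'ipaddr'

SOCKS_VERSION = 5
CMD_CONNECT   = 1
ATYP_IPV4     = 1
ATYP_DOMAIN   = 3
ATYP_IPV6     = 4

# Reply codes from RFC 1928 section 6. Anything but 0 means the proxy itself
# could not reach the target, the layer the "timed out" errors never got past.
REPLY_MESSAGES = {
  0 => 'succeeded', 1 => 'general SOCKS server failure',
  2 => 'connection not allowed by ruleset', 3 => 'network unreachable',
  4 => 'host unreachable', 5 => 'connection refused', 6 => 'TTL expired',
  7 => 'command not supported', 8 => 'address type not supported'
}.freeze

# Parse a proxy chain given as comma-separated "type:host:port" entries (the
# format assumed from the option used in the PR). Hosts are IPv4 literals or
# hostnames; bracketed IPv6 proxy addresses are not handled here.
def parse_proxies(option)
  option.split(',').map(&:strip).reject(&:empty?).map do |entry|
    type, host, port = entry.split(':', 3)
    raise ArgumentError, "bad proxy entry: #{entry.inspect}" if [type, host, port].any?(&:nil?)

    { type: type.downcase, host: host, port: Integer(port, 10) }
  end
end

# Client greeting: version 5, one method offered, 0x00 = no authentication.
def socks5_greeting
  [SOCKS_VERSION, 1, 0].pack('C3')
end

# CONNECT request for host:port. IP literals go as ATYP 1/4; anything else as
# ATYP 3 so the proxy resolves the name and no DNS lookup for the pivoted
# network leaves the operator's host.
def socks5_connect_request(host, port)
  addr = begin
    ip = IPAddr.new(host)
    [ip.ipv4? ? ATYP_IPV4 : ATYP_IPV6].pack('C') + ip.hton
  rescue IPAddr::InvalidAddressError
    raise ArgumentError, 'hostname longer than 255 bytes' if host.bytesize > 255

    [ATYP_DOMAIN, host.bytesize].pack('C2') + host.b
  end
  [SOCKS_VERSION, CMD_CONNECT, 0].pack('C3') + addr + [port].pack('n')
end

# Parse the proxy's CONNECT reply: VER REP RSV ATYP BND.ADDR BND.PORT.
# Malformed or truncated replies raise instead of being guessed at.
def parse_socks5_reply(bytes)
  raise ArgumentError, 'reply too short' if bytes.bytesize < 4

  ver, rep, _rsv, atyp = bytes.unpack('C4')
  raise ArgumentError, "unexpected SOCKS version #{ver}" unless ver == SOCKS_VERSION

  rest = bytes.byteslice(4, bytes.bytesize - 4)
  case atyp
  when ATYP_IPV4
    raise ArgumentError, 'truncated IPv4 reply' if rest.bytesize < 6
    addr = rest.byteslice(0, 4).unpack('C4').join('.')
    port = rest.byteslice(4, 2).unpack1('n')
  when ATYP_DOMAIN
    len = rest.bytesize >= 1 ? rest.unpack1('C') : nil
    raise ArgumentError, 'truncated domain reply' if len.nil? || rest.bytesize < 3 + len
    addr = rest.byteslice(1, len)
    port = rest.byteslice(1 + len, 2).unpack1('n')
  when ATYP_IPV6
    raise ArgumentError, 'truncated IPv6 reply' if rest.bytesize < 18
    addr = IPAddr.new_ntoh(rest.byteslice(0, 16)).to_s
    port = rest.byteslice(16, 2).unpack1('n')
  else
    raise ArgumentError, "unknown address type #{atyp}"
  end
  { ok: rep.zero?, code: rep, message: REPLY_MESSAGES.fetch(rep, 'unassigned'),
    bound_addr: addr, bound_port: port }
end

# The PR's scenario end to end, with a constructed success reply from the
# proxy (bound address 0.0.0.0:0, as many SOCKS servers report).
def demo
  chain   = parse_proxies('socks5:192.168.112.1:1080')
  request = socks5_connect_request('172.17.0.3', 5432)
  reply   = parse_socks5_reply([5, 0, 0, 1, 0, 0, 0, 0, 0, 0].pack('C10'))
  { chain: chain, greeting_hex: socks5_greeting.unpack1('H*'),
    request_hex: request.unpack1('H*'), reply: reply }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Running the file prints the parsed chain, the greeting (050100) and the CONNECT request (05010001ac1100031538: version 5, CONNECT, IPv4, 172.17.0.3, port 0x1538 = 5432) followed by the decoded reply. Only after a reply with code 0 does the PostgreSQL StartupMessage get written to the same socket, which is why the session table lists the proxy endpoint as the connection and the real target in parentheses.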

@cgranleese-r7 cgranleese-r7 added the rn-enhancement release notes enhancement label Feb 19, 2024
@cgranleese-r7 cgranleese-r7 self-assigned this Feb 19, 2024
@cgranleese-r7

Before

[screenshot]

After

[screenshot]


@cgranleese-r7 cgranleese-r7 left a comment


Looks good to me 👍

@cgranleese-r7 cgranleese-r7 merged commit e66f6c1 into rapid7:master Feb 19, 2024
51 checks passed
@cgranleese-r7

Release Notes

This PR adds proxy support for getting a PostgreSQL session via the postgres_login module.
