# Exploit Title: Metasploit Reverse Session Takeover
# Exploit Author: Social Engineering Neo - @EngineeringNeo
# Software Link: https://www.metasploit.com/download
# Version: Metasploit Pro v4.17.67-dev
# Tested on: Linux & Windows
Metasploit Reverse Session Takeover by Social Engineering Neo.
Affected Platforms: - Windows & Linux
Tested On: - Metasploit Pro v4.17.67-dev
Summary: - Reverse sessions, by design, beacon out from the victim machine, potentially leaking the IP address and port being used by the attacker.
Short Description: - Another attacker who knows a reverse session is taking place may be able to discover the local/remote IP address and port being used for the reverse connection.
: - This can be done by performing a MITM attack and monitoring the traffic between the host and the attacker.
: - This is a method of attack, not a vulnerability.
Proof of Concept: -
####
Setup 3 VMs.
'Attacker1' = Attacker Windows - 192.168.66.130
'Attacker2' = Attacker Linux - 192.168.66.135
'Victim' = Windows x86 - 192.168.66.154
'Attacker1' and 'Victim' session started.
Upon post-exploitation 'Attacker2' discovers 'Attacker1' on the network.
'Attacker2' successfully takes 'Attacker1' offline, then masks their own IP address with the IP address of 'Attacker1' in order to view incoming traffic destined for 'Attacker1'.
By inspecting that network traffic, 'Attacker2' discovers the port being used for the session between 'Attacker1' and 'Victim'.
'Attacker2' then listens on the IP address and port of 'Attacker1''s reverse session and takes over the previous session.
'Attacker2' and 'Victim' session started.
####
VIDEO: - https://youtu.be/BiaBkd34otY
Expected Result: - Session between 'Attacker1' and 'Victim' cannot be taken over by 'Attacker2'.
Observed Result: - Session between 'Attacker1' and 'Victim' is easily taken over by 'Attacker2'.
Our Recommendation: - Use reverse connections less often.
Useful scenarios: - Gaining knowledge of the IP address and port of the attacker machine. Theoretically you can create a matching reverse payload and execute it inside a honeypot; if the attacker is actively listening for connections, a session will open automatically and you are able to mess around with them as much as you like ;)
: - When a local machine in the network is infected with a reverse payload, it would be possible to modify local network routes so that you become the remote machine, opening a session where it wouldn't otherwise be possible.
: - BotNets, Information Gathering, BlueTeams & Law Enforcement.
: - Stealing other sessions.
NOTE: - We are using Metasploit as an example because it's one of the most popular pentesting tools.
: - Yes, there are reasons why reverse connections are preferred over many other connection methods.
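The beacon-out behaviour described above is also what lets a blue team spot the handler's address from the victim's side. The example below is added here and is not part of the advisory: it groups outbound connection attempts from a constructed connection log by destination and flags the regular retry pattern, reporting the IP and port the payload keeps trying to reach. The log format and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log (not real capture data): "timestamp src dst:port",
# one line per outbound connection attempt from the Windows victim in the
# advisory (192.168.66.154). 203.0.113.10 is a TEST-NET placeholder.
SAMPLE_LOG = """\
2019-12-04T10:00:00 192.168.66.154 192.168.66.130:4444
2019-12-04T10:00:02 192.168.66.154 203.0.113.10:443
2019-12-04T10:00:05 192.168.66.154 192.168.66.130:4444
2019-12-04T10:00:10 192.168.66.154 192.168.66.130:4444
2019-12-04T10:00:15 192.168.66.154 192.168.66.130:4444
2019-12-04T10:00:20 192.168.66.154 192.168.66.130:4444
2019-12-04T10:00:41 192.168.66.154 203.0.113.10:443
"""


def parse_log(text):
    """Parse the assumed log format into (timestamp, src, dst_ip, dst_port)."""
    conns = []
    for line in text.splitlines():
        ts, src, dst = line.split()
        ip, port = dst.rsplit(":", 1)
        conns.append((datetime.fromisoformat(ts), src, ip, int(port)))
    return conns


def find_beacons(conns, min_attempts=4, max_jitter=0.2):
    """Flag (src, dst, port) tuples contacted repeatedly at a steady interval.

    A reverse payload that cannot reach its handler retries at a fixed cadence,
    so the gaps between attempts have a low spread relative to their mean.
    """
    by_dst = defaultdict(list)
    for ts, src, ip, port in conns:
        by_dst[(src, ip, port)].append(ts)
    hits = []
    for (src, ip, port), times in by_dst.items():
        if len(times) < min_attempts:
            continue  # too few attempts to call it a beacon
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append({"src": src, "dst": ip, "port": port,
                         "interval": avg, "count": len(times)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"beacon: {hit['src']} -> {hit['dst']}:{hit['port']} "
              f"every {hit['interval']:.0f}s ({hit['count']} attempts)")
```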
# 0day.today [2019-12-04]