# Exploit Title: Metasploit Reverse Session Takeover
# Exploit Author: Social Engineering Neo - @EngineeringNeo
# Software Link: https://www.metasploit.com/download
# Version: Metasploit Pro v4.17.67-dev
# Tested on: Linux & Windows
Metasploit Reverse Session Takeover by Social Engineering Neo.
Affected Platforms: - Windows & Linux
Tested On: - Metasploit Pro v4.17.67-dev
Summary: - Reverse sessions beacon out from the victim machine by design, potentially leaking the IP address and port being used by the attacker.
Short Description: - Another attacker who knows that a reverse session is taking place may be able to discover the local/remote IP address and port being used for the reverse connection.
: - This can be done by performing a MiTM attack and monitoring the traffic between the host and the attacker.
: - This is a method of attack, not a vulnerability.
Proof of Concept: -
####
Set up 3 VMs.
'Attacker1' = Attacker Windows - 192.168.66.130
'Attacker2' = Attacker Linux - 192.168.66.135
'Victim' = Windows x86 - 192.168.66.154
A session between 'Attacker1' and 'Victim' is started.
During post-exploitation, 'Attacker2' discovers 'Attacker1' on the network.
'Attacker2' takes 'Attacker1' offline, then masks its own IP address with the IP address of 'Attacker1' in order to view incoming traffic destined for 'Attacker1'.
By inspecting that network traffic, 'Attacker2' discovers the port being used by the session between 'Attacker1' and 'Victim'.
'Attacker2' then listens on the IP address and port of the 'Attacker1' reverse session, taking over the previous session.
A session between 'Attacker2' and 'Victim' is started.
####
VIDEO: - https://youtu.be/BiaBkd34otY
Expected Result: - The session between 'Attacker1' and 'Victim' cannot be taken over by 'Attacker2'.
Observed Result: - The session between 'Attacker1' and 'Victim' is easily taken over by 'Attacker2'.
Our Recommendation: - Use reverse connections less often.
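From the defender's side, the takeover described in the proof of concept leaves two observable artefacts on the victim's network: the reverse payload repeatedly connecting to one fixed IP address and port (the beacon the summary mentions), and a different machine starting to answer for 'Attacker1''s IP address. The script below is an added example (not part of this advisory and not Metasploit code) that flags both and correlates them. The lab addresses are taken from the advisory; the port, timestamps, MAC addresses and the log records themselves are constructed for the example, standing in for what a Zeek/netflow connection log and an ARP monitor would produce.

```python
"""Detect the two artefacts of a reverse-session takeover on the victim's network:
 1. a beacon: periodic outbound connections from one host to one fixed dst ip:port
 2. an address-masking step: an IP address whose MAC mapping changes mid-beacon
All input records below are constructed for this example.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed connection records: (time_s, src_ip, dst_ip, dst_port).
# Lab addresses follow the advisory; the port 4444 and the times are made up.
CONN_LOG = [
    (0,  "192.168.66.154", "192.168.66.130", 4444),
    (10, "192.168.66.154", "192.168.66.130", 4444),
    (20, "192.168.66.154", "192.168.66.130", 4444),
    (31, "192.168.66.154", "192.168.66.130", 4444),
    (40, "192.168.66.154", "192.168.66.130", 4444),
    (50, "192.168.66.154", "192.168.66.130", 4444),
    # irregular browsing noise from another host (TEST-NET-3 addresses)
    (3,  "192.168.66.20", "203.0.113.10", 443),
    (47, "192.168.66.20", "203.0.113.10", 443),
    (48, "192.168.66.20", "203.0.113.20", 443),
]

# Constructed ARP observations: (time_s, ip, mac). MAC addresses are made up.
ARP_LOG = [
    (0,  "192.168.66.130", "00:0c:29:aa:aa:01"),
    (25, "192.168.66.130", "00:0c:29:aa:aa:01"),
    (30, "192.168.66.130", "00:0c:29:bb:bb:02"),  # another host now answers for Attacker1's IP
    (0,  "192.168.66.154", "00:0c:29:cc:cc:03"),
]


def find_beacons(conn_log, min_hits=5, max_jitter=0.25):
    """Group flows by (src, dst, dport) and flag the periodic ones.
    max_jitter bounds the coefficient of variation (stdev / mean) of the
    inter-arrival times; a reconnecting reverse payload has very low jitter."""
    flows = defaultdict(list)
    for t, src, dst, dport in conn_log:
        flows[(src, dst, dport)].append(t)
    beacons = []
    for (src, dst, dport), times in flows.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg == 0 or pstdev(gaps) / avg > max_jitter:
            continue
        beacons.append({"src": src, "dst": dst, "dport": dport, "hits": len(times),
                        "period_s": avg, "first": times[0], "last": times[-1]})
    return beacons


def find_arp_changes(arp_log):
    """Return (time, ip, old_mac, new_mac) each time an IP's MAC mapping changes."""
    seen = {}
    changes = []
    for t, ip, mac in sorted(arp_log):
        prev = seen.get(ip)
        if prev is not None and prev != mac:
            changes.append((t, ip, prev, mac))
        seen[ip] = mac
    return changes


def correlate(beacons, arp_changes):
    """A beacon whose destination IP changed MAC inside the beacon window is the
    takeover pattern: the payload keeps connecting to the same ip:port while a
    different machine has started answering for that address."""
    alerts = []
    for b in beacons:
        for t, ip, old, new in arp_changes:
            if ip == b["dst"] and b["first"] <= t <= b["last"]:
                alerts.append({"victim": b["src"], "handler_ip": ip, "dport": b["dport"],
                               "mac_before": old, "mac_after": new, "at": t})
    return alerts


def run(conn_log=CONN_LOG, arp_log=ARP_LOG):
    """Run all three stages and return (beacons, arp_changes, alerts)."""
    beacons = find_beacons(conn_log)
    changes = find_arp_changes(arp_log)
    return beacons, changes, correlate(beacons, changes)


if __name__ == "__main__":
    beacons, changes, alerts = run()
    for b in beacons:
        print(f"beacon: {b['src']} -> {b['dst']}:{b['dport']} every ~{b['period_s']:.0f}s ({b['hits']} hits)")
    for t, ip, old, new in changes:
        print(f"arp change at t={t}s: {ip} {old} -> {new}")
    for a in alerts:
        print(f"ALERT possible session takeover: victim {a['victim']} beaconing to "
              f"{a['handler_ip']}:{a['dport']}, handler MAC changed at t={a['at']}s")
```

On the constructed data the beacon detector flags only the victim's flow to 192.168.66.130:4444 (the browsing noise has too few hits and irregular gaps), the ARP monitor reports the MAC change at t=30, and the correlation produces one alert because the change falls inside the beacon window. In a real deployment the thresholds (min_hits, max_jitter) and the beacon window need tuning to the network's own traffic, and the ARP log should be taken from a switch, an arpwatch-style sensor or a span port rather than from the endpoints themselves.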
Useful scenarios: - With knowledge of the IP address and port of the attacker machine, you could in theory create a reverse payload and execute it inside a honeypot. If the attacker is actively listening for connections, a session will open automatically, and you are able to mess around with them as much as you like ;)
: - When a local machine on the network is infected with a reverse payload, it would be possible to modify local network routes so that you become the remote machine, opening a session where it would not otherwise be possible.
: - Botnets, information gathering, blue teams & law enforcement.
: - Stealing other sessions.
NOTE: - We are using Metasploit as the example because it is one of the most popular pentesting tools.
: - Yes, there are reasons why reverse connections are preferred over many other connection methods.
# 0day.today [2019-12-04] #