
Metasploit Reverse Session Takeover Vulnerability

Author: Social Engineering Neo
Risk: Security Risk High
0day-ID: 0day-ID-33004
Category: local exploits
Date added: 22-07-2019
Platform: multiple
# Exploit Title: Metasploit Reverse Session Takeover
# Exploit Author: Social Engineering Neo  -  @EngineeringNeo
# Software Link: https://www.metasploit.com/download
# Version: Metasploit Pro v4.17.67-dev
# Tested on: Linux & Windows


Metasploit Reverse Session Takeover by Social Engineering Neo.


Affected Platforms: - Windows & Linux


Tested On: - Metasploit Pro v4.17.67-dev


Summary: - Reverse sessions, by design, beacon out from the victim machine, potentially leaking the IP address and port being used by the attacker.


Short Description: - Another attacker who knows that a reverse session is taking place may be able to discover the local/remote IP address and port being used for the reverse connection.
                 : - This can be done by performing a MiTM attack and monitoring the traffic between the host and the attacker.
                 : - This is a method of attack, not a vulnerability.
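The summary above rests on one property: a reverse payload connects out to a fixed IP and port on a regular cadence. The Python below is an added example, not part of the original advisory, showing how a defender uses that same property from the victim's side by grouping outbound flow records per destination and flagging near-constant check-in intervals. The flow-log format, port 4444 and the non-advisory addresses are constructed; only 192.168.66.154 and 192.168.66.130 come from the PoC setup.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed flow log, one connection attempt per line:
#   "<ISO timestamp> <src ip>:<src port> -> <dst ip>:<dst port>"
# 192.168.66.154 (Victim) and 192.168.66.130 (Attacker1) are the advisory's hosts.
SAMPLE_FLOWS = """\
2019-07-22T10:00:00 192.168.66.154:49201 -> 192.168.66.130:4444
2019-07-22T10:00:03 192.168.66.154:49233 -> 192.168.66.1:53
2019-07-22T10:00:05 192.168.66.154:49202 -> 192.168.66.130:4444
2019-07-22T10:00:10 192.168.66.154:49203 -> 192.168.66.130:4444
2019-07-22T10:00:11 192.168.66.154:49240 -> 203.0.113.7:443
2019-07-22T10:00:15 192.168.66.154:49204 -> 192.168.66.130:4444
2019-07-22T10:00:20 192.168.66.154:49205 -> 192.168.66.130:4444
2019-07-22T10:00:25 192.168.66.154:49206 -> 192.168.66.130:4444
2019-07-22T10:00:47 192.168.66.154:49260 -> 203.0.113.7:443
"""

def parse_flows(text):
    """Yield (timestamp, src_ip, dst_ip, dst_port) for each non-empty line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, _arrow, dst = line.split()
        dst_ip, dst_port = dst.rsplit(":", 1)
        yield datetime.fromisoformat(ts), src.rsplit(":", 1)[0], dst_ip, int(dst_port)

def find_beacons(text, min_hits=5, max_jitter=0.2):
    """Return {(src_ip, dst_ip, dst_port): (hits, mean_gap_seconds)} for destinations
    contacted at least min_hits times with near-constant spacing (the standard
    deviation of the gaps is at most max_jitter times the mean gap)."""
    by_dest = defaultdict(list)
    for ts, src, dst, port in parse_flows(text):
        by_dest[(src, dst, port)].append(ts)
    beacons = {}
    for key, times in by_dest.items():
        if len(times) < min_hits:
            continue  # too few contacts to judge a cadence
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) <= max_jitter * avg:
            beacons[key] = (len(times), avg)
    return beacons

if __name__ == "__main__":
    for (src, dst, port), (hits, gap) in find_beacons(SAMPLE_FLOWS).items():
        print(f"{src} -> {dst}:{port}: {hits} connections every {gap:.0f}s")
```

A payload that randomizes its check-in interval passes this test, so treat a hit as one signal to pivot on, not a verdict.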


Proof of Concept: -
####
Setup 3 VMs.

'Attacker1' = Attacker Windows - 192.168.66.130
'Attacker2' = Attacker Linux - 192.168.66.135
'Victim' = Windows x86 - 192.168.66.154


'Attacker1' and 'Victim' session started.

Upon post-exploitation 'Attacker2' discovers 'Attacker1' on the network.

'Attacker2' successfully takes 'Attacker1' offline, then 'Attacker2' masks their IP address with the IP address of 'Attacker1' to view incoming traffic destined for 'Attacker1'.

From inspecting the network traffic 'Attacker2' discovers the port being used during the session between 'Attacker1' and 'Victim'.

'Attacker2' then listens on the IP and port of 'Attacker1's reverse session, taking over the previous session.

'Attacker2' and 'Victim' session started.
####


VIDEO: - https://youtu.be/BiaBkd34otY


Expected Result: - Session between 'Attacker1' and 'Victim' cannot be taken over by 'Attacker2'.


Observed Result: - Session between 'Attacker1' and 'Victim' is easily taken over by 'Attacker2'.


Our Recommendation: - Use reverse connections less often.


Useful scenarios: - Gaining knowledge of the IP address and port of the attacker machine; theoretically you can create a reverse payload and execute it inside a honeypot. If the attacker is actively listening for connections, they will automatically open a session, and you are able to mess around with them as much as you like ;)
                : - When a local machine in the network is infected with a reverse payload, it would be possible to modify local network routes so that you become the remote machine, opening a session where it wouldn't otherwise be possible.
                : - Botnets, information gathering, blue teams and law enforcement.
                : - Stealing other sessions.


NOTE: - We are using Metasploit as an example because it's one of the most popular pentesting tools.
    : - Yes, there are reasons why reverse connections are preferred over many other connection methods.

#  0day.today [2024-07-02]  #