
The general consensus seems to be that one sets up a listener on a server accessible by a public IP and some port forwarding. For anonymity this should be a throw-away server or a hacked box.

I've been trying to make a reverse connection over tor (hidden service serves the listener) with a simple client-side exploit. This is nothing new but requires some custom scripting to set up tor and make the meterpreter instance call back over its SOCKS proxy. Doing this all in memory with no admin rights makes it even harder.

Making the listener a hidden service solves anonymity and NAT issues, and the setup on the server side can be more dynamic. I was then looking into making the victim setup easier by using the Tor2web proxies. Retrieving the meterpreter (web delivery/http meterpreter) is no problem, but I only get a session 10% of the time, and when I interact with it and type 'help' it shows barely any commands. It seems that the staging does not work (my guess). The session always ends 10 seconds after it starts, regardless of whether I interact with it... "The session is not valid" is the error it exits with.

Does anyone have experience with reverse connections over tor2web? This article seems to make it work with Empire: http://secureallthethings.blogspot.be/2016_11_01_archive.html

Polarsbear
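From the defender's side, the tor2web callback described in the question has a recognisable fingerprint in egress proxy logs: the requested hostname is an onion address label (16-character v2 or 56-character v3 base32) glued onto a gateway suffix. The following is an added example, not code from the question, the answer, or any project, that flags such hostnames in constructed proxy log lines; the gateway suffix list and the log format are assumptions to be adapted locally.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumed example set of tor2web gateway suffixes; not authoritative or
# complete, maintain your own list from local threat intelligence.
TOR2WEB_SUFFIXES = ("onion.to", "onion.link", "onion.cab", "onion.city", "tor2web.org")

# <onion label>.<gateway>: 16-char (v2) or 56-char (v3) base32 label.
_HOST_RE = re.compile(
    r"^(?P<onion>[a-z2-7]{16}|[a-z2-7]{56})\.(?P<gateway>"
    + "|".join(re.escape(s) for s in TOR2WEB_SUFFIXES) + r")$",
    re.IGNORECASE,
)

# Constructed sample proxy log: "<client> <method> <url-or-host:port> <status>".
SAMPLE_LOG = """\
10.0.0.12 GET https://updates.example.com/patch.bin 200
10.0.0.17 GET http://abcdefghijklmnop.onion.to/a.ps1 200
10.0.0.17 CONNECT abcdefghijklmnop.onion.to:443 200
10.0.0.23 GET https://www.example.org/ 200
10.0.0.31 GET https://abcdefghijklmnopqrstuvwxyz234567abcdefghijklmnopqrstuvwx.onion.link/ 200
"""


def host_of(target: str) -> str:
    """Hostname from a full URL or from a CONNECT-style host:port target."""
    if "://" in target:
        return (urlsplit(target).hostname or "").lower()
    return target.rsplit(":", 1)[0].lower()


def tor2web_match(host: str):
    """(onion_label, gateway) if host is an onion address via a gateway, else None."""
    m = _HOST_RE.match(host)
    return (m.group("onion").lower(), m.group("gateway").lower()) if m else None


def find_tor2web_callbacks(log_text: str) -> dict:
    """Map each client IP to the set of onion labels it reached through a gateway."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # skip malformed lines rather than failing the whole run
        client, target = parts[0], parts[2]
        match = tor2web_match(host_of(target))
        if match:
            hits[client].add(match[0])
    return dict(hits)
```

Both the initial GET (the web-delivery stage) and the later CONNECT on 443 resolve to the same onion label, so grouping by client and label surfaces the beaconing host regardless of which port the listener sits on.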

1 Answer


You may want to consider the following:

  • Tor exit nodes might only allow a small set of outbound ports; perhaps move your listener to 443/tcp
  • Are you using SSL?
  • Have you tried simplifying it to the bone, for example using a basic https egress from your exploit via tor2web and seeing what the success rate is on the listener end? Then add complexity by using meterpreter (staged/stageless) and measure what happens. It could be that your exploit simply drops the connection.

Basically, reduce the variables until you can pinpoint the problem.

lorenzog