
meterpreter doesn't display ipv6 routes

Open noraj opened this issue 2 years ago • 4 comments

I want to bring back #11688.

On a Windows 10 target with many IPv6 routes, the meterpreter route command shows no IPv6 routes.

route print -6 on the target shows many routes while route list on the meterpreter session shows none.

Steps to reproduce

  1. Get a windows/x64/meterpreter/reverse_tcp meterpreter on a Win10 target
  2. In meterpreter run route or route list

It shows the IPv4 routes but it shows "No IPv6 routes were found." instead of the IPv6 routes.

Expected behavior

Displays IPv6 routes.

Current behavior

Displays "No IPv6 routes were found."

Metasploit version

Framework: 6.2.0-dev
Console  : 6.2.0-dev

Additional Information

Target OS: Windows 10 (10.0 Build 19044) x86_64

noraj avatar Jun 18 '22 23:06 noraj

It looks like the Windows Meterpreter only looks up the IPv4 routing information: https://github.com/rapid7/metasploit-payloads/blob/6e08d1f9812aa4d7a76b451fd5e0bae03975bb91/c/meterpreter/source/extensions/stdapi/server/net/config/route.c#L30-L35

Which from the docs is IPv4 only:

GetIpForwardTable function (iphlpapi.h) The GetIpForwardTable function retrieves the IPv4 routing table. https://docs.microsoft.com/en-us/windows/win32/api/iphlpapi/nf-iphlpapi-getipforwardtable

I believe this could be updated to support IPv6 for Windows Server 2008 and above with:

GetIpForwardTable2 function (netioapi.h) The GetIpForwardTable2 function retrieves the IP route entries on the local computer. The values currently supported are AF_INET, AF_INET6, and AF_UNSPEC. https://docs.microsoft.com/en-us/windows/win32/api/netioapi/nf-netioapi-getipforwardtable2

adfoster-r7 avatar Jun 19 '22 22:06 adfoster-r7
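
The API difference described in the comment above, as an added example (not Meterpreter's code and not taken from any pull request): `GetIpForwardTable2` called with `AF_UNSPEC` returns IPv4 and IPv6 rows in one table. `format_prefix` and `print_routes` are hypothetical names; the Windows part links against iphlpapi.lib and ws2_32.lib, and on other platforms only the formatter is compiled.

```c
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <winsock2.h>
#include <ws2tcpip.h>
#include <iphlpapi.h>   /* pulls in netioapi.h */
#else
#include <arpa/inet.h>  /* non-Windows builds only compile the formatter */
#endif

/* Render "address/length" for an AF_INET or AF_INET6 prefix; 0 on success. */
int format_prefix(int family, const void *addr, unsigned len, char *out, size_t n)
{
    char ip[INET6_ADDRSTRLEN];
    unsigned max = (family == AF_INET) ? 32 : (family == AF_INET6) ? 128 : 0;
    if (max == 0 || len > max) return -1;      /* unknown family or bad length */
    if (!inet_ntop(family, addr, ip, sizeof ip)) return -1;
    return snprintf(out, n, "%s/%u", ip, len) < (int)n ? 0 : -1;
}

#ifdef _WIN32
/* Print every route on the host. GetIpForwardTable (no "2") would only
 * ever return the IPv4 rows, which is the behaviour reported in the issue. */
int print_routes(void)
{
    PMIB_IPFORWARD_TABLE2 table = NULL;
    if (GetIpForwardTable2(AF_UNSPEC, &table) != NO_ERROR) return -1;
    for (ULONG i = 0; i < table->NumEntries; i++) {
        const MIB_IPFORWARD_ROW2 *r = &table->Table[i];
        const SOCKADDR_INET *p = &r->DestinationPrefix.Prefix;
        const void *a = (p->si_family == AF_INET)
                            ? (const void *)&p->Ipv4.sin_addr
                            : (const void *)&p->Ipv6.sin6_addr;
        char dst[64];
        if (format_prefix(p->si_family, a, r->DestinationPrefix.PrefixLength,
                          dst, sizeof dst) == 0)
            printf("%-45s if=%lu metric=%lu\n", dst,
                   (unsigned long)r->InterfaceIndex, (unsigned long)r->Metric);
    }
    FreeMibTable(table);                        /* table is allocated by the API */
    return 0;
}

int main(void) { return print_routes(); }
#endif
```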

Hello! Is anyone working on this? I would like to take this issue

rdrck47 avatar Jul 07 '22 05:07 rdrck47

> Hello! Is anyone working on this? I would like to take this issue

As far as I'm aware no-one is working on this. Assigned.

bcoles avatar Jul 07 '22 05:07 bcoles

If this issue is still open, I would like to contribute to it.

JustAnda7 avatar Oct 08 '22 05:10 JustAnda7

Unassigning people since I have not seen any development on this. Anyone is free to take on this issue @JustAnda7. I'll assign you in the meantime.

gwillcox-r7 avatar Feb 07 '23 23:02 gwillcox-r7

The changes are to be done in rapid7/metasploit-payloads repo right? And how to test the changes?

JustAnda7 avatar Feb 09 '23 13:02 JustAnda7

@JustAnda7 @adfoster-r7 Already did an explanation of the problem above, which is likely where you should start. I'd recommend reading through that and using https://sourcegraph.com/search?q=repo:%5Egithub%5C.com/rapid7/.*&patternType=regexp&sm=0 to filter through all of Rapid7's code to find what you are after.

And to answer your question, yes this will most likely require a change to the code inside rapid7/metasploit-payloads.

gwillcox-r7 avatar Feb 09 '23 18:02 gwillcox-r7

@JustAnda7 As for testing the changes, look up at the user's problem. They mentioned that they can't get IPv6 routes to display when running route or route list inside a Meterpreter session. Therefore whatever solution is created should allow you to run route or route list inside a Meterpreter session and should return a full list of both the IPv4 and IPv6 routing tables for the target that the Meterpreter session is on.

gwillcox-r7 avatar Feb 09 '23 18:02 gwillcox-r7

> The changes are to be done in rapid7/metasploit-payloads repo right? And how to test the changes?

Sorry @gwillcox-r7 , by this I meant if I made changes on a branch in the forked repo how will those be detected on a meterpreter session

JustAnda7 avatar Feb 10 '23 16:02 JustAnda7

@JustAnda7 Depends which one you are modifying. If you're doing Java/Python Meterpreters for instance it would be https://github.com/rapid7/metasploit-payloads/blob/master/java/README.md for how to build and test those payloads.

For Windows Meterpreter you'd want to use https://github.com/rapid7/metasploit-payloads/blob/master/c/meterpreter/README.md.

Given this problem was reported on Windows 10 I'd use the Windows link I mentioned above and follow the instructions there. Note that all of these instructions are also linked from the main README.md file for the Metasploit Payloads repo over at https://github.com/rapid7/metasploit-payloads.

In terms of how they'd be detected, I'd imagine that a proper fix would update the existing implementation of the route function in a meterpreter session on Windows in the manner I described at https://github.com/rapid7/metasploit-framework/issues/16693#issuecomment-1424671484. A broken down version of those steps might be something like this:

Current steps:

  1. Get a Windows Meterpreter session
  2. Interact with said session via session -i <session number>
  3. Run route.
  4. See only the IPv4 routing table. No IPv6 routing table is shown even if the host supports IPv6.

Ideal situation:

  1. Get a Windows Meterpreter session
  2. Interact with said session via session -i <session number>
  3. Run route.
  4. See the host's IPv6 and IPv4 routing table.

gwillcox-r7 avatar Feb 10 '23 18:02 gwillcox-r7

I have opened a PR in the payloads repo regarding the changes to be made. @zeroSteiner Please inspect the changes.

JustAnda7 avatar Feb 25 '23 11:02 JustAnda7

Just for a paper trail:

  • Windows Meterpreter has this functionality now https://github.com/rapid7/metasploit-payloads/pull/614

Will need to check the other meterpreters

adfoster-r7 avatar Oct 02 '23 14:10 adfoster-r7