Adds support for resolving multiple host ips #18499

Draft
wants to merge 3 commits into
base: master

Contributor

@cgranleese-r7 cgranleese-r7 commented Nov 1, 2023

Note

Ensure the following PR has been landed before landing this one. This PR will also require a rebase before landing.
Remove hardcoded branches and repos before merging.

This PR is in conjunction with a PR in metasploit-payloads.

This PR updates resolve_host and resolve_hosts to now support resolving multiple host IPs.

The changes support backwards compatibility for old Meterpreter sessions by checking for TLV types of TLV_TYPE_IP that follows the existing logic, as well as the new TLV_TYPE_RESOLVE_HOST_ENTRY TLV.

Verification

Needs to be tested in tandem with the metasploit-payloads PR.

resolve_host

  • Start msfconsole
  • use php/meterpreter/reverse_tcp
  • Get a Meterpreter session
  • Run the following command: irb -e "framework.sessions.values.last.net.resolve.resolve_host 'rapid7.com'"
  • Add a breakpoint and verify you get multiple IPs being resolved
  • Verify you see the following output:
{:hostname=>"rapid7.com", :ip=>"108.156.39.19", :ips=>["108.156.39.19", "108.156.39.105", "108.156.39.48", "108.156.39.8"]}

resolve_hosts

  • Start msfconsole
  • use php/meterpreter/reverse_tcp
  • Get a Meterpreter session
  • Run the following command: irb -e "framework.sessions.values.last.net.resolve.resolve_hosts ['rapid7.com', 'google.com']"
  • Add a breakpoint and verify you get multiple IPs being resolved
  • Verify you see the following output:
[{:hostname=>"rapid7.com", :ip=>"108.156.39.19", :ips=>["108.156.39.19", "108.156.39.105", "108.156.39.48", "108.156.39.8"]}, {:hostname=>"google.com", :ip=>"216.58.201.110", :ips=>["216.58.201.110"]}]

@cgranleese-r7 cgranleese-r7 added enhancement rn-enhancement release notes enhancement labels Nov 1, 2023
@cgranleese-r7 cgranleese-r7 added blocked Blocked by one or more additional tasks and removed blocked Blocked by one or more additional tasks labels Nov 2, 2023
@adfoster-r7
Contributor

It'd be good to update the test notes to verify that an IPv6 target works as expected

@adfoster-r7
Contributor

Will attic for now until we can pick this up again in the new year when we've got the other priorities out for this year 👍


Thanks for your contribution to Metasploit Framework! We've looked at this pull request, and we agree that it seems like a good addition to Metasploit, but it looks like it is not quite ready to land. We've labeled it attic and closed it for now.

What does this generally mean? It could be one or more of several things:

  • It doesn't look like there has been any activity on this pull request in a while
  • We may not have the proper access or equipment to test this pull request, or the contributor doesn't have time to work on it right now.
  • Sometimes the implementation isn't quite right and a different approach is necessary.

We would love to land this pull request when it's ready. If you have a chance to address all comments, we would be happy to reopen and discuss how to merge this!

@github-actions github-actions bot closed this Nov 15, 2024
@cgranleese-r7 cgranleese-r7 reopened this Jan 9, 2025
@cgranleese-r7 cgranleese-r7 added payload-testing-branch Runs framework and custom payloads PRs - https://github.com/rapid7/metasploit-framework/pull/19390 and removed attic Older submissions that we still want to work on again labels Jan 9, 2025
@cgranleese-r7 cgranleese-r7 force-pushed the meterpreter-resolve-multiple-hosts branch 4 times, most recently from 22529d6 to 5a005b2 Compare January 9, 2025 12:16
@cgranleese-r7 cgranleese-r7 force-pushed the meterpreter-resolve-multiple-hosts branch 8 times, most recently from fc42a9e to 5379488 Compare January 21, 2025 15:29
@cgranleese-r7 cgranleese-r7 force-pushed the meterpreter-resolve-multiple-hosts branch 14 times, most recently from 7073d52 to aa77455 Compare January 29, 2025 12:08
@cgranleese-r7 cgranleese-r7 mentioned this pull request Feb 3, 2025
5 tasks
@cgranleese-r7 cgranleese-r7 force-pushed the meterpreter-resolve-multiple-hosts branch 2 times, most recently from f89ae86 to 02b2435 Compare February 7, 2025 13:24
@adfoster-r7
Contributor

If we throw in this code to enhance the resolve meterpreter command it'll expose the functionality to the user more cleanly, and it's easier to test too 😄

diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/net.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/net.rb
index 01818ae2d7..573fc2f8cf 100644
--- a/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/net.rb
+++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/net.rb
@@ -654,10 +654,13 @@ class Console::CommandDispatcher::Stdapi::Net
     )
 
     response.each do |result|
-      if result[:ip].nil?
+      if result[:ips].empty?
         table << [result[:hostname], '[Failed To Resolve]']
       else
-        table << [result[:hostname], result[:ip]]
+        require 'pry-byebug'; binding.pry
+        result[:ips].each do |ip|
+          table << [result[:hostname], ip]
+        end
       end
     end
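Review bot: The added line "require 'pry-byebug'; binding.pry" in the else branch is a debugging breakpoint that will stop the resolve command on every successful lookup, so it needs to come out before this lands. Separately, the condition moved from result[:ip].nil? to result[:ips].empty?, which raises NoMethodError if a result ever arrives without an :ips key (for example from a session that only returns the single-IP form); either guard with result[:ips].nil? || result[:ips].empty? or make sure resolve_hosts always sets :ips to an array.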

Usage:

msf6 payload(php/meterpreter_reverse_tcp) > sessions -i -1
[*] Starting interaction with 6...

meterpreter > resolve example.com

Host resolutions
================

    Hostname     IP Address
    --------     ----------
    example.com  23.215.0.136
    example.com  23.215.0.138
    example.com  96.7.128.175
    example.com  96.7.128.198
    example.com  23.192.228.80
    example.com  23.192.228.84

meterpreter > 

@cgranleese-r7 cgranleese-r7 force-pushed the meterpreter-resolve-multiple-hosts branch from 02b2435 to 9bad611 Compare February 11, 2025 14:52
@adfoster-r7
Contributor

It'd be great to rebase against master, and have a run through of the test suite pointing towards your payload PR(s) since the test suite is failing

@adfoster-r7
Contributor

I'm not sure if it's your PR or not, but looks like it fails against unresolved hosts with a Python exception which I don't think is expected

meterpreter > resolve foo
[-] stdapi_net_resolve_hosts: Operation failed: Python exception: KeyError

Whilst with PHP:

Host resolutions
================

    Hostname  IP Address
    --------  ----------
    foo       [Failed To Resolve]

@cgranleese-r7 cgranleese-r7 added the payload-testing-mettle-branch Runs framework and custom mettle PRs - https://github.com/rapid7/metasploit-framework/pull/19390 label Feb 11, 2025
@cgranleese-r7 cgranleese-r7 force-pushed the meterpreter-resolve-multiple-hosts branch 2 times, most recently from 79891fb to 1b783ad Compare February 13, 2025 14:33
@cgranleese-r7 cgranleese-r7 force-pushed the meterpreter-resolve-multiple-hosts branch from 1b783ad to 94dadf4 Compare February 13, 2025 15:42
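The backwards-compatibility point in the PR description and the unresolved-host case raised in the later comments, as an added Ruby example (not code from this PR or from Metasploit): it folds a single-IP result into the multi-IP shape shown in the verification output and emits one table row per address. The helper names normalize_resolution and resolution_rows are hypothetical, a legacy result is assumed to carry only :ip, and the sample records are constructed.

```ruby
# Added illustration; not code from metasploit-framework.
# normalize_resolution and resolution_rows are hypothetical helper names.
FAILED = '[Failed To Resolve]'.freeze

# Accepts either the legacy shape ({hostname:, ip:}) or the new shape
# ({hostname:, ip:, ips: [...]}) and always returns the new shape.
def normalize_resolution(result)
  # Array(nil) is [], so a missing :ips key cannot raise here.
  ips = Array(result[:ips]).compact
  # Assumption: legacy responses carry only :ip; fold it into the list.
  ips = [result[:ip]] if ips.empty? && result[:ip]
  ips = ips.uniq
  { hostname: result[:hostname], ip: ips.first, ips: ips }
end

# One table row per resolved address, or a single failure row.
def resolution_rows(results)
  results.flat_map do |raw|
    r = normalize_resolution(raw)
    next [[r[:hostname], FAILED]] if r[:ips].empty?

    r[:ips].map { |ip| [r[:hostname], ip] }
  end
end

# Constructed sample input covering both shapes, resolved and unresolved.
SAMPLE = [
  { hostname: 'rapid7.com', ip: '108.156.39.19',
    ips: ['108.156.39.19', '108.156.39.105'] },
  { hostname: 'google.com', ip: '216.58.201.110' }, # legacy shape, no :ips
  { hostname: 'foo', ip: nil, ips: [] },            # new shape, unresolved
  { hostname: 'bar', ip: nil }                      # legacy shape, unresolved
].freeze

resolution_rows(SAMPLE).each { |host, ip| puts format('%-12s %s', host, ip) }
```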