Windows Manage Proxy Setting Cloner - Metasploit


This page contains detailed information about how to use the post/windows/manage/clone_proxy_settings metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.

Table Of Contents
hide

Module Overview

Name: Windows Manage Proxy Setting Cloner
Module: post/windows/manage/clone_proxy_settings
Source code: modules/post/windows/manage/clone_proxy_settings.rb
Disclosure date: -
Last modification time: 2021-10-06 13:43:31 +0000
Supported architecture(s): -
Supported platform(s): Windows
Target service / protocol: -
Target network port(s): -
List of CVEs: -

This module copies the proxy settings from the current user to the targeted user SID, supports remote hosts as well if remote registry is allowed.

Module Ranking and Traits

Module Ranking:

  • normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.

Basic Usage

There are two ways to execute this post module.

From the Meterpreter prompt

The first is by using the "run" command at the Meterpreter prompt. It allows you to run the post module against that specific session:

meterpreter > run post/windows/manage/clone_proxy_settings

From the msf prompt

The second is by using the "use" command at the msf prompt. You will have to figure out which session ID to set manually. To list all session IDs, you can use the "sessions" command.

msf > use post/windows/manage/clone_proxy_settings
msf post(clone_proxy_settings) > show options
    ... show and set options ...
msf post(clone_proxy_settings) > set SESSION session-id
msf post(clone_proxy_settings) > exploit

If you wish to run the post against all sessions from framework, here is how:

1 - Create the following resource script:


framework.sessions.each_pair do |sid, session|
  run_single("use post/windows/manage/clone_proxy_settings")
  run_single("set SESSION #{sid}")
  run_single("run")
end

2 - At the msf prompt, execute the above resource script:

msf > resource path-to-resource-script

Required Options

  • SESSION: The session to run this module on.

Go back to menu.

Msfconsole Usage

Here is how the windows/manage/clone_proxy_settings post exploitation module looks in the msfconsole:

msf6 > use post/windows/manage/clone_proxy_settings

msf6 post(windows/manage/clone_proxy_settings) > show info

       Name: Windows Manage Proxy Setting Cloner
     Module: post/windows/manage/clone_proxy_settings
   Platform: Windows
       Arch: 
       Rank: Normal

Provided by:
  mubix <[email protected]>

Compatible session types:
  Meterpreter

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  RHOST                     no        Remote host to clone settings to, defaults to local
  SESSION                   yes       The session to run this module on.
  SID      S-1-5-18         no        SID of user to clone settings to, defaults to SYSTEM

Description:
  This module copies the proxy settings from the current user to the 
  targeted user SID, supports remote hosts as well if remote registry 
  is allowed.

Module Options

This is a complete list of options available in the windows/manage/clone_proxy_settings post exploitation module:

msf6 post(windows/manage/clone_proxy_settings) > show options

Module options (post/windows/manage/clone_proxy_settings):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST                     no        Remote host to clone settings to, defaults to local
   SESSION                   yes       The session to run this module on.
   SID      S-1-5-18         no        SID of user to clone settings to, defaults to SYSTEM

Advanced Options

Here is a complete list of advanced options supported by the windows/manage/clone_proxy_settings post exploitation module:

msf6 post(windows/manage/clone_proxy_settings) > show advanced

Module advanced options (post/windows/manage/clone_proxy_settings):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   VERBOSE    false            no        Enable detailed status messages
   WORKSPACE                   no        Specify the workspace for this module

Post Actions

This is a list of all post exploitation actions which the windows/manage/clone_proxy_settings module can do:

msf6 post(windows/manage/clone_proxy_settings) > show actions

Post actions:

   Name  Description
   ----  -----------

Evasion Options

Here is the full list of possible evasion options supported by the windows/manage/clone_proxy_settings post exploitation module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):

msf6 post(windows/manage/clone_proxy_settings) > show evasion

Module evasion options:

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Go back to menu.

Error Messages

This module may fail with the following error messages:

Error Messages

Check for the possible causes from the code snippets below found in the module source code. This can often times help in identifying the root cause of the problem.

Setting: No proxy settings

Here is a relevant code snippet related to the "Setting: No proxy settings" error message:

30:	
31:	  def parse_settings(data)
32:	    print_status "\tProxy Counter = #{(data[4, 1].unpack('C*'))[0]}"
33:	    case (data[8, 1].unpack('C*'))[0]
34:	    when 1
35:	      print_status "\tSetting: No proxy settings"
36:	    when 3
37:	      print_status "\tSetting: Proxy server"
38:	    when 5
39:	      print_status "\tSetting: Set proxy via AutoConfigure script"
40:	    when 7

Unable to contact remote registry service on <RHOST>

Here is a relevant code snippet related to the "Unable to contact remote registry service on <RHOST>" error message:

67:	  def target_settings(dst_root_key, dst_base_key)
68:	    if datastore['RHOST']
69:	      begin
70:	        dst_key = session.sys.registry.open_remote_key(datastore['RHOST'], dst_root_key)
71:	      rescue ::Rex::Post::Meterpreter::RequestError
72:	        print_error("Unable to contact remote registry service on #{datastore['RHOST']}")
73:	        print_status("Attempting to start service remotely...")
74:	        begin
75:	          service_start('RemoteRegistry', datastore['RHOST'])
76:	        rescue
77:	          print_error('Unable to read registry or start the service, exiting...')

Unable to read registry or start the service, exiting...

Here is a relevant code snippet related to the "Unable to read registry or start the service, exiting..." error message:

72:	        print_error("Unable to contact remote registry service on #{datastore['RHOST']}")
73:	        print_status("Attempting to start service remotely...")
74:	        begin
75:	          service_start('RemoteRegistry', datastore['RHOST'])
76:	        rescue
77:	          print_error('Unable to read registry or start the service, exiting...')
78:	          return
79:	        end
80:	        startedreg = true
81:	        dst_key = session.sys.registry.open_remote_key(datastore['RHOST'], dst_root_key)
82:	      end

No reason to copy the settings on top of themselves, please set a SID or/and RHOST

Here is a relevant code snippet related to the "No reason to copy the settings on top of themselves, please set a SID or/and RHOST" error message:

96:	    parse_settings(dst_data)
97:	  end
98:	
99:	  def run
100:	    if datastore['SID'] == "" and !datastore['RHOST']
101:	      print_error('No reason to copy the settings on top of themselves, please set a SID or/and RHOST')
102:	      return
103:	    end
104:	
105:	    # Pull current user's settings
106:	    src_root_key, src_base_key = session.sys.registry.splitkey("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections")

Unable to contact remote registry service on <RHOST>

Here is a relevant code snippet related to the "Unable to contact remote registry service on <RHOST>" error message:

124:	
125:	    if datastore['RHOST']
126:	      begin
127:	        dst_key = session.sys.registry.open_remote_key(datastore['RHOST'], dst_root_key)
128:	      rescue ::Rex::Post::Meterpreter::RequestError
129:	        print_error("Unable to contact remote registry service on #{datastore['RHOST']}")
130:	        print_status("Attempting to start service remotely...")
131:	        begin
132:	          service_start('RemoteRegistry', datastore['RHOST'])
133:	        rescue
134:	          print_error('Unable to read registry or start the service, exiting...')

Unable to read registry or start the service, exiting...

Here is a relevant code snippet related to the "Unable to read registry or start the service, exiting..." error message:

129:	        print_error("Unable to contact remote registry service on #{datastore['RHOST']}")
130:	        print_status("Attempting to start service remotely...")
131:	        begin
132:	          service_start('RemoteRegistry', datastore['RHOST'])
133:	        rescue
134:	          print_error('Unable to read registry or start the service, exiting...')
135:	          return
136:	        end
137:	        startedreg2 = true
138:	        dst_key = session.sys.registry.open_remote_key(datastore['RHOST'], dst_root_key)
139:	      end

Go back to menu.

Go back to menu.

See Also

Check also the following modules related to this module:

Authors

  • mubix

Version

This page has been produced using Metasploit Framework version 6.1.24-dev. For more modules, visit the Metasploit Module Library.

Go back to menu.