How can I trace/detect active meterpreter session?

**kazalku** · 02-21-2009, 10:43 AM

Well, it is very possible that a box can be exploited even from the other side of the world by using BT's power, few simple steps & with a proper brain (if you like to find out more about this, please look for the thread "Metasploiting for BT3 - Reverse TCP" by phoenix910).

I know that, to prevent this from happening to my box, I have to keep my OS up-to-date, get a decent firewall, avoid clicking untrusted exe files etc etc etc......

So, that's prevention, but is there any 'cure action’ for this? That means from an IT security personnel's point of view:
1) Is it possible to trace/detect that 'Box XP/2000/Vista' has already been compromised and is NOW connected to another box having an IP of xx:xx:xxx:xxx?
2a) If the answer is 'Yes', then can anyone please mention few of the tools that can be used to do the job.
2b) And how the malicious (?) file can be detached from the system file & remove?
3) If the answer is 'No' (which I think most unlikely), is it possible to detect the attack before migrating the reverse connector exe file?

Hope that my query is clear. Thank you very much for your time. Any idea is appreciated.

**thorin** · 02-23-2009, 02:39 PM

Originally Posted by kazalku

Well, it is very possible that a box can be exploited even from the other side of the world by using BT's power, few simple steps & with a proper brain (if you like to find out more about this, please look for the thread "Metasploiting for BT3 - Reverse TCP" by phoenix910).

I know that, to prevent this from happening to my box, I have to keep my OS up-to-date, get a decent firewall, avoid clicking untrusted exe files etc etc etc......

So, that's prevention, but is there any 'cure action’ for this? That means from an IT security personnel's point of view:
1) Is it possible to trace/detect that 'Box XP/2000/Vista' has already been compromised and is NOW connected to another box having an IP of xx:xx:xxx:xxx?
2a) If the answer is 'Yes', then can anyone please mention few of the tools that can be used to do the job.

netstat.

2b) And how the malicious (?) file can be detached from the system file & remove?

Using netstat you can list the PID or process which is controlling the connection and then go remove the executable. You could also check the registry, or msconfig (startup items), services.msc, etc.

The biggest problem would be identifying the vulnerability which was exploited to gain access to/control over the box. However, in general lacking OS updates are usually the culprit.

**kazalku** · 02-23-2009, 11:25 PM

Thank you so much thorin. Now I have something to start with.

I'll get back to you if I get stuck...

**kazalku** · 02-25-2009, 07:50 PM

Netstat is great..working perfectly... no problem at all
Thanks a lot

**samer** · 03-08-2009, 02:07 PM

hi every one
if i have used netstat and detect that i am connecting to a port 5555
their is any method to stop that port from use (disable that port ;cut the connection with it) using the command line in xp/vista and the console with linux ??

**KMDave** · 03-08-2009, 02:26 PM

Originally Posted by samer

hi every one
if i have used netstat and detect that i am connecting to a port 5555
their is any method to stop that port from use (disable that port ;cut the connection with it) using the command line in xp/vista and the console with linux ??

Check out iptables on Linux

**kazalku** · 03-08-2009, 02:52 PM

Originally Posted by samer

hi every one
if i have used netstat and detect that i am connecting to a port 5555
their is any method to stop that port from use (disable that port ;cut the connection with it) using the command line in xp/vista and the console with linux ??

For XP/Vista I'm using Netstat Agent that has GUI... So, it's simply right click on that connection & select 'Terminate the connection'.... I'll have a look at linux konsole command.......

**BadKarmaPR** · 03-09-2009, 05:56 AM

I would also suggest running:

Code:

tasklist /m

this will show you the dll's loaded in each process and look for the meterpreter dll. Another good tool are the pstools from Microsoft/Winternals and ProcessExplorer from Microsoft/Winternals to see the dll's loaded by the processes and for performing searches.

**thorin** · 03-10-2009, 03:24 PM

Originally Posted by BadKarmaPR

I would also suggest running:

Code:

tasklist /m

this will show you the dll's loaded in each process and look for the meterpreter dll. Another good tool are the pstools from Microsoft/Winternals and ProcessExplorer from Microsoft/Winternals to see the dll's loaded by the processes and for performing searches.

Or checkout ProcessExplorer it can show you all the DLLs, all open files, all hooks, reg keys, etc

**BadKarmaPR** · 03-10-2009, 10:16 PM

Originally Posted by thorin

Or checkout ProcessExplorer it can show you all the DLLs, all open files, all hooks, reg keys, etc

as you can see in the quote I did mention procesexplorer

I'm more of a command shell guy my self, pstools also has tools for looking at the dll's loaded and can be scripted to run against several machines.

BackTrack Linux - Penetration Testing Distribution

Thread: How can I trace/detect active meterpreter session?

Thread Tools

Search Thread

Display

How can I trace/detect active meterpreter session?

Posting Permissions