Page 1 of 2 (results 1 to 10 of 12)

Thread: How can I trace/detect active meterpreter session?

  1. #1
    Member kazalku's Avatar
    Join Date
    Feb 2009
    Posts
    416

    Default How can I trace/detect active meterpreter session?

    Well, it is very possible that a box can be exploited even from the other side of the world by using BT's power, a few simple steps and a proper brain (if you would like to find out more about this, please look for the thread "Metasploiting for BT3 - Reverse TCP" by phoenix910).

    I know that, to prevent this from happening to my box, I have to keep my OS up to date, get a decent firewall, avoid clicking untrusted exe files, etc.

    So, that's prevention, but is there any 'cure action' for this? That means, from an IT security person's point of view:
    1) Is it possible to trace/detect that 'Box XP/2000/Vista' has already been compromised and is NOW connected to another box with an IP of xx:xx:xxx:xxx?
    2a) If the answer is 'Yes', then can anyone please mention a few of the tools that can be used to do the job?
    2b) And how can the malicious (?) file be detached from the system file and removed?
    3) If the answer is 'No' (which I think is most unlikely), is it possible to detect the attack before the reverse connector exe file is migrated?

    Hope that my query is clear. Thank you very much for your time. Any idea is appreciated.

  2. #2
    My life is this forum thorin's Avatar
    Join Date
    Jan 2010
    Posts
    2,629

    Default

    Quote Originally Posted by kazalku View Post
    Well, it is very possible that a box can be exploited even from the other side of the world by using BT's power, a few simple steps and a proper brain (if you would like to find out more about this, please look for the thread "Metasploiting for BT3 - Reverse TCP" by phoenix910).

    I know that, to prevent this from happening to my box, I have to keep my OS up to date, get a decent firewall, avoid clicking untrusted exe files, etc.

    So, that's prevention, but is there any 'cure action' for this? That means, from an IT security person's point of view:
    1) Is it possible to trace/detect that 'Box XP/2000/Vista' has already been compromised and is NOW connected to another box with an IP of xx:xx:xxx:xxx?
    2a) If the answer is 'Yes', then can anyone please mention a few of the tools that can be used to do the job?
    netstat.
    2b) And how can the malicious (?) file be detached from the system file and removed?
    Using netstat you can list the PID or process which is controlling the connection and then go and remove the executable. You could also check the registry, msconfig (startup items), services.msc, etc.

    The biggest problem would be identifying the vulnerability which was exploited to gain access to/control over the box. However, in general, a lack of OS updates is usually the culprit.
    I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.

    I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.

  3. #3
    Member kazalku's Avatar
    Join Date
    Feb 2009
    Posts
    416

    Default

    Thank you so much thorin. Now I have something to start with.
    I'll get back to you if I get stuck...

  4. #4
    Member kazalku's Avatar
    Join Date
    Feb 2009
    Posts
    416

    Default

    Netstat is great, working perfectly, no problem at all.
    Thanks a lot.

  5. #5
    Member
    Join Date
    Jun 2008
    Posts
    56

    Default

    Hi everyone,
    if I have used netstat and detected that I am connected to port 5555,
    is there any method to stop that port from being used (disable that port; cut the connection to it) using the command line in XP/Vista and the console in Linux?

  6. #6
    Moderator KMDave's Avatar
    Join Date
    Jan 2010
    Posts
    2,281

    Default

    Quote Originally Posted by samer View Post
    Hi everyone,
    if I have used netstat and detected that I am connected to port 5555,
    is there any method to stop that port from being used (disable that port; cut the connection to it) using the command line in XP/Vista and the console in Linux?
    Check out iptables on Linux.
    Tiocfaidh ár lá
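Editor's added example (not code from any post in this thread) covering thorin's netstat-then-PID approach in #2 and samer's "cut the connection" question answered in #6: a Python script that parses netstat output from both platforms, keeps only ESTABLISHED connections whose remote address is outside RFC1918/loopback/link-local space, reports the owning PID, and prints the identification and containment commands for that platform (tasklist/taskkill plus an outbound netsh advfirewall rule on Vista, kill plus an iptables REJECT rule on Linux). The netstat samples below are constructed, the PIDs, program names and the 203.0.113.7:5555 remote endpoint are assumptions, and the script itself runs no commands, it only builds them. Two caveats worth keeping in mind: Meterpreter's default reverse_tcp port is 4444 but any port can be used, so the script does not filter on port; and Windows XP's built-in firewall does not filter outbound traffic, so on XP killing the process is the only local option.

```python
"""Find established outbound connections in netstat output and build the
commands to identify and cut them. Added example; all samples are constructed."""
import ipaddress
import re

# Constructed sample of `netstat -ano` on Windows XP/Vista (assumed PIDs).
WINDOWS_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       888
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:1045      192.168.1.1:445        ESTABLISHED     4
  TCP    192.168.1.10:1052      203.0.113.7:5555       ESTABLISHED     1832
  TCP    192.168.1.10:1060      198.51.100.20:80       ESTABLISHED     2204
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed sample of `netstat -tnp` on Linux, run as root so PIDs are shown.
LINUX_NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 10.0.0.5:22             10.0.0.9:51412          ESTABLISHED 1201/sshd: bob
tcp        0      0 10.0.0.5:43210          203.0.113.7:5555        ESTABLISHED 2750/updater
"""

# Ranges treated as "internal". ipaddress's is_private() is deliberately not used:
# it also classifies the documentation ranges used in these samples
# (203.0.113.0/24, 198.51.100.0/24) as private and would hide the findings.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]

WIN_RE = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+ESTABLISHED\s+(\d+)\s*$")
LINUX_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s+ESTABLISHED\s+(\d+)/(.*)$")


def split_endpoint(endpoint):
    """'192.168.1.10:1052' -> ('192.168.1.10', 1052); also strips IPv6 brackets."""
    host, port = endpoint.rsplit(":", 1)
    return host.strip("[]"), int(port)


def is_internal(host):
    addr = ipaddress.ip_address(host)
    # 'in' returns False for a version mismatch (v4 address vs v6 network).
    return any(addr in net for net in INTERNAL_NETS)


def find_outbound(netstat_text, platform, include_internal=False):
    """Return ESTABLISHED connections to non-internal peers, with the owning PID."""
    rx = WIN_RE if platform == "windows" else LINUX_RE
    findings = []
    for line in netstat_text.splitlines():
        m = rx.match(line)
        if not m:
            continue
        local, remote = split_endpoint(m.group(1)), split_endpoint(m.group(2))
        if not include_internal and is_internal(remote[0]):
            continue
        findings.append({
            "platform": platform, "local": local, "remote": remote,
            "pid": int(m.group(3)),
            "program": m.group(4).strip() if platform == "linux" else None,
        })
    return findings


def containment_commands(finding):
    """Commands to identify the process, kill it, and block the peer (built, not run)."""
    ip, port = finding["remote"]
    pid = finding["pid"]
    if finding["platform"] == "windows":
        return [
            'tasklist /FI "PID eq %d"' % pid,          # which image owns the socket
            "taskkill /PID %d /F" % pid,               # works on XP and Vista
            # Vista+ only: XP's firewall has no outbound filtering.
            'netsh advfirewall firewall add rule name="block %s" dir=out '
            'action=block protocol=TCP remoteip=%s remoteport=%d' % (ip, ip, port),
        ]
    return [
        "ls -l /proc/%d/exe" % pid,                    # path of the running binary
        "kill -9 %d" % pid,
        # -I OUTPUT 1 puts the REJECT ahead of any "--state ESTABLISHED -j ACCEPT" rule.
        "iptables -I OUTPUT 1 -d %s -p tcp --dport %d -j REJECT" % (ip, port),
    ]


if __name__ == "__main__":
    for text, platform in ((WINDOWS_NETSTAT, "windows"), (LINUX_NETSTAT, "linux")):
        for f in find_outbound(text, platform):
            print("%s: PID %d %s -> %s:%d" % (platform, f["pid"], f["program"] or "",
                                              f["remote"][0], f["remote"][1]))
            for cmd in containment_commands(f):
                print("    " + cmd)
```

Note that the Windows sample also flags PID 2204 talking to 198.51.100.20:80, which is what an ordinary browser session looks like; netstat alone cannot tell that apart from a reverse shell on port 80, which is why the PID is then checked against the process and its loaded modules as suggested later in the thread.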

  7. #7
    Member kazalku's Avatar
    Join Date
    Feb 2009
    Posts
    416

    Default

    Quote Originally Posted by samer View Post
    Hi everyone,
    if I have used netstat and detected that I am connected to port 5555,
    is there any method to stop that port from being used (disable that port; cut the connection to it) using the command line in XP/Vista and the console in Linux?
    For XP/Vista I'm using Netstat Agent, which has a GUI, so it's simply right-click on that connection and select 'Terminate the connection'. I'll have a look at the Linux console command.

  8. #8

    Default

    I would also suggest running:
    Code:
    tasklist /m
    This will show you the DLLs loaded in each process; look for the meterpreter DLL. Other good tools are the PsTools from Microsoft/Winternals and Process Explorer from Microsoft/Winternals, to see the DLLs loaded by the processes and for performing searches.

  9. #9
    My life is this forum thorin's Avatar
    Join Date
    Jan 2010
    Posts
    2,629

    Default

    Quote Originally Posted by BadKarmaPR View Post
    I would also suggest running:
    Code:
    tasklist /m
    This will show you the DLLs loaded in each process; look for the meterpreter DLL. Other good tools are the PsTools from Microsoft/Winternals and Process Explorer from Microsoft/Winternals, to see the DLLs loaded by the processes and for performing searches.
    Or check out Process Explorer; it can show you all the DLLs, all open files, all hooks, reg keys, etc.

  10. #10

    Default

    Quote Originally Posted by thorin View Post
    Or check out Process Explorer; it can show you all the DLLs, all open files, all hooks, reg keys, etc.
    As you can see in the quote, I did mention Process Explorer.

    I'm more of a command shell guy myself; PsTools also has tools for looking at the DLLs loaded and can be scripted to run against several machines.
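Editor's added example (not code from BadKarmaPR's or thorin's posts) for the `tasklist /m` step in #8 and #10: a Python parser for the `tasklist /m` listing, which wraps each process's module list over several indented continuation lines, followed by a check of the loaded modules against the Meterpreter module names (metsrv.dll and the ext_server_*.dll extensions). The listing below is constructed and the PIDs match the constructed netstat sample earlier in the thread; the image names and module lists are assumptions. One caveat a practitioner should know: current Meterpreter stages load metsrv with reflective DLL injection, which never registers the module in the process's loader list, so `tasklist /m`, ListDLLs and Process Explorer's DLL view will not show it. A hit here is conclusive; a miss is not, and the netstat-identified PID still needs to be examined by other means.

```python
"""Parse `tasklist /m` output and flag processes that have Meterpreter modules
loaded. Added example; the listing is constructed, not captured from a host."""
import re

# Constructed `tasklist /m` output; PIDs 1832 and 2204 are the ones netstat flagged.
TASKLIST_M = """\
Image Name                     PID Modules
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
svchost.exe                   1832 ntdll.dll, kernel32.dll, ADVAPI32.dll,
                                   RPCRT4.dll, WS2_32.dll, metsrv.dll,
                                   ext_server_stdapi.dll
iexplore.exe                  2204 ntdll.dll, kernel32.dll, USER32.dll,
                                   WININET.dll, ws2_32.dll
"""

# Module names Meterpreter uses when it is loaded through the normal loader
# (compared case-insensitively). Reflectively injected copies never show up.
METERPRETER_MODULES = {"metsrv.dll", "ext_server_stdapi.dll", "ext_server_priv.dll"}

# Image name may contain spaces, so match non-greedily up to the PID column.
HEADER_RE = re.compile(r"^(?P<image>.+?)\s+(?P<pid>\d+)\s+(?P<mods>.*)$")


def _split_modules(field):
    return [m.strip() for m in field.split(",") if m.strip() and m.strip() != "N/A"]


def parse_tasklist(text):
    """Return {pid: {"image": name, "modules": [dll, ...]}}."""
    procs = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("Image Name") or raw.startswith("="):
            continue
        if raw[0].isspace():
            # Indented line: continuation of the previous process's module list.
            if current is not None:
                procs[current]["modules"].extend(_split_modules(raw))
            continue
        m = HEADER_RE.match(raw)
        if not m:
            continue
        current = int(m.group("pid"))
        procs[current] = {"image": m.group("image").strip(),
                          "modules": _split_modules(m.group("mods"))}
    return procs


def find_meterpreter_modules(procs):
    """{pid: [matching module names]} for processes with a known Meterpreter DLL."""
    hits = {}
    for pid, info in procs.items():
        found = [m for m in info["modules"] if m.lower() in METERPRETER_MODULES]
        if found:
            hits[pid] = found
    return hits


def modules_for(procs, pid):
    return procs.get(pid, {}).get("modules", [])


def triage(procs, suspect_pids):
    """For PIDs flagged by netstat, say what the module list does and does not prove."""
    report = {}
    hits = find_meterpreter_modules(procs)
    for pid in suspect_pids:
        image = procs.get(pid, {}).get("image", "<not in tasklist>")
        if pid in hits:
            report[pid] = "%s: Meterpreter modules loaded: %s" % (image, ", ".join(hits[pid]))
        else:
            report[pid] = ("%s: no known Meterpreter module in loader list; "
                           "may still be reflectively loaded, inspect further" % image)
    return report


if __name__ == "__main__":
    procs = parse_tasklist(TASKLIST_M)
    for pid, line in triage(procs, [1832, 2204]).items():
        print("PID %d -> %s" % (pid, line))
```

To narrow the live listing to the PID netstat gave you, `tasklist /M /FI "PID eq 1832"` combines the module view with a PID filter; the parser above accepts that output unchanged.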
