
Thread: Metasploit exploration question

  1. #1


    Hey guys, just the other day I decided to do a bit of exploration in Metasploit. It was something I had avoided up until this moment. Anyhow, the best way to learn is to have a bit of a play around, so I decided to do so. I have two PCs sitting side by side, one running Windows Vista, which was also the one I booted BackTrack on, and the other running Ubuntu and Windows XP. I booted into Windows XP, because it has the VNC server and viewer installed. Then I went into BackTrack on this PC and tried a VNC exploit where I wait for the connection. Here is where I got a bit confused. The default port for listening was port 4444. What I would like to know is - do I need to open this port on BackTrack and then try and connect to BackTrack from the other PC, or do I need to change this port to the default for VNC - 5900, and then try and connect from the XP computer? Or am I missing something completely? I did read in one of the other threads about creating a malicious web page - I am assuming that's not applicable with the VNC exploits, but I could be wrong. Any ideas? Thanks, and if you could point me towards further reading/tutorials that would be cool too. I just need a little something to start on, and then I can teach myself the rest with ease. Thanks, guys.

    -Stephen

  2. #2
    Developer
    Join Date
    Mar 2007
    Posts
    6,126


    It would help if I knew what exploit you were referring to.

  3. #3


    Sorry Purehate, you have a point there. It is the Client Buffer Overflow RealVNC 3.3.7.

    -Stephen

  4. #4
    thorin (My life is this forum)
    Join Date
    Jan 2010
    Posts
    2,629


    Default port of 4444 was target or attacker?

    You can tell which port VNC is listening on, on the target using netstat -a (locally) or nmap (remotely).
    I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.

    I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.

  5. #5
    imported_spankdidly (Senior Member)
    Join Date
    Feb 2006
    Posts
    1,031


    This is a good video to check out just to see how everything works. I believe this is an older version of Metasploit, but same concept.

    http://www.irongeek.com/i.php?page=videos/metasploit1
    I felt like bending the bars back, and ripping out the window frames and eating them. yes, eating them! Leaping, leaping, leaping! Colonics for everyone! All right! You dumb*sses. I'm a mental patient. I'm *supposed* to act out!

  6. #6
    Developer
    Join Date
    Mar 2007
    Posts
    6,126


    Quote Originally Posted by phoenix910:
    Sorry Purehate, you have a point there. It is the Client Buffer Overflow RealVNC 3.3.7.

    -Stephen
    So I'm going to assume you realize that the victim computer must have RealVNC 3.3.7. running on it?

    Also, just because the exploit is for VNC, that does not automatically mean you will get VNC control. Now naturally you would try that payload first, but if it doesn't work, well then keep trying. Normally only one or two of the payloads will work on any given exploit.

  7. #7
    imported_spankdidly (Senior Member)
    Join Date
    Feb 2006
    Posts
    1,031


    Reverse Shell is the only thing that has worked for me.

    Then I run this http://www.tburke.net/info/misc/vnc_remote.htm
    Or something close to that. I have it all nicely wrapped into a batch file. Just upload, run the batch file, then you've got a VNC server to connect to. The only downside is that on some machines, the VNC server will show up in the taskbar on the bottom right. Or sometimes there is a space there but no icon. When you hover the mouse over it, it says VNC. So it's not "really" hidden. But the install is pretty silent.

    Or this article http://wiki.hak5.org/wiki/Remotely_Install_VNC

  8. #8
    Developer
    Join Date
    Mar 2007
    Posts
    6,126


    Quote Originally Posted by spankdidly:
    Reverse Shell is the only thing that has worked for me.

    Then I run this http://www.tburke.net/info/misc/vnc_remote.htm
    Or something close to that. I have it all nicely wrapped into a batch file. Just upload, run the batch file, then you've got a VNC server to connect to. The only downside is that on some machines, the VNC server will show up in the taskbar on the bottom right. Or sometimes there is a space there but no icon. When you hover the mouse over it, it says VNC. So it's not "really" hidden. But the install is pretty silent.

    Or this article http://wiki.hak5.org/wiki/Remotely_Install_VNC
    The way to get around that is, when you are building the backdoor/VNC on a Windows machine, you install it first and delete that key out of the registry. Then rebuild the program, put it in a batch file with a listen command and then connect with Metasploit. I could do a write-up on building a VNC backdoor from scratch, but it must be done in Windows because it must be installed to delete the registry keys to make it invisible. If you set the file to run at startup, the next time the machine is turned on it is running. Much more invisible than that Hak5 article.

  9. #9


    Quote Originally Posted by purehate:
    So I'm going to assume you realize that the victim computer must have RealVNC 3.3.7. running on it?

    Also, just because the exploit is for VNC, that does not automatically mean you will get VNC control. Now naturally you would try that payload first, but if it doesn't work, well then keep trying. Normally only one or two of the payloads will work on any given exploit.
    Yeah, I did realise that, but my main problem was just in the fact that I know that VNC is listening on port 5900 on the other PC, and I was trying to do a reverse shell, so that from the other PC I could attempt to connect to my BackTrack one, at which stage it receives a connection and then launches the exploit. But would I have to change Metasploit's default port for receiving connections then from 4444 to 5900 as well?

    And to all the others who have posted links, thank you, I shall have a look soon enough.

    -Stephen

  10. #10
    Developer
    Join Date
    Mar 2007
    Posts
    6,126


    No, the port on the attack machine is whatever the default is unless you change it.
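An added illustration, not from any poster in this thread, of thorin's netstat check (#4) and purehate's point (#10) that the handler port belongs to the attacking machine: on the XP target the VNC service is what LISTENS on 5900, while a reverse-connect session shows up there as an outbound ESTABLISHED connection to the handler's port (4444 by default), so nothing on the target has to move to 5900. The netstat output and the addresses below are constructed.

```python
import re
from collections import namedtuple

# Constructed sample of Windows `netstat -an` output on the XP target
# (192.168.1.20) with the BackTrack box at 192.168.1.10; not from the thread.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5900           0.0.0.0:0              LISTENING
  TCP    192.168.1.20:5900      192.168.1.10:49322     ESTABLISHED
  TCP    192.168.1.20:49501     192.168.1.10:4444      ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

Conn = namedtuple("Conn", "proto local_ip local_port remote_ip remote_port state")
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)(?:\s+(\S+))?\s*$")


def parse_netstat(text):
    """Turn netstat -an lines into Conn tuples; header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, lip, lport, rip, rport, state = m.groups()
        rport = int(rport) if rport.isdigit() else None  # UDP shows '*:*'
        conns.append(Conn(proto, lip, int(lport), rip, rport, state or ""))
    return conns


def listening_tcp_ports(conns):
    """Service ports this host accepts connections on (5900 is the VNC server)."""
    return sorted({c.local_port for c in conns
                   if c.proto == "TCP" and c.state == "LISTENING"})


def outbound_sessions(conns):
    """ESTABLISHED sessions this host initiated: the local end is an ephemeral
    port, not one of its listening ports. A reverse-connect payload appears
    here with remote_port equal to the handler's port, 4444 by default; the
    inbound VNC viewer session on 5900 is deliberately not included."""
    listening = set(listening_tcp_ports(conns))
    return [c for c in conns
            if c.proto == "TCP" and c.state == "ESTABLISHED"
            and c.local_port not in listening]
```

From the defender's side, `outbound_sessions` is the list worth reviewing: a workstation with an established connection to an unexpected host on a port like 4444 is the footprint of exactly the reverse handler the thread discusses.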
