
Thread: Metasploit and NAT

  1. #1
    Just burned his ISO
    Join Date
    Jan 2008
    Posts
    3

    Default Metasploit and NAT

    I have a test Windows 2000 server on my local LAN on which I can easily get a command shell using Metasploit Framework 3. If I take my attacking laptop off the LAN and come in remotely on the same port (port 80) through my firewall, the exploit always fails saying "exploit completed, but no session was created".

    I have created a port forward on my remote firewall to forward the designated LPORT to the internal private IP of my attacking PC. And my firewall on the test LAN has port 80 open and accessible to the test victim.

    Any ideas what I am doing wrong?

    Thanks for any help

  2. #2
    Member
    Join Date
    Dec 2007
    Location
    @InterN0T
    Posts
    315

    Default

    I've experienced somehow... the same on LANs too :S On "world wide web" connections it worked fine, but somehow on LANs I did have some similar problems, but my problem was that the file was sent, but eh... It looked like it wasn't anyway :S And if it was, then it didn't execute probably maybe :S As the pentesting machine wasn't giving a shell

    I don't have a fix for it tho, sorry ;(
    "I realized that I had fallen down from the top of the mountain into a deep, terrifying and dark hole, just to find out that another mountain in front of me, much greater than the previous, was the next step in life. I began to wander uphill on the next mountain of life while I knew it would be much harder than the previous mountain." - MaXe

  3. #3
    Jenkem Addict imported_wyze
    Join Date
    Jul 2007
    Posts
    1,543

    Default

    Quote Originally Posted by whatthe?:
    I have a test Windows 2000 server on my local LAN on which I can easily get a command shell using Metasploit Framework 3. If I take my attacking laptop off the LAN and come in remotely on the same port (port 80) through my firewall, the exploit always fails saying "exploit completed, but no session was created".

    I have created a port forward on my remote firewall to forward the designated LPORT to the internal private IP of my attacking PC. And my firewall on the test LAN has port 80 open and accessible to the test victim.

    Any ideas what I am doing wrong?

    Thanks for any help
    Maybe use Wireshark to make sure the traffic is actually being routed correctly to the port? The router / firewall may be dropping the packets.
    dd if=/dev/swc666 of=/dev/wyze

  4. #4
    Just burned his ISO
    Join Date
    Jan 2008
    Posts
    3

    Default

    Thanks SWC666

    I have already sniffed traffic on the victim machine and can see that my remote attacking machine is indeed making a connection to it through the firewall on port 80.

    I have also verified that I can connect through my remote firewall (on the attacking side) via port 4444 (set as LPORT in the exploit). I ran a netcat listener on 4444 on my attacking PC and could connect to it on this port from my victim machine.

    Is there something about NAT or port forwarding that does not work with Metasploit?

  5. #5
    Senior Member streaker69
    Join Date
    Jan 2010
    Location
    Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
    Posts
    3,535

    Default

    Chances are, whatever 'sploit you're using doesn't understand dynamic port allocation.
    A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

  6. #6
    My life is this forum thorin
    Join Date
    Jan 2010
    Posts
    2,629

    Default

    Quote Originally Posted by whatthe?:
    If I take my attacking laptop off the LAN and come in remotely on the same port (port 80) through my firewall, the exploit always fails saying "exploit completed, but no session was created".

    I have created a port forward on my remote firewall to forward the designated LPORT to the internal private IP of my attacking PC.
    How can both of the underlined statements be true at the same time?
    I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.

    I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.

  7. #7
    Senior Member streaker69
    Join Date
    Jan 2010
    Location
    Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
    Posts
    3,535

    Default

    Quote Originally Posted by thorin:
    How can both of the underlined statements be true at the same time?
    /Central Computer from Judge Dredd.

    They cannot be, Judge McGruder
    A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

  8. #8
    Just burned his ISO
    Join Date
    Jan 2008
    Posts
    3

    Default

    The problem occurs when the victim and attacking PC are on separate LANs with separate private IP schemes. When I put them on the same LAN (i.e. no NAT, firewall, or internet between them) the sploit works like a charm.

  9. #9
    Developer
    Join Date
    Mar 2007
    Posts
    6,126

    Default

    Sounds like a tcp/ip protocol book is in your future.

  10. #10
    Junior Member
    Join Date
    Jul 2007
    Posts
    47

    Default

    I take it that when you are running it over the www you are putting your external IP for the LHOST and not your internal IP?

    I usually use the DMZ feature that most routers have now-a-days and place my local machine in that for the duration of the exploit.

    Or better still use a different 'PAYLOAD' - instead of a reverse shell use a bind shell - this way nothing has to come back to you, you just need to connect to the target on the port you specify - of course you need to use a port that the target's firewall is letting through, but a quick port scan should soon show you which port you can use (don't forget about UDP)
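To make the routing point from the last reply concrete, here is a small added example (constructed for this write-up; it is not code from the thread or from Metasploit) that models two NATed LANs and answers where a reverse payload's connect-back to a given LHOST:LPORT actually lands. The address ranges, router addresses and port-forward table are assumptions chosen to mirror the setup described in the thread.

```python
"""Where does a reverse connection land when the handler sits behind NAT?

Constructed model (not from the thread or Metasploit): a reverse payload
connects back to whatever LHOST/LPORT it was built with, so we trace that
connection through the routers between two private LANs.
"""
import ipaddress

# RFC 1918 ranges checked explicitly. (Python's is_private would also flag
# the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges used below.)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed topology. Each LAN: private range, its router's public address,
# and that router's port-forward (DNAT) table: public port -> (host, port).
LANS = {
    "attacker": {"net": ipaddress.ip_network("192.168.1.0/24"),
                 "public": ipaddress.ip_address("203.0.113.10"),
                 "forwards": {4444: (ipaddress.ip_address("192.168.1.50"), 4444)}},
    "victim": {"net": ipaddress.ip_network("10.0.0.0/24"),
               "public": ipaddress.ip_address("198.51.100.20"),
               "forwards": {80: (ipaddress.ip_address("10.0.0.5"), 80)}},
}


def lan_of(addr):
    """Name of the LAN whose private range contains addr, or None."""
    return next((name for name, lan in LANS.items() if addr in lan["net"]), None)


def deliver(src, dst, dport):
    """Endpoint a TCP connection from src to dst:dport reaches, or None."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if lan_of(src) is not None and lan_of(src) == lan_of(dst):
        return (dst, dport)  # same LAN: no NAT in the path, delivered directly
    if any(dst in net for net in RFC1918):
        return None  # private address: the Internet has no route to it
    for lan in LANS.values():  # public address: owning router applies DNAT
        if lan["public"] == dst:
            return lan["forwards"].get(dport)  # None if nothing forwards dport
    return None


def callback_reaches_listener(victim, lhost, lport, listener):
    """True if the victim's connect-back to lhost:lport lands on the handler."""
    return deliver(victim, lhost, lport) == (ipaddress.ip_address(listener[0]), listener[1])


if __name__ == "__main__":
    handler = ("192.168.1.50", 4444)  # listener on the attacker's LAN
    # LHOST = the laptop's private address: unroutable from the other LAN.
    print(callback_reaches_listener("10.0.0.5", "192.168.1.50", 4444, handler))  # False
    # LHOST = the attacker router's public address: the port forward delivers it.
    print(callback_reaches_listener("10.0.0.5", "203.0.113.10", 4444, handler))  # True
```

The same model shows why the LAN-only test in the thread worked: with both hosts in 192.168.1.0/24 the connect-back never crosses a router, so a private LHOST is fine there.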
