
Thread: identify the IP of the .exe payload


  1. #1
    Member
    Join Date
    Jun 2008
    Posts
    56

    Default identify the IP of the .exe payload

    Hi everyone,
    if we create a .exe payload (for example ...meterpreter/reverse_tcp... with LHOST=192.168.10.10...)
    with an output file in .exe format (suppose reverse.exe),

    is there any tool that can identify the IP address and the port number that is present in reverse.exe (in this case 192.168.0.10.10)

    WITHOUT executing it and typing netstat in the command prompt to see which port and IP we are connected to???
    Thanks

  2. #2
    Moderator KMDave's Avatar
    Join Date
    Jan 2010
    Posts
    2,281

    Default

    You could also use a firewall on the machine, start it and see which IP it tries to connect to.

    Besides that you could try a hex editor and look for the pattern. Create an executable file with an address you know and look for it. Might work, haven't tried it out yet.
    Tiocfaidh ár lá
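    The hex-editor pattern search suggested above can be automated. This is an added example, not code from the thread: it scans a file for the two `push imm32` instructions that an unencoded Metasploit x86 reverse_tcp stager uses to build its sockaddr_in (IPv4 in network order, then AF_INET plus the port), and decodes them. It assumes the stager is unencoded; an encoder such as shikata_ga_nai hides this pattern, and an unrelated pair of pushes can produce a false positive, so treat hits as leads to confirm.

```python
import re
import socket
import struct
import sys
from typing import List, Tuple

# Byte pattern of the address setup in the unencoded x86 reverse_tcp stager:
#   68 <4 bytes: IPv4, network byte order>        push imm32
#   68 02 00 <2 bytes: port, network byte order>  push imm32 (AF_INET=2, port)
# Assumption: unencoded stager; encoded payloads will not match.
_PUSH_SOCKADDR = re.compile(rb"\x68(.{4})\x68\x02\x00(.{2})", re.DOTALL)


def find_reverse_tcp_endpoints(data: bytes) -> List[Tuple[str, int]]:
    """Return every (ip, port) pair that matches the push/push pattern."""
    hits = []
    for m in _PUSH_SOCKADDR.finditer(data):
        ip = socket.inet_ntoa(m.group(1))            # 4 bytes, network order
        port = struct.unpack(">H", m.group(2))[0]    # big-endian 16-bit port
        hits.append((ip, port))
    return hits


def scan_file(path: str) -> List[Tuple[str, int]]:
    """Read a file without executing it and extract candidate endpoints."""
    with open(path, "rb") as f:
        return find_reverse_tcp_endpoints(f.read())


# Constructed sample (not a real executable): filler bytes around the
# fragment that pushes 192.168.10.10 and port 4444 (0x115c).
SAMPLE = (b"MZ" + b"\x90" * 32
          + b"\x68\xc0\xa8\x0a\x0a"      # push 192.168.10.10
          + b"\x68\x02\x00\x11\x5c"      # push AF_INET, port 4444
          + b"\xcc" * 16)

if __name__ == "__main__":
    results = scan_file(sys.argv[1]) if len(sys.argv) > 1 \
        else find_reverse_tcp_endpoints(SAMPLE)
    for ip, port in results:
        print(f"candidate endpoint: {ip}:{port}")
```

    Run it as `python scan.py reverse.exe`; with no argument it scans the constructed sample.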

  3. #3
    Member
    Join Date
    Nov 2007
    Posts
    220

    Default

    I presume the IP wouldn't be stored in the same way as variable strings? (ie the strings command?)
    wtf?

  4. #4
    Member hawaii67's Avatar
    Join Date
    Feb 2006
    Posts
    318

    Default

    A hex editor will not show anything like an IP address.
    You'll have to reverse the exe, e.g. with IDA Pro.
    Don't eat yellow snow :rolleyes:

  5. #5
    My life is this forum thorin's Avatar
    Join Date
    Jan 2010
    Posts
    2,629

    Default

    Open the exe in a text editor that supports RegEx and search for an IP pattern.

    Copy the exe to a *nix machine and use strings or grep on it.

    Edit: BAH....I missed the no execution part...however, I'm still leaving this in case someone needs the info in the future.
    Do a netstat -ab on the box it's running on to identify which executable is connected to which systems outside. (Note: netstat -ab is slow, but it'll work).
    I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.

    I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.

  6. #6
    Member imported_blackfoot's Avatar
    Join Date
    Jun 2007
    Posts
    386

    Default yes

    Yes, separate out the part of the header containing the ip addresses and convert from network encoding to see the information you need. The ip address will be in octets as you know.

    Use inet_ntoa

    If you are simply printing rather than storing you can print it directly as a string

    (Late edit: Apols if I misinterpreted...my solution is coming over the network...maybe the query relates to compiled code within the exe in which case you will need to reverse engineer)
    Lux sit

  7. #7
    Moderator
    Join Date
    Jan 2010
    Posts
    167

    Default

    Quote Originally Posted by samer View Post
    Hi everyone,
    if we create a .exe payload (for example ...meterpreter/reverse_tcp... with LHOST=192.168.10.10...)
    with an output file in .exe format (suppose reverse.exe),

    is there any tool that can identify the IP address and the port number that is present in reverse.exe (in this case 192.168.0.10.10)

    WITHOUT executing it and typing netstat in the command prompt to see which port and IP we are connected to???
    Thanks
    http://cwsandbox.org/?page=submit

    not sure but try it ...

    m-1-k-3

  8. #8
    Good friend of the forums
    Join Date
    Feb 2009
    Posts
    356

    Default

    Using the cwsandbox for that job is irresponsible, as you will be overloading their servers with such requests at the same time when all kinds of valid ones are sent to them... If you're going to use a sandbox to see the IP, why not just see the connection it makes in Wireshark, or netstat? Or the firewall, or whatever? Why create a whole new virtual environment at the sandbox site for the purpose?

  9. #9
    Moderator
    Join Date
    Jan 2010
    Posts
    167

    Default

    Quote Originally Posted by xorred View Post
    Using the cwsandbox for that job is irresponsible, as you will be overloading their servers with such requests at the same time when all kinds of valid ones are sent to them... If you're going to use a sandbox to see the IP, why not just see the connection it makes in Wireshark, or netstat? Or the firewall, or whatever? Why create a whole new virtual environment at the sandbox site for the purpose?
    just upload the file and they will analyse it for you! what are you talking about?

    m-1-k-3

  10. #10
    Member
    Join Date
    Feb 2010
    Location
    Root
    Posts
    121

    Default

    We could use wireshark or the likes, but he mentioned, without running the exe. I would use IDA to reverse it.
