I understand that Reverse_TCP generally uses port 4444/4445 by default, and only affects Windows XP (correct me if I'm wrong). What I am wondering is whether it is possible to take control of someone's computer that is truly remote, i.e. completely off of the internal network (LAN/WAN), say a friend's computer via their public IP address? (We're both on vacation and forgot to bring our homework we need to do.) He is using Windows Vista SP1 currently, but every time I try to Reverse_TCP it, I get an "exploit failed" error, even though it states it should work on Vista SP1.
If it is possible to do that, and we know his external IP address, does the RPORT have to be open, or does Reverse_TCP already check for that and attempt to fix it if it isn't? If the RPORT has to be open, are we able to Nmap his home PC (I presume this is possible) for open ports and set it to the RPORT, thus providing us with the open port that is a pre-req?
On a side note, is there a way for Nmap to scan for "STEALTHED" ports?