Thread: Disabling AV and firewall by meterpreter before reverse connection

  #1 | Just burned his ISO | Join Date: Feb 2010 | Posts: 3

    Disabling AV and firewall by meterpreter before reverse connection

    Hello

    Please, can you help me to solve this problem:

    I have antivirus and a firewall on the target machine, which runs Windows XP SP2. I encoded the meterpreter/reverse_tcp payload with msfencode to bypass the AV. That works great - the antivirus didn't catch anything. But the problem is the firewall. The firewall is configured to ask the user about all inbound and outbound network traffic. So when meterpreter tries to connect back to the attacker, it displays a window asking the user to allow or deny the communication. And if the user decides to deny it, no meterpreter session will be opened.

    Is it possible to execute the meterpreter script killav.rb after exploitation and before connecting back to the attacker? Or is there any other way to bypass the firewall?

    Thanks

  #2 | Super Moderator Archangel-Amael | Join Date: Jan 2010 | Location: Somewhere | Posts: 8,012

    Re: Disabling AV and firewall by meterpreter before reverse connection

    Turn the firewall off. Problem solved.
    To be successful here you should read all of the following.
    ForumRules
    ForumFAQ
    If you are new to Back|Track
    Back|Track Wiki
    Failure to do so will probably get your threads deleted or worse.

  #3 | Just burned his ISO | Join Date: Jul 2010 | Posts: 12

    Re: Disabling AV and firewall by meterpreter before reverse connection

    Quote Originally Posted by Archangel-Amael:
        Turn the firewall off. Problem solved.
    Hm. Your advice seemed to work for me...

  #4 | Just burned his ISO | Join Date: Feb 2010 | Posts: 3

    Re: Disabling AV and firewall by meterpreter before reverse connection

    It would be too easy... This is just a model situation. Let's say, I don't have physical access to the target computer. I only have remote access.

  #5 | Super Moderator Archangel-Amael | Join Date: Jan 2010 | Location: Somewhere | Posts: 8,012

    Re: Disabling AV and firewall by meterpreter before reverse connection

    Quote Originally Posted by ivo14:
        It would be too easy... This is just a model situation. Let's say, I don't have physical access to the target computer. I only have remote access.
    Well then hypothetically I would say you could be doing something that we won't discuss here. I would also say both hypothetically and literally, you should read up more about what you are doing.

  #6 | Moderator KMDave | Join Date: Jan 2010 | Posts: 2,281

    Re: Disabling AV and firewall by meterpreter before reverse connection

    Quote Originally Posted by ivo14:
        It would be too easy... This is just a model situation. Let's say, I don't have physical access to the target computer. I only have remote access.
    Well it is too easy.
    But if you are relying just on some "stupid scripts" making your "model situation" too easy you are out of luck.

    I as well doubt what you have in mind here.
    Tiocfaidh ár lá (Our day will come)

  #7 | Super Moderator lupin | Join Date: Jan 2010 | Posts: 2,943

    Re: Disabling AV and firewall by meterpreter before reverse connection

    Easily fixed: your initial payload just needs to make the necessary configuration changes to disable the firewall, or add a rule to allow the traffic you want to allow. Details of how this can be achieved will be firewall specific. Once you know how to do this, simply code something up in the appropriate format to make the change and run it as part of your exploit payload - either as part of the initial shellcode, or perhaps with something otherwise bound within the initial exploit file which can then be extracted and run. The options you have available will depend on the exploit you are using. Looks like you have some research ahead of you...

    You could also try something like this. Or you could make use of a program that's already allowed to communicate out via the firewall... *hint* reverse_http *hint*
    Capitalisation is important. It's the difference between "Helping your brother Jack off a horse" and "Helping your brother jack off a horse".

    The Forum Rules, Forum FAQ and the BackTrack Wiki... learn them, love them, live them.
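The configuration change lupin describes (a payload switching the host firewall off, or adding an allow rule for itself) is precisely the host activity a defender should be alerting on, whatever the payload's encoding does to the AV signature. The following detector is an added example for this thread; it is not code from the thread, from BackTrack or from Metasploit. It runs over a few constructed process-creation and registry-write log lines in an assumed `kind|host|user|image|details` format (hostname, username and file names are made up) and flags netsh firewall-context commands that change state, plus writes under the Windows Firewall policy registry branch, rating a write from a binary outside %SystemRoot% as high severity.

```python
import re
from dataclasses import dataclass

# Constructed sample telemetry (not from the thread). Assumed format:
#   kind|host|user|image|details
# kind is "proc" (details = command line) or "reg" (details = key=value).
SAMPLE_LOG = """\
proc|xp-ws01|alice|C:\\WINDOWS\\system32\\ipconfig.exe|ipconfig /all
proc|xp-ws01|alice|C:\\WINDOWS\\system32\\netsh.exe|netsh firewall show state
proc|xp-ws01|alice|C:\\WINDOWS\\system32\\netsh.exe|netsh firewall set opmode disable
proc|xp-ws01|alice|C:\\WINDOWS\\system32\\netsh.exe|netsh firewall add allowedprogram C:\\DOCUME~1\\alice\\update.exe update ENABLE
reg|xp-ws01|alice|C:\\DOCUME~1\\alice\\update.exe|HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\EnableFirewall=0
reg|xp-ws01|alice|C:\\WINDOWS\\explorer.exe|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden=1
"""

# netsh invoked in the firewall context with a verb that changes state;
# read-only verbs such as "show" are deliberately not matched.
NETSH_FIREWALL_CHANGE = re.compile(
    r"\bnetsh(?:\.exe)?\s+(?:firewall|advfirewall)\b.*?\b(set|add|delete|reset)\b",
    re.IGNORECASE,
)
# Registry branch holding Windows Firewall profile settings.
FIREWALL_POLICY_KEY = re.compile(
    r"\\SharedAccess\\Parameters\\FirewallPolicy\\", re.IGNORECASE
)
SYSTEM_ROOT = "c:\\windows\\"


@dataclass
class Alert:
    host: str
    user: str
    image: str
    reason: str
    severity: str
    evidence: str


def _severity(reason, image):
    """High when the firewall is switched off or reset, or when the acting
    binary lives outside %SystemRoot%; otherwise medium."""
    if "disabled" in reason or "'set'" in reason or "'reset'" in reason:
        return "high"
    if not image.lower().startswith(SYSTEM_ROOT):
        return "high"
    return "medium"


def detect(log_text):
    """Return one Alert per log line that changes firewall configuration."""
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        kind, host, user, image, details = raw.split("|", 4)
        reason = None
        if kind == "proc":
            m = NETSH_FIREWALL_CHANGE.search(details)
            if m:
                reason = f"netsh firewall '{m.group(1).lower()}' command"
        elif kind == "reg" and FIREWALL_POLICY_KEY.search(details):
            path, _, value = details.rpartition("=")
            if path.lower().endswith("\\enablefirewall") and value.strip() == "0":
                reason = "firewall disabled via registry"
            else:
                reason = "firewall policy registry write"
        if reason:
            alerts.append(Alert(host, user, image, reason,
                                _severity(reason, image), details))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"[{a.severity}] {a.host} {a.user} {a.reason}: {a.evidence}")
```

On the sample input the benign `ipconfig`, `netsh firewall show state` and Explorer registry lines produce nothing, while the three configuration changes each yield an alert; the same two patterns port directly to a SIEM rule over process-creation and registry-modification events, and the "non-system image touching FirewallPolicy" condition is the one that most reliably separates a dropped payload from an administrator.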

  #8 | Just burned his ISO | Join Date: Feb 2010 | Posts: 3

    Re: Disabling AV and firewall by meterpreter before reverse connection

    Quote Originally Posted by lupin:
        Easily fixed: your initial payload just needs to make the necessary configuration changes to disable the firewall, or add a rule to allow the traffic you want to allow. Details of how this can be achieved will be firewall specific. Once you know how to do this, simply code something up in the appropriate format to make the change and run it as part of your exploit payload - either as part of the initial shellcode, or perhaps with something otherwise bound within the initial exploit file which can then be extracted and run. The options you have available will depend on the exploit you are using. Looks like you have some research ahead of you...

        You could also try something like this. Or you could make use of a program that's already allowed to communicate out via the firewall... *hint* reverse_http *hint*
    It sounds useful, I'll try it...

    Thanks.
