I'm practicing wit metasploit. But yesterday i had some troubles. Let me say:
The target is my brother`s computer, a laptop with a XP home edition SP3 machine with Norton AV and Firewall. He knows that I'm exploiting.
Ok. I put a meterpreter/reverse_tcp_dns in a simple program and encode it 15 times with shikata encoder. It works fine, everything is ok.
But when i was post exploitation, the idea was to download a program that was already installed on the target, modify and encode it, and upload it. I did it but experimenting strange issues:
1) First, when i tried with msnmessenger exe I noticed that when the machine rebooted, if my multi handler was listening, no trouble happened, the messenger worked as usual and the meterpreter session was created. But if the target reboots and the multi handler is not listening, the messenger starts connecting and when it connects automatically closes killing his process. If I manually start it, happens the same.
I dont know why it is happening, if anyone knows and want to share it would very appreciated.
2) Other issue is when i try to introduce a payload (same) and encode it at Windows Media Player. Everything looks fine but when i try to manually start it at target, it opens but with no success at attacker machine (mine), no stage sent, no session open, the multi handler stills listening. When i see my modified media player it is 67 kB size but when i upload it, automatically changes from 67 to 63 kB.
Seems like Win os detects that the program was modified and automatically put a backup copy instead. No AV pop ups.
Why don't do that with msn messenger?Other question is: Why I can't introduce a payload and encode it with all executables I find? Why some? Shikata tells me Encoding unsuccesful. Is this an EXE file?
3) Last one, excuse me if the post is too long. This question is relative to timestomp. when I'm at meterpreter and have uid NT AUTHORITY\SYSTEM and retrieve timestomp -v C:\\"Documents and Settings"\\user\\file.txt, meterpreter begin a new line with no output.
Anyone can give me a clue?
Thank a lot for reading and for your patience,
Last edited by pentrite; 02-01-2011 at 11:42 PM.