karencho Posted November 8, 2016
Hello, I have installed a meterpreter payload on the victim's computer over the WAN. Now I want to know how to make meterpreter call back to multiple IPs; I always have a different IP address, using a VPS or public wifi... So how do I make meterpreter call back to the IP address that I am using now? Is that possible? And one more thing: when I install the payload on the victim's machine it calls me back perfectly, but if I install another payload on a different machine that is located on the same network as the first victim, will it call me back or will it conflict with the first one?
Decoy Posted November 8, 2016
You could probably use a service like DynDNS: https://dyn.com/dns This will allow you to use a hostname instead of an IP address. So if you don't have a static IP, something like this would be your best bet, I think. All you have to do is update your DNS service whenever your IP changes. You would also need to create your payload again, using the hostname as opposed to the IP.
karencho Posted November 8, 2016 Author
So you are saying: register at dyn.com/dns, create the payload using the dyn.com hostname, and that's it... then it will redirect to my IP address, yes? And when my IP changes I will change the records at dyn.com and it will automatically redirect to the new IP address? Did I get it right or wrong?
Decoy Posted November 8, 2016
No, that's exactly right. That's the purpose of having a service like that, for when you don't have a static IP. There are some more details here: https://help.dyn.com/remote-access/getting-started-with-remote-access/ There are some other alternatives that accept bitcoin and such if you're concerned about privacy: https://www.noip.com/ Also, I know there are some VPN services that offer port forwarding. So if you have AirVPN or something similar, you just connect to your VPN. Your payload would then point to the hostname/port provided by your VPN service. It's all a matter of preference.
karencho Posted November 8, 2016 Author
Port forwarding is not a problem. Thanks for the quick reply. Can you tell me one more thing: how can I make the meterpreter session call back to the host for 12-15 hours? Is that possible? Because by default it calls back for 15-20 minutes and then dies... And one more thing: if I configure that infected exe file to take action on Windows startup every day, will it corrupt or crash Windows? Will Windows work normally like it worked before?
Decoy Posted November 8, 2016 (edited)
If you're comfortable with Ruby, I think you can modify the payload session timeout here: https://github.com/rapid7/metasploit-framework/blob/cac890a797d0d770260074dfe703eb5cfb63bd46/lib/msf/core/payload/python/meterpreter_loader.rb

    met.sub!('SESSION_EXPIRATION_TIMEOUT = 604800', "SESSION_EXPIRATION_TIMEOUT = #{datastore['SessionExpirationTimeout']}")
    met.sub!('SESSION_COMMUNICATION_TIMEOUT = 300', "SESSION_COMMUNICATION_TIMEOUT = #{datastore['SessionCommunicationTimeout']}")
    met.sub!('SESSION_RETRY_TOTAL = 3600', "SESSION_RETRY_TOTAL = #{datastore['SessionRetryTotal']}")
    met.sub!('SESSION_RETRY_WAIT = 10', "SESSION_RETRY_WAIT = #{datastore['SessionRetryWait']}")

I'm not 100% on this; someone more familiar with the framework might know better. But it looks like each payload references SessionCommunicationTimeout, so adjusting that might work. If your pentest requires a persistent shell, it might be better to try forwarding some ports on the target machine. Also, if you haven't already, test your payload exe file on VirusTotal, as typically a generic meterpreter payload will be flagged by most AV software. You might be better off designing your exploit from scratch if your pentest requires you to remain undetected.
Edited November 8, 2016 by Decoy
karencho Posted November 8, 2016 Author
It will be undetectable, but I need to know if meterpreter reverse tcp can crash something in Windows so that it needs to be reinstalled...
Decoy Posted November 8, 2016
The only thing a stock reverse tcp payload is doing is firing off a reverse shell and potentially binding to another process. You're going to have to get creative with Ruby if you want to design your own payload; however, in my experience pentesting shouldn't destroy anything on the target system(s).
karencho Posted November 8, 2016 Author
Thanks a lot.
Decoy Posted November 8, 2016
No problem. Good luck!