Residuum

Active Members
  • Posts: 5


  1. I did both. I bridged the VMware VM directly over my main OS and a second time over my router and disabled all FWs. Further, I set up a test which I could exploit when the XP firewall was down. So unfortunately remote exploitation, even with an old OS, is not as easy as client-side attacks. The book Penetration Tester's Guide only gives some good tips on finding vulnerabilities on systems that are not updated, but not on a certain system you want to exploit, since most computers do not run telnet, SSH, SQL, HTTP etc. I have been using the auxiliary scanners of msf and Nessus, which also provide a lot of information about possible attack vectors. So I am now looking into ARP poisoning and sniffing of traffic to find an entry point.
  2. Thank you all for the replies, I will take a look at the book. I bridged the VM into the network but was unsuccessful at creating a session with Metasploit. So you are probably right that the target is patched.
  3. First, thank you for your extensive answer. I do not agree with your first comment fully. Let's assume you set up a router and forward port 80 to a webhost in your NAT; then you could still access the webhost with only knowing the address of the router. As far as I understood Metasploit, the LHOST belongs to the payload, giving it the IP to reach out to. So if you set it to your local NAT IP it would never be found. I am certain hitting it directly with the knowledge of an SMB port being open, and if it wasn't a coincidence, executing it accidentally. I have set up a webpage including a small program I wrote to take orders from an FTP and shovel up the result. So I try to move on..... Your suggestion with the bindshell is intriguing. I'll have to try it :)
  4. Well, there is indeed a possibility to disable the handler: set DisablePayloadHandler=true. I haven't tried it but it should work. However, I thought about it again and the listener jumped back on 0.0.0.0 when using the remote address as LHOST, so it should have worked already. The test target runs XP SP2 so it should be exploitable! Weird stuff is going on.
  5. Hey, I am looking for an answer regarding Metasploit. I try to connect to a remote PC outside my network and somehow therefore I would like to set up a handler on my internal IP, but give my payload the external IP. However I am only seeing the option to set LHOST, in which case the handler or the payload gets the wrong IP, and setting up a separate handler would block my port. Maybe there is an easier method to set the server IP of reverse_tcp to my external one without directly creating a handler on the same IP.... The following assumptions can be made:
     • port is correctly forwarded on the machine with the external IP
     • payload and exploit are working on the target
     • payload is reverse_tcp
     Thanks for the help,
     Residuum