wurmt0ngue Posted March 19, 2011

I've been able to use BackTrack for WEP cracking for a few years, but I recently decided to try to learn more and really dig in. Thanks to g0tm1lk's blog and Hak5 I have come a long way and can now exploit local VMs and gain access to them using client-side browser attacks (however, using Armitage). My next step is to learn the Metasploit command line so I actually understand what is happening behind Armitage's GUI, but my question here pertains to being able to use Metasploit remotely on hosts that aren't on the local network. I have a free No-IP account and can forward directly to my IP, so I figured that if I forwarded my ports correctly I could link a friend (knowingly, for testing) to my No-IP host and to my Metasploit server. (I could be wrong, but please let me know.) This should also give me their IP through the console when they connect to the webpage. Am I on the right track here? And what are some other ways I could use Metasploit remotely? So far I have only attempted simple client-side attacks from the Armitage how-tos etc. Go easy on me for being a n00b, plz and thx.
Infiltrator Posted March 20, 2011 (edited)

So far your approach is correct.

1) You will need to know the remote computer's IP address or hostname.
2) You will need to find out what services are running on the remote host.
3) You could use Nmap to scan for any open ports on the remote host.
4) Once you find what services and ports are open,
5) use Metasploit to exploit the host service.
6) Now, to make the machine visible to the internet, there are two ways you can go about it:
   1) Open forwarding ports on the remote router.
   2) Or place the remote host in a DMZ. This option is not recommended, because it will completely expose the host to the internet; however, once this option is enabled, forwarding ports will no longer be required. If you want to go down this path, make sure the host does not have any confidential information or any important data on it.

Hope this helps.

Edited March 20, 2011 by Infiltrator
digip Posted March 20, 2011

Whatever you decide to do, notify the parties whose network you use, such as the remote host and even your ISP/your friend's ISP. What you are doing in your own lab tests or private network should not be stuff that travels outside the local LAN, or you could be seen as trying to attack someone's network and get yourself arrested.

Personally, I would create several networks at home: get a few routers and switches, set up different subnets for each network, with one machine in each network that can speak to the next hop, and then play from there. This way you can try to pivot off one machine's subnet into the network of another it can communicate with. There really is no difference, though, between doing this in VMs vs. a live network. A network is a network, if the configurations are set up properly.

I think doing anything over the internet is going to be an issue and may get you into trouble with the ISPs or hosting providers. If you were in, say, the Offsec classes, they give you VPN access to a private network set up just for pen-testing. This makes more sense than trying to do something across the internet, where you could potentially land yourself in jail if you pointed your scans at the wrong IP or subnets.
Mr-Protocol Posted March 20, 2011

> So far your approach is correct.
> 1) You will need to know the remote computer's IP address or hostname.
> 2) You will need to find out what services are running on the remote host.
> 3) You could use Nmap to scan for any open ports on the remote host.
> 4) Once you find what services and ports are open,
> 5) use Metasploit to exploit the host service.
> 6) Now, to make the machine visible to the internet, there are two ways you can go about it:
>    1) Open forwarding ports on the remote router.
>    2) Or place the remote host in a DMZ. This option is not recommended, because it will completely expose the host to the internet; however, once this option is enabled, forwarding ports will no longer be required. If you want to go down this path, make sure the host does not have any confidential information or any important data on it.
> Hope this helps.

1) Not really; depends on the attack, but typically no.
2) Helpful, but not always needed.
6) Only the attacking machine needs to be accessible from external addresses, so the victim computers can "connect back" to start a Meterpreter session or whatever session is chosen for the payload.

http://www.offensive-security.com/metasploit-unleashed/Metasploit_Unleashed_Information_Security_Training
Netshroud Posted March 20, 2011

6) Depends on whether the payload is a bind or reverse connection.
Infiltrator Posted March 20, 2011 (edited)

> 1) Not really; depends on the attack, but typically no.
> 2) Helpful, but not always needed.
> 6) Only the attacking machine needs to be accessible from external addresses, so the victim computers can "connect back" to start a Meterpreter session or whatever session is chosen for the payload.
> http://www.offensive-security.com/metasploit-unleashed/Metasploit_Unleashed_Information_Security_Training

Those were only some suggestions on how he could use Metasploit from outside his LAN.

Edited March 21, 2011 by Infiltrator
Mr-Protocol Posted March 20, 2011

> 6) Depends on whether the payload is a bind or reverse connection.

Yup, bind connections will not work with NAT and/or firewalls. I always use reverse.