
N00b Question


Atomix.Gray


Question regarding SET or Metasploit: Let's say as an example you set a payload that embeds a reverse shell in a PDF document. The payload LHOST is an internal 192... address. If you were to email the PDF document to someone outside of the 192... address, how/do they loop back to your internal network address? This part has confused me for a while. Or am I wrong? Does the "victim" (in this case my PC at home) have to be on the same network to gain 'shell'?


From what I understand, you can set the target to 0.0.0.0 and use a reverse handler, so when the victim opens the PDF, they make the connection back to you. Being on the same network helps though. If you are at home and behind NAT, chances are it will fail though without port forwarding to your machine doing the attack, for which it might be easier to have that machine in a DMZ while doing the attack. Your payload might very well have worked, but if the victim can't then reach you behind NAT, then it has no means of finishing the reverse connection and your router might just drop the connection from the victim.


IPV6 for the win! http://hak5.org/episodes/episode-810 enable IPV6 and you should be good to go.... At least I think :)

Thanks for the reply digip

The only problem with IPv6 is that, if the victim's network is not set up/configured to use the IPv6 protocol, your attack may not work.

Your best option would be to do what Digip suggested: place a machine in a DMZ or forward the necessary ports on the router.


Problem with IPv6 is also that the router might not be set up for it, so the victim machine would have to set up 6to4 tunneling in hopes of reaching you. IPv6 in itself is not a complicated thing, or at least in concept, but getting all of it working on a victim's computer remotely is probably not going to be easy. That would probably be something you would do in post exploitation, like after you already have access to the victim, and want to set up persistence so you can get back in any time (which is what I think you meant in your post above, but only comes AFTER you are already in and have root access).


I know I have successfully gotten a shell by setting up port forwarding to a server, setting up the IP address as the home IP. There are a couple of important points about this:

1. If you have Dynamic IP, make sure the exploit fires before the IP changes.

2. Set up the LPORT to the forwarded port.

3. Testing will be in two stages: one where you test the payload locally and use the local server IP, another where you check your routing from another access point. You can't ship a payload from inside the network to the public IP. It will always fail. If you have a webserver on public IP 184.1.1.1 and local IP 192.168.0.2 and you are on that network, http://184.1.1.1 will fail to connect. You will need to connect to 192.168.0.2. Which means that any payloads calling home to 184.1.1.1 will fail on the local net. Go to a coffee shop and test bomb your laptop to make sure you are getting the connections, or run it off a tethered cell phone.

Hope this helps. Number 3 gave me hell when I was first figuring things out. I thought that my payload was failing when it was just failing to reach the server.

Diggs
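The three failure modes in this thread (a private LHOST that a remote host can never reach, a public LHOST with no port forward, and a public LHOST tested from inside the same NAT, Diggs's point 3) all come down to how the candidate address is classified and where the connecting machine sits. The following pre-flight check is an added example written for this thread; it is not code from Metasploit, SET or any poster. The function names `classify_address` and `callback_verdict` are mine, the sample addresses 192.168.0.2 and 184.1.1.1 are taken from Diggs's post, and the private ranges are the RFC 1918 blocks (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). One fact worth keeping in mind for digip's 0.0.0.0 remark: 0.0.0.0 is valid as the address a listener binds to, but it can never be the address embedded in the payload, because the connecting side has nothing routable to connect to.

```python
"""Pre-flight reachability check for a reverse-connection listener address (LHOST).

Added example for the forum thread above; the helper names are hypothetical.
"""
import ipaddress
from typing import Tuple

# RFC 1918 private ranges: the "192..." and "10..." addresses discussed in the thread.
RFC1918_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def classify_address(addr: str) -> str:
    """Return one of: unspecified, loopback, link-local, private, public."""
    ip = ipaddress.ip_address(addr)
    if ip.is_unspecified:          # 0.0.0.0 or :: (bind-all, not routable)
        return "unspecified"
    if ip.is_loopback:             # 127.0.0.0/8 or ::1
        return "loopback"
    if ip.is_link_local:           # 169.254.0.0/16 or fe80::/10
        return "link-local"
    if ip.version == 4 and any(ip in net for net in RFC1918_NETS):
        return "private"
    if ip.version == 6 and ip.is_private:   # fc00::/7 unique local addresses
        return "private"
    return "public"


def callback_verdict(lhost: str, client_on_lan: bool, port_forwarded: bool) -> Tuple[bool, str]:
    """Decide whether a client at the given vantage point can reach a listener at lhost.

    client_on_lan  -- the connecting machine is behind the same NAT router as the listener
    port_forwarded -- the router forwards the listener port (or the listener sits in a DMZ)
    Returns (reachable, reason).
    """
    kind = classify_address(lhost)
    if kind == "unspecified":
        return False, "0.0.0.0 is a bind-all address for the listener, not a reachable callback target"
    if kind in ("loopback", "link-local"):
        return False, f"{kind} address is only reachable from the listener host or its own link"
    if kind == "private":
        if client_on_lan:
            return True, "private address, directly reachable on the same LAN"
        return False, "private address is not routable from the Internet; a remote client can never reach it"
    # kind == "public"
    if client_on_lan:
        return False, "hairpin NAT: from inside the network use the internal IP; the public IP usually fails"
    if port_forwarded:
        return True, "public address with the port forwarded: reachable from the Internet"
    return False, "public address but the router has no forward for this port; the connection is dropped"


if __name__ == "__main__":
    # Constructed scenarios mirroring the thread: same LAN vs. Internet, with and without a forward.
    scenarios = [
        ("192.168.0.2", True, False),
        ("192.168.0.2", False, True),
        ("184.1.1.1", True, True),
        ("184.1.1.1", False, True),
        ("184.1.1.1", False, False),
        ("0.0.0.0", False, True),
    ]
    for lhost, on_lan, fwd in scenarios:
        ok, why = callback_verdict(lhost, on_lan, fwd)
        print(f"{lhost:<14} on_lan={on_lan!s:<5} forwarded={fwd!s:<5} -> {'OK' if ok else 'FAIL'}: {why}")
```

Running the script prints one verdict per scenario; the two that trip people up are the private LHOST tested from outside (never reachable) and the public LHOST tested from inside the same NAT (hairpin, which is exactly why Diggs suggests testing from a tethered phone or a coffee shop). The same classification is what a network defender uses in reverse: an egress connection from an internal host to an unfamiliar public address on an unusual port is the observable side of this callback.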


1. If you have Dynamic IP, make sure the exploit fires before the IP changes.

If the IP really changes, the other option would be to send the victim a TCP reverse shell embedded in a PDF file. This will really put your skills to the test, because getting someone to do something for you isn't always easy.

You will also need to have the correct ports forwarded on your router, or you set up a PC in a DMZ.

Edited by Infiltrator

  • 3 months later...

I've been wondering about this as well. If I tell it to connect back to my external IP (e.g. 10.41.23.213) and it's dynamic, doesn't that mean once the IP changes I will no longer have the connection? If so, is there a way around this?

Cheers!

Many routers and all OSes can install a DynDNS client. The router version is much more convenient. DynDNS (or dyn.com, as it's called now...) is a service that does exactly what you're looking for here. Sign up for a free account, make a dyndns address (KingUnderHill.dyndns.com or something) and then put your account information into the client (apt-get install inadyn if you're using Debian; google it for other OSes) and boom! Anytime your IP changes, the installed client notices and shoots up the new (changed) IP to DynDNS, so KingUnderHill.dyndns.com always points to your IP, no matter what it might be or how often it changes.

Also, make sure you're forwarding the LPORT that you set to the internal IP of your metasploit box.

Hope this makes sense, it's early and I'm without coffee... good luck!

telot

