Jump to content

can metasploit payloads be set with broadcast addresses for "LHOST="?


Recommended Posts

lets say the environment you are in uses a DHCP server with a very short lease time.

can metasploit payloads (for instance reverse_tcp meterpreter) be set with an LHOST=

or the subnet broadcast address (i.e. LHOST=

how would someone get around a short lease time with DHCP?

I am going to lab this however I am just wondering off hand if anyone knows?

the idea in this case is that the reverse shell connects to anyone listening. I am of course not referring to that specific payload. just in general. if my payload is set with LHOST= and when the payload gets executed, my address has already changed to the connection wont go through.

Link to comment
Share on other sites

First of all. A short leastime does not mean your pc will get a new ip every time the lease time is over.

DHCP in short:

1) Client connects on the network.

2) Client sends a request for network settings. ( dhcp request ) broadcast

3) dhcp server offers 4 times the same settings ( dhcp offer )

4) Client accepts the offer and start using it( dhcp ack )

5) Server locks the ip/mac till releasetime

Now the dhcp settings offert by the server is not only the usual stuff: ip/mask/router/dns Its also release time AND renew time.

The renew time should always be lower then the release time. When the client reaches the renew time, it will send a new request to the server

but this time it will be a DHCP inform request. Asking the server to extend the release time for this address.

So basicly as long as your device is online and got a connection towards the dhcp server it should not change ip.

But the safest way: Set your device as a static ip on the network !

As of using broadcast addresses for your exploit. If could work but defiantly isn't stealthy and i think a lot of AV/firewall programs will not like it

Edited by GuardMoony
Link to comment
Share on other sites

I was really using the DHCP server as an example to help explain.

I am just wondering if you can use broadcast addresses without being asked "Why" and having to explain.

thanks for the feedback!

I am going to try it out in a lab. I can see how it might be useful in some scenarios.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...