RE: Pen Test help

From: Stephane Auger (sauger@pre2post.com)
Date: Mon Jul 18 2005 - 20:17:23 EDT


Thank you all for your explanations, it really cleared that up for me :)

Stephane

-----Original Message-----
From: H D Moore [mailto:sflist@digitaloffense.net]
Sent: July 18, 2005 6:27 PM
To: pen-test@securityfocus.com
Subject: Re: Pen Test help

On Monday 18 July 2005 08:32, Stephane Auger wrote:
> What does win32_reverse and win32_bind do, anyway?

The Metasploit Framework includes a dozen or so different Windows
payloads. For any given payload, we try to support at least two
"transports", these are "bind" and "reverse". A payload that starts off
with "win32_bind" will cause the remote system to open a listening
socket. The handler part of the Framework will then connect to this
socket, do any type of required staging, and then hand off the shell,
VNC
session, etc to the user. The "win32_reverse" payloads work by
connecting
back to the system running the Framework, which opens a listening port
to
accept the connection, and then following the same process.

If you are attacking a system behind a firewall and there are no
"unfiltered but closed" ports available, the win32_reverse payloads are
probably your best bet. Many firewalls also restrict the outbound
connections from systems in the DMZ, so you may need to run the
Framework
as root and use a low "LPORT" value, such as 25, 80, or 443. When using
the "reverse" payloads, the attacking system's address and listening
port
must be available to the target (ie. on the internet, outside of a
firewall). Keep in mind that the default "LPORT" value (4444) is blocked

by most end-user ISPs.

Not every payload is either "bind" or "reverse". The are a few payloads
that simply execute a system command and do not need a connection at
all.
These include win32_adduser and win32_exec. The "win32_passivex"
payloads
actually use a HTTP connection from the target system back to the
attacking system to load the next stage (delivered via Internet Explorer

and a malicious ActiveX control, see [1] for more information).

Payloads that contain the string "_stg" will use multiple stages, loaded

across the network connection. This reduces the size of the payload by
establishing the connection and downloading the next stage from the
Framework. The "win32_reverse_ord" payloads are really tiny, staged
versions of the "win32_reverse" set, useful when payload space is
restricted to under 200 bytes.

-HD

1. http://www.uninformed.org/?v=1&a=3&t=sumry



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:36 EDT