EH-Net

Hi!  

I've been fooling around with metasploit and successfully exploited a WinXP machine with the vncinject/bind_tcp payload.   Now i run the same exploit on another machine.  Everything goes well but then it sais: "Session is running in the background".  Now when i do sessions -i ID it get the message it's not interactive.
So i close the first VNC window and try the same exploit on the first pc again.  Still starts in the background........  How do i get it UP!?

Do i have to connect to loopback:port something?  set autonvc to 0?
(I'm not able to test this atm....)

Thx!

ps. Great site!

well to my little understanding...if u use vncinject payload, it will give u access to operate on the target machine in GUI mode. but in some instances, it will complete the dll inject and give u full access and control, and in some instances it will not and only give u the shell (cmd) which u will ave to operate on.

i guess it is only returning the shell to you in your situation which is not bad as well, another thing i noticed about using vncinject is anytime u connect to the target machine, it automatically opens a cmd on the target machine...which can give the admin a clue that something is going on and anything you type/input in the shell at your end will be seen by the target machine user....i dont really like vnc though but i think you were not given the full access to visually control the target.

i may be wrong for i am still a student....but find it helpful

Yes.  I get the VNC full access windows and i can control the computer remotely with the GUI interface.  But it only works the first time.  Everything after that it all starts in "background" even if im running the exploit on another machine. 

But i can't figure out where do bring it up from "running in background" to interact with it. 

I'm still a student myself so no worries! =) Thx anyway.

I am not entirely sure what's happening here.  I think that I need a bit more information.   What exploit are you running, what are the settings when you run the exploit?

My guess is that you are specifying the same local port both times you run the exploit.   If the first connection is still active, I believe the local port will be in use.   You can try to specify another local port each time you run the exploit with the vnc payload.   

Try running netstat -an (on windows) or netstat -ant (on nix).   See what ports are listening each time you run the exploit. 

I believe i was using the exploit/windows/dcerpc/ms03_026 with windows/vncinject/tcp_bind.  Specifying another local port sounds like it could be right!

I only set the RPORT, RHOST and LHOST.
The VNCPORT is 5900 and LPORT is 4444 as default.

So if i change these or just LPORT it should maybe work....

the RHOST will be the same, the LHOST is also the same coz it is your attacking machine, the one u are on, but if you already have an established connection to the target and do not exit it properly, it may still be open in an underground/hidden mode, trying to connect back to the target by running the exploit again might get bounced and tell you there is an established connection, so you will have to change the LPORT which is the port the target will reverse connection back to your attacking machine.

RHOST = Remote Host (target machine)
RPORT = Remote Port (target machine port)
LHOST = Local Host (your machine, the one you are attacking from)
LPORT = Local Port (used for listening to reverse connection from target)

what Ketchup is extremely useful, do it as he said and you will have no problem.

If you launched VNC on the destination machine, the first time, assuming you didn't close it, the VNC listener should still be listening on the 5900 port.  Try using a VNC client to connect to that port, on the target machine.

If the initial ports are left open, from your injection of the DLL, then no, you won't be able to re-use the same ports, until both your machine and target get rebooted.  IF you change both RPORT and LPORT to fresh, unused ports, the same attack might allow you in, again.  Note, though, that many attacks will fail if attempted a second time against the same service on the target, if the target PC has not been rebooted, yet...

Ketchup's response will tell you, though, if the previous port combinations are still in use.  But they might not tell you if the service you previously exploited is still in an 'exploitable' state, or if the service needs a restart.

HTH.

thx man.  I experienced that some of the exploits would work if i waited for some time.  Looks like some of the exploits bring the service to it's knees....

When running nmap the exploited ports are down.... hehe.
Got the VNC working and installed teamviewer from mail.  Pretty neat but not very stealthy :p   Lucky for me its only a free pentest ;)

change the LPORT for 2nd VNC connection or use meterpreter