HomeCalendarCertificationsColumnsFeaturesForumResourcesVitals
 
Image
 
linkedin_logo.png rss_logo.jpg
twitter_logo.png youtube_logo.jpg
Latest Additions
 
EH-Net Login
Welcome Guest.
Lost Password?
No account yet? Register
Who's Online
We have 71 guests and 1 member online
 
Advertisement

You are here: Home arrow Ethical Hacking Discussions and Related Certificationsarrow Network Pen Testingarrow Metasploit Sessions
EH-Net
May 21, 2013, 08:23:59 AM *
Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
News: Go back to The Ethical Hacker Network Online Magazine Home Page
 
   Home   Help Calendar Login Register  
Pages: [1]   Go Down
« previous next »
  Print  
Author Topic: Metasploit Sessions  (Read 7381 times)
0 Members and 1 Guest are viewing this topic.
jonas
Newbie
*
Offline Offline

Posts: 46


View Profile
« on: June 16, 2009, 02:43:03 PM »
Hi!  

I've been fooling around with metasploit and successfully exploited a WinXP machine with the vncinject/bind_tcp payload.   Now i run the same exploit on another machine.  Everything goes well but then it sais: "Session is running in the background".  Now when i do sessions -i ID it get the message it's not interactive.
So i close the first VNC window and try the same exploit on the first pc again.  Still starts in the background........  How do i get it UP!?

Do i have to connect to loopback:port something?  set autonvc to 0?
(I'm not able to test this atm....)

Thx!

ps. Great site!
« Last Edit: June 16, 2009, 02:44:47 PM by jonas » Logged
viruz
Jr. Member
**
Offline Offline

Posts: 50


View Profile
« Reply #1 on: June 16, 2009, 03:49:33 PM »
well to my little understanding...if u use vncinject payload, it will give u access to operate on the target machine in GUI mode. but in some instances, it will complete the dll inject and give u full access and control, and in some instances it will not and only give u the shell (cmd) which u will ave to operate on.

i guess it is only returning the shell to you in your situation which is not bad as well, another thing i noticed about using vncinject is anytime u connect to the target machine, it automatically opens a cmd on the target machine...which can give the admin a clue that something is going on and anything you type/input in the shell at your end will be seen by the target machine user....i dont really like vnc though but i think you were not given the full access to visually control the target.

i may be wrong for i am still a student....but find it helpful
Logged
jonas
Newbie
*
Offline Offline

Posts: 46


View Profile
« Reply #2 on: June 16, 2009, 04:06:58 PM »
Yes.  I get the VNC full access windows and i can control the computer remotely with the GUI interface.  But it only works the first time.  Everything after that it all starts in "background" even if im running the exploit on another machine. 

But i can't figure out where do bring it up from "running in background" to interact with it. 

I'm still a student myself so no worries! =) Thx anyway.
Logged
Ketchup
Hero Member
*****
Offline Offline

Posts: 1021



View Profile
« Reply #3 on: June 16, 2009, 07:17:50 PM »
I am not entirely sure what's happening here.  I think that I need a bit more information.   What exploit are you running, what are the settings when you run the exploit?

My guess is that you are specifying the same local port both times you run the exploit.   If the first connection is still active, I believe the local port will be in use.   You can try to specify another local port each time you run the exploit with the vnc payload.   

Try running netstat -an (on windows) or netstat -ant (on nix).   See what ports are listening each time you run the exploit. 
Logged
~~~~~~~~~~~~~~
Ketchup
jonas
Newbie
*
Offline Offline

Posts: 46


View Profile
« Reply #4 on: June 17, 2009, 11:40:28 AM »
I believe i was using the exploit/windows/dcerpc/ms03_026 with windows/vncinject/tcp_bind.  Specifying another local port sounds like it could be right!

I only set the RPORT, RHOST and LHOST.
The VNCPORT is 5900 and LPORT is 4444 as default.

So if i change these or just LPORT it should maybe work....
Logged
viruz
Jr. Member
**
Offline Offline

Posts: 50


View Profile
« Reply #5 on: June 17, 2009, 01:02:59 PM »
the RHOST will be the same, the LHOST is also the same coz it is your attacking machine, the one u are on, but if you already have an established connection to the target and do not exit it properly, it may still be open in an underground/hidden mode, trying to connect back to the target by running the exploit again might get bounced and tell you there is an established connection, so you will have to change the LPORT which is the port the target will reverse connection back to your attacking machine.

RHOST = Remote Host (target machine)
RPORT = Remote Port (target machine port)
LHOST = Local Host (your machine, the one you are attacking from)
LPORT = Local Port (used for listening to reverse connection from target)

what Ketchup is extremely useful, do it as he said and you will have no problem.
Logged
hayabusa
Hero Member
*****
Offline Offline

Posts: 1631



View Profile
« Reply #6 on: June 17, 2009, 01:18:30 PM »
If you launched VNC on the destination machine, the first time, assuming you didn't close it, the VNC listener should still be listening on the 5900 port.  Try using a VNC client to connect to that port, on the target machine.

If the initial ports are left open, from your injection of the DLL, then no, you won't be able to re-use the same ports, until both your machine and target get rebooted.  IF you change both RPORT and LPORT to fresh, unused ports, the same attack might allow you in, again.  Note, though, that many attacks will fail if attempted a second time against the same service on the target, if the target PC has not been rebooted, yet...

Ketchup's response will tell you, though, if the previous port combinations are still in use.  But they might not tell you if the service you previously exploited is still in an 'exploitable' state, or if the service needs a restart.

HTH.
Logged
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'

OSCE, OSCP , GPEN, C|EH
jonas
Newbie
*
Offline Offline

Posts: 46


View Profile
« Reply #7 on: June 17, 2009, 06:20:23 PM »
thx man.  I experienced that some of the exploits would work if i waited for some time.  Looks like some of the exploits bring the service to it's knees....

When running nmap the exploited ports are down.... hehe.
Got the VNC working and installed teamviewer from mail.  Pretty neat but not very stealthy :p   Lucky for me its only a free pentest Wink
Logged
LSOChris
Guest
« Reply #8 on: June 22, 2009, 09:22:25 PM »
change the LPORT for 2nd VNC connection or use meterpreter
Logged
Pages: [1]   Go Up
  Print  
« previous next »
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.18 | SMF © 2013, Simple Machines
Joomla Bridge by JoomlaHacks.com 		Valid XHTML 1.0! Valid CSS!
Page created in 0.071 seconds with 23 queries.
 
Exclusive Deal

sansfire13_245x90_cw90.jpg
SANSFIRE 2013
June 15 - 22

5% Off w/ Code: EHN_5

SANS Deals 4 EH-Netters
5% OFF Any SANS Course in Any Format!
Coupon Code: EHN_5 Including SANS Rocky Mountain 2013 & SANS Boston 2013
Polls
Compared to this year, 2013 will be:
 
Recent Forum Topics
EH-Net News Feeds
Latest Additions
 
         
Advertisement

© 2013 The Ethical Hacker Network
Joomla! is Free Software released under the GNU/GPL License.