Re: Pen Test help

From: H D Moore (sflist@digitaloffense.net)
Date: Mon Jul 18 2005 - 18:27:29 EDT

• Next message: Desai, Dipen: "RE: Suggested lab materials/systems/setup?"
• Previous message: contact@parosproxy.org: "Paros 3.2.3 release"
• In reply to: Stephane Auger: "RE: Pen Test help"
• Next in thread: Juda Barnes: "FW: Pen Test help"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

On Monday 18 July 2005 08:32, Stephane Auger wrote:
> What does win32_reverse and win32_bind do, anyway?

The Metasploit Framework includes a dozen or so different Windows
payloads. For any given payload, we try to support at least two
"transports", these are "bind" and "reverse". A payload that starts off
with "win32_bind" will cause the remote system to open a listening
socket. The handler part of the Framework will then connect to this
socket, do any type of required staging, and then hand off the shell, VNC
session, etc to the user. The "win32_reverse" payloads work by connecting
back to the system running the Framework, which opens a listening port to
accept the connection, and then following the same process.

If you are attacking a system behind a firewall and there are no
"unfiltered but closed" ports available, the win32_reverse payloads are
probably your best bet. Many firewalls also restrict the outbound
connections from systems in the DMZ, so you may need to run the Framework
as root and use a low "LPORT" value, such as 25, 80, or 443. When using
the "reverse" payloads, the attacking system's address and listening port
must be available to the target (ie. on the internet, outside of a
firewall). Keep in mind that the default "LPORT" value (4444) is blocked
by most end-user ISPs.

Not every payload is either "bind" or "reverse". The are a few payloads
that simply execute a system command and do not need a connection at all.
These include win32_adduser and win32_exec. The "win32_passivex" payloads
actually use a HTTP connection from the target system back to the
attacking system to load the next stage (delivered via Internet Explorer
and a malicious ActiveX control, see [1] for more information).

Payloads that contain the string "_stg" will use multiple stages, loaded
across the network connection. This reduces the size of the payload by
establishing the connection and downloading the next stage from the
Framework. The "win32_reverse_ord" payloads are really tiny, staged
versions of the "win32_reverse" set, useful when payload space is
restricted to under 200 bytes.

-HD

1. http://www.uninformed.org/?v=1&a=3&t=sumry

• Next message: Desai, Dipen: "RE: Suggested lab materials/systems/setup?"
• Previous message: contact@parosproxy.org: "Paros 3.2.3 release"
• In reply to: Stephane Auger: "RE: Pen Test help"
• Next in thread: Juda Barnes: "FW: Pen Test help"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:35 EDT