Penetration Testing mailing list archives
Re: Pen Test help
From: H D Moore <sflist () digitaloffense net>
Date: Mon, 18 Jul 2005 17:27:29 -0500
On Monday 18 July 2005 08:32, Stephane Auger wrote:
> What does win32_reverse and win32_bind do, anyway?
The Metasploit Framework includes a dozen or so different Windows payloads. For any given payload, we try to support at least two "transports", these are "bind" and "reverse". A payload that starts off with "win32_bind" will cause the remote system to open a listening socket. The handler part of the Framework will then connect to this socket, do any type of required staging, and then hand off the shell, VNC session, etc. to the user. The "win32_reverse" payloads work by connecting back to the system running the Framework, which opens a listening port to accept the connection, and then following the same process.

If you are attacking a system behind a firewall and there are no "unfiltered but closed" ports available, the win32_reverse payloads are probably your best bet. Many firewalls also restrict the outbound connections from systems in the DMZ, so you may need to run the Framework as root and use a low "LPORT" value, such as 25, 80, or 443. When using the "reverse" payloads, the attacking system's address and listening port must be available to the target (i.e. on the internet, outside of a firewall). Keep in mind that the default "LPORT" value (4444) is blocked by most end-user ISPs.

Not every payload is either "bind" or "reverse". There are a few payloads that simply execute a system command and do not need a connection at all. These include win32_adduser and win32_exec. The "win32_passivex" payloads actually use an HTTP connection from the target system back to the attacking system to load the next stage (delivered via Internet Explorer and a malicious ActiveX control, see [1] for more information).

Payloads that contain the string "_stg" will use multiple stages, loaded across the network connection. This reduces the size of the payload by establishing the connection and downloading the next stage from the Framework. The "win32_reverse_ord" payloads are really tiny, staged versions of the "win32_reverse" set, useful when payload space is restricted to under 200 bytes.

-HD

1. http://www.uninformed.org/?v=1&a=3&t=sumry
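The two transports described in the post leave different traces at a DMZ firewall: a "bind" payload produces an inbound connection to a port the host was never meant to serve, while a "reverse" payload produces an outbound connection from the host, either to the default LPORT (4444) or to a low port chosen to slip past egress filtering. The following triage script is an added example, not code from the post or from the Metasploit project; the log format, DMZ host addresses and per-host service profiles are constructed for illustration.

```python
"""Triage constructed firewall log lines for bind- and reverse-style
transport patterns (added example; hypothetical log format and hosts)."""
import re
from dataclasses import dataclass

# Constructed, hypothetical values for this example.
DEFAULT_LPORT = 4444                        # the Framework's default LPORT, per the post
EXPECTED_INBOUND = {"10.1.1.5": {80, 443}}  # services each DMZ host is meant to expose
EXPECTED_OUTBOUND = {"10.1.1.5": {443}}     # connections each DMZ host may initiate

# Hypothetical log format: "<ALLOW|DENY> TCP src:sport -> dst:dport <IN|OUT>"
LINE_RE = re.compile(
    r"^(?P<action>ALLOW|DENY) TCP (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<dir>IN|OUT)$"
)

@dataclass
class Finding:
    line: str
    reason: str

def triage(log_lines):
    """Return findings for connections that fit the bind or reverse transport shape."""
    findings = []
    for raw in log_lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not in the constructed format; ignore the line
        dport = int(m["dport"])
        if m["dir"] == "OUT" and m["src"] in EXPECTED_OUTBOUND:
            # Reverse transport: the DMZ host itself initiates the connection outward.
            if dport == DEFAULT_LPORT:
                findings.append(Finding(raw, "outbound to default handler port 4444"))
            elif dport not in EXPECTED_OUTBOUND[m["src"]]:
                # Low ports such as 25/80/443 pass many egress filters, so the
                # per-host profile, not the port number alone, is what catches them.
                findings.append(Finding(raw, f"outbound to port {dport} not in host egress profile"))
        elif m["dir"] == "IN" and m["dst"] in EXPECTED_INBOUND:
            # Bind transport: something on the DMZ host is listening on a non-service port.
            if dport not in EXPECTED_INBOUND[m["dst"]]:
                findings.append(Finding(raw, f"inbound to unexpected listener on port {dport}"))
    return findings

# Constructed sample log: one normal egress, one reverse to 4444, one reverse on a
# low port, one normal inbound web hit, one inbound to a bind-style listener.
SAMPLE_LOG = [
    "ALLOW TCP 10.1.1.5:51234 -> 203.0.113.9:443 OUT",
    "DENY TCP 10.1.1.5:51235 -> 203.0.113.9:4444 OUT",
    "ALLOW TCP 10.1.1.5:51236 -> 203.0.113.9:25 OUT",
    "ALLOW TCP 198.51.100.7:40000 -> 10.1.1.5:80 IN",
    "ALLOW TCP 198.51.100.7:40001 -> 10.1.1.5:4444 IN",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.reason, "|", f.line)
```

Note that a DENY entry is still reported: the attempt to reach the handler port is the signal, regardless of whether the firewall let it through.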