Penetration Testing mailing list archives
RE: Pen Test help
From: "Roberts, Scott" <scottroberts () hersheys com>
Date: Mon, 18 Jul 2005 13:56:11 -0400
Win32_bind initiates a connection with the target machine and establishes an Administrator terminal session. Win32_reverse tells the target machine to start an outgoing session to your attack machine, which has a port listening, and then gives you an Administrator terminal session.

Win32_reverse has a huge advantage in that many Win32_bind sessions may fail because firewall rules don't allow incoming connections except over specified ports (and usually not ports used for remote shell). Since Win32_reverse has the session start from the inside and tunnel out to the attacking machine it's much less likely to be blocked, since many firewall Admins don't block outgoing traffic as well as they block incoming traffic (this may be a bad idea, but this isn't the right list to discuss that).

Hope that helps,
Scott

-----Original Message-----
From: Stephane Auger [mailto:sauger () pre2post com]
Sent: Monday, July 18, 2005 9:33 AM
To: pen-test () securityfocus com
Subject: RE: Pen Test help

What do win32_reverse and win32_bind do, anyway?

-----Original Message-----
From: H D Moore [mailto:sflist () digitaloffense net]
Sent: July 17, 2005 11:35 PM
To: pen-test () securityfocus com
Subject: Re: Pen Test help

On Sunday 17 July 2005 14:32, Juda Barnes wrote:
> Anyway the machine has 53/tcp open, so if I have the right exploit I will be able to bind the shell to 53.
That won't work. To bind on top of another service under Windows you have to specify the local address in the bind() call. The metasploit win32_bind payloads do not do this, so it will end up binding a shell to some random TCP port instead. Your best bet is to put your attacking system outside of a firewall and use the win32_reverse payloads instead (25, 80, 443, etc).
> msf iis50_webdav_ntdll(win32_exec) > check
> [*] Server does not appear to be vulnerable
>
> Well, I tried most of the framework exploits; none of them work.
Are you sure that the system is vulnerable to anything? The metasploit check seems to disagree with the Nessus scan results; are you using an older version of Nessus?

-HD
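Scott's point above is that reverse payloads succeed because egress is rarely filtered; the defensive counterpart is an egress allowlist for server segments. The following is an added example, not code from the thread: it runs over constructed firewall log lines (the log format, the 10.1.2.0/24 server subnet and the allowlisted DNS server and proxy are all assumed) and flags any outbound connection from a server that is not to an approved destination. Note that plain port-based filtering would pass the flagged 443 and 25 connections, exactly the ports HD suggests for reverse payloads.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample firewall log lines (not from the thread); the format is assumed.
SAMPLE_LOG = """\
2005-07-18 13:50:01 ALLOW TCP 10.1.2.10:49152 -> 10.1.0.53:53 out
2005-07-18 13:50:03 ALLOW TCP 10.1.2.10:49153 -> 203.0.113.7:443 out
2005-07-18 13:50:09 ALLOW TCP 10.1.2.11:49154 -> 198.51.100.20:25 out
2005-07-18 13:51:00 ALLOW TCP 10.1.2.10:49155 -> 10.1.0.5:8080 out
2005-07-18 13:51:30 ALLOW TCP 192.0.2.9:33110 -> 10.1.2.10:80 in
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<dir>in|out)$"
)

# Assumed server segment: hosts here should never open unsolicited outbound sessions.
SERVER_NET = ip_network("10.1.2.0/24")
# Assumed egress allowlist: the internal DNS server and the outbound HTTP proxy only.
# Allowlisting by destination (not just port) is what catches 25/80/443 reverse sessions.
EGRESS_ALLOW = {("10.1.0.53", 53), ("10.1.0.5", 8080)}


def parse(line):
    """Return the log fields as a dict, or None if the line does not match the format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def unexpected_egress(log_text):
    """List (timestamp, src, dst, dport) for allowed outbound server connections
    that are not on the egress allowlist."""
    findings = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or rec["dir"] != "out" or rec["action"] != "ALLOW":
            continue  # malformed, inbound, or already denied by the firewall
        if ip_address(rec["src"]) not in SERVER_NET:
            continue  # only the server segment is held to the allowlist here
        if (rec["dst"], int(rec["dport"])) in EGRESS_ALLOW:
            continue  # approved destination (DNS or proxy)
        findings.append((rec["ts"], rec["src"], rec["dst"], int(rec["dport"])))
    return findings


if __name__ == "__main__":
    for ts, src, dst, dport in unexpected_egress(SAMPLE_LOG):
        print(f"{ts} unexpected egress {src} -> {dst}:{dport}")
```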