Penetration Testing mailing list archives

Re: Pen Test help


From: H D Moore <sflist () digitaloffense net>
Date: Mon, 18 Jul 2005 17:27:29 -0500

On Monday 18 July 2005 08:32, Stephane Auger wrote:
> What do win32_reverse and win32_bind do, anyway?

The Metasploit Framework includes a dozen or so different Windows 
payloads. For any given payload, we try to support at least two 
"transports": "bind" and "reverse". A payload that starts off 
with "win32_bind" will cause the remote system to open a listening 
socket. The handler part of the Framework will then connect to this 
socket, do any type of required staging, and then hand off the shell, VNC 
session, etc. to the user. The "win32_reverse" payloads work by connecting 
back to the system running the Framework, which opens a listening port to 
accept the connection, and then following the same process.

If you are attacking a system behind a firewall and there are no 
"unfiltered but closed" ports available, the win32_reverse payloads are 
probably your best bet. Many firewalls also restrict the outbound 
connections from systems in the DMZ, so you may need to run the Framework 
as root and use a low "LPORT" value, such as 25, 80, or 443. When using 
the "reverse" payloads, the attacking system's address and listening port 
must be available to the target (i.e. on the Internet, outside of a 
firewall). Keep in mind that the default "LPORT" value (4444) is blocked 
by most end-user ISPs.

Not every payload is either "bind" or "reverse". There are a few payloads 
that simply execute a system command and do not need a connection at all. 
These include win32_adduser and win32_exec. The "win32_passivex" payloads 
actually use an HTTP connection from the target system back to the 
attacking system to load the next stage (delivered via Internet Explorer 
and a malicious ActiveX control, see [1] for more information).

Payloads that contain the string "_stg" will use multiple stages, loaded 
across the network connection. This reduces the size of the payload by 
establishing the connection and downloading the next stage from the 
Framework. The "win32_reverse_ord" payloads are really tiny, staged 
versions of the "win32_reverse" set, useful when payload space is 
restricted to under 200 bytes.

-HD

1. http://www.uninformed.org/?v=1&a=3&t=sumry
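The bind/reverse distinction and the staging step described in the message above, as an added example that is not part of HD Moore's post and is not Metasploit code. Both sides run in one process over loopback: the "handler" plays the Framework's role and the "target" plays the exploited host running a first-stage stub. The staging wire format used here (a 4-byte little-endian length followed by the stage body) is an assumption chosen for illustration, not a description of the real win32_*_stg protocol.

```python
"""Simulate the two payload transports: bind (target listens, handler
connects in) and reverse (handler listens on LPORT, target connects back),
followed by a simple staging exchange. Added example, not Metasploit code;
the length-prefixed staging format is an assumption for illustration."""
import socket
import struct
import threading

# Constructed sample "stage": in practice this would be the second-stage
# shellcode (shell, VNC server, ...) that the tiny first stage pulls in.
STAGE = b"\x90" * 16 + b"SIMULATED-SECOND-STAGE"


def send_stage(conn: socket.socket, stage: bytes) -> None:
    """Handler side of staging: send a length prefix, then the stage body."""
    conn.sendall(struct.pack("<I", len(stage)) + stage)


def recv_exact(conn: socket.socket, n: int) -> bytes:
    """Read exactly n bytes; a short read means the peer went away mid-stage."""
    buf = b""
    while len(buf) < n:
        chunk = conn.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed during staging")
        buf += chunk
    return buf


def recv_stage(conn: socket.socket) -> bytes:
    """Stager side of staging: read the length word, then that many bytes."""
    (length,) = struct.unpack("<I", recv_exact(conn, 4))
    return recv_exact(conn, length)


def run_transport(mode: str, stage: bytes = STAGE) -> bytes:
    """Run one handler/target exchange over loopback and return the bytes the
    simulated target received as its second stage.

    mode == "bind":    the target owns the listening socket (win32_bind_*)
    mode == "reverse": the handler owns it, i.e. this is LPORT (win32_reverse_*)
    """
    if mode not in ("bind", "reverse"):
        raise ValueError("mode must be 'bind' or 'reverse'")
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))      # port 0: let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    received = {}

    def target() -> None:
        if mode == "bind":
            conn, _ = listener.accept()  # payload opened a listening socket
        else:
            conn = socket.create_connection(("127.0.0.1", port))  # call home
        with conn:
            received["stage"] = recv_stage(conn)

    t = threading.Thread(target=target)
    t.start()
    if mode == "bind":
        conn = socket.create_connection(("127.0.0.1", port))  # handler dials in
    else:
        conn, _ = listener.accept()     # handler accepts the connect-back
    with conn:
        send_stage(conn, stage)
    t.join()
    listener.close()
    return received["stage"]


if __name__ == "__main__":
    for m in ("bind", "reverse"):
        got = run_transport(m)
        print(f"{m:8s} transport: target received a {len(got)}-byte stage")
```

The only difference between the two modes is which side calls accept() and which side calls connect(); everything after the socket exists (staging, then handing the channel to the user) is identical, which is why the message describes reverse payloads as "following the same process". In the reverse case the listener's port is the LPORT the target must be able to reach, so on a real engagement it is the one you would lower to 80 or 443 when egress filtering blocks the default.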
