Metasploit mailing list archives

Re: my handler has been p0wned

From: al1c3andb0b <al1c3andb0b () lavabit com>
Date: Wed, 16 Mar 2011 16:57:34 +0100

On 03/16/2011 03:54 PM, Nicolas Krassas wrote:
> Did you upload your "testing" files to any of the av scanning sites? e.g. virustotal?
Yes, I did, and with various payloads, but not during these tests (anyway, I've stopped using these sites), and most often I've used private addresses (not even sure I've ever used my public IP once).

But I'm not sure I understand your point: you mean one may download my test payload from VirusTotal and execute it, the stager reaches my handler, which in turn starts sending stages. The payload may fail to execute or have no "visible" consequence, so I only see "sending stages" messages in msfconsole. Though this could be possible, I think it's pretty improbable, as this implies:
- one day I've uploaded a staged payload to VirusTotal, containing my public IP and targeting port 8080
- Bob has downloaded this payload, with the intent to execute it: why, as this makes Bob the victim? Do you rather think about researchers doing a survey, or some kind of official services that try to identify potential attackers through the VirusTotal database?
- The payload, on Bob's platform, fails to execute OR the payload has no visible consequence
- One day, I expose my host (DMZ), and start the _appropriate_ metasploit handler
- This very same day, Bob tries to execute my payload

Another nice story, but I don't think that's what happened to me.

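The scenario above turns on whether a sample that left your hands carries your handler's address. As an added example (not part of this thread and not Metasploit's own code), here is a pre-upload check a practitioner can run on a test binary: it searches for the LHOST you used as dotted-decimal text and as the four raw bytes a reverse_tcp stager places in a sockaddr_in (network byte order, plus the byte-swapped form), and reports the LPORT only when it sits next to an address hit, since a bare two-byte pattern matches almost anywhere. The sample blob, the addresses 203.0.113.5 and 10.0.0.7, and the assumption about how the address is laid out are all constructed for this example.

```python
"""Pre-upload check: does a payload sample embed the handler address?

Added example, not code from the mailing-list thread or from Metasploit.
Assumption: a reverse_tcp stager carries LHOST either as dotted-decimal text
or as the 4 bytes of sockaddr_in.sin_addr (network byte order); the
byte-swapped form is also checked in case the address is stored as a
little-endian immediate.
"""
import ipaddress
import re
import struct

# A port hit only counts within this many bytes of an address hit
# (sin_port sits 2 bytes before sin_addr; "a.b.c.d:port" text is at most 16 apart).
PORT_WINDOW = 16


def address_encodings(ip):
    """The byte patterns an IPv4 address is likely to appear as in a binary."""
    packed = ipaddress.IPv4Address(ip).packed
    return {
        "ascii": ip.encode("ascii"),
        "packed_be": packed,         # sin_addr, network byte order
        "packed_le": packed[::-1],   # byte-swapped immediate
    }


def port_encodings(port):
    return {
        "ascii": str(port).encode("ascii"),
        "packed_be": struct.pack(">H", port),   # sin_port, network byte order
        "packed_le": struct.pack("<H", port),
    }


def find_handler_leaks(blob, lhost, lport=None):
    """Return (kind, form, offset) tuples for every trace of lhost (and lport)."""
    hits = []
    for form, needle in address_encodings(lhost).items():
        for m in re.finditer(re.escape(needle), blob):
            hits.append(("lhost", form, m.start()))
    if lport is not None and hits:
        ip_offsets = [off for _, _, off in hits]
        for form, needle in port_encodings(lport).items():
            for m in re.finditer(re.escape(needle), blob):
                if any(abs(m.start() - off) <= PORT_WINDOW for off in ip_offsets):
                    hits.append(("lport", form, m.start()))
    return hits


def is_safe_to_upload(blob, lhost, lport=None):
    """True only if the sample shows no trace of the handler address."""
    return not find_handler_leaks(blob, lhost, lport)


# Constructed sample (not a real payload): a fake MZ header, a sockaddr_in
# laid out as {sin_family=2, sin_port=8080, sin_addr=203.0.113.5}, and a
# text string naming a second, private handler.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 32
    + b"\x02\x00" + struct.pack(">H", 8080) + ipaddress.IPv4Address("203.0.113.5").packed
    + b"\x00" * 16
    + b"connect back to 10.0.0.7:4444\x00"
)

if __name__ == "__main__":
    for host, port in (("203.0.113.5", 8080), ("10.0.0.7", 4444), ("192.0.2.9", 8080)):
        print(host, port, "safe" if is_safe_to_upload(SAMPLE, host, port) else find_handler_leaks(SAMPLE, host, port))
```

Run it against the staged EXE or raw shellcode you are about to submit, with the exact LHOST/LPORT the handler is listening on; a "safe" result for your public address means the sample cannot call home to you even if someone executes it later, which is the check the thread is really asking for.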
