Forum Thread: Just Some Questions About Kali...

Just Some Questions About Kali...

Hey guys so I'm pretty new and I have a few questions that I was hoping some of you could help me answer...

  1. How exactly is one supposed to target a client behind a router? I mean if we can obtain their router's public IP, do we need their MAC address too? Or their internal IP? (Wouldn't this change due to DHCP?). Also, assuming we have both their internal and external IP address, which do we set as the RHOST, and how would the configuration of parameters for a WAN victim be different from that of a LAN victim?
  1. How would I still set my LHOST for exploits if I were using proxychains and attacking over WAN? (Internal/ external/ IP of first proxy? I'm practising in VirtualBox and thus am ignorant to this)
  1. My victim is an admin account in another virtual Windows PC. Is it abnormal that I do not have system privileges after I exploit it? 'getsystem' does not work unless I click 'run as admin'. If running as administrator is the only way for getsystem to work, is there a way to configure the payload to only be openable as admin? (I'm using a payload created with veil-evasion)
  1. Finally, and most importantly, I'm having alot of trouble creating a persistent backdoor. After following countless guides inside and outside of nullbyte (Includint OTW's guide), I have not been able to make a backdoor. I followed all the steps and all the expected messages pop up, but when I background the current meterpreter session and list all sessions, only one pops up. I tried making the port the same as my exploit, and making it different, all of which did not work. No sessions are established after the 'reboot' command is given.

Thank you for taking the time to read all of that and thank you for sharing your knowledge! Cheers.

5 Responses

Also pretty new here, I might not be correct:

  1. Unless port forwarding is set up, you won't be able to target a host behind a router. You could find a DMZ host on the same network and pivot from it, hack the router and set up port forwarding, or get someone to run a reverse payload using social engineering.

When targeting a host behind a router, you use their external IP as RHOST, and your external IP as LHOST. You will also need to forward ports on your own router if you use reverse payloads.

  1. External IP.
  1. I don't know. Try messing with file properties.
  1. That's because when you set up a backdoor it tries to connect to you every n seconds. If nothing is listening for the connection, no new sessions will be opened. The solution is to use exploit/multi/handler to listen for the connection.

Do you use the meterpreter's built in persistence script? If so, the AV is very likely to catch it. You can try creating your own backdoor!

Thank you for your extremely prompt reply. As of yet, I am still unable to solve the problem and have followed OTW's tutorial word for word, and got the exact same responses in the terminal EXCEPT that I don't get the 'Meterpreter session 2 opened'. Instead, I'm returned to the meterpreter prompt, and whenever I enter 'background' and list all sessions, only the current one (on port 1337) shows up. The exploit I'm using is a veil-evasion exe file that has already been downloaded on the victim machine and has repeatedly successfully communicated with the attacking OS on port 1337. Is this because I use port 443 when configuring the meterpreter script? Thanks again for your help.

Update:

I popped onto the host OS and scoured through the logs. I finally found that the multiple attempts to install a backdoor have been picked up by the free Panda AntiVirus I had installed (the original payload is still undetected). I'm guessing this means that the backdoor was indeed created, but for some reason a new meterpreter session is not created. I tried opening a separate handler on a different tab trying to connect to and listen on port 443, but it says that the connection failed to bind, suggesting that the port is in use. So I cannot find the supposedly active meterpreter session, and cannot listen for it either. Am I doing something wrong? Thanks

When the AV picks up your attempts to create a backdoor, it deletes the needed files before a connection can be made. Don't use the persistence script, it's probably going to be caught by all AVs.

If you know any programming languages, you really should write your own backdoor. The way I created mine is:

  1. Write a program in any compiled language. The program should run another program with the embedded payload every 30 seconds or so.
  2. Upload the backdoor and payload file to target computer and hide it.
  3. Add backdoor to registry, so it runs on startup.

When a connection fails to bind, it means something else is listening on the port already. Did you have any web browsers open?

Ahh I see. Everything worked after I disabled antivirus on the victim machine. You mentioned building a backdoor myself? I've been looking to begin exploit development as I'm decent in python but have only done some algorithms, games and various bots. It is, however, an interpreted language, so how would you recommend I begin learning to code my own backdoor? Thanks yet again for your help.

If you are good with python, you could write a backdoor in it and then turn it into an executable using py2exe.

If you don't want to do that, you can learn, for example, C++. That's what I wrote my backdoor in. The backdoor itself is very simple, I just have a loop with "run payload, wait 30 seconds".

I learned C++ by following a tutorial on the internet to get the basics, then coming up with a project and trying to accomplish it.

Share Your Thoughts

  • Hot
  • Active