Forum Thread: Metasploit Questions

Metasploit Questions

Hi there,
im null and ive been on null-byte for quite sometime now.

i decided to make an account because, Why not? i love it here and i guess it would be better if i was a part of the community. Anyway..

I have some questions about Metasploit. (i still have little knowledge about all this, sorry.)

1.
LHOST and LPORT:

okay, i understand that LHOST is what the payload (i think that's what you call it.) should connect back to; and that LPORT is what port it should be on. my question/s is/are:

Should it matter what port I choose? if so, how do i port forward? (Im not sure if this is the solution to that)

2.
(if) it works! i managed to make the pay load connect back and i have a console.
cool, i have a terminal thats connected.. after im done doing whatever (Ethical) how do i connect back?

can i just fire-up my listener and connect back? (so long as the person has Internet connection of course.) or does the person have to try to open the payload again?

i guess that's t for now.

Thank you for reading.

NULL

EDIT: I'm connect to the internet via WiFi and I'm using kali linux 2.0 (sana)

5 Responses

  1. It is a good habit to use common ports that relate to your exploit. For example if you exploit a web browser it would be a good guess that ports 80 (http) and ports (443) will be usable. This will also look less suspicious to anyone paying attention.

Port forwarding is used for a few things, but in context of what I think your asking you would only need to use it if you are attacking across the WAN and not your LAN. To set it up you have to look up how for your router, not all are the same. A good place to start with that other than Google is Port Forward

  1. No and no, you will need to setup persistence so the machine will connect back to you when you want it to. Try starting here to figure out how that's done Persistence

I believe that using higher ports is less suspicious. Someone checking netstat will usually overlook higher ports but might investigate if an unknown connection has been made on a port that does not normally have unknown traffic.

I might be wrong in the psychological thinking, but that is just what my experience taught me. I see your point though, and it all really boils down to how alert the target is to any threats.

TRT

It's just more of an opinion really rather than just right or wrong. Personally in my experience common ports are more likely to get through any security measures and get me the shell. Even more so if I can disguise the traffic as the protocol that uses the port such as http or even better https. To me it looks more common for a victim to be connected on these ports to a foreign address than an uncommon port connected to a foreign address.

Higher ports like what you are saying can be nice in situations where machines have multiple applications installed and no one knows what ports they really use. I think of it more in pivoting or lateral movements where web traffic would stand out between two machines that don't host a web site. These ports may be more likely to go unnoticed since hopefully no one knows what ports the vendors have chosen to use.

# 1 #

• You can use any port, as long as it is not being used by another service at that particular time.

• You only need to port forward if you are planning to perform the exploits on a Wide Area Network (WAN) which is usually the internet.

==============================================================

# 2 #

• You will need to set up persistence for that to work independently.

==============================================================

Feel free to use the search function on top of each page to look for further help.

TRT

Thank you, both of the articles are very helpful.

i don't have access to my router, only my cousin knows the password to it.
is there a way to check what ports i can use?
(Im connected to the Internet via WiFI.)

Share Your Thoughts

  • Hot
  • Active