Forum Thread: Miscellaneous Metasploit Questions

Miscellaneous Metasploit Questions

I know that ultimately I need to just get in there and play around -- but I'm hoping if I can get a few direct questions out of the way, I'll save myself a few hours of troubleshooting.

I've been reading a lot and watched quite a few demos, but maybe these questions are so painfully obvious that no one thinks to address them?

1.) A few tutorials I've read that involve emailing someone a payload embedded in a document/file mention migrating before the user closes the file, because at that point the connection will be lost and you probably won't get it back.

But how does that work in the real world? You can't know exactly when they'll open it, and it's impractical to suggest that I just sit in front my computer waiting for this very small window of time. Is there a Metasploit script you can include or something that would automatically migrate? I can't imagine pulling off a client-side attack this way.

2.) In the description of the 'duplicate.rb' script, this post:

Mentions 'risky' actions that would attract the AV. What kinds of things qualify as 'risky'?

  1. When conducting a client-side attack outside of your LAN, is there a preferable protocol? TCP/HTTP/HTTPS? One post I read called TCP "all but dead" but didn't go on to explain why.
  1. I've read a few comments referring to AVG as "not an actual AV program." Since the target computer I'm considering runs AVG, I'd like to get a better idea what that means. Does it mean that killav.rb won't work against it?
  1. And this is really dumb, but -- one tutorial I read migrated his session to the PID of the AV program. Wouldn't there be some advantage to that? Like, that the AV wouldn't monitor its own process or something? It seems like there would be, but I've only read one tutorial that has done this and I feel like if there was a real advantage, everyone would recommend it.

I know that you should probably try and kill the AV, but my experience with things like AVG is that as soon as you disable them, you get a dozen obnoxious pop-up messages warning you that your computer is insecure. It almost seems like disabling the AV will call more attention to you than otherwise.

FWIW, what I'd like to try is a client-side attack, outside my LAN (eventually), and I'd like to try the new OLE (MS14-060) exploit. The SAMBA setup has already thrown a few hurdles my way, though. Ha.

The ultimate goal would really just to be to download a file off a remote computer -- pretty simple. No pivoting or anything like that.

1 Response

You can actually script meterpreter to auto-migrate.

Look for the migrate.rb script, and to automize the action, there's the AutoRunScript option, that activates as soon as the target is exploited.

A syntax semple would be:
msf> set AutoRunScript run migrate.rbPATH

Developers and hackers are so lazy...

Share Your Thoughts

  • Hot
  • Active