Forum Thread: Weird IP Question

Hello again Null-Byte,

Just a short question that perhaps you guys know the answer to. I have exploited a machine that for some reason never allows a connection unless I run TeamViewer on it at the same time; I can't even run a port scan, but I can ping it. I believe it has something to do with the router at that location, since the computer was moved and then it started working, but now it's back at the original location. But I digress. My question is: last time I tried connecting to it and ran the listener, it did what it usually does, nothing at all. But then it tried sending a stage to an unknown IP address, 104.209.160.170, which makes me really curious, because when I checked the IP's location it was in the US.

Anyone know why Metasploit tried sending a stage to a completely unknown IP address that I haven't even exploited?

Thanks in advance,
Ulf.

7 Responses

Is this computer behind a different router? You may just be scanning the router.
Is this accurate?
Your computer -> router -> victim's router -> victim's computer

Yeah, it's behind another router. You think that's why I can't get any session at all? I wonder why it suddenly works when I open TeamViewer though, it's on completely different ports. Gotta look for the tutorial on getting past routers then.

Yes, that is probably why it doesn't work. The target's router might be blocking your scans and exploits, but when the TeamViewer server is open on the target, a port might also be automatically opened on the target router, thus allowing a connection.

If I could just ask a few things:

  • For the sake of confirming my theory, when you say "open TeamViewer", do you mean opening TeamViewer on you or the server? And is it a client or a server you open of TeamViewer?
  • Are you using a reverse-tcp or bind-tcp payload?
  • And finally, what exploit are you using, and what are your settings in Metasploit? (IP addresses don't matter)

-Phoenix750

Hey Björn, where are you from?

Denmark?

@Phoenix750:

1.) I mean opening a connection from my computer to the target. As soon as I do that, Metasploit sends the stage and I get a session. It persists until either computer restarts, even if I close TeamViewer before that.

2.) I'm using reverse tcp.
3.) I'm using a Veil exe; for persistence I'm using Task Scheduler. So no particular exploit to speak of.

If the target's router is blocking me, is there a technique or a tutorial here that can teach me how to get past it?

@Blackcat:
Just a random name I picked for this account.

Anyone know why Metasploit tried sending a stage to some random IP in the US with Microsoft as the ISP? Kinda worried about that one.

(edited because I asked a stupid question)
But - what ports are you using?

I'm using port 443. I haven't really looked into other ports; a lot of tutorials choose that one, so I've just defaulted to using it as well.
