Metasploit Remotely?

Obviously Metasploit is a powerful tool. However, all Metasploit tutorials that I've seen are based on using Metasploit from within a subnet. I know that nowdays mostly everyone has some sort of router at home, be it wireless or wired, or piggybacked into the modem. From a IPSec standpoint, is it possible to exploit something into a network from outside of the network? I don't have too many nice neighbors or I'd setup a box in their house and try it. Obviously there are going to be some port issues, and logically the router would choose the first candidate. What if I was trying to access a certain computer on that network? I'm just not sure of how I could specify that ex. 192.168.1.105 is the target (from outside of the network), without first being 'apart' of that pertaining network. So if I were trying to prove to a boss that he needed some sort of hardware firewall, how would I show him on the computer that he's sitting at? Sorry to be so broad. Maybe I need to touch up on my theory of WANs.

Haha, I remember when questions like this were commonplace...maybe AO is coming back! :D ;)

I don't think you'll be able to exploit a machine behind a router, unless the router is forwarding traffic for a certain port to that machine... you would first have to have the network machine initiate some sort of communication to an outside machine - then they could communicate back and forth, and an exploit could take place... but, AFAIK, it is impossible for an outside machine to access any machine on the network, unless ports are being forwarded via the router - and then only that machine could be accessed from the outside on those ports...

Of course, there are tools out there to crack router admin passwords - then you could see every machine on the network, and set up port-forwarding to try whatever exploits you want...

I've heard of metasploit, but I haven't fooled around with it... maybe I'll toy with it on my home network - if you're looking to exploit random machines, there are plenty of people out there hooked straight into the modem...

From what the OP wrote, I suggest the OP concentrate on networking fundamentals and put off diving into metasploit just yet.

"WAN Theory"...Really????

For this scenario, you would be better off generating a malicious PDF and having it do a reverse tcp back to you. Wiskic10_4 is right, it would be hard to get to a machine inside of a network if it is behind a router, as the router acts as kind of a firewall, only allowing inbound traffic to specified ports on internal machines. It is greatly simplified if you can become a part of that network, whether through wireless, or plugging into an active ethernet jack.

Quote:

---

Of course, there are tools out there to crack router admin passwords - then you could see every machine on the network, and set up port-forwarding to try whatever exploits you want...

---

Most home routers [linksys, belkin, netgear etc] that I have seen have a default setting that only allows you to access the web interface internally, so you mileage with this one may vary. But if you are able to access the config page, you can search for 'default router passwords', and have a decent chance of getting in.

Here is an admittedly basic demo of Metasploit that I made: http://vimeo.com/10218067

Just wanted to mention that this is not a hacking site.

Thanks for the help wiskic10_4 and westin (thanks for the vid). I guess I have some good exploring to do. I set up a network here at the house (behind your typical dd-wrt-flashed linksys, and I'm working on exploiting it from my network at work. I'll keep you guys posted on what happens, what I have access to, etc. As for ss2chef, way to be an a$$. I posted this under the "newbie" questions purposely, so maybe you should keep your smart comments to the "senior" section before you un-inspire newbies to post on this site.

Quote:

---

Originally Posted by CyberB0b

Just wanted to mention that this is not a hacking site.

---

No, but it is a security site. I routinely exploit systems, pivot through networks, throw garbage at webapps, and run sniffers/arp poisoners... so that I can learn about security.

The important part is that you either own the systems, or have permission to test their security.

I didn't see anything in the original post talking about 1337 h@x0ring someones network. I am a big fan of learning by doing. Knowing what threats are out there so that you can better defend against them. Sure some of the knowledge can be used for malicious purposes, but you can find that information anywhere. I don't want to see every post on AO answered with 'run malware bytes, run combofix,' etc.

Try to exploit your network. If you succeed, improve security and try again. If you fail, try again.

Just my $0.02...

the Security aspect is publicly displayed. There's a hidden area for all the l337 H@x0r discussions. :)

the monthly wargames that Quinn St the new owners have setup are sweeet!


:2pick:

You should be able to use a reverse payload, set LHOST to the IP of your router (external) and forward LPORT to your host. Or just use a bind payload if the target is not firewalled.

I think...

You could always use Meterpreter for key logging purposes; however, I don't think that is what you are looking for.

Quote:

---

Originally Posted by dinowuff

You should be able to use a reverse payload, set LHOST to the IP of your router (external) and forward LPORT to your host. Or just use a bind payload if the target is not firewalled.

I think...

You could always use Meterpreter for key logging purposes; however, I don't think that is what you are looking for.

---

This is exactly right. Although, if your target has a firewall/router, it will limit the exploits you can use for your attack. There would have to be port forwarding set up to allow you to attack specific vulnerabilities. You would most likely have to involve user-interaction. [opening an attachment, plugging in a USB key, visiting a malicious site, etc.]

One other suggestion, is to make use of port 80. Most firewalls don't block outbound port 80, so it will just blend in with other web traffic. If the sysadmin sees port 4444 in the logs, it would probably throw up a red flag.

@ the OP:

Quote:

---

Obviously Metasploit is a powerful tool. However, all Metasploit tutorials that I've seen are based on using Metasploit from within a subnet.

---

Hey fellah! you have to start somewhere, and they (Metasploit) went for the core?:)

Who knows what will happen in the next 12~18 months?

In the meantime, I see my friends have given you some possibly useful
alternatives?:D

Good Luck!

Firewalking is your friend.

So is Hydra, Hping, and IPSorcery :)

Quote:

---

Originally Posted by CyberB0b

Just wanted to mention that this is not a hacking site.

---

the difference between a hacker and a security expert is choice of what to do with the knowledge gained and or how you gain the knowledge in the first place

Quote:

---

Originally Posted by romanticcowboy

the difference between a hacker and a security expert is choice of what to do with the knowledge gained and or how you gain the knowledge in the first place

---

I have to disagree with that.

I use coffee in a way it was not designed. I use it to capture facebook chats. In essence I have hacked coffee.

I use wireshark and nmap to test my firewall rules. Meaning I use these tools as they were designed to be used.

Hacking is more about getting something to perform in a way that it was not designed to do.

of course that is just my opinion.

Quote:

---

Originally Posted by dinowuff

I have to disagree with that.

I use coffee in a way it was not designed. I use it to capture facebook chats. In essence I have hacked coffee.

I use wireshark and nmap to test my firewall rules. Meaning I use these tools as they were designed to be used.

Hacking is more about getting something to perform in a way that it was not designed to do.

of course that is just my opinion.

---

I sort of view hacking like I view martial arts... you can use the skillset for good purposes or evil purposes. Hacking isn't necessarily about breaking into systems, or wreaking havoc... we have other words for that... words like criminal, or malicious...

It is kind of like lockpicking. You don't want a criminal with lockpicking skills coming around your house... but if you lock yourself out, you call a locksmith, because he/she is a reputable person with the same skillset.

Nah, it's like a Butcher Knife; You can slit a throat or build a meal ;)

[kung fu music playing]

"Master - how does one defend against the syn attack"?
"grasshopper - to learn encapsulation, one must first learn ip structure".

[\kung fu music playing]

*Punches through a solid brick Wall* Buahahahaha!

this isn't half bad
http://darknet-consulting.com/

Forgot to add the link to the video

http://darknet-consulting.com/video/vector2/meta101.wmv

OK ARE YOU KIDDING ME! WAS THERE REALLY A NEED FOR THIS???

http://pauldotcom.com/2010/07/metasploit-new-gui.html

Hold on to your hats, boys and girls, I hear the hoards a massing

Hey, why not? I mean really, there ARE still valid uses for it. What if some admin wants to test his network out, but he's a Windows admin and doesn't know what he's doing? This point and click stuff helps them.

These tools are a lot like guns, knives, and scalpels; In the wrong hands you can slit a throat, shoot someone, and stab someone. In the right hands, you can gather food, defend yourself, and perform life saving surgery. A lot of tools can both make or destroy things :)

Gore are you trying to say that Smith & Wesson created the first point and click interface?

I don't know, maybe I'm just having a bad day. I only use Metasploit with Back Track so I guess I would use the thing. I don't know. I am a lazy bastard.

The command line interface has always seemed pretty easy to me. If that is too hard for a person, they probably shouldn't be using metasploit in the first place.

Ahhh come on. It's not like things haven't changed over the years. Remember when grades were :

A
B
C
D
E
F
And then the stupid kids complained and they said "Well, an 89 is kind of like an A, we'll call it an A-..." So they lowered the bar just a little?

And then they did it again because every kid says there is a reason he does bad, or doesn't know anything, and it's not because he's a ****ing idiot, it's because he's a "different learner"!

Well, after a while, I'm sure people with PHDs started wondering "Could they even lower the bar farther than THIS!?" And then we got online Degrees! Ding, winner! No teacher to see if you actually cheated on every test? Awesome!

Lol. This is just an extension. They made a Hacking for Dummies book, and now they made a User Interface for it lol.

Quote:

---

Originally Posted by westin

The command line interface has always seemed pretty easy to me. If that is too hard for a person, they probably shouldn't be using metasploit in the first place.

---

I guess that's what scares me. As GUI's evolve, you won't have to understand command lines, passing parms, or even what you are attacking. Picture this:

Windowed File menu
Start|Configure|View|Help

Under start there is an option to scan all available networks. By default it is a passive scan

Under Configure there is a list of exploits with a option for "All Exploits"

So Skiddie selects "All Exploits" and scans all available networks.

Skiddie knows this is going to take a while because the "POP UP" window told him so and the "Status Bar" is barely moving.

There are many vulnerabilities that simply cannot be patched. While few and far between, to exploit said vulnerability in any useful way, one really needs to understand the vulnerability.

Not any more! Well not yet, but I phear "Not any more"!

Hasn't the metasploit GUI be around for a while?

It seems like there was one at least for Windows in the past. But if I remember correctly, I have read that it was not very good, and that the cli was much easier to navigate.

That's true for most apps. There's only so much you can point on and click on, and when you take into account all those options... Eventually it's going to be a lot faster to type it than try clicking on them all.

Quote:

---

Ahhh come on. It's not like things haven't changed over the years. Remember when grades were :

A
B
C
D
E
F
And then the stupid kids complained and they said "Well, an 89 is kind of like an A, we'll call it an A-..." So they lowered the bar just a little?

---

.............errrrrrrrrrrrr.................NO!

A = 70% +
B = 60~70%
C = 50~60%
D = 45~50%
E = 40~45%
F = <40%

That spread makes the school look good ;)

Also...........just try getting 90% in a language with NO multichoice papers?

Or English Literature & History for that matter?

Here a 70% is a C. The needed credits to graduate are lower in the South (Go figure).

Ah!

A lot depends on the marking standards as well....................?

I have a cousin who is a professor emeritus in physics............. he did his time in ivy leagues like Brown............... he said that his first group as a junior professor complained about their grades...........

He had a look at other groups' submissions and marks, and asked his boss how it would be possible to give more than 100%, as some of his students certainly deserved it, but were not all equal?

//Me..................got 105% in a geology exam at college................ I gave the name in Latin, and described it as a "marine sessile benthos".....Prof. said " give him 2 marks for that" .......out of 1:D

I had well over 200&#37; when I finished up in my 'Advanced Computer Maintenance and Networking' class in HS. Granted, it was one of the only classes I enjoyed. That and AP Language Arts... I don't recall ever getting an 'E' in school... or even seeing that as a possibility. Our grading scale was A B C D F. I think an F was < 60%.

Quote:

---

Originally Posted by gore

That's true for most apps. There's only so much you can point on and click on, and when you take into account all those options... Eventually it's going to be a lot faster to type it than try clicking on them all.

---

True. Metasploit has always had a GUI of sorts, not very useful outside of learning. I may just be paranoid.

I like to use metasploit to show people why it is important to stay on top of patches. It kind of hits it home when they see a new admin user with RDP access on their machine. :D

Quote:

---

Originally Posted by westin

I like to use metasploit to show people why it is important to stay on top of patches. It kind of hits it home when they see a new admin user with RDP access on their machine. :D

---

heh, I can see it now
Unpatched User: "I don't remember adding a user account by the name of 'PATCH YOUR DAMN SYSTEM!'..... Hmmm, very odd."
User PATCH YOUR DAMN SYSTEM! send user an alert that they need to update their computer while banging head on keyboard. =P

Honestly, I've never used metasploit outside my system, and that's just more for personal understanding. Whenever I have to break into a system, it's because the admin was fired, died, what ever and the owners don't know the admin password.

Funny most of the times I got to these places the servers are in a unlocked room.