Retrieving an IP address From a Backdoored Metasploit Binary

edited June 2011 in Tech & Games
If you use Metasploit, I'm sure you know about creating a binary file which contains a payload. If you wanted a shell on the system you're attacking, you'd select a reverse_tcp payload which would send a shell back to your machine through a TCP connection. Obviously if you want this to happen, you stick your IP address into the payload so it knows where to send the shell to.

My question is - if a victim had the backdoored file on their computer, could they somehow pull your IP address out of the payload within the file?

Comments

  • Dfg Admin
    edited June 2011
    Hmm, unless they have a firewall running or know about programming. Basically if this happened to me, I would try to decrypt it using some tools or just let it run and check my local connections and even try using Wireshark and sniff the packets being used.

    I think you should try this:
    Make a VM, Open the payload there and try looking for the IP.
  • edited June 2011
    That's the thing - I want to know if you can extract the IP address without running the file. If there's a payload sitting on someone's computer and they find it, I want to know if they can also find your IP address from it.
  • Onesan Acolyte
    edited June 2011
    Probably. I'll have to try myself, but I can't see why not; it should be a simple matter.

    Edit: downloading HxD and Metasploit into VirtualBox now, I'll let you know what I find.
  • Dfg Admin
    edited June 2011
    trx100 wrote: »
    That's the thing - I want to know if you can extract the IP address without running the file. If there's a payload sitting on someone's computer and they find it, I want to know if they can also find your IP address from it.

    Notepad :D

    Might not work.
  • edited June 2011
    Onesan wrote: »
    Probably. I'll have to try myself, but I can't see why not; it should be a simple matter.

    Edit: downloading HxD and Metasploit into VirtualBox now, I'll let you know what I find.

    This sounds hopeful :) If I could be bothered, I'd be checking for myself. In fact, that might be one thing I do with my day today.
  • edited June 2011
    Pretty sure you can encode the whole thing so that it isn't picked up by AVs. I assume that a really strong level of encryption would make it much harder to pick apart and find an IP address, right?
  • Amie Regular
    edited June 2011
    If they really want to find you they can just let the payload run in a VM and monitor which IP it tries to access, with or without blocking actual internet access.
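The dynamic approach Amie describes, as an added example that is not part of the original thread: run the sample in an isolated VM (a host-only network keeps it from reaching the real internet), capture `netstat -ano`-style output, and pick out the outbound TCP attempts that leave the lab ranges. A connect-back stub that cannot reach its target shows up as repeated `SYN_SENT` rows to the same address and port, so the script also counts repeats per process. The `SAMPLE_NETSTAT` text and the lab network ranges are constructed for this example.

```python
import ipaddress
from collections import Counter

# Constructed sample of "netstat -ano"-style output captured inside an analysis
# VM on a host-only network (192.168.56.0/24). Not real capture data.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.56.101:49152   198.51.100.23:4444     SYN_SENT        1337
  TCP    192.168.56.101:49153   192.168.56.1:445       ESTABLISHED     4
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    192.168.56.101:49154   198.51.100.23:4444     SYN_SENT        1337
  UDP    0.0.0.0:5355           *:*                                    1100
"""

# Ranges that belong to the lab itself (RFC 1918 plus loopback); anything else
# the sample reaches for is a candidate connect-back address. Assumed setup.
LAB_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_netstat(text):
    """Turn netstat -ano style lines into dicts; UDP rows carry no state column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank line, or something we do not model
        if parts[0] == "TCP":
            proto, local, foreign, state, pid = parts[:5]
        else:
            proto, local, foreign, pid = parts[:4]
            state = ""
        rows.append({"proto": proto, "local": local, "foreign": foreign,
                     "state": state, "pid": int(pid)})
    return rows


def split_endpoint(endpoint):
    """'198.51.100.23:4444' -> ('198.51.100.23', 4444); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def outbound_candidates(rows):
    """(foreign ip, port, pid, state) for TCP attempts that leave the lab ranges."""
    out = []
    for r in rows:
        if r["proto"] != "TCP" or r["state"] not in ("SYN_SENT", "ESTABLISHED"):
            continue  # listening sockets and UDP are not connect-back attempts
        host, port = split_endpoint(r["foreign"])
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            continue  # '*' or a hostname we cannot classify
        if any(ip in net for net in LAB_NETS):
            continue  # traffic to the analyst's own lab, e.g. the SMB share
        out.append((str(ip), port, r["pid"], r["state"]))
    return out


def beacon_counts(candidates):
    """Repeated attempts to one (ip, port) from one PID suggest a reconnect loop."""
    return Counter((ip, port, pid) for ip, port, pid, _ in candidates)


if __name__ == "__main__":
    cands = outbound_candidates(parse_netstat(SAMPLE_NETSTAT))
    for (ip, port, pid), n in beacon_counts(cands).items():
        print(f"pid {pid} tried {ip}:{port} {n} time(s)")
```

Because a reverse shell stub reveals its target only when it tries to connect, this works regardless of how the binary was encoded; the trade-off is that the sample has to be executed, which is why it belongs in a throwaway VM with a host-only or blocked network rather than on the affected machine.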
  • edited June 2011
    Yeah, I understand that by monitoring your network activity with something like Wireshark, you can see which connections are being made, which would probably show the IP address as well.

    I think the next thing I need to take a look at is how to hide backdoors well. Of course, you should probably get rid of them after you've used them for whatever evil plans you have up your sleeve :) Anyone have any experience using backdoors?