mailing list archives
New Meterpreter HTTP/HTTPS Communication
From: Matthew Presson <matthew.presson () gmail com>
Date: Wed, 29 Jun 2011 10:41:06 -0500
I just finished reading the recent post discussing the new reverse_http and
reverse_https stagers, but after reading it a couple of questions popped
into my head.
HD mentions that:
These payloads use the WinInet API and will leverage any proxy or
authentication settings the user has configured for internet access.
What if the compromised machine is joined to a domain, and the proxy servers
are configured to use NTLM or Kerberos to authenticate the client? From my
understanding, in these situations the user doesn't actually configure a
credential set to use to authenticate to the proxy. The authentication
happens behind the scenes.
So, in this scenario would it still be possible to use this payload to
connect back through a proxy to the attacker's machine? And, if I the proxy
does use NTLM or Kerberos, wouldn't it also be prudent to harvest any tokens
used during the authentication process to potentially penetrate further into
the network? If possible, it would be a really nice feature to just return
those tokens automatically and store them as loot.
- New Meterpreter HTTP/HTTPS Communication Matthew Presson (Jun 29)