mailing list archives
Re: New Meterpreter HTTP/HTTPS Communication
From: HD Moore <hdm () metasploit com>
Date: Wed, 29 Jun 2011 10:53:24 -0500
On 6/29/2011 10:41 AM, Matthew Presson wrote:
I just finished reading the recent post discussing the new reverse_http
and reverse_https stagers, but after reading it a couple of questions
popped into my head.
HD mentions that:
These payloads use the WinInet API and will leverage any proxy
or authentication settings the user has configured for internet
What if the compromised machine is joined to a domain, and the proxy
servers are configured to use NTLM or Kerberos to authenticate the
client? From my understanding, in these situations the user doesn't
actually configure a credential set to use to authenticate to the proxy.
The authentication happens behind the scenes.
So, in this scenario would it still be possible to use this payload to
connect back through a proxy to the attacker's machine? And, if I the
proxy does use NTLM or Kerberos, wouldn't it also be prudent to harvest
any tokens used during the authentication process to potentially
penetrate further into the network? If possible, it would be a really
nice feature to just return those tokens automatically and store them as
Systems that use transparent credential passing to the proxy will pass
this on to the Meterpreter payload going through these two new stagers.
Keep in mind that the initial stager has to be *small* in order for it
to be any use with most exploits. The reverse_https stager is only about
350 bytes before you add the callback URL.
Once you have the full Meterpreter payload loaded, you can use things
like hashdump/cachedump or even upload your own tools to suck out the
cached passwords. Since you typically have the token of the user running
the payload already, this tends to be overkill.