Metasploit mailing list archives
Encrypt meterpreter/reverse_tcp connection
From: hdm at metasploit.com (H D Moore)
Date: Thu, 22 Jan 2009 14:12:24 -0600
On Thu, 2009-01-22 at 11:52 -0600, Nelson wrote:
Is there a way to encrypt the connection made between a meterpreter/reverse_tcp payload and the reverse_tcp handler? None of the set values make it obvious and I need to bypass an IPS.
Not currently, there are a couple different areas that would need encryption:

1. The initial payload sent across the wire. This is usually encoded using shikata, so it's not too bad right now.

2. The stager itself, upon receiving the connection, will send the middle stager, followed by the actual stage. Neither of these are currently encoded. Skape wrote a patch for this a while back, but it ended up triggering some reliability problems and was reverted. We still plan on doing this, but need to spend some time to figure out the issues we ran into previously.

3. The dll injection payload stage. This is a gigantic block of code (over 2k) and is basically static data. This could be encoded on the fly as well. Alternatively, the reflective dll injection could be used instead, which places the injection stub in front of the actual binary.

4. The actual meterpreter service binary. This could probably be decoded on the fly using a standard encoder, but I imagine we will hit a snag or two and have to debug it a bit.

5. Once the meterpreter service initializes, it needs to be enhanced to support "real" encryption (the old service had an XOR option, but it wasn't really used much). This requires writing a full blown TLS/SSL client in C++ for the server side (or some kind of block-based crypto + padding, but that would be a little bit worse). Writing a TLS/SSL client using CryptoAPI is a pain in the ass and we would love some help on this if anyone is interested. The server side would be ruby and is cake to implement.

-HD
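The following is an added example written for this archive page; it is not Metasploit code and not something HD or Nelson posted. It models the exchange HD describes in item 2 (the handler sends the stage as soon as the stager connects) and the direction he proposes in item 5 (a TLS-wrapped connection, with the Ruby side being the easy half). A loopback relay stands in for the IPS and records every byte it forwards, so the same exchange can be run once in the clear and once over TLS and the two captures compared. Assumptions, none of which come from the thread: the stage is a constructed placeholder string rather than a real DLL blob; the framing is a 4-byte little-endian length followed by the stage body; the handler certificate is self-signed with a hypothetical CN, and the "stager" side pins its SHA-256 fingerprint instead of trusting a CA, since a stager has no reason to trust any public PKI.

```ruby
require 'socket'
require 'openssl'

# Constructed stand-in for a Meterpreter stage. The real stage is a large native
# code blob; a recognisable string is enough to show what a sensor on the path sees.
SAMPLE_STAGE = ("\x90".b * 8) + "METERPRETER-STAGE-PLACEHOLDER".b

# Assumed framing: the handler sends a 4-byte little-endian length, then the
# stage body, and the stager reads exactly that many bytes before jumping to it.
def send_stage(io, stage)
  io.write([stage.bytesize].pack('V') + stage)
end

def recv_stage(io)
  io.read(io.read(4).unpack1('V'))
end

# Self-signed handler certificate generated fresh per run (hypothetical CN).
def self_signed_cert
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=handler.example')
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Loopback TCP relay that records every byte it forwards in either direction,
# standing in for the IPS sensor between the stager and the handler.
class WireTap
  attr_reader :port, :bytes

  def initialize(handler_port)
    @bytes = String.new(encoding: Encoding::BINARY)
    @server = TCPServer.new('127.0.0.1', 0)
    @port = @server.addr[1]
    @thread = Thread.new do
      stager = @server.accept
      handler = TCPSocket.new('127.0.0.1', handler_port)
      [[stager, handler], [handler, stager]].map { |src, dst| pump(src, dst) }.each(&:join)
      [stager, handler, @server].each { |s| s.close rescue nil }
    end
  end

  def join
    @thread.join
  end

  private

  # Copy src -> dst, appending to the capture; propagate EOF as a half-close.
  def pump(src, dst)
    Thread.new do
      begin
        loop do
          chunk = src.readpartial(4096)
          @bytes << chunk
          dst.write(chunk)
        end
      rescue EOFError, IOError, SystemCallError
        # peer finished or reset; fall through to the half-close below
      ensure
        dst.close_write rescue nil
      end
    end
  end
end

# One handler/stager exchange through the tap. With tls: true the handler wraps
# the accepted socket in TLS and the stager pins the handler certificate's
# SHA-256 fingerprint rather than verifying a chain. Returns [stage_received, wire_bytes].
def run_exchange(stage, tls: false)
  handler_srv = TCPServer.new('127.0.0.1', 0)
  tap = WireTap.new(handler_srv.addr[1])
  cert, key = self_signed_cert if tls
  pin = OpenSSL::Digest::SHA256.hexdigest(cert.to_der) if tls

  handler = Thread.new do
    sock = handler_srv.accept
    if tls
      ctx = OpenSSL::SSL::SSLContext.new
      ctx.cert = cert
      ctx.key = key
      sock = OpenSSL::SSL::SSLSocket.new(sock, ctx)
      sock.sync_close = true
      sock.accept
    end
    send_stage(sock, stage)   # send the stage immediately on connect, as reverse_tcp does
    sock.close
    handler_srv.close
  end

  sock = TCPSocket.new('127.0.0.1', tap.port)   # the "stager" connects through the tap
  if tls
    ctx = OpenSSL::SSL::SSLContext.new
    ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE  # no chain check; the pin below is the trust decision
    sock = OpenSSL::SSL::SSLSocket.new(sock, ctx)
    sock.sync_close = true
    sock.connect
    seen = OpenSSL::Digest::SHA256.hexdigest(sock.peer_cert.to_der)
    raise "handler certificate fingerprint #{seen} does not match pin" unless seen == pin
  end
  received = recv_stage(sock)
  sock.close
  handler.join
  tap.join
  [received, tap.bytes]
end

if $PROGRAM_NAME == __FILE__
  [false, true].each do |tls|
    received, wire = run_exchange(SAMPLE_STAGE, tls: tls)
    puts "tls=#{tls}: stage delivered=#{received == SAMPLE_STAGE}, " \
         "stage visible on wire=#{wire.include?(SAMPLE_STAGE)}, wire bytes=#{wire.bytesize}"
  end
end
```

In the clear, the capture is exactly the length prefix plus the stage, which is what a signature-based sensor matches on; over TLS the capture starts with a handshake record and the stage never appears in it. The pin check runs before the first application byte is read, so a handler impersonated on the way in gets nothing but a rejected handshake. This covers the server side HD calls "cake"; the hard half he describes, a CryptoAPI-based TLS client inside the native meterpreter service, is not shown here.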
Current thread:
- Encrypt meterpreter/reverse_tcp connection Nelson (Jan 22)
- Encrypt meterpreter/reverse_tcp connection Rob Fuller (Jan 22)
- Encrypt meterpreter/reverse_tcp connection natron (Jan 22)
- Encrypt meterpreter/reverse_tcp connection H D Moore (Jan 22)
- Encrypt meterpreter/reverse_tcp connection Rob Fuller (Jan 22)