Re: New Meterpreter HTTP/HTTPS Communication

[HD Moore <hdm () metasploit com>]

On 6/29/2011 10:41 AM, Matthew Presson wrote:
> I just finished reading the recent post discussing the new reverse_http
> and reverse_https stagers, but after reading it a couple of questions
> popped into my head.  
>
> HD mentions that:
>
>          These payloads use the WinInet API and will leverage any proxy
>         or authentication settings the user has configured for internet
>         access.
>
>
> What if the compromised machine is joined to a domain, and the proxy
> servers are configured to use NTLM or Kerberos to authenticate the
> client?  From my understanding, in these situations the user doesn't
> actually configure a credential set to use to authenticate to the proxy.
>  The authentication happens behind the scenes.
>
> So, in this scenario would it still be possible to use this payload to
> connect back through a proxy to the attacker's machine?  And, if I the
> proxy does use NTLM or Kerberos, wouldn't it also be prudent to harvest
> any tokens used during the authentication process to potentially
> penetrate further into the network?  If possible, it would be a really
> nice feature to just return those tokens automatically and store them as
> loot.

Systems that use transparent credential passing to the proxy will pass
this on to the Meterpreter payload going through these two new stagers.

Keep in mind that the initial stager has to be *small* in order for it
to be any use with most exploits. The reverse_https stager is only about
350 bytes before you add the callback URL.

Once you have the full Meterpreter payload loaded, you can use things
like hashdump/cachedump or even upload your own tools to suck out the
cached passwords. Since you typically have the token of the user running
the payload already, this tends to be overkill.

-HD
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework