This post shows you how to create an executable file that creates a reverse metapreter shell. All tools used in this post are publicly available. Along the way, I'll explain how to bypass the IPS (Intrusion Prevention System) detecting a metered Meterpreter connection, even if it's over HTTPS! Note that this post is not about building an executable from scratch, but about using tools that are already available in conjunction with each other.
I have recently been involved in two Red Team assessment projects. The scenarios were as follows:
- In one scenario, I had administrative privileges on a public server through the SQLMap OS shell. In this case I wanted a stable shell with more privileges.
- In another scenario, I had a client's laptop. I was connected to an internal network and the system was part of a domain.
In both cases I wanted to set up a meterpreter reverse shell on my server in AWS (Amazon Web Services) and then use the privileges to make further attacks. This technique was successful in both cases with minor changes like outgoing port etc.
After doing some research on AV bypass, I came across some cool techniques and tools that I'll describe in detail. To simulate similar scenarios I faced, I set up a simulated infrastructure using virtual machines and AWS. The structure was as follows:
- Windows 7 Professional 64-bit (installed on a VM on the local machine)
- Symantec Endpoint Protection 14.0 - with updated signatures (installed on Win7)
- Wait for Linux by AWS-u
- Ubuntu on AWS
Part 1: Blocking and Bypassing SSL
A quick look at Metasploit's reverse HTTPS payload and detection by AVs
I successfully generated an executable that spawned a reverse metapreter shell (reverse_https) on a server on AWS. Everything worked like a charm and it was time to test on a system with the antivirus running.
I ran the executable on a VM with Symantec Endpoint Protection enabled. The executable has started, but the session cannot be established because the connection was intercepted by the AV IPS module. with a message that the Meterpreter connection has been detected and blocked. oh oh! How can an IPS detect an encrypted connection? So let's see what happened.
To get around outbound traffic restrictions, attackers usually use the port most likely to be allowed when creating a reverse shell, e.g. 80, 53, 443, etc. By using these ports, filtering rules on devices such as firewalls However, smarter data inspection devices like IPS can read the data transfer as a first stager and run active checks to block the connection and alert the administrator.
Oddly enough, in 2011 Metasploit added support for reverse HTTPS connections, allowing the use of encrypted channels with real SSL sessions. Therefore, the connection cannot be authenticated without an SSL proxy. In my case, the Symantec AV IPS module recognized the Reverse Meterpreter payload (windows/meterpreter/reverse_https) even though I used it.
After further research, I found the author's postErik. An interesting fact that I noticed is that during SSL communication, some data, especially the SSL certificate, is transmitted freely. Therefore, AV scans certain certificate attributes to check for malicious activity. Therefore, even when SSL reverse shell is used, AV identifies the certificate; that it's from Metasploit and blocks the reverse link by marking it as a Meterpreter payload.
Metasploit's reverse HTTPS certificate authentication by AV
To test AV blocking, I set up a listener in Metasploit. The selected payload was "windows/reverse/meterpreter/https" and the port was 443. Note that no payload was created; Only the listener is set up as shown below:
Once the listener was ready, I started Wireshark and opened the reverse handler URL. The following snapshot shows the plain text data during the first SSL handshake. The server sent a clear-text certificate in response to the client's "Hello" request, as shown in the following image:
I then opened the reverse handler URL in different browsers and captured the traffic using Wireshark. I analyzed the Wireshark capture using NetworkMiner, a network forensic analysis tool.
Three different certificates were awarded. The details of the two certificates are shown in the following screenshots:
As shown, the certificates have different random dates. Data such as CN is invalid and arbitrary. Even the validity is arbitrary and not the same in both certificates.
Signature-based IPS analytics at work
Now that we have the certificates, let's test them with Symantec Endpoint Protection.
I just copied the URL from the reverse handler and opened it in the browser. Symantec IPS immediately blocks the URL; Detect the connection as an HTTPS reverse meta-preter.
The following screenshot shows the alert generated by Symantec:
The signature data confirms that reverse HTTPS meter activity has been detected and blocked.
Conclusion on AV detection
The initial SSL connection is clean, shares certificate data, and IPS also recognizes a plain SSL connection with an HTTPS handler with no payload. It is inferred that AV's IPS engine scans the certificate during the first SSL handshake and then checks the X.509 certificate for certain attributes. Attributes can contain information about the publisher, domain name, etc.
SSL Impersonation - Bypass SSL detection
After learning the reason why the reverse HTTPS meterpreter payload was blocked, I wanted to find a way to use a custom certificate instead of the default metasploit certificate. You can generate your own self-signed certificate or use Metasploit's SSL impersonation module.
The module (auxiliary/gather/impersonate_ssl) creates a self-signed certificate with the details of the external certificate; Make the confirmation look real. A similar technique is used in Paranoid Meterpreter, which is used to secure a multi-layered connection by verifying SHA1 hash certificates on both ends so no one can hack a hacker 🙂
Let's generate a certificate using the SSL impersonation module:
Now we need to set up our handler to use the newly generated certificate using the optionhandlerslcertIstagerverifysslcert.
Once the handler is started and accessed from a browser over HTTPS, Symantec does not recognize the content. Mission accomplished!
Part 2: Generate payload
After finding a way to secure my multi-layer connection and evade IPS detection, I proceeded to build the payload.
To generate the payload I followed the following steps:
- Use Metasploit to generate a reverse HTTPS payload from Meterpreter configured with a fake SSL certificate.
- UseDon't Kill My Cat (DKMC)This generates masked shell code and embeds it into multilingual images.
- Generate a PowerShell command using DKMC that downloads the content with the embedded shellcode and then executes the shellcode.
- Create an HTA file by embedding the PowerShell code generated above.
Generate shell code with Metasploit
First I generated the payload using Metasploit. You should pay attention to thiscertificate handlerIstagerverifycertit is set. To get around the output port filtering, I checked the output port access by running an output port scan (not covered in this post) and found that port 443 was open in one case and port 53 in the other. I used port 443 for this simulation .
Generate a malicious BMP with DKMC
Once this shellcode was generated, I used DKMC to embed the masked shellcode into the BMP image and created a PowerShell command to download and run the shellcode from the BMP file. DKMC has modules as shown in the image below:
Use to mask the raw shell code generated by Metasploitscthe first module. This generates shell code in hex format.
Now copy this shell code and use it to generate a malicious BMP fileGenModular.
OfBMPThe payload is now generated. I hosted BMP on an Ubuntu server in AWS. Now I had to download the image to the victim server and then run the embedded shell code. I used DKMC's PowerShell module for thisPSModule for generating PowerShell commands.
This generates a PowerShell command with the hidden flag and encrypted content.
The next part is to deliver that cargo. Delivery can be done in different ways:
- If you have access to the victim system and want a more privileged Meterpreter shell, you can simply run a command in a Windows shell to get a reverse shell on your C&C.
- The payload can be saved in a .ps1 (PowerShell script) and run from there.
- The link can be embedded in another executable file, e.gHTA;and then spread via phishing, USB decoys, etc.
Since I had access to the systems in both cases, I ran the command directly in the Windows shell to get the reverse shell on Kali in AWS.
However, to create an ideal executable that can be pushed into a victim's system to create a shell, let's take a look at a third case - creating an HTA.
Embed the PowerShell code in the encrypted HTA
I useto discover, which creates an HTML file with an encrypted HTA file. When a user views an HTML file on the Internet, the HTA file is dynamically decoded in the browser. The goal is to bypass the contents of the file preview. However, in this case our payload can already bypass the AV. So we just use this as a medium to send and run our PowerShell command.
The following command generates a file namedHorizont.htmlthat encryptedhorizon.htawhich in turn has a built-in PowerShell payload.
the last action
I hosted the HTML file on a web server in AWS and accessed the file from a Windows 7 machine running Symantec AV. Opening an HTML page downloads an HTA file.
I then set up a listener on AWS. Here we need to configure the handler to use the previously generated self-signed SSL certificate.
After the HTA file is executed, a reverse metapreter shell is created over HTTPS. Note that the SHA1 hash of the signature is verified on the listener before the connection is established.
The following screenshot shows the status of the reverse connection in Symantec's Network Activity Monitor console; This shows a reverse shell created in a PowerShell process on my Kali on AWS. Impressive!
Conclusion - basic process
In short, the basic process is as follows:
Step 1: Emulate an SSL certificate
step 2: Create shell code configured with an impersonated SSL certificate
step 3: Embed the masked shellcode in the BMP image
Step 4:Set up a listener configured with an impersonated SSL certificate to bypass multi-layer connection detection by IPS.
step 5: Generate a PowerShell command to download and run the payload.
step 6: generate an HTA file embedded in the PowerShell code.
At the time of writing, the executable has been tested on Symantec, Kaspersky, AVG, and Windows Defender and the executable and link have not been detected.
Mohit Suyal
Mohit Suyal works as a cybersecurity consultant at Network Intelligence. Leads and directs projects related to Red Team, Social Engineering, Infrastructure and Application Assessment.
Connected
2
FAQs
Is meterpreter a reverse shell? ›
Meterpreter uses a reverse_tcp shell, which means it connects to a listener on the attacker's machine. There are two popular types of shells: bind and reverse. A bind shell opens up a new service on the target machine, and requires the attacker to connect to it in order to start a session.
What is Meterpreter and how is malware sent to the victim using Meterpreter? ›What is Meterpreter? Meterpreter is a malicious trojan-type program that allows cyber criminals to remotely control infected computers. This malware runs in computer memory without writing anything to disk. Therefore, it injects itself into compromised processes and does not create any new processes.
Can Meterpreter be detected? ›Meterpreter is a Metasploit payload for remote execution that leverages DLL injection to make it extremely difficult to detect. Since the software runs in memory, no new processes are created upon injection.
Do hackers use reverse shells? ›Hackers execute reverse shell attacks using Python, Java, or Node. js to create a connection from the attacker's computer back to their victim's computer.