Tuesday, April 11, 2017

Hunting Red Team Meterpreter C2 Infrastructure

Introduction

This is part 2 of hunting Red Team C2 infrastructure. Part 1 covered finding Empire C2 endpoints; this post does the same for Meterpreter. No immediate crashing bugs were found in the Meterpreter HTTP/S handler, but it still leaks enough information to profile these endpoints.

Meterpreter

Meterpreter is an advanced, in-memory C2 agent most often delivered as a payload by the popular Metasploit exploitation framework. It's cross-platform and highly extensible. In this post, we focus on finding its reverse HTTP/S handlers (the multi/handler listeners that stage and serve Meterpreter sessions).

Meterpreter Headers

Sending the bare request GET / HTTP/1.0 (request line only, no Host or other headers) returned the following response headers.

HTTP/1.1 200 OK
Connection: close
Server: Apache
Content-Length: 44

What stands out here (as with Empire) is the general lack of headers that would normally be present in a response: no Date, no Content-Type, no caching headers. Also, the request was made with HTTP/1.0, yet the reply is labelled HTTP/1.1. A real Apache or nginx also answers a 1.0 request with an HTTP/1.1 status line, so that trait alone proves little; it is the combination with the missing headers and the fixed 44-byte body that makes the profile.

Meterpreter default page

<html><body><h1>It works!</h1></body></html>

Hashes of the default page (the 44-byte body above)

MD5: c7b4690c8c46625ef0f328cd7a24a0a3
SHA1: 12179caec26a089cabcbb75c4dbe0bdfe60951f7
SHA-256: 8f3ff2e2482468f3b9315a433b383f0cc0f9eb525889a34d4703b7681330a3fb

Finding Meterpreter Listeners with Shodan

Shodan is a search engine for security researchers. It routinely scans common ports across the Internet and makes the data publicly available and easily searchable. An API is also provided for automating much of the work.

Using the headers and default page listed above, a simple Shodan query narrows the list of possible Meterpreter C2 candidates on the Internet:

'Server: Apache' 'It works!' -'Content-Type' 'Length: 44'

You'll notice that all of the returned results are HTTP/1.1 responses matching the profile scoped out above. Keep in mind that Shodan's data is a snapshot: a handler that was up when Shodan scanned it may be gone by the time you look, so verify candidates yourself before acting on them.

Random URLs

Another characteristic that makes Meterpreter listeners easy to identify is that every request that doesn't match a valid stager or session URI gets the same response: a random URL returns exactly the same page as the index. A legitimate server would typically return a 404 for a nonexistent path.
GET /lkafjdklfjasdklfjalkdjflkajd HTTP/1.0
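The header profile and the random-URL check above, combined into one small probe. This is an added example written for this page, not the post's own tooling: it sends the same bare HTTP/1.0 request the post used, once for "/" and once for a random path, and scores the replies against the traits listed above. A raw socket is used on purpose, because an HTTP client library would add a Host header and speak HTTP/1.1, hiding exactly the traits we want to see. The function names (probe, assess, random_path) are my own, and SAMPLE_REPLY is the response shown in the post, reconstructed here as offline sample input.

```python
"""Probe a suspected Meterpreter reverse_http(s) listener.

Added example written for this page; it is not the post's own tooling.
It sends the same bare HTTP/1.0 request the post used, once for "/" and
once for a random path, and scores the replies against the traits above.
Function names (probe, assess, random_path) are my own; SAMPLE_REPLY is
the response shown in the post, reconstructed here as sample input.
"""
import secrets
import socket
import ssl
import string

DEFAULT_PAGE = b"<html><body><h1>It works!</h1></body></html>"  # 44 bytes
SAMPLE_REPLY = (b"HTTP/1.1 200 OK\r\nConnection: close\r\nServer: Apache\r\n"
                b"Content-Length: 44\r\n\r\n" + DEFAULT_PAGE)
ALNUM = string.ascii_letters + string.digits


def build_request(path: str) -> bytes:
    """Request line only: no Host, User-Agent or Accept, exactly as in the post."""
    return f"GET {path} HTTP/1.0\r\n\r\n".encode("ascii")


def parse_response(raw: bytes) -> dict:
    """Split a raw HTTP reply into version, status, lower-cased headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    version, _, status = lines[0].partition(" ")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"version": version, "status": status.strip(), "headers": headers, "body": body}


def profile_checks(resp: dict) -> dict:
    """Each trait scored separately, so a partially customised handler stays visible."""
    h = resp["headers"]
    return {
        "http11_reply_to_http10": resp["version"] == "HTTP/1.1",
        "status_200": resp["status"].startswith("200"),
        "server_apache": h.get("server") == "Apache",
        "no_content_type": "content-type" not in h,
        "content_length_44": h.get("content-length") == "44",
        "only_three_headers": set(h) == {"connection", "server", "content-length"},
        "default_body": resp["body"] == DEFAULT_PAGE,
    }


def is_meterpreter_like(resp: dict) -> bool:
    return all(profile_checks(resp).values())


def same_reply(a: dict, b: dict) -> bool:
    """True when two different paths received an identical answer."""
    return (a["status"], a["headers"], a["body"]) == (b["status"], b["headers"], b["body"])


def random_path(length: int = 24) -> str:
    return "/" + "".join(secrets.choice(ALNUM) for _ in range(length))


def probe(host: str, port: int, path: str = "/", use_tls: bool = False,
          timeout: float = 5.0) -> dict:
    """One bare request over a raw socket; reads to EOF because the handler closes.

    Certificate checks are off because handlers present self-signed
    certificates; we are fingerprinting the endpoint, not trusting it.
    """
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        sock = ctx.wrap_socket(sock, server_hostname=host)
    chunks = []
    with sock:
        sock.sendall(build_request(path))
        while True:
            data = sock.recv(65536)
            if not data:
                break
            chunks.append(data)
    return parse_response(b"".join(chunks))


def assess(host: str, port: int, use_tls: bool = False) -> dict:
    """Index fetch plus random-path fetch; both traits are needed for a verdict."""
    index = probe(host, port, "/", use_tls)
    junk = probe(host, port, random_path(), use_tls)
    return {
        "profile_match": is_meterpreter_like(index),
        "unknown_path_same_as_index": same_reply(index, junk),
        "checks": profile_checks(index),
    }


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # python probe.py <host> <port>
        print(assess(sys.argv[1], int(sys.argv[2]), use_tls=sys.argv[2] == "443"))
    else:  # offline: score the reply the post captured
        print(profile_checks(parse_response(SAMPLE_REPLY)))
```

Run it as python probe.py <host> <port> against a candidate from the Shodan query above; with no arguments it scores the captured reply offline. Treat profile_match as a lead, not a verdict: the Server header and the body are operator-configurable (see the advanced options further down), and a reverse proxy or CDN in front of a handler will rewrite the headers anyway.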

Changing default values

There's no excuse for leaving your C2 node exposed to the entire Internet. Whitelist the IP space of your engagement (host firewall rules, or a redirector in front of the handler that only forwards in-scope sources) to keep your tests in scope and to keep other people from attacking your nodes. The default Server header and the default unknown-request page discussed above are both advanced options of the handler module, listed by show advanced: MeterpreterServerName sets the Server header, and HttpUnknownRequestResponse sets the body returned for any request that isn't a valid stager or session URI.

use exploit/multi/handler
set payload windows/meterpreter/reverse_http
set LHOST 127.0.0.1
set LPORT 8000
show advanced
set MeterpreterServerName nginx
set HttpUnknownRequestResponse html_here

Going beyond Shodan

If there is any doubt whether a server you found is really a Meterpreter listener, the following is a valid stager URI: a reverse HTTP/S handler answers it by serving stage 1 of the Meterpreter session instead of the default page. The handler does not route stage requests by a fixed path; it recognises them by an 8-bit checksum of the URI, which is why an arbitrary-looking string like this one works. Bear in mind that this check is not passive: the handler sees your connection and hands you the stage.

GET /huO7Mf9GbAoRFBAVSfkxDwLTm3Wcz8n3kuXycv7k4vWV-_dXg3aY1iQy83Cejls15IeYlhUZ0QMT8S1zHKR33-Ga1rVIiV6QNFjXzTgr4lwNq_YR1tqyIbl9ddVzJ8UeYWJ0MJnThtVJ7d46IZnwHYok-XXZJrhqgUaaJMQtmCGCQWFA9tXMVtZtQEaR9Hse2Muw-P5TX4M7LKtm93LLFCT5i1NshdiwcWOnVJq HTTP/1.0
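The arithmetic behind that URI, as an added example that is not code from the post or from Metasploit. The handler keeps only the base64url characters of the request path, sums their byte values modulo 256, and looks the result up in a short table; 92 is the value a Windows/native stager uses for its first stage request. The table (URI_MODES) is my reading of Rex::Payloads::Meterpreter::UriChecksum in the Metasploit source and should be checked against your own tree; PAGE_URI is the URI quoted above, and the 64 KiB floor in looks_like_stage is my threshold, not a Metasploit constant.

```python
"""Stager-URI checksum for Meterpreter reverse_http(s) handlers.

Added example, not code from the post or from Metasploit.  The handler does
not route stage requests by a fixed path; it keeps only the base64url
characters of the request path, sums their byte values modulo 256, and looks
the result up in a short table.  URI_MODES below is my reading of
Rex::Payloads::Meterpreter::UriChecksum in the Metasploit source (assumed;
check it against your own tree).  PAGE_URI is the URI quoted in the post.
"""
import secrets
import string

BASE64URL = string.ascii_letters + string.digits + "-_"

# Recognised checksums (assumed from the Metasploit source, see docstring).
URI_MODES = {
    92: "init_native",  # stage request from a Windows/native stager
    80: "init_python",  # stage request from a Python stager
    88: "init_java",    # stage request from a Java stager
    98: "connect",      # an already-staged session reconnecting
}

# The URI quoted in the post, split across lines for readability only.
PAGE_URI = ("/huO7Mf9GbAoRFBAVSfkxDwLTm3Wcz8n3kuXycv7k4vWV-_dXg3aY1iQy83Cejls15IeYlhUZ"
            "0QMT8S1zHKR33-Ga1rVIiV6QNFjXzTgr4lwNq_YR1tqyIbl9ddVzJ8UeYWJ0MJnThtVJ7d46"
            "IZnwHYok-XXZJrhqgUaaJMQtmCGCQWFA9tXMVtZtQEaR9Hse2Muw-P5TX4M7LKtm93LLFCT5i1NshdiwcWOnVJq")

DEFAULT_PAGE = b"<html><body><h1>It works!</h1></body></html>"


def checksum8(uri: str) -> int:
    """8-bit sum of the base64url characters; '/' and anything else is dropped first."""
    kept = "".join(c for c in uri if c in BASE64URL)
    return sum(kept.encode("ascii")) % 256


def classify(uri: str) -> str:
    """Which handler mode a path would trigger, or 'unknown' (default page)."""
    return URI_MODES.get(checksum8(uri), "unknown")


def make_stage_uri(length: int = 30, target: int = 92) -> str:
    """Fresh random path whose checksum hits `target`: a valid stage-1 request.

    Picks length-1 random characters, solves for the last one, and retries
    when the needed byte is not a base64url character (about 3 in 4 tries).
    """
    while True:
        prefix = "".join(secrets.choice(BASE64URL) for _ in range(length - 1))
        last = chr((target - sum(prefix.encode("ascii"))) % 256)
        if last in BASE64URL:
            return "/" + prefix + last


def looks_like_stage(body: bytes) -> bool:
    """Heuristic verdict on the reply to a checksum-92 request.

    A real handler answers with the stage itself, a binary blob hundreds of
    kilobytes long, rather than the 44-byte unknown-request page.  The 64 KiB
    floor is my threshold, not a Metasploit constant.
    """
    return body != DEFAULT_PAGE and len(body) > 64 * 1024


if __name__ == "__main__":
    print(checksum8(PAGE_URI), classify(PAGE_URI))      # the post's stager URI
    junk = "/lkafjdklfjasdklfjalkdjflkajd"              # the post's random URL
    print(checksum8(junk), classify(junk))
    fresh = make_stage_uri()                            # a stage request of your own
    print(fresh, checksum8(fresh), classify(fresh))
```

Send make_stage_uri() with the same bare GET as before and apply looks_like_stage to the body. Two caveats: the request is not passive, since the handler logs the connection and hands you a stage, and a handler run with the advanced option IgnoreUnknownPayloads may drop requests whose embedded UUID it did not issue, in which case a made-up URI gets the default page even from a real listener.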

As discussed in part 1, the Scans.io data gives a broader view of HTTPS servers. If you still have a copy of the data, a zgrep for the base64 encoding of the default page (PGh0bWw+... decodes to <html><body><h1>It works!</h1></body></html>) will pull out possible C2 nodes:

zgrep 'PGh0bWw+PGJvZHk+PGgxPkl0IHdvcmtzITwvaDE+PC9ib2R5PjwvaHRtbD4=' 20170221-https.gz > /tmp/results.json

This may take several minutes to run, as the datasets are generally several gigabytes in size. The result is a file containing one JSON record for each host that returned the default Meterpreter HTML. Parse that file and extract the IP address of each host, then put those hosts through the header, random-URL and stager-URI checks above.
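The parsing step as an added example, not the post's own script. It streams the gzipped newline-delimited JSON, keeps only lines that carry the default page, and reports each host once. It assumes one JSON object per line with a top-level "ip" field (the zgrab layout); when "ip" is absent it falls back to the first IPv4 literal in the record. It also looks for the page in its escaped form, because Go's encoding/json writes < and > as \u003c and \u003e, which the base64 grep above would not match if a dataset stored bodies verbatim. The sample lines are constructed, using documentation address ranges.

```python
"""Pull candidate IPs out of a scans.io / zgrab HTTPS dump.

Added example, not the post's own script.  Assumptions: one JSON object per
line and a top-level "ip" field (zgrab layout); fallback to the first IPv4
literal in the record.  SAMPLE_LINES are constructed, not real scan data.
"""
import base64
import gzip
import json
import re
from typing import Iterable, Iterator, Optional

DEFAULT_PAGE = "<html><body><h1>It works!</h1></body></html>"

# Three ways the body can appear in a JSON dump: base64 (what the zgrep above
# matches), verbatim, and with '<' and '>' escaped as Go's encoding/json does.
MARKERS = (
    base64.b64encode(DEFAULT_PAGE.encode()).decode(),
    DEFAULT_PAGE,
    DEFAULT_PAGE.replace("<", "\\u003c").replace(">", "\\u003e"),
)
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def extract_ip(record: dict) -> Optional[str]:
    ip = record.get("ip")
    if isinstance(ip, str):
        return ip
    match = IPV4.search(json.dumps(record))  # assumed fallback, not zgrab's schema
    return match.group(0) if match else None


def candidate_ips(lines: Iterable[str]) -> Iterator[str]:
    seen = set()
    for line in lines:
        # Cheap substring test first; json.loads on every line of a multi-GB
        # file is the expensive part.
        if not any(marker in line for marker in MARKERS):
            continue
        try:
            record = json.loads(line)
        except ValueError:
            continue  # truncated or corrupt line, skip it
        ip = extract_ip(record)
        if ip and ip not in seen:
            seen.add(ip)
            yield ip


def scan_file(path: str) -> list:
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rt", encoding="utf-8", errors="replace") as fh:
        return list(candidate_ips(fh))


# Constructed sample records (documentation ranges, not real scan data).
SAMPLE_LINES = [
    json.dumps({"ip": "198.51.100.7", "data": {"http": {"response": {"status_code": 200, "body": MARKERS[0]}}}}),
    '{"ip": "203.0.113.9", "data": {"http": {"response": {"body": "' + MARKERS[2] + '"}}}}',
    json.dumps({"ip": "198.51.100.7", "data": {"http": {"response": {"body": MARKERS[0]}}}}),  # same host again
    json.dumps({"ip": "192.0.2.44", "data": {"http": {"response": {"status_code": 404, "body": "<h1>Not Found</h1>"}}}}),
    '{"ip": "192.0.2.45", "data": {"http": {"response": {"body": "' + MARKERS[0],  # truncated line
]

if __name__ == "__main__":
    import sys
    hits = scan_file(sys.argv[1]) if len(sys.argv) > 1 else candidate_ips(SAMPLE_LINES)
    for ip in hits:
        print(ip)
```

Run it as python extract.py 20170221-https.gz (or on the /tmp/results.json produced by the zgrep) to get one IP per line; with no argument it runs over the constructed samples.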

Happy hunting.
