Meterpreter HTTP Communication

HD Moore edited this page Jun 26, 2015 · 8 revisions

The Meterpreter payload supports a number of transport, including reverse_http and reverse_https. This document describes how these transports work.

The Initial URL

During the generation process for a new reverse_http or reverse_https payload, an initial connect-back URL will be created. This URL will be either "short" or "long" and the 8-bit checksum of this URL will be set to one of the INIT_* constants defined in the UriChecksum mixin. The URL will be generated using the base64url character set. The "short" URL will always be 5 bytes in length while the "long" URL will be between 30 and 128 bytes in length. Which variant is used is determined by the space constraints of the exploit that generates the payload. The "long" URL can also include an embedded Payload UUID.

The Connection URL

The HTTP handler within Metasploit will receive the request for the initial URL, determine which INIT_* checksum it correlates to, extract any embedded Payload UUID, and then respond with either the second stage for staged payloads or a new URL for stageless payloads. The new URL is generated by the handler, will embed any Payload UUID that was included in the original request, and will hash to the value defined by the URI_CHECKSUM_CONN constant. Note that characters other than the base64url character set are ignored during calculation of the checksum.

The connect URL must be unique between sessions in order for the sessions to function properly.

TLS Certificate Pinning

The Meterpreter HTTPS transport supports certificate pinning. This applies to the stageless payloads as well as Meterpreter payloads loaded with the reverse_winhttps stagers. At this time, some of the non-Windows stagers also support certificate pinning, but this is still a work in progress. Certificate pinning is enabled by setting the StagerVerifySSLCert option to true and by extracting a SHA1 hash of the certificate specified in the HandlerSSLCert option. The SHA1 hash of the certificate will be verified during the staging process, and also in the handler, if these options are specified in the listener. This feature requires the pre-generation of a unified SSL/TLS certificate in PEM format, with the private key followed by one or more certificates in the chain. If an incoming session connects through a man-in-the-middle proxy that presents a different certificate, the first connection will connect back, but then immediately terminate. The handler will detect a non-responsive connection and close the session automatically.

The command below generates a custom unified PEM TLS certificate that works with the HandlerSSLCert option:

$ openssl req -new -newkey rsa:4096 -days 365 -nodes -x509 \
    -subj "/C=US/ST=Texas/L=Austin/O=Development/CN=www.example.com" \
    -keyout www.example.com.key \
    -out www.example.com.crt && \
cat www.example.com.key  www.example.com.crt > www.example.com.pem && \
rm -f www.example.com.key  www.example.com.crt

The Application Protocol

Once the Meterpreter connect URL is requested, the actual dispatch loop starts to run. The Meterpreter payload will make repeated requests with a HTTP body consistent of "RECV". Any queued commands will be returned to the payload, which will process them individually, and return the results in a following request. If no commands were returned as a result of a "RECV" request, the payload will double the interval until the next request, with a maximum that is generally about 10 seconds.

Additional details about the configuration of the HTTP transport can be found on the transport control wiki page.

Metasploit Wiki Pages


Clone this wiki locally
You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.
Press h to open a hovercard with more details.