
I am busy with security testing on a client's network and was asked to show how "easy" AV evasion is. I created a nice PowerShell reverse HTTPS file through veil-evasion, which is not detected by the Symantec virus scanner (testing with Norton Deluxe).

So that was easy enough, but when I run it the IPS part of the virus scanner (I tested it, it is purely the IPS) still detects Meterpreter network traffic. As far as I can see with Wireshark the connection gets to the "Hello, Certificate, Server Hello Done" message and is killed then and there.

My question is how does the IPS detect this? What in the meterpreter message is triggering this IPS? And then, what to use to circumvent this still using meterpreter (and not have to write my own backdoor)?

Anders
Wealot
  • I don't know either how the IPS detects it, but try the reverse_tcp_rc4 payload – Volker Jan 09 '17 at 10:04
  • Late comment, but wanted to test a bit more before commenting. I still don't know why rev_https is caught, but I see that rev_rc4 (meterpreter) is not caught. So there must be a difference. Meanwhile I have tried PowershellEmpire and that works wonders/ no AV detection/ no IPS detection. Lovely :D. Does anyone know of a tool like veil-evasion that takes premade payloads? – Wealot Jan 09 '17 at 12:02
  • Sorry for the obvious question but do the certificates generated for the reverse HTTPS include any common strings "Generated by metasploit" etc...? – Rob C Jan 09 '17 at 14:06
  • Actually that is a good question, when I have time I am going to look into the certificate, maybe I can find something. Otherwise I guess I'll have to leave it be :D – Wealot Jan 10 '17 at 07:33
  • I have encountered this problem before and I was able to bypass the IPS by using a trusted certificate from Let's Encrypt. You should get a trusted certificate, configure it in the handler and then check. – void_in Jan 10 '17 at 14:07

2 Answers


By default, Metasploit generates self-signed certificates with a random 4-character CN. Some aspect of that cert is most likely what the IPS is triggering on.

You can override this by providing a certificate in PEM format in the advanced option HandlerSSLCert.

egypt

I think we cannot know exactly how the IPS detects it. It could be something like a signature/rule that differs between IPS vendors. By the way, there are many artifacts which can be used to identify reverse HTTPS; for example, this old article on NETRESEC's blog talks about the characteristics of the X.509 certificates used in Metasploit's reverse HTTPS.

Update 1: Some IPSes are able to analyze the protocol carried inside SSL/TLS by acting as an intermediary between you and your destination, but you must accept their certificate.

Update 2: This is, for example, Snort rule 34864 by Didier Stevens, used for detecting Metasploit Meterpreter reverse HTTPS by the content of its certificate. I suggest you download the community.rules file and search for Metasploit Meterpreter reverse HTTPS certificate in it.

Pandora
  • Thanks for the reply. Going to read that article and will try to find out if there is anything in there. But I'll have to do that outside of company time... So will be a bit before I'll reply and put an answer as "the answer" :D – Wealot Jan 10 '17 at 07:34
  • Ok, looked at it some more, can only see that the certificate is always 10 years from 2014 to 2024 (different days and months). Also the notBefore is always 3 days after the notAfter (so notBefore 14-08-24 and notAfter 24-08-21). For the rest everything seems to be random, but I cannot actually get the certificate out (for some reason it won't work like normally...). So still no idea :D and it might be a bit too much to really figure out as I am no expert. So this answer will have to do! (until a better one comes along :D) – Wealot Jan 10 '17 at 12:10
  • Just added an example of the Snort rule used for detecting reverse HTTPS in my latest update. Sometimes, a detected pattern can be unreadable data but it always appears. – Pandora Jan 10 '17 at 13:45
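A defender-side triage check built from the certificate indicators this thread mentions (egypt's note about the self-signed random 4-character CN, and the roughly 10-year validity observed in the comments above). This is an added example, not code from the page, from Snort or from Metasploit; it assumes certificate data in the dict layout Python's ssl.getpeercert() returns, and both sample certificates are constructed.

```python
import re
import ssl

# Indicators taken from this thread: the default handler certificate is
# self-signed, carries a random 4-character CN and is valid for about 10 years.
TEN_YEARS = 3650 * 86400
SLACK = 14 * 86400  # allow a couple of weeks either side of the 10-year mark

def _name_attr(name, attr):
    """Pull one attribute (e.g. 'commonName') out of a getpeercert()-style name."""
    for rdn in name:
        for key, value in rdn:
            if key == attr:
                return value
    return None

def metasploit_like_cert(cert):
    """List the indicators `cert` (getpeercert()-style dict) matches; [] = nothing odd."""
    reasons = []
    subject, issuer = cert.get("subject", ()), cert.get("issuer", ())
    if subject and subject == issuer:
        reasons.append("self-signed (issuer == subject)")
    cn = _name_attr(subject, "commonName")
    if cn is not None and re.fullmatch(r"[A-Za-z0-9]{4}", cn):
        reasons.append("4-character CN")
    try:
        lifetime = (ssl.cert_time_to_seconds(cert["notAfter"])
                    - ssl.cert_time_to_seconds(cert["notBefore"]))
    except (KeyError, ValueError):
        lifetime = None  # missing or unparsable dates: skip this indicator
    if lifetime is not None and abs(lifetime - TEN_YEARS) <= SLACK:
        reasons.append("about 10 years of validity")
    return reasons

# Constructed sample shaped like the cert in the comments: random CN, self-signed, 10 years.
HANDLER_CERT = {
    "subject": ((("commonName", "qzXw"),),),
    "issuer": ((("commonName", "qzXw"),),),
    "notBefore": "Aug 24 00:00:00 2014 GMT",
    "notAfter": "Aug 21 00:00:00 2024 GMT",
}

# Constructed sample of an ordinary CA-issued, 90-day certificate for contrast.
NORMAL_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Example CA"),), (("commonName", "Example Issuing CA"),)),
    "notBefore": "Jan 10 00:00:00 2017 GMT",
    "notAfter": "Apr 10 00:00:00 2017 GMT",
}
```

A non-empty result is a triage signal rather than proof: plenty of lab and appliance certificates are self-signed with long lifetimes, so confirm against the traffic itself before acting on it.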