This is part 2 of hunting Red Team C2 Infrastructure. Part 1 covered finding Empire C2 end points. In this post, we will show how to do the same for Meterpreter. There were no immediate crashing bugs found in the Meterpreter HTTP/S handler, but there is still enough information to profile these end points.
Meterpreter is an advanced C2 infrastructure often used as a payload with the popular Metasploit exploit framework. It's cross-platform and highly extensible. In this post, we will focus on finding the reverse HTTP/S handlers for Meterpreter.
Using the HTTP request of GET / HTTP/1.0, the following headers were returned.
HTTP/1.1 200 OK Connection: close Server: Apache Content-Length: 44
The thing that stands out here (similar to Empire) is the general lack of headers that would normally be present in a request. Also, the fact that we used HTTP/1.0 as the protocol, but the reply is still for HTTP/1.1
Meterpreter default page
Hashes of defaul pageMD5: c7b4690c8c46625ef0f328cd7a24a0a3
Finding Meterpreter Listeners with Shodan
Shodan is a search engine for Security Researchers. They routinely scan common ports across the Internet, and make the data publicly available, and easily searchable. APIs are also provided for automating a lot of the tasks required.
Using the common headers, and default web page listed above, we are able to narrow down the list of possible Meterpreter C2 node candidates on the Internet with a simple query.
'Server: Apache' 'It works!' -'Content-Type' 'Length: 44'
You'll notice that the results returned all are HTTP/1.1 with matching profiles that we scoped out above.
Random URLsAnother characteristic that makes Meterpreter listeners easy to identify, is that all requests that aren't to the backend result in the same response. Random URLs will get the same response as grabbing the index. Legitimate servers will typically produce a 404 error.
GET /lkafjdklfjasdklfjalkdjflkajd HTTP/1.0
Changing default values
There's no excuse for leaving your C2 node exposed to the entire Internet. Use whitelisting of IP space in order to keep your tests in scope, and avoid having other people attack your nodes. In order to change the default server and page discussed above, these are all part of the advanced settings.
use exploit/multi/handler set payload windows/meterpreter/reverse_http set LHOST 127.0.0.1 set LPORT 8000 show advanced set MeterpreterServerName nginx set HttpUnknownRequestResponse httml_here
Going beyond Shodan
In case there are any questions about the servers found being Meterpreter listeners, the following is a valid URI that will download Stage1 of the Meterpreter session from any given reverse HTTP/S listener.
GET /huO7Mf9GbAoRFBAVSfkxDwLTm3Wcz8n3kuXycv7k4vWV-_dXg3aY1iQy83Cejls15IeYlhUZ0QMT8S1zHKR33-Ga1rVIiV6QNFjXzTgr4lwNq_YR1tqyIbl9ddVzJ8UeYWJ0MJnThtVJ7d46IZnwHYok-XXZJrhqgUaaJMQtmCGCQWFA9tXMVtZtQEaR9Hse2Muw-P5TX4M7LKtm93LLFCT5i1NshdiwcWOnVJq HTTP/1.0
As we discussed in part 1, we can use Scans.io data in order to get a broader search of HTTPS servers. If you still have a copy of the data, you can run a zgrep search like the following to identify possible C2 nodes from this data.
zgrep 'PGh0bWw+PGJvZHk+PGgxPkl0IHdvcmtzITwvaDE+PC9ib2R5PjwvaHRtbD4=' 20170221-https.gz > /tmp/results.json
This may take several minutes to run, as the datasets are generally several gigabytes in size. The result will be a file containing JSON data for each host that returned the default Meterpreter HTML. You can parse this file and extract each IP address that should be tested.Happy hunting.