Metasploit mailing list archives

Encrypt meterpreter/reverse_tcp connection


From: hdm at metasploit.com (H D Moore)
Date: Thu, 22 Jan 2009 14:12:24 -0600

On Thu, 2009-01-22 at 11:52 -0600, Nelson wrote:
> Is there a way to encrypt the connection made between a
> meterpreter/reverse_tcp payload and the reverse_tcp handler?  None of
> the set values make it obvious and I need to bypass an IPS.

Not currently; there are a couple of different areas that would need
encryption:

1. The initial payload sent across the wire. This is usually encoded
using shikata, so it's not too bad right now.

2. The stager itself, upon receiving the connection, will send the
middle stager, followed by the actual stage. Neither of these is
currently encoded. Skape wrote a patch for this a while back, but it
ended up triggering some reliability problems and was reverted. We still
plan on doing this, but need to spend some time to figure out the issues
we ran into previously.

3. The dll injection payload stage. This is a gigantic block of code
(over 2k) and is basically static data. This could be encoded on the fly
as well. Alternatively, the reflective dll injection could be used
instead, which places the injection stub in front of the actual binary.

4. The actual meterpreter service binary. This could probably be decoded
on the fly using a standard encoder, but I imagine we will hit a snag or
two and have to debug it a bit.

5. Once the meterpreter service initializes, it needs to be enhanced to
support "real" encryption (the old service had an XOR option, but it
wasn't really used much). This requires writing a full-blown TLS/SSL
client in C++ for the server side (or some kind of block-based crypto +
padding, but that would be a little bit worse). Writing a TLS/SSL client
using CryptoAPI is a pain in the ass and we would love some help on this
if anyone is interested. The server side would be ruby and is cake to
implement.

-HD
