Metasploit mailing list archives
New Meterpreter HTTP/HTTPS Communication
From: Matthew Presson <matthew.presson () gmail com>
Date: Wed, 29 Jun 2011 10:41:06 -0500
I just finished reading the recent post discussing the new reverse_http and reverse_https stagers, but after reading it a couple of questions popped into my head. HD mentions that:

> These payloads use the WinInet API and will leverage any proxy or authentication settings the user has configured for internet access.

What if the compromised machine is joined to a domain, and the proxy servers are configured to use NTLM or Kerberos to authenticate the client? From my understanding, in these situations the user doesn't actually configure a credential set to use to authenticate to the proxy. The authentication happens behind the scenes. So, in this scenario would it still be possible to use this payload to connect back through a proxy to the attacker's machine? And, if the proxy does use NTLM or Kerberos, wouldn't it also be prudent to harvest any tokens used during the authentication process to potentially penetrate further into the network? If possible, it would be a really nice feature to just return those tokens automatically and store them as loot.

-- Matt