EDIT 2012-07-01: Please read HD’s comment below. As of the 1st of July 2012 you can set “MeterpreterUserAgent” and “MeterpreterServerName” to do this from the framework itself.
The meterpreter/reverse_http(s) payload’s network communications leave traces of its existence in many places, mainly HTTP proxy logs.
Two of the most obvious and easiest-to-detect signs are the “User-Agent:” header sent by the meterpreter side and the “Server:” header returned by the handler side. By default they are:
– User-Agent: Meterpreter/Windows
– Server: Rex
Changing the “Server: Rex”
This setting is set in the file
Look for the section that says:
    #
    # The default server name that will be returned in the Server attribute of
    # a response.
    #
    DefaultServer = "Rex"
Change it to something less suspicious; I changed mine to “Microsoft-IIS/7.0”.
Restart Metasploit and let’s see what happens.
Aaah, that’s better. We’re done on the server (“handler”) side.
Changing the “User-Agent: Meterpreter/Windows”
Changing that is not as straightforward. The steps are:
- Change the source code of the meterpreter DLL (“the second stage”).
- Compile a new “metsrv.dll”.
- Replace the framework’s “metsrv.dll” with the custom-compiled one.
Get a copy of the source code:
It’s under “/opt/framework/msf3/external/source”.
Open the solution file in Visual Studio and edit server_setup.c:
The solution file is under “meterpreter\workspace\meterpreter.sln”.
Locate the “metsrv” project -> “server_setup.c” -> the “Meterpreter/Windows” header passed to the “InternetOpen” call, and change it to something less suspicious.
I used: “Mozilla/5.0 (Windows NT 6.1; WOW64; rv:11.0) Gecko Firefox/11.0”
Remove problematic projects:
Remove (right click -> Remove) the following projects:
Build the solution and get the modified “metsrv.dll”:
Use the “Release” build configuration, then “Build” -> “Build Solution”.
Voila!! We now have a new metsrv.dll; it will be in the “meterpreter\output” directory.
P.S.: that’s what specifies the User-Agent.
Replace the “metsrv.dll” in the framework directory:
Replace “metsrv.dll” in the following directory with the one we just created.
Pop a box, enjoy your new lower profile 🙂
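From the detection side, the two default values quoted above are exact-match indicators in any proxy log that records request and response headers. The following is an added example, not code from the original post: a small scan over a constructed proxy log that flags the default “Meterpreter/Windows” User-Agent and “Rex” Server header, and shows that both checks go quiet once either value is changed. The log format, the sample lines and the extra Firefox User-Agent heuristic are all assumptions made here.

```python
import re
from typing import Dict, List

# Constructed sample proxy log (not from the original post). Assumed format:
# <epoch> <client> <method> <url> <status> "<Server header>" "<User-Agent>"
# the kind of custom logformat a proxy such as Squid can be configured to emit.
SAMPLE_LOG = """\
1341100000.123 10.0.0.5 GET http://203.0.113.10:8080/ 200 "Rex" "Meterpreter/Windows"
1341100001.456 10.0.0.7 GET http://www.example.com/ 200 "Apache" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:11.0) Gecko/20100101 Firefox/11.0"
1341100002.789 10.0.0.5 POST http://203.0.113.10:8080/update 200 "Rex" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:11.0) Gecko Firefox/11.0"
1341100003.001 10.0.0.9 GET http://intranet.example/ 200 "Microsoft-IIS/7.0" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:11.0) Gecko Firefox/11.0"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3}) '
    r'"(?P<server>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Default header values quoted in the post; both disappear once changed.
DEFAULT_UA = "Meterpreter/Windows"
DEFAULT_SERVER = "Rex"


def classify(entry: Dict[str, str]) -> List[tuple]:
    """Return (rule, confidence) pairs that fire for one parsed log entry."""
    hits = []
    if entry["ua"] == DEFAULT_UA:
        hits.append(("default-meterpreter-user-agent", "high"))
    if entry["server"] == DEFAULT_SERVER:
        hits.append(("default-rex-server-header", "high"))
    # Heuristic beyond the post (assumption): a hand-typed Firefox User-Agent
    # that omits the "Gecko/<build-id>" token a real Firefox sends.
    if "Firefox/" in entry["ua"] and not re.search(r"\bGecko/\d+", entry["ua"]):
        hits.append(("malformed-firefox-user-agent", "low"))
    return hits


def scan(log_text: str) -> List[Dict[str, str]]:
    """Parse a proxy log and return one finding per rule that fires per line."""
    findings = []
    for n, raw in enumerate(log_text.splitlines(), start=1):
        m = LINE_RE.match(raw)
        if not m:
            continue  # skip lines that do not match the assumed format
        entry = m.groupdict()
        for rule, confidence in classify(entry):
            findings.append({"line": n, "client": entry["client"],
                             "url": entry["url"], "rule": rule,
                             "confidence": confidence})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f['line']} {f['client']} -> {f['url']}: {f['rule']} ({f['confidence']})")
```

Lines 3 and 4 show the limit of string matching: once the User-Agent is replaced, only the handler's Server header (line 3) or a weak format heuristic (line 4) remains, so the high-confidence rules are only worth keeping for the unchanged defaults.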
Thanks! This has been fixed as of commit https://github.com/rapid7/metasploit-framework/commit/12a6d67be48527f5d3987e40cac2a0cbb4ab6ce7 . Just set MeterpreterUserAgent and MeterpreterServerName to the desired values (defaults are now much better as well).
I guess next time I’ll ask before spending a whole day writing a post about a workaround for a feature that will be implemented the next 🙂
Thanks HD yet again, it’s really impressive how quickly our voices are being heard…
Interesting… I recompiled metsrv.dll using VS Express 2010 (not changing anything) and it got detected by 5 out of 40 AVs, whereas the original one got detected by 17 out of 41.
Bypassing an IDS like a nul(l) « Hacking like a nul(l)
[…] This article allowed me to find metsrv.dll, so thanks: http://eldeeb.net/wrdprs/?p=71 […]