Changing meterpreter reverse_http User-Agent and Server strings

Changing meterpreter/reverse_http “User-Agent:” and “Server:” strings

 

EDIT 2012-07-01: Please read HD’s comment below, as of 1st of July 2012, you can set “MeterpreterUserAgent” and “MeterpreterServerName” to do that from the framework itself.

The meterpreter/reverse_http(s) payload’s network communications leaves traces of its existence in many places “Mainly HTTP Proxy logs”

One of the most obvious and easiest-to-detect signs are the “User-Agent:” header from the meterpreter side, and the “Server:” header from the handler side, as you can see they are as follows:

- User-Agent: Meterpreter/Windows

- Server: Rex

Changing the “Server: Rex”

This setting is set in the file

 "/opt/framework/msf3/lib/rex/proto/http/server.rb"

look for the section that says:

# The default server name that will be returned in the Server attribute of
# a response.
#
       DefaultServer = "Rex"

Change it to something less suspicious, I changed mine to “Microsoft-IIS/7.0″

Restart metasploit, and let’s see what happened

Aaah, that’s better… we’re done from the server “handler” side…

Changing the “User-Agent: Meterpreter/Windows”

Changing that won’t be as straight forward, steps:

1. Change the source code of meterpreter dll “the second stage”.
2. Compile a new “metsrv.dll”
3. Replace the framework’s “metsvc.dll” with the custom compiled one.

Get a copy from the source code:

it’s under “/opt/framework/msf3/external/source”

Open the solution file in visual studio:

The file is under “meterpreter\workspace\meterpreter.sln”

Open the solution file in visual studio, edit server_setup.c:

The solution file is under “meterpreter\workspace\meterpreter.sln”

Locate “metsrv” project -> “server_setup.c” -> then the “Meterpreter/Windows” header defined in the “InternetOpen” function … change it to something less suspicious.

I used: “Mozilla/5.0 (Windows NT 6.1; WOW64; rv:11.0) Gecko Firefox/11.0″

Remove problematic projects:

Remove “Right click->Remove” the following projects:

• ext_server_pivot
• ext_server_sniffer

Build solution, get the modified “metsrv.dll”

Use the “Release” build configurations, then “Build” -> “Build Solution”.

Voila!! We now have a new metsrv.dll, it will be in the “meterpreter\output” directory.

“P.S: that’s what specify the User-Agent”

Replace the “metsrv.dll” the framework directory

Replace “metsrv.dll” in the following directory with the one we just created

/opt/framework/msf3/data/meterpreter/

Pop a box, enjoy your new lower profile

原文：http://eldeeb.net/wrdprs/?p=71

没经过原作者同意就转过来了，原谅我