Meterpreter HTTP Communication
The Meterpreter payload supports a number of transports, including reverse_http and reverse_https. This document describes how these transports work.
During the generation process for a new reverse_http or reverse_https payload, an initial connect-back URL will be created. This URL will be either "short" or "long" and the 8-bit checksum of this URL will be set to one of the INIT_* constants defined in the UriChecksum mixin. The URL will be generated using the base64url character set. The "short" URL will always be 5 bytes in length while the "long" URL will be between 30 and 128 bytes in length. Which variant is used is determined by the space constraints of the exploit that generates the payload. The "long" URL can also include an embedded Payload UUID.
The HTTP handler within Metasploit will receive the request for the initial URL, determine which INIT_* checksum it correlates to, extract any embedded Payload UUID, and then respond with either the second stage for staged payloads or a new URL for stageless payloads. The new URL is generated by the handler, will embed any Payload UUID that was included in the original request, and will hash to the value defined by the URI_CHECKSUM_CONN constant. Note that characters other than the base64url character set are ignored during calculation of the checksum.
The connect URL must be unique between sessions in order for the sessions to function properly.
Once the Meterpreter connect URL is requested, the actual dispatch loop starts to run. The Meterpreter payload will make repeated requests with an HTTP body consisting of "RECV". Any queued commands will be returned to the payload, which will process them individually and return the results in a following request. If no commands were returned as a result of a "RECV" request, the payload will double the interval until the next request, with a maximum that is generally about 10 seconds.
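For defenders reviewing proxy or web-server logs, the checksum rule and the "RECV" polling described above can be combined into a triage check. The following Ruby code is an added example, not code from Metasploit or from the original page: the numeric checksum values are assumptions taken from the UriChecksum mixin rather than from this page (confirm them against the Metasploit version in use), the helper names are hypothetical, and the sample requests are constructed.

```ruby
# Added example: classify request paths by Metasploit's 8-bit URI checksum.
# The numeric values are assumptions taken from the UriChecksum mixin; this
# page names the constants but does not list their values.
URI_CHECKSUMS = {
  92 => 'INITW/INITN', # Windows / native stager
  80 => 'INITP',       # Python stager
  88 => 'INITJ',       # Java stager
  95 => 'INIT_CONN',   # new stageless session
  98 => 'CONN'         # established session (URI_CHECKSUM_CONN)
}.freeze

# Sum the bytes of the base64url characters only, modulo 256. Everything
# else (slashes, dots, query punctuation) is ignored, as the page states.
def uri_checksum8(path)
  path.gsub(/[^A-Za-z0-9_-]/, '').bytes.sum % 256
end

# Returns [label, confidence] or nil. A bare checksum hit is weak evidence:
# five values out of 256 match about 2% of arbitrary paths. A CONN checksum
# together with a "RECV" request body is treated as strong.
def classify_request(path, body = nil)
  label = URI_CHECKSUMS[uri_checksum8(path)]
  return nil unless label

  strong = label == 'CONN' && body == 'RECV'
  [label, strong ? :strong : :weak]
end

# Constructed proxy-log entries (not real traffic): [path, request body].
SAMPLE_REQUESTS = [
  ['/4kQ93',           nil],    # 5-character resource
  ['/Zx3_pQ7m-1aBa7/', 'RECV'], # polling request as described above
  ['/index.html',      nil],    # ordinary page, no match
  ['/rss',             nil]     # ordinary path that collides by chance
].freeze

def triage(requests)
  requests.map { |path, body| [path, classify_request(path, body)] }
end

if __FILE__ == $PROGRAM_NAME
  triage(SAMPLE_REQUESTS).each do |path, verdict|
    puts format('%-20s %s', path, verdict ? verdict.join(' ') : '-')
  end
end
```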
Additional details about the configuration of the HTTP transport can be found on the transport control wiki page.