More Spiders, Fewer Trees: Meterpreter Hop

Just about every time you see a serious network intrusion where the attackers obtain access to internal networks, the attackers used "hop points" to conceal their identity and evade detection. Hop points of course are just a fancy word for a kind of proxy (as Citizen Lab likes to refer to them) that forwards data to and instructions from the real controller. Some security companies have made tracking these hop points into a major business, and many sell access to their lists as expensive threat intelligence feeds. Since setting up a new hop takes a little time and effort, attackers sometimes re-use them. But for any significant operation, attackers are going to come from at least one new server, and probably many more.

Setting up and using hop points has been a chore for penetration testers as well. Normally setting up a hop requires owning the server to open and listen on arbitrary ports and forward data. But today, using a new payload and session type I contributed to the metasploit framework, you can use any common PHP host as a hop for meterpreter. This is a big deal since it's the first time metasploit has natively supported receiving a connect-back shell that goes somewhere other than directly to the Metasploit controller.

Moving from direct connections to hops turns your C2 graph from a tree to a spider

Moving from direct connections to hops turns your C2 graph from a tree to a spider

The main advantage is that using different hops keeps your shells alive even when one is discovered and its corresponding hop is blocked. On a practical level, purchasing PHP hosting on a shared host is significantly less expensive than purchasing access to a full virtual or physical host, and can frequently be found for free, and setting up a hop is as easy as dropping a single PHP file in the directory. There's no need for iptables rules or ssh port forwards or external tools like htran.

Check it out in the video below:


Comments are closed.