
Didier Stevens created a great little script called metatool.py.

You can find it here: https://blog.didierstevens.com/2021/04/18/metatool-py/

In my lab, I have a Bro/Zeek sensor on a SPAN port that captures all outgoing traffic to the Internet.

If you simply extract the URLs from http.log and feed them to the script, you can detect any Metasploit beacon URL:

root@rita:/opt/bro/logs/current# cat http.log | awk '{split($0,a," "); print a[9]a[10]}' | sed -e 's/^"//' -e 's/"$//' | awk NF > URLlist.txt
root@rita:/opt/bro/logs/current# python3 /home/rita/metatool.py urluuid URLlist.txt
URL: ******.***/rn_6RISI4wl9cHxxI8NllQ7ndoU8fM1AFtnINp-FZCUZSXo0ccvLtdITAXrq8WD
puid: b'ae7ffa448488e309' (b'\xae\x7f\xfaD\x84\x88\xe3\t')
platform: 1 (windows)
architecture: 1 (ARCH_X86)
timestamp: 2020/05/06 20:07:01

The only downside is that, since the sensor sits on a SPAN port, there is no SSL decryption, so only Metasploit beacons over clear-text HTTP will be caught.

I did the same exercise with my firewall, a Palo Alto Networks appliance.

I enabled log forwarding to syslog for the HTTP logs.

root@rita:/var/log# cat syslog | awk '{split($0,a,","); print a[32]}' | sed -e 's/^"//' -e 's/"$//' | awk NF > URLlist.txt
root@rita:/var/log# python3 /home/rita/metatool.py urluuid URLlist.txt
URL: *****.***/rn_6RISI4wl9cHxxI8NllQ7ndoU8fM1AFtnINp-FZCUZSXo0ccvLtdITAXrq8WD
puid: b'ae7ffa448488e309' (b'\xae\x7f\xfaD\x84\x88\xe3\t')
platform: 1 (windows)
architecture: 1 (ARCH_X86)
timestamp: 2020/05/06 20:07:01

In principle this allows detection over both HTTPS and HTTP. The example above is a browser visiting that URL.
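Both pipelines above end up doing the same thing: pull a URL out of a log and hand it to metatool.py, which decodes the payload UUID that Metasploit's HTTP stagers carry at the start of the URI path. The following is an added example, my own code and not metatool.py, the post's scripts, or Metasploit's code. It re-implements the UUID layout from Metasploit's lib/msf/core/payload/uuid.rb as I know it (8-byte puid, XOR-masked platform and architecture IDs, XOR-masked 32-bit timestamp), parses a Zeek http.log by its #fields header instead of fixed column numbers, and also accepts the plain URLlist.txt shape that both awk pipelines produce, so it covers the Palo Alto syslog case too. The sample http.log is constructed, the host name is a placeholder because the post masks it, and the platform/architecture tables are abbreviated copies of Metasploit's (an assumption about the upstream values). Run on the URI from the post it reproduces the puid, platform, architecture and timestamp that metatool.py printed.

```python
"""Detect Metasploit payload UUIDs in URLs taken from Zeek http.log or a URL list.

Added example: not metatool.py and not Metasploit's own code. It re-implements the
UUID layout from Metasploit's lib/msf/core/payload/uuid.rb as I know it: the first
22 base64url characters of the URI path decode to 16 bytes laid out as
  puid[8] | plat_xor | arch_xor | platform ^ plat_xor | arch ^ arch_xor | ts ^ mask
where ts is a big-endian 32-bit Unix time and
  mask = plat_xor<<24 | arch_xor<<16 | plat_xor<<8 | arch_xor.
"""
import base64
import re
import struct
from datetime import datetime, timezone

# Abbreviated copies of Metasploit's Platforms/Architectures tables (assumption:
# values as in upstream uuid.rb; 1 -> windows / ARCH_X86 matches the post's output).
PLATFORMS = {1: "windows", 3: "android", 4: "java", 6: "linux", 9: "osx"}
ARCHITECTURES = {1: "ARCH_X86", 2: "ARCH_X64", 12: "ARCH_ARMLE", 17: "ARCH_JAVA"}

UUID_RE = re.compile(r"^[A-Za-z0-9_-]{22}")   # 16 raw bytes -> 22 unpadded base64url chars


def decode_msf_uuid(uri):
    """Return a dict describing the UUID at the start of `uri`'s path, or None when
    the path does not decode to a plausible Metasploit UUID."""
    path = uri.split("?", 1)[0].lstrip("/")
    m = UUID_RE.match(path)
    if not m:
        return None
    raw = base64.urlsafe_b64decode(m.group(0) + "==")      # restore padding
    puid, plat_xor, arch_xor, plat_x, arch_x, ts_x = struct.unpack(">8sBBBBI", raw)
    platform = plat_x ^ plat_xor
    arch = arch_x ^ arch_xor
    mask = (plat_xor << 24) | (arch_xor << 16) | (plat_xor << 8) | arch_xor
    timestamp = ts_x ^ mask
    # Any 22 base64url characters decode to *something*, so reject decodes whose
    # platform/arch IDs are unknown or whose timestamp is outside a sane window.
    if platform not in PLATFORMS or arch not in ARCHITECTURES:
        return None
    if not 1_400_000_000 <= timestamp <= 2_000_000_000:     # roughly 2014 .. 2033
        return None
    return {
        "puid": puid.hex(),
        "platform": platform, "platform_name": PLATFORMS[platform],
        "arch": arch, "arch_name": ARCHITECTURES[arch],
        "timestamp": timestamp,
        "time": datetime.fromtimestamp(timestamp, tz=timezone.utc).strftime("%Y/%m/%d %H:%M:%S"),
    }


def scan_zeek_http_log(log_text):
    """Return (ts, id.orig_h, host, uri, info) for every http.log record whose URI
    carries a plausible UUID. Columns come from the #fields header rather than
    fixed positions, so the parser survives a customised field order."""
    fields, hits = None, []
    for line in log_text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data record before #fields header")
        rec = dict(zip(fields, line.split("\t")))
        info = decode_msf_uuid(rec.get("uri", "-"))
        if info:
            hits.append((rec["ts"], rec["id.orig_h"], rec["host"], rec["uri"], info))
    return hits


def scan_url_list(lines):
    """Decode UUIDs from a plain URL list (host + path per line, optional scheme),
    i.e. the URLlist.txt shape both awk pipelines in the post produce."""
    hits = []
    for line in lines:
        line = re.sub(r"^https?://", "", line.strip())
        if not line:
            continue
        path = line.split("/", 1)[1] if "/" in line else ""    # drop the host
        info = decode_msf_uuid("/" + path)
        if info:
            hits.append((line, info))
    return hits


# Constructed sample http.log (not real traffic). The last record reuses the URI
# path from the post; the host is a placeholder because the post masks it.
SAMPLE_HTTP_LOG = "\n".join([
    "#separator \\x09",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\ttrans_depth\tmethod\thost\turi",
    "\t".join(["1588795620.1", "CAbc1", "10.0.0.5", "51000", "93.184.216.34", "80", "1",
               "GET", "www.example.com", "/index.html"]),
    "\t".join(["1588795621.7", "CAbc2", "10.0.0.5", "51001", "198.51.100.9", "80", "1",
               "GET", "cdn.example.net", "/AAAAAAAAAAAAAAAAAAAAAAAA.js"]),  # base64url-looking, no UUID
    "\t".join(["1588795622.3", "CAbc3", "10.0.0.7", "51002", "203.0.113.4", "80", "1",
               "GET", "masked-host.example",
               "/rn_6RISI4wl9cHxxI8NllQ7ndoU8fM1AFtnINp-FZCUZSXo0ccvLtdITAXrq8WD"]),
])

if __name__ == "__main__":
    for ts, src, host, uri, info in scan_zeek_http_log(SAMPLE_HTTP_LOG):
        print(f"{ts} {src} -> {host}{uri}")
        print(f"  puid={info['puid']} platform={info['platform']} ({info['platform_name']}) "
              f"arch={info['arch']} ({info['arch_name']}) timestamp={info['time']}")
```

The plausibility filter matters on real logs: every 22-character base64url-looking path segment decodes to sixteen bytes, so without requiring a known platform/architecture pair and a sane timestamp you would alert on CDN asset names and session tokens. The timestamp is also worth keeping in the alert, since it is the time the payload was generated, not the time of the request.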

Unfortunately, the firewall, running the latest version, doesn't log the URL in the URL filtering logs when it's the real Metasploit payload! And in the data logs the URL isn't showing either. Too bad. The mouse lives another day.
