Changing meterpreter/reverse_http “User-Agent:” and “Server:” strings

EDIT 2012-07-01: Please read HD’s comment below. As of 1 July 2012 you can set “MeterpreterUserAgent” and “MeterpreterServerName” to do this from the framework itself.

The meterpreter/reverse_http(s) payload’s network communications leave traces of its existence in many places, mainly HTTP proxy logs.

One of the most obvious and easiest-to-detect signs is the pair of default headers: the “User-Agent:” header sent by the meterpreter side and the “Server:” header returned by the handler side. Out of the box they are:

– User-Agent: Meterpreter/Windows

– Server: Rex

Changing the “Server: Rex”

This setting is defined in the file

 "/opt/framework/msf3/lib/rex/proto/http/server.rb"

Look for the section that says:

# The default server name that will be returned in the Server attribute of
# a response.
#
       DefaultServer = "Rex"

Change it to something less suspicious; I changed mine to “Microsoft-IIS/7.0”.

Restart Metasploit, and let’s see what happened:

Aaah, that’s better… we’re done from the server “handler” side…

Changing the “User-Agent: Meterpreter/Windows”

Changing that won’t be as straightforward. The steps are:

  1. Change the source code of the meterpreter DLL (“the second stage”).
  2. Compile a new “metsrv.dll”.
  3. Replace the framework’s “metsrv.dll” with the custom compiled one.

Get a copy of the source code:

It’s under “/opt/framework/msf3/external/source”

Open the solution file in Visual Studio and edit server_setup.c:

The solution file is under “meterpreter\workspace\meterpreter.sln”

Locate the “metsrv” project -> “server_setup.c” -> the “Meterpreter/Windows” string passed to the “InternetOpen” call, and change it to something less suspicious.

I used: “Mozilla/5.0 (Windows NT 6.1; WOW64; rv:11.0) Gecko Firefox/11.0”

Remove problematic projects:

Remove (right click -> Remove) the following projects:

  • ext_server_pivot
  • ext_server_sniffer

Build the solution and get the modified “metsrv.dll”:

Use the “Release” build configuration, then “Build” -> “Build Solution”.

Voila! We now have a new metsrv.dll; it will be in the “meterpreter\output” directory.

(P.S.: that’s what specifies the User-Agent.)

Replace the “metsrv.dll” in the framework directory:

Replace “metsrv.dll” in the following directory with the one we just created:

/opt/framework/msf3/data/meterpreter/

Pop a box, enjoy your new lower profile 🙂
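From the defender’s side, the two default strings above are exactly what a proxy-log review should key on. The following is an added example (not code from this post or from the Metasploit project) that scans constructed proxy log lines for the default “Meterpreter/Windows” User-Agent and the default “Rex” Server header; the log layout is an assumption for the example, not any real proxy’s native format.

```python
import re
from typing import Dict, List, Optional

# Default header values named in the post. An operator can change both,
# so a match is a cheap, high-confidence indicator, but a miss proves nothing.
DEFAULT_USER_AGENT = "Meterpreter/Windows"
DEFAULT_SERVER = "Rex"

# Constructed sample log. The field layout (client, method, URL, status,
# request User-Agent, response Server) is assumed for this example only.
SAMPLE_LOG = """\
10.0.0.5 GET http://203.0.113.10:8080/ 200 "Meterpreter/Windows" "Rex"
10.0.0.8 GET http://example.com/index.html 200 "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:11.0) Gecko Firefox/11.0" "Apache"
10.0.0.5 POST http://203.0.113.10:8080/ 200 "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:11.0) Gecko Firefox/11.0" "Rex"
10.0.0.9 GET http://example.org/ 200 "curl/7.22.0" "nginx"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\d{3}) "([^"]*)" "([^"]*)"$')


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one log line into named fields; return None for lines that do not fit."""
    m = LINE_RE.match(line)
    if not m:
        return None
    client, method, url, status, user_agent, server = m.groups()
    return {"client": client, "method": method, "url": url,
            "status": status, "user_agent": user_agent, "server": server}


def find_indicators(log_text: str) -> List[Dict[str, object]]:
    """Return one hit per line whose User-Agent or Server header is a known default."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = []
        if rec["user_agent"] == DEFAULT_USER_AGENT:
            reasons.append("default meterpreter User-Agent")
        if rec["server"] == DEFAULT_SERVER:
            reasons.append("default Rex Server header")
        if reasons:
            hits.append({"line": lineno, "client": rec["client"],
                         "url": rec["url"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_indicators(SAMPLE_LOG):
        print(hit)
```

The third sample line shows why both sides matter: the client string has been changed, but the handler still answers with “Server: Rex”, so that line is still flagged.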

4 Comments

    • sherif

      I guess next time I’ll ask before spending a whole day writing a post about a workaround for a feature that will be implemented the next 🙂

      Thanks HD yet again, it’s really impressive how quickly our voices are being heard…

  1. Interesting… I recompiled metsrv.dll using VS Express 2010 (not changing anything) and it got detected by 5 out of 40 AVs, whereas the original one got detected by 17 out of 41.
