Rana
Participant

Preventing/Block Meterpreter

Is there any advice to prevent/block Meterpreter?

Situation: an external audit shows that Meterpreter connections are not blocked, even though the Meterpreter IPS protections (there are 3 of them) are set to Prevent.

The following Blades are active: IPSec VPN, Mobile Access, Application Control, URL-Filtering, ClusterXL, Monitoring, IPS, Anti-Bot, Anti-Virus.

TIA
Christian

9 Replies
_Val_
Admin

What about HTTPSi?

Rana
Participant

Sorry, it was not in the listing: HTTPS interception is enabled.

HeikoAnkenbrand
Champion

Hi @Rana,

I always use SNORT signatures/rules in these cases when there are no manufacturer signatures available.

Most of the time you can extract some good ASCII signatures from the Meterpreter exploit code. Then you can create a SNORT signature and import it via SmartConsole. This is not so easy most of the time, but it works quite well.

I always try to extract signatures from Metasploit, ... or other tools.

More information on how to import SNORT signatures can be found here:
https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_ThreatPrevention_AdminGuide/Topics...

PS: Enable https interception.

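A worked version of the approach described in the reply above, added here as an illustration; it is not code from the thread, from Metasploit or from Check Point. The script pulls printable ASCII runs out of a binary blob the way the `strings` tool does, drops runs that would also match benign traffic, and emits one Snort rule with a `content:` match per remaining candidate. The payload bytes, the `EXAMPLE_STAGER_MARKER` string, the common-string list and the SID range are all constructed for the demo and are not taken from Meterpreter. One caveat: to my knowledge the Check Point Snort import accepts only a subset of Snort 2.x rule options, so the generated rules stay with the basic header, msg, flow, content and sid/rev options.

```python
import re

# Constructed sample payload for the demo (NOT real Meterpreter code): a few binary
# bytes mixed with printable ASCII runs, standing in for a staged payload pulled
# from the tool's source tree.
SAMPLE_PAYLOAD = (
    b"\x4d\x5a\x90\x00\x03\x00\x00\x00"     # "MZ" header-like bytes, too short to use
    b"EXAMPLE_STAGER_MARKER\x00"            # distinctive printable run (constructed)
    b"\x01\x02\x03\x04"
    b"Mozilla/4.0 (compatible)\x00"         # printable, but common in benign traffic
    b"\xff\xfe"
    b"ab"                                   # too short to be a useful signature
)

# Strings that would also match legitimate traffic; a real list would be much longer.
COMMON_STRINGS = {"Mozilla/4.0 (compatible)"}


def extract_ascii_strings(data, min_len=8):
    """Return printable-ASCII runs of at least min_len bytes, like the `strings` tool."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def pick_candidates(found, common=COMMON_STRINGS):
    """Keep only strings that are not known to occur in benign traffic."""
    return [s for s in found if s not in common]


def snort_content(s):
    """Escape a string for a Snort content: option. Quote, semicolon, pipe and
    backslash would break the option, so they are emitted as |XX| hex bytes."""
    return "".join("|%02X|" % ord(ch) if ch in '";|\\' else ch for ch in s)


def build_snort_rule(pattern, sid, msg):
    """One alert rule matching the pattern anywhere in an established TCP stream."""
    return ('alert tcp any any -> any any (msg:"%s"; flow:established; '
            'content:"%s"; sid:%d; rev:1;)' % (msg, snort_content(pattern), sid))


def rules_from_payload(data, first_sid=1000001):
    """Full pipeline: strings -> filter -> one Snort rule per candidate.
    first_sid is a constructed local range; SIDs from 1,000,000 up are reserved
    for local rules by Snort convention."""
    candidates = pick_candidates(extract_ascii_strings(data))
    return [build_snort_rule(c, first_sid + i, "Custom payload string %d" % i)
            for i, c in enumerate(candidates)]


if __name__ == "__main__":
    for rule in rules_from_payload(SAMPLE_PAYLOAD):
        print(rule)
```

The filter step matters more than the extraction: a User-Agent string or a Windows API name extracted from the payload will fire on normal traffic, so each candidate should be checked against a sample of the customer's legitimate traffic before the rule is set to Prevent.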
_Val_
Admin

Can you please provide particular CVEs for alleged vulnerabilities, or any other info that would help to understand the details?

Rana
Participant

Sorry, but I cannot provide any CVEs.

As far as I know, Meterpreter is a plugin for Metasploit and is used by hackers for pen-tests, and of course it can be used by evil persons. 😉

The auditor used this for his work and noticed that Meterpreter connections should be blocked by a firewall, that he knows Check Point, and that this should be "easy" to configure.

So, Meterpreter itself is not malware, but it can be used to infect hosts.
I'm not sure whether Meterpreter was downloaded through the firewall or was installed in some other way.

What I found, were these three IPS-protections:

[screenshot: Bildschirmfoto 2021-07-28 um 12.33.27.png]

All 3 IPS protections are enabled for the IPS profile in use, but they didn't seem to work, as no logs were seen.

What I'm not sure about: should these IPS protections prevent "downloading" Meterpreter (the plugin?) through the firewall, or should they prevent using Meterpreter through the firewall?

Additional information I got / that was seen in the log:

At the second attempt, with the IPS protections enabled, commands over Meterpreter were blocked (traffic on port 80), but as an Application that is not allowed for the user (blocked by Application Control). I don't know whether IPS detection should happen before or after detection by application.

APCL is configured to accept only some applications for different user groups (Identity Awareness).

After that, the communication within Meterpreter was BASE64-encoded over port 80, and all the traffic passed the firewall.

As far as I can see, no HTTPS traffic was used, so enabling HTTPS interception is not necessary for detecting Meterpreter connections.

Christian

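An added example for the Base64 observation in the post above; it is not from the thread and is neither Check Point nor Metasploit code. A plain `content:` match on an ASCII string cannot fire once the payload is Base64-encoded, because the encoding of a substring depends on its byte offset modulo 3. The script computes the three offset-dependent encodings of a keyword, strips the leading and trailing characters whose value depends on neighbouring bytes, and checks a Base64 body against all three, so one keyword becomes three literal needles (and three Snort rules). The marker string, the HTTP bodies and the SID range are constructed for the demo; the rule format follows Snort's own syntax and is not something confirmed for the Check Point import.

```python
import base64

# Constructed marker for the demo; a real keyword would come from the tool's source.
CONSTRUCTED_MARKER = b"EXAMPLE_C2_MARKER"


def base64_alignments(keyword):
    """Return {shift: stable_text} for shift in 0..2, where stable_text is the part of
    the Base64 encoding of `keyword` that is fixed when keyword starts at byte
    offset shift (mod 3) inside a larger buffer. Characters that mix keyword bits
    with neighbouring bytes are dropped, so each value is a safe literal needle."""
    n = len(keyword)
    variants = {}
    for shift in range(3):
        # Pad to a multiple of 3 so the encoding has no '=' to strip afterwards.
        trailing = (3 - (shift + n) % 3) % 3
        padded = b"\x00" * shift + keyword + b"\x00" * trailing
        enc = base64.b64encode(padded).decode("ascii")
        # Leading chars that contain bits of the `shift` dummy bytes ...
        lead = {0: 0, 1: 2, 2: 3}[shift]
        # ... and trailing chars that contain bits of the trailing dummies.
        trail = {0: 0, 1: 3, 2: 2}[(shift + n) % 3]
        variants[shift] = enc[lead:len(enc) - trail]
    return variants


def find_encoded_keyword(b64_text, keyword):
    """Return the alignment (0, 1 or 2) at which keyword occurs inside b64_text, or None."""
    for shift, needle in base64_alignments(keyword).items():
        if needle and needle in b64_text:
            return shift
    return None


def snort_rules_for_encoded_keyword(keyword, first_sid=1000010):
    """Three Snort rules, one per alignment; the SIDs are a constructed local range.
    Base64 output only contains [A-Za-z0-9+/], so no content: escaping is needed."""
    rules = []
    for shift, needle in base64_alignments(keyword).items():
        rules.append('alert tcp any any -> any any (msg:"Base64 keyword shift %d"; '
                     'flow:established; content:"%s"; sid:%d; rev:1;)'
                     % (shift, needle, first_sid + shift))
    return rules


def demo_detection():
    """Constructed bodies: the marker at three different byte offsets, plus a clean one.
    Returns {prefix_len: matched_shift, "clean": None}."""
    results = {}
    for prefix_len in range(3):
        raw = b"x" * prefix_len + b"junk" + CONSTRUCTED_MARKER + b"tail"
        body = base64.b64encode(raw).decode("ascii")
        results[prefix_len] = find_encoded_keyword(body, CONSTRUCTED_MARKER)
    clean = base64.b64encode(b"nothing to see here").decode("ascii")
    results["clean"] = find_encoded_keyword(clean, CONSTRUCTED_MARKER)
    return results


if __name__ == "__main__":
    print(demo_detection())
    for rule in snort_rules_for_encoded_keyword(CONSTRUCTED_MARKER):
        print(rule)
```

Short keywords lose most of their stable characters after the trim (a 3-byte keyword keeps only three characters at two of the alignments), so pick keywords of a dozen bytes or more, and still expect a mismatch if the tool uses a non-standard alphabet, line wrapping inside the Base64, or a second encoding layer.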
_Val_
Admin

Thanks for spending time on the explanation. I know what Meterpreter and Metasploit are. I am looking for actual attack information that should be blocked and is not. Any example you can provide?

Rana
Participant

I was sure you knew ... I learnt it. 😉

Unfortunately I have only sparse information about what the auditor exactly did. I got the following two screenshots from the customer:

This attempt was blocked by APCL:
[screenshot: Bildschirmfoto 2021-07-28 um 13.44.00.png]

The second (should be some BASE64-encoded transfer) was accepted by the firewall:
[screenshot: Bildschirmfoto 2021-07-28 um 13.43.47.png]

I have to wait till mid August, for the next meeting with the customer and the auditor.

HTH
Christian

_Val_
Admin

I would suggest you reach out to your local office, or TAC, or both. Reproducing the issue might be required to find the exact action.

Rana
Participant

OK, thanks, I will do this.

Regards
Christian
