This solution doesn’t seem to be very well documented and I finally got around to testing it myself, so I’m dropping a quick demo.
Reverse meterpreter connections require port forwarding, which isn’t possible over tor (inside whonix). This is a simple solution for establishing reverse HTTP connections in msf:
Create A Hidden Server
Setup an onion as we normally would:
The onion MUST be listening on port 80 for this to work. The forwarding port (9999) can be anything you want. Restart tor, and take note of your new onion address:
Create payload
I created a simple (non-obfuscated) msfvenom executable for this demo but you should obviously encrypt your payload in a real scenario.
Set the payload type to reverse_http and the LHOST to your onion address but append .link to the URL. This will allow your payload to proxy between a tor2web clearnet domain and the tor network.
Configure msf
When configuring metasploit, set a reverse_http payload and set the LHOST to your local IP address with LPORT on 9999.
That’s about it. Feed the payload to your target and a session should be established in msf. I haven’t tested yet with the new .rtf CVE or MS Word macros, but I imagine it should work.
Also plan on looking at socat soon, it seems like it’ll handle such connections more elegantly.