
       Name: HTTP Fetch, Windows x64 Reverse HTTP Stager (wininet)
     Module: payload/cmd/windows/http/x64/vncinject/reverse_https
   Platform: Windows
       Arch: cmd
Needs Admin: No
 Total s
Evasion options for payload/cmd/windows/http/x64/vncinject/reverse_https:
=========================

om>
    hdm <x@hdm.io>
    agix
    rwincey

Basic options:
Name                  Current Setting  Required  Description
----                  ---------------  --------  -----------
AUTOVNC               true             yes       Automatically launch VNC viewer if present
DisableCourtesyShell  true             no        Disables the Metasploit Courtesy shell
EXITFUNC              process          yes       Exit technique (Accepted: '', seh, thread, process, none)
FETCH_COMMAND         CERTUTIL         yes       Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL)
FETCH_DELETE          false            yes       Attempt to delete the binary after execution
FETCH_FILENAME        UdFOFThcK        no        Name to use on remote system when storing payload; cannot contain spaces or slashes
FETCH_SRVHOST                          no        Local IP to use for serving payload
FETCH_SRVPORT         8080             yes       Local port to use for serving payload
FETCH_URIPATH                          no        Local URI to use for serving payload
FETCH_WRITABLE_DIR    %TEMP%           yes       Remote writable dir to store payload; cannot contain spaces.
LHOST                                  yes       The local listener hostname
LPORT                 8443             yes       The local listener port
LURI                                   no        The HTTP Path
VNCHOST               127.0.0.1        yes       The local host to use for the VNC proxy
VNCPORT               5900             yes       The local port to use for the VNC proxy
ViewOnly              true             no        Runs the viewer in view mode


When FETCH_COMMAND is one of CURL:

Name        Current Setting  Required  Description
----        ---------------  --------  -----------
FETCH_PIPE  false            yes       Host both the binary payload and the command so it can be piped directly to the shell.

Description:
    Fetch and execute an x64 payload from an HTTP server.
    Tunnel communication over HTTP (Windows x64 wininet)


    Name                        Current Setting                                                                      Required  Description
    ----                        ---------------                                                                      --------  -----------
    DisableSessionTracking      false                                                                                no        Disables the VNC payload from following the active session as users log in an out of the input desktop
    EXE::Custom                                                                                                      no        Use custom exe instead of automatically generating a payload exe
    EXE::EICAR                  false                                                                                no        Generate an EICAR file instead of regular payload exe
    EXE::FallBack               false                                                                                no        Use the default template in case the specified one is missing
    EXE::Inject                 false                                                                                no        Set to preserve the original EXE function
    EXE::OldMethod              false                                                                                no        Set to use the substitution EXE generation method.
    EXE::Path                                                                                                        no        The directory in which to look for the executable template
    EXE::Template                                                                                                    no        The executable template file name.
    EnableStageEncoding         false                                                                                no        Encode the second stage payload
    FetchHandlerDisable         false                                                                                yes       Disable fetch handler
    FetchHttpServerName         Apache                                                                               yes       Fetch HTTP server name
    FetchListenerBindAddress                                                                                         no        The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST
    FetchListenerBindPort                                                                                            no        The port to bind to if different from FETCH_SRVPORT
    HandlerSSLCert                                                                                                   no        Path to a SSL certificate in unified PEM format
    HttpCookie                                                                                                       no        An optional value to use for the Cookie HTTP header
    HttpHostHeader                                                                                                   no        An optional value to use for the Host HTTP header
    HttpProxyHost                                                                                                    no        An optional proxy server IP address or hostname
    HttpProxyPass                                                                                                    no        An optional proxy server password Max parameter length: 63 characters
    HttpProxyPort                                                                                                    no        An optional proxy server port
    HttpProxyType               HTTP                                                                                 yes       The type of HTTP proxy (Accepted: HTTP, SOCKS)
    HttpProxyUser                                                                                                    no        An optional proxy server username Max parameter length: 63 characters
    HttpReferer                                                                                                      no        An optional value to use for the Referer HTTP header
    HttpServerName              Apache                                                                               no        The server header that the handler will send in response to requests
    HttpUnknownRequestResponse  <html><body><h1>It works!</h1></body></html>                                         no        The returned HTML response body when the handler receives a request that is not from a payload
    HttpUserAgent               Mozilla/5.0 (Macintosh; Intel Mac OS X 14.7; rv:133.0) Gecko/20100101 Firefox/133.0  no        The user-agent that the payload should use for communication Max parameter length: 255 characters
    IgnoreUnknownPayloads       false                                                                                no        Whether to drop connections from payloads using unknown UUIDs
    MSI::Custom                                                                                                      no        Use custom msi instead of automatically generating a payload msi
    MSI::EICAR                  false                                                                                no        Generate an EICAR file instead of regular payload msi
    MSI::Path                                                                                                        no        The directory in which to look for the msi template
    MSI::Template                                                                                                    no        The msi template file name
    MSI::UAC                    false                                                                                no        Create an MSI with a UAC prompt (elevation to SYSTEM if accepted)
    OverrideLHOST                                                                                                    no        When OverrideRequestHost is set, use this value as the host name for secondary requests
    OverrideLPORT                                                                                                    no        When OverrideRequestHost is set, use this value as the port number for secondary requests
    OverrideRequestHost         false                                                                                no        Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT
    OverrideScheme                                                                                                   no        When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https
    PayloadUUIDName                                                                                                  no        A human-friendly name to reference this unique payload (requires tracking)
    PayloadUUIDRaw                                                                                                   no        A hex string representing the raw 8-byte PUID value for the UUID
    PayloadUUIDSeed                                                                                                  no        A string to use when generating the payload UUID (deterministic)
    PayloadUUIDTracking         false                                                                                yes       Whether or not to automatically register generated UUIDs
    PingbackRetries             0                                                                                    yes       How many additional successful pingbacks
    PingbackSleep               30                                                                                   yes       Time (in seconds) to sleep between pingbacks
    PrependMigrate              false                                                                                yes       Spawns and runs shellcode in new process
    PrependMigrateProc                                                                                               no        Process to spawn and run shellcode in
    ReverseAllowProxy           false                                                                                yes       Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
    ReverseListenerBindAddress                                                                                       no        The specific IP address to bind to on the local system
    ReverseListenerBindPort                                                                                          no        The port to bind to on the local system if different from LPORT
    ReverseListenerComm                                                                                              no        The specific communication channel to use for this listener
    SSLVersion                  Auto                                                                                 yes       Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2)
    StageEncoder                                                                                                     no        Encoder to use if EnableStageEncoding is set
    StageEncoderSaveRegisters                                                                                        no        Additional registers to preserve in the staged payload if EnableStageEncoding is set
    StageEncodingFallback       true                                                                                 no        Fallback to no encoding if the selected StageEncoder is not compatible
    StagerRetryCount            10                                                                                   no        The number of times the stager should retry if the first connect fails
    StagerRetryWait             5                                                                                    no        Number of seconds to wait for the stager between reconnect attempts
    StagerURILength                                                                                                  no        The URI length for the stager (at least 5 bytes)
    StagerVerifySSLCert         false                                                                                no        Whether to verify the SSL certificate in Meterpreter
    VERBOSE                     false                                                                                no        Enable detailed status messages
    WORKSPACE                                                                                                        no        Specify the workspace for this module

