Redirector

Cloud Based Redirection

- AWS CloudFront

AWS offers a service called CloudFront, which is a Content Delivery Network (CDN). It helps deliver web content quickly and securely from AWS services like Application Load Balancers. You can enhance security by applying a Web Application Firewall (WAF) and control access through Geo-Restrictions. CloudFront also provides a secure domain (*.cloudfront.net) and has the capability to redirect traffic.

First, create and configure an ELB (Elastic Load Balancer):

  • AWS > EC2 > Load balancers > Select load balancer type > Application Load Balancer (HTTP/s)

  • Basic Configuration: Internet-facing & IPv4

  • Network Mapping: In VPC select "saas & terraform" and in Mappings select the desired two zones.

  • Security groups: default: sg-c2d453bd

  • Listeners and routing: HTTP > Port 80 > Forward to: Create target group targeting our C2, select instance if it is in an AWS EC2, or IP Addresses if it is in another site (VPS or other cloud provider) > Configure health checks > click next and select it, then click on include as pending below > Create target group

  • Finally, create the ELB, then go to the C2 server and allow traffic from it. For example, if the C2 is in an EC2 instance: EC2 > Security Groups > {security group name} > Edit inbound rules > Add rule > Custom TCP > Port 80 > type the security group of the ELB as the source.

Then, configure CloudFront:

  • AWS > CloudFront > Distributions > Create

  • Origin domain: Select the previously created ELB

  • Default cache behavior: Select GET, HEAD, OPTIONS, PUT, POST, PATCH, DELETE

  • Cache Policy > Caching Optimized

  • Create it, then edit the geographic restrictions > Allow traffic only from the desired countries

  • Now, copy the Distribution domain name and configure it when creating a listener in the C2

- Azure Front Door CDN

Azure offers a service called Azure Front Door, which is a Content Delivery Network (CDN). It provides seamless connectivity with Azure Virtual Machines (VMs) and other exposed endpoints. Azure Front Door gives you an endpoint with a legitimate domain (*.azurefd.net). You can connect the exposed endpoint and backend origins through routes. Security policies, like Web Application Firewall (WAF), can be applied to these endpoints for enhanced protection.

To create and configure it:

  • Home > Front Door and CDN profiles > Select Front Door and Quick create

  • Type an endpoint name like service (something to blend in)

  • Origin type > Public IP Address Origin hostname > Select the azure instance VM in which the C2 is hosted or create an origin group pointing to the IP of the C2.

  • Set up WAF Policy

  • Disable caching. This is essential.

  • Create the CDN, then go to the C2 server and allow traffic from it. For example, if the C2 is in an Azure instance: Home > {VM name} > Networking > Add inbound security rule > Source service tag: AzureFrontDoor.Backend > Service: HTTP

  • In the Front Door configuration select Update route > Forwarding protocol > HTTP only, so we can create an HTTP beacon pointing to this HTTPS CDN endpoint, which will forward the traffic to the origin as HTTP.

  • Now copy the *.azurefd.net domain name and configure it when creating a listener in the C2

- Domain Fronting

Domain fronting involves using different domain names in the SNI field of the TLS header and the Host field of the HTTP header. If both domains are served from the same CDN, then the CDN may route to the address specified in the HTTP header after unwrapping the TLS header.

Domain fronting is a CDN-based technique that can be used to bypass a filtering system. For example, what the filtering system sees is google.com, but by using the Host field we set the real destination of the packets to our own server, and in this way the filtering system is bypassed.

To do this, first, sign up on the CDN site of your choice and register your domain on this site.

Then, create a DNS record for your domain and make sure to enable the proxy option for this DNS record.

Once that has been done, go to the Hiddify panel, navigate to the "Settings and Domains" section and click on "Create". Set the domain mode to "CDN" and enter the subdomain you registered earlier, ensuring its proxy is enabled.

Now, enter the addresses of unfiltered sites served by the same CDN in the "Enable TLS Domain Fronting" field. Use a DNS lookup tool to find such sites. Domain Fronting Lists: https://github.com/vysecurity/DomainFrontingLists

If necessary, enter the clean IPs for your CDN in the "Force Config to Use Following IPs" field.

Once these steps are done, your CDN settings for domain fronting mode are configured and ready to use.

! This feature has been disabled in Cloudflare CDN, but other CDNs can be used for this.
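From the detection side, the observable described above is the disagreement between the SNI in the TLS ClientHello and the Host header of the HTTP request inside it. The following is an added example, not code from the original page or from any of the tools it names; it assumes a TLS-inspecting proxy (or a join of Zeek-style ssl.log and http.log records) that yields one record per request with both values, and the record layout and sample values below are constructed for the demo.

```python
"""Flag proxied requests whose TLS SNI and HTTP Host header point at different
registrable domains, the domain-fronting indicator described above.
Added example; record format and sample data are constructed, not real traffic."""

from dataclasses import dataclass


@dataclass(frozen=True)
class ProxiedRequest:
    src_ip: str   # internal client
    dst_ip: str   # CDN edge the client connected to
    sni: str      # server_name from the TLS ClientHello
    host: str     # Host header seen after TLS termination/inspection


def base_domain(name: str) -> str:
    """Collapse a hostname to its last two labels. Heuristic only: a real
    deployment should use the Public Suffix List so 'site.co.uk' is handled."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else name.lower()


def strip_port(host: str) -> str:
    """Drop an explicit port from a Host header value ('a.example:443', '[::1]:443')."""
    if host.startswith("["):                # bracketed IPv6 literal
        return host.split("]")[0] + "]"
    return host.rsplit(":", 1)[0] if host.count(":") == 1 else host


def is_fronted(rec: ProxiedRequest) -> bool:
    """True when SNI and Host resolve to different registrable domains."""
    if not rec.sni or not rec.host:
        return False  # nothing to compare; SNI-less TLS is worth its own rule
    return base_domain(rec.sni) != base_domain(strip_port(rec.host))


def find_fronting(records):
    """Return the records that show an SNI/Host mismatch."""
    return [r for r in records if is_fronted(r)]


def mismatches_by_source(records):
    """Count mismatching requests per internal client, to rank what to triage first."""
    counts = {}
    for r in find_fronting(records):
        counts[r.src_ip] = counts.get(r.src_ip, 0) + 1
    return counts


# Constructed sample records (assumed format; values are placeholders).
SAMPLE = [
    ProxiedRequest("10.0.0.5", "203.0.113.10", "www.site-a.example", "www.site-a.example"),
    ProxiedRequest("10.0.0.5", "203.0.113.10", "www.site-a.example", "edge.front-b.example:443"),
    ProxiedRequest("10.0.0.7", "203.0.113.11", "cdn.site-c.example", "static.cdn.site-c.example"),
    ProxiedRequest("10.0.0.7", "203.0.113.11", "", "www.site-d.example"),
]

if __name__ == "__main__":
    for r in find_fronting(SAMPLE):
        print(f"{r.src_ip} -> {r.dst_ip}: SNI={r.sni} Host={r.host}")
    print(mismatches_by_source(SAMPLE))
```

Treat a hit as a lead rather than a verdict: some legitimate CDN configurations and misconfigured clients also produce SNI/Host mismatches, so the count per source and the destination CDN are what make it worth an analyst's time.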

On-Premise Redirection

- Nginx

This proxy service is very powerful and can be deployed with minimal computing resources. It offers rich features to handle requests and responses using custom rules. You can refine request debugging by checking details like IP/Domain, User-Agent, Cookies, and Logic Mapping. It is easy to maintain and customize over the long term, adapting to payload version changes. Additionally, it integrates seamlessly with SSL/TLS certificates for secure connections.

Update the package lists:

apt-get update

Install nginx and certbot (on current Debian and Ubuntu releases the plugin package is named python3-certbot-nginx):

sudo apt-get install certbot python-certbot-nginx nginx

Copy the cron job file to the appropriate directory:

cp nysm-cron /etc/cron.d/nysm

Copy the nginx configuration file:

cp ./default.conf /etc/nginx/sites-enabled/default

Replace <DOMAIN_NAME> with your domain name in the nginx configuration:

sed -i.bak "s/<DOMAIN_NAME>/your_domain_name/" /etc/nginx/sites-enabled/default

Remove the backup file created by sed:

rm /etc/nginx/sites-enabled/default.bak

Replace <C2_SERVER> with your C2 server address in the nginx configuration:

sed -i.bak "s/<C2_SERVER>/your_c2_server/" /etc/nginx/sites-enabled/default

Remove the backup file created by sed:

rm /etc/nginx/sites-enabled/default.bak

Append the domain name and C2 server to the resolv.conf file (note that resolv.conf only holds resolver settings; a static name-to-address mapping normally belongs in /etc/hosts, written as address then name):

echo "your_domain_name your_c2_server" >> /etc/resolv.conf

Obtain SSL certificates using certbot:

certbot --nginx --register-unsafely-without-email --agree-tos -d your_domain_name

Uncomment lines in the nginx configuration file related to SSL (if needed):

sed -i.bak "s/^#nysm#//g" /etc/nginx/sites-enabled/default

Remove the backup file created by sed:

rm /etc/nginx/sites-enabled/default.bak

Restart the nginx service:

systemctl restart nginx.service

Check the status of nginx processes:

ps aux | grep -E 'nginx' | grep -v grep

Check the listening sockets for nginx (netstat is deprecated on many distributions; ss -tulpn gives the same view):

netstat -tulpn | grep -E 'nginx'

- Simple SSH Traffic Redirection

  • Redirector:

In the /etc/ssh/sshd_config file, set (the directive is GatewayPorts; without it a remote forward only binds to the loopback interface):

GatewayPorts yes

Then we restart SSH:

systemctl restart ssh

  • C2 Server:

To establish the tunnel (binding port 443 on the redirector requires root there, and the 0.0.0.0 bind address only takes effect because GatewayPorts is enabled):

ssh -fN -R 443:0.0.0.0:8443 158.10.10.10

-f option: sends the SSH session to the background

-N option: do not execute a remote command (port forwarding only)

-R option: reverse tunnel between the two machines; connections to port 443 on the redirector are forwarded to port 8443 on the C2 server

We can chain as many redirectors as we want using SSH (the first ssh runs the second one on redirector 1, so redirector 1 needs its own credentials for redirector 2):

ssh -fR 8888:0.0.0.0:8443 {redirector 1} ssh -fNR 443:0.0.0.0:8888 {redirector 2}
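On a host you administer, the redirector pattern above leaves two artefacts: GatewayPorts enabled in sshd_config, and an sshd process listening on a non-loopback address on a port other than the SSH port. The following is an added example, not from the original page: it audits both, using a constructed sshd_config fragment and constructed ss -tlnp output (the column layout matches iproute2's ss, but the values are placeholders).

```python
"""Audit a host for SSH reverse-tunnel redirection: GatewayPorts enabled plus
sshd listening on a non-loopback port other than its own service port.
Added example; the config and ss output below are constructed samples."""

import re

LOOPBACK = {"127.0.0.1", "::1", "[::1]"}
PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')


def gateway_ports_setting(config_text: str) -> str:
    """Return the effective GatewayPorts value ('no' if unset).
    sshd uses the first value it reads for a keyword, so the first match wins."""
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2 and parts[0].lower() == "gatewayports":
            return parts[1].strip().lower()
    return "no"


def exposed_ssh_forwards(ss_output: str, sshd_port: int = 22):
    """Parse `ss -tlnp` lines; return (addr, port, pid) for sshd listeners that
    are bound to a non-loopback address on something other than sshd_port."""
    findings = []
    for line in ss_output.splitlines()[1:]:          # skip header
        fields = line.split()
        if len(fields) < 6 or fields[0] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)
        m = PROC_RE.search(fields[5])
        if not m or m.group(1) != "sshd":
            continue
        port = int(port)
        if addr in LOOPBACK or port == sshd_port:
            continue
        findings.append((addr, port, int(m.group(2))))
    return findings


def audit(config_text: str, ss_output: str):
    """Combine both checks into a list of human-readable findings."""
    findings = []
    gp = gateway_ports_setting(config_text)
    if gp != "no":
        findings.append(f"GatewayPorts is '{gp}': remote forwards may bind external interfaces")
    for addr, port, pid in exposed_ssh_forwards(ss_output):
        findings.append(f"sshd pid {pid} listening on {addr}:{port} (reverse forward?)")
    return findings


# Constructed sshd_config fragment (sample, not a real host).
SAMPLE_SSHD_CONFIG = """\
# constructed sample
Port 22
#GatewayPorts no
GatewayPorts yes
PermitRootLogin no
"""

# Constructed `ss -tlnp` output (sample, not a real host).
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      128    0.0.0.0:443         0.0.0.0:*         users:(("sshd",pid=4120,fd=9))
LISTEN 0      128    127.0.0.1:8888      0.0.0.0:*         users:(("sshd",pid=4121,fd=9))
LISTEN 0      511    0.0.0.0:80          0.0.0.0:*         users:(("nginx",pid=900,fd=6))
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_SSHD_CONFIG, SAMPLE_SS):
        print(finding)
```

The loopback listener on 8888 is deliberately not reported: it is what a remote forward looks like without GatewayPorts, and it is only reachable from the host itself. Run the same parse over real `ss -tlnp` output and your fleet's sshd_config to turn this into a periodic check.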
