Secondary Categories: 02-Infrastructure
Simple Redirector
You can use one of the following tools to create a simple redirector:
- iptables
- socat

```bash
# socat: listen on port 80, fork a handler per connection, forward to the backend
socat TCP-LISTEN:80,fork TCP:192.168.1.1:80
# iptables: DNAT inbound port 80 to the backend. The redirector also needs IP
# forwarding enabled and a matching POSTROUTING SNAT/MASQUERADE rule so that
# the backend's replies return through the redirector.
iptables -A PREROUTING -t nat -p tcp --dport 80 -j DNAT --to 192.168.1.1:80
```
HTTPS Redirector
In this example I will be setting up a redirector using Apache.
```bash
sudo apt install apache2
sudo a2enmod ssl rewrite proxy proxy_http
sudo systemctl restart apache2
```
Now we need to set up the Apache configuration by symlinking the site file from the "sites-available" directory into "sites-enabled".
```bash
cd /etc/apache2/sites-enabled
sudo rm 000-default.conf
sudo ln -s /etc/apache2/sites-available/default-ssl.conf .
sudo systemctl restart apache2
```
Once we restart Apache and navigate to https://<IP ADDRESS>, the default Apache page should load with Apache's default self-signed certificate.
Now we need to generate a new key pair. This should be done on the team server.

```bash
# 4096-bit RSA key plus a self-signed certificate valid for 365 days (no passphrase on the key)
openssl req -new -newkey rsa:4096 -x509 -sha256 -days 365 -nodes -out public.crt -keyout private.key
# Certificate signing request for the same key
openssl req -new -key private.key -out acme.csr
```

Then we can use certbot to sign the certificate.

```bash
# Note: without --csr, certbot generates its own key and certificate rather than signing acme.csr
certbot certonly -d example.com --apache --register-unsafely-without-email --agree-tos
```
- The public IP address of the machine used to make this request will be logged as the requester.
If certbot is used, it will produce four separate files in the following folder: /etc/letsencrypt/archive/example.com
The two that we will need for the C2 infrastructure are fullchain.pem and privkey.pem. For now, copy these to /etc/ssl/certs/ and /etc/ssl/private/ respectively.
Then we need to edit /etc/apache2/sites-available/default-ssl.conf and point the following directives at those files:
- SSLCertificateFile
- SSLCertificateKeyFile
If you are trying to emulate this in your own home lab, you can use the public.crt and private.key files instead, and will need to add the following line to the Apache default-ssl.conf file:

```apache
SSLProxyCheckPeerCN off
```
This will essentially tell Apache to ignore that the SSL certificate is self-signed.
FINALLY... restart Apache:

```bash
sudo systemctl restart apache2
```
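As an added check before (or when reviewing) a deployment, and not code from the original page: a small Python auditor that reads an Apache SSL site file, collects its directives, and flags the settings this section touches, i.e. certificate/key paths that are missing or still at the Debian snakeoil defaults, and SSLProxyCheckPeerCN off or SSLProxyVerify none, both of which weaken checking of the proxied backend's certificate. The sample configuration is constructed for the example.

```python
from typing import Dict, List
# Constructed sample site file (not from the original page): roughly what
# default-ssl.conf looks like after the edits above, plus a proxy to a backend.
SAMPLE_CONF = """\
<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        SSLEngine on
        # paths changed from the Debian snakeoil defaults
        SSLCertificateFile      /etc/ssl/certs/fullchain.pem
        SSLCertificateKeyFile   /etc/ssl/private/privkey.pem
        SSLProxyEngine on
        SSLProxyCheckPeerCN off
        ProxyPass / https://10.0.0.5/
    </VirtualHost>
</IfModule>
"""

def parse_directives(conf: str) -> Dict[str, List[str]]:
    """Map lower-cased directive name -> values, skipping full-line comments and
    section tags; nesting is flattened, which is enough for a single-site file."""
    found: Dict[str, List[str]] = {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        found.setdefault(parts[0].lower(), []).append(value)
    return found

def audit_ssl_conf(conf: str) -> List[str]:
    """Return findings for the directives this section edits."""
    d = parse_directives(conf)
    findings: List[str] = []
    for name in ("sslcertificatefile", "sslcertificatekeyfile"):
        vals = d.get(name, [])
        if not vals:
            findings.append(f"{name}: missing")
        elif any("snakeoil" in v for v in vals):
            findings.append(f"{name}: still the default self-signed snakeoil file")
    # Either setting weakens checking of the proxied backend's certificate.
    if any(v.lower() == "off" for v in d.get("sslproxycheckpeercn", [])):
        findings.append("SSLProxyCheckPeerCN off: backend certificate name not checked")
    if any(v.lower() == "none" for v in d.get("sslproxyverify", [])):
        findings.append("SSLProxyVerify none: backend certificate chain not verified")
    return findings

if __name__ == "__main__":
    for finding in audit_ssl_conf(SAMPLE_CONF):
        print("FINDING:", finding)
```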
Cobalt Strike
In order to use these certificates with Cobalt Strike, you need to import them into a Java KeyStore.
First we need to combine the separate public certificate and private key into a single PKCS12 file. This should be done on the team server.

```bash
# Bundle the certificate and key into one PKCS12 file (prompts for an export password)
openssl pkcs12 -inkey private.key -in public.crt -export -out example.pkcs12
```

We can then convert it to a Java KeyStore using keytool:

```bash
# Prompts for the destination keystore password and the PKCS12 export password
keytool -importkeystore -srckeystore example.pkcs12 -srcstoretype pkcs12 -destkeystore example.store
```

Then in the Malleable C2 profile you need to add the following (the keystore name must match the file produced by keytool above, and the password is the one set for that keystore):

```
https-certificate {
    set keystore "example.store";
    set password "password";
}
```
- The team server expects the keystore to be in the same directory as itself.