Secondary Categories: 02-Infrastructure

Simple Redirector

You can use one of the following tools to create a simple redirector:

  • Socat
  • IPtables

socat TCP-LISTEN:80,fork TCP:192.168.1.1:80
iptables -A PREROUTING -t nat -p tcp --dport 80 -j DNAT --to-destination 192.168.1.1:80

socat terminates each client connection on the redirector and opens a fresh one to the team server, so the team server sees the redirector's address as the source; fork is what lets it serve more than one connection at a time. The iptables rule rewrites the destination in the kernel instead, but on its own it is not enough: the host must have IP forwarding enabled (net.ipv4.ip_forward=1), the FORWARD chain must allow the traffic, and replies from 192.168.1.1 have to come back through the redirector (a POSTROUTING MASQUERADE rule, or a route on the team server), otherwise the TCP handshake never completes. None of it survives a reboot unless the rules are saved.
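As an added example (not from the original page), the script below prints the complete rule set a DNAT redirector needs, so it can be reviewed before it is applied, and only applies it when asked. The backend address, port and interface name are placeholders.

```shell
#!/bin/sh
# Added example (not from the original page): the full rule set a DNAT redirector
# needs, printed for review first and applied only on request. The backend address,
# port and interface name are placeholders.
set -eu

# Print one command per line: forwarding on, DNAT in, source-NAT out, and the two
# FORWARD rules so a default-DROP policy still passes the redirected flow.
dnat_rules() {
    backend="$1"; port="$2"; iface="${3:-eth0}"   # eth0 is an assumption
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -i $iface -p tcp --dport $port -j DNAT --to-destination $backend:$port
iptables -t nat -A POSTROUTING -p tcp -d $backend --dport $port -j MASQUERADE
iptables -A FORWARD -p tcp -d $backend --dport $port -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp -s $backend --sport $port -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Execute the rules; refuses to run unprivileged rather than failing halfway through.
apply_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_rules: must run as root" >&2; return 1; }
    dnat_rules "$@" | sh -e
}

# Check that the DNAT rule for a port is actually present (returns 1 if missing).
verify_dnat() {
    iptables -t nat -S PREROUTING | grep -q -- "--dport $1 .*DNAT"
}

case "${1:-print}" in
    print) dnat_rules "${2:-192.168.1.1}" "${3:-80}" ;;
    apply) apply_rules "${2:-192.168.1.1}" "${3:-80}" && verify_dnat "${3:-80}" ;;
    *) echo "usage: $0 [print|apply] [backend] [port]" >&2; exit 2 ;;
esac
```

Run it with no arguments to see the rules, then as root with apply to install them and confirm the PREROUTING entry landed. The MASQUERADE rule is what makes the team server's replies flow back through the redirector; without it the team server answers the client directly from its own address and the client discards the packets.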

HTTPS Redirector

In this example I will be setting up a redirector using Apache.

sudo apt install apache2
sudo a2enmod ssl rewrite proxy proxy_http
sudo systemctl restart apache2

Now we need to enable the SSL site. Apache only reads /etc/apache2/sites-enabled, which holds symlinks into sites-available, so drop the plain-HTTP default and link the SSL site in (a2dissite 000-default and a2ensite default-ssl do the same thing):

cd /etc/apache2/sites-enabled
sudo rm 000-default.conf
sudo ln -s /etc/apache2/sites-available/default-ssl.conf .
sudo systemctl restart apache2

Once we restart Apache and navigate to https://<IP ADDRESS> the default Apache page should load with Apache's default self-signed certificate (the browser will warn about it, which is expected at this stage).

Now we need to generate a new key pair. The first command produces a self-signed certificate and its private key, which is enough for a lab; the second produces a CSR from that key for when you want a CA to sign it. This should be done on the team server, so the private key never has to be moved off it.

openssl req -new -newkey rsa:4096 -x509 -sha256 -days 365 -nodes -out public.crt -keyout private.key
openssl req -new -key private.key -out acme.csr

Then we can use certbot to obtain a certificate signed by Let's Encrypt. Note that the command below does not use acme.csr: with --apache, certbot generates its own key and certificate and proves control of the domain over port 80 on the host it runs on, so it has to be run on the redirector that example.com resolves to, not on the team server. To have your own key signed instead, pass --csr acme.csr; certbot then writes the certificate and chain files into the current directory rather than under /etc/letsencrypt.

certbot certonly -d example.com --apache --register-unsafely-without-email --agree-tos
  • The public IP address of the machine used to make this request will be logged by Let's Encrypt, and the domain name itself is published in Certificate Transparency logs, so do not request certificates for names you are not ready to expose.

If certbot is used it will produce four separate files (cert1.pem, chain1.pem, fullchain1.pem and privkey1.pem) in the following folder, with stable symlinks to the current versions under /etc/letsencrypt/live/example.com:

/etc/letsencrypt/archive/example.com

The two that we will need for the C2 infrastructure are fullchain.pem and privkey.pem (fullchain already contains the intermediate certificate, so no separate chain file is needed). For now let's copy these to:

  • /etc/ssl/certs/ (fullchain.pem)
  • /etc/ssl/private/ (privkey.pem, which should stay root-only, mode 0600)

Bear in mind that a copy does not follow renewals; pointing Apache at the /etc/letsencrypt/live/example.com paths directly avoids having to copy the files again every 90 days.

Then we need to edit /etc/apache2/sites-available/default-ssl.conf so that the following directives point at fullchain.pem and privkey.pem respectively:

  • SSLCertificateFile
  • SSLCertificateKeyFile

If you are trying to emulate this in your own home lab then you can just use the public.crt and private.key files instead. Either way, because Apache will be proxying to an HTTPS listener on the team server that presents a self-signed certificate, you will also need to add the following line to the Apache default-ssl.conf file:

SSLProxyCheckPeerCN off

This tells Apache not to reject the backend because the certificate's CN does not match the team server's address. Three caveats: on Apache 2.4.5 and later this directive is only honoured together with SSLProxyCheckPeerName off; the proxy side of mod_ssl has to be switched on with SSLProxyEngine on before any https:// backend works at all; and Apache does not validate the backend's certificate chain unless SSLProxyVerify is set, so the self-signed issuer by itself is not what gets rejected, the name mismatch is.

FINALLY… check the configuration with apachectl configtest, then restart Apache

sudo systemctl restart apache2
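The page never shows the vhost that actually does the proxying, so the script below is an added example (not code from the original page) that writes a complete one: it terminates TLS with the certificate from the steps above, proxies only URIs that match the C2 profile to the team server over HTTPS with the peer checks disabled, and 302s everything else to a decoy site. The domain, team server address, beacon URIs and decoy are all placeholders.

```shell
#!/bin/sh
# Added example, not code from the original page: a complete Apache vhost for the
# HTTPS redirector. Every value below is a placeholder for illustration: the domain,
# the team server address, the beacon URIs and the decoy site.
set -eu

C2_DOMAIN="${C2_DOMAIN:-example.com}"
C2_BACKEND="${C2_BACKEND:-https://192.168.1.1}"          # team server listener (self-signed in the lab)
C2_CERT="${C2_CERT:-/etc/ssl/certs/fullchain.pem}"
C2_KEY="${C2_KEY:-/etc/ssl/private/privkey.pem}"
C2_DECOY="${C2_DECOY:-https://www.example.org/}"        # where non-beacon traffic is sent

# Emit the vhost. Only requests whose URI matches the C2 profile are proxied to the
# team server; everything else is bounced to the decoy, so scanners and analysts
# poking the redirector never reach the backend.
redirector_vhost() {
    cat <<EOF
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
    ServerName $C2_DOMAIN
    SSLEngine on
    SSLCertificateFile $C2_CERT
    SSLCertificateKeyFile $C2_KEY

    # The backend is HTTPS, so the proxy side of mod_ssl must be on. The lab team
    # server presents a self-signed certificate, hence no peer checks.
    SSLProxyEngine on
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerExpire off

    ProxyRequests off
    ProxyPreserveHost on

    RewriteEngine on
    # Beacon URIs (assumed here; they must match the Malleable C2 profile).
    RewriteCond %{REQUEST_URI} ^/(api/v1/updates|api/v1/status)(/.*)?\$
    RewriteRule ^.*\$ $C2_BACKEND%{REQUEST_URI} [P,L]
    # Everything else gets a 302 to the decoy.
    RewriteRule ^.*\$ $C2_DECOY [R=302,L]
</VirtualHost>
</IfModule>
EOF
}

# Write the vhost, syntax-check it before touching the running server, swap it in
# for default-ssl and reload. Must run as root.
install_vhost() {
    [ "$(id -u)" -eq 0 ] || { echo "install_vhost: must run as root" >&2; return 1; }
    redirector_vhost > /etc/apache2/sites-available/redirector.conf
    apachectl configtest
    a2dissite default-ssl >/dev/null 2>&1 || true
    a2ensite redirector
    systemctl reload apache2
}

if [ "${1:-}" = "install" ]; then
    install_vhost
else
    redirector_vhost
fi
```

Run it without arguments to print the vhost, or with install as root to deploy it. The [P] flag needs mod_proxy, mod_proxy_http and mod_rewrite, which the a2enmod line earlier already enabled; because the substitution carries no query string, mod_rewrite appends the original one, so beacon GET parameters survive the hop.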

Cobalt Strike

In order to use these certificates with Cobalt Strike you need to import them into a Java KeyStore.

First we need to combine the separate public and private key into a single PKCS12 file. This should be done on the team server. In the lab these are public.crt and private.key; with a Let's Encrypt certificate use fullchain.pem and privkey.pem instead, so the intermediate is bundled too.

openssl pkcs12 -inkey private.key -in public.crt -export -out example.pkcs12

We can then convert it to the Java KeyStore using keytool, which ships with the Java install the team server already runs on. You will be prompted for the PKCS12 export password and for a keystore password; the keystore password is the one that goes into the profile.

keytool -importkeystore -srckeystore example.pkcs12 -srcstoretype pkcs12 -destkeystore example.store

Then in the Malleable C2 Profile you need to add the following, with the keystore file name and password matching what you just created:

https-certificate {
     set keystore "example.store";
     set password "password";
}
  • The team server expects the keystore to be in the same directory as itself
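As an added example (not the page's or Cobalt Strike's own tooling), the script below runs the certificate-to-keystore pipeline with one password used consistently at every stage and verifies the PKCS12 bundle opens with that password before keytool ever sees it, which catches the usual mismatch between the keystore password and set password in the profile. File names and the password are placeholders; the self-signed pair is only for a lab.

```shell
#!/bin/sh
# Added example (not from the original page): cert + key -> PKCS12 -> Java keystore
# with a single password throughout, plus the matching profile block. Paths and the
# password are placeholders. Requires openssl; keytool comes with the Java install.
set -eu

# Self-signed pair for a lab only. $1 = CN, $2 = output directory.
make_lab_pair() {
    openssl req -new -newkey rsa:4096 -x509 -sha256 -days 365 -nodes \
        -subj "/CN=$1" -out "$2/public.crt" -keyout "$2/private.key" 2>/dev/null
}

# Bundle certificate (fullchain.pem when using Let's Encrypt) and key into PKCS12.
# $1 = cert, $2 = key, $3 = output .p12, $4 = password.
make_pkcs12() {
    openssl pkcs12 -export -in "$1" -inkey "$2" -name c2 -out "$3" -passout "pass:$4"
}

# Return 0 if the bundle opens with the password, 1 otherwise (wrong password fails
# the MAC check). $1 = .p12, $2 = password.
check_pkcs12() {
    openssl pkcs12 -in "$1" -noout -passin "pass:$2" 2>/dev/null
}

# Convert to the keystore the team server loads; the same password protects the
# store and the key entry. $1 = .p12, $2 = output .store, $3 = password.
make_keystore() {
    keytool -importkeystore -srckeystore "$1" -srcstoretype pkcs12 -srcstorepass "$3" \
        -destkeystore "$2" -deststorepass "$3" -destkeypass "$3" -noprompt
}

# Print the Malleable C2 block that matches the store name and password.
# $1 = keystore file name (must sit next to the teamserver script), $2 = password.
profile_block() {
    printf 'https-certificate {\n     set keystore "%s";\n     set password "%s";\n}\n' "$1" "$2"
}

# Usage: sh keystore.sh public.crt private.key example password
if [ "$#" -eq 4 ]; then
    make_pkcs12 "$1" "$2" "$3.p12" "$4"
    check_pkcs12 "$3.p12" "$4" || { echo "PKCS12 bundle does not open with that password" >&2; exit 1; }
    make_keystore "$3.p12" "$3.store" "$4"
    profile_block "$3.store" "$4"
fi
```

The printed block is what goes into the profile, so the name and password cannot drift from the files on disk. One known snag: a .p12 written by OpenSSL 3 uses PBKDF2/AES by default, which a Java 8 keytool cannot read; re-run the export with openssl pkcs12 -legacy on such hosts.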
