From c9f2cd4254a20d7a0c04da5f00201a6c00711b9d Mon Sep 17 00:00:00 2001 From: Jeremy Date: Sun, 6 Aug 2017 21:40:05 -0700 Subject: [PATCH 1/2] Updated README.md to include SSL Redirector tips Using SSL Proxy Engine in Apache --- README.md | 23 ++++++++++++++++++++++- 1 file changed, 22 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 9be15c1..d6bbb3f 100644 --- a/README.md +++ b/README.md @@ -30,6 +30,7 @@ THANK YOU to all of the authors of the content referenced in this wiki and to al - [iptables for HTTP](#iptables-for-http) - [Payloads and Web Redirection](#payloads-and-web-redirection) - [C2 Redirection](#c2-redirection) + - [C2 Redirection with HTTPS](#C2-redirection-with-https) - [Other Apache mod_rewrite Resources](#other-apache-mod_rewrite-resources) - [Modifying C2 Traffic](#modifying-c2-traffic) - [Cobalt Strike](#cobalt-strike) 
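Review bot: the new TOC entry's anchor `#C2-redirection-with-https` carries an uppercase `C`, but GitHub generates heading anchors in lowercase (every sibling entry in this list is lowercase), so the link will not resolve; change it to `#c2-redirection-with-https`.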
@@ -311,6 +312,26 @@ The intention behind redirecting C2 traffic is twofold: obscure the backend team * [Cobalt Strike HTTP C2 Redirectors with Apache mod_rewrite - Jeff Dimmock](https://bluescreenofjeff.com/2016-06-28-cobalt-strike-http-c2-redirectors-with-apache-mod_rewrite/) * [Expand Your Horizon Red Team – Modern SAAS C2 - Alex Rymdeko-Harvey (@killswitch-gui)](https://cybersyndicates.com/2017/04/expand-your-horizon-red-team/) +### C2 Redirection with HTTPS + +Building on "C2 Redirection" above, another method is to have your redirecting server use Apache's SSL Proxy Engine to accept inbound SSL requests, and proxy those to requests to a reverse-HTTPS listener. Encryption is used at all stages, and you can rotate SSL certificates on your redirector as needed. + +To make this work with your mod_rewrite rules, you need to place your rules in **"/etc/apache2/sites-available/000-default-le-ssl.conf"** assuming you've used LetsEncrypt (aka CertBot) to install your certificate. Also, to enable the SSL ProxyPass engine, you'll need the following lines in that same config file: + +```bash +# Enable the Proxy Engine +SSLProxyEngine On + +# Tell the Proxy Engine where to forward your requests +ProxyPass / https://DESTINATION_C2_URL:443/ +ProxyPassReverse / https://DESTINATION_C2_URL:443/ + +# Disable Cert checking, useful if you're using a self-signed cert +SSLProxyCheckPeerCN off +SSLProxyCheckPeerName off +SSLProxyCheckPeerExpire off +``` + ### Other Apache mod_rewrite Resources * [mod-rewrite-cheatsheet.com](http://mod-rewrite-cheatsheet.com/) * [Official Apache 2.4 mod_rewrite Documentation](http://httpd.apache.org/docs/current/rewrite/) 
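Review bot: the three `SSLProxyCheckPeer* off` lines at the end of the config block, on top of Apache's default `SSLProxyVerify none`, leave the redirector-to-C2 leg with no certificate validation at all, so the redirector will happily proxy to whatever answers at DESTINATION_C2_URL; the README should state that trade-off rather than just calling it "useful". If the backend uses a self-signed certificate, the safer pattern is to keep the checks on and trust that one certificate explicitly, e.g. `SSLProxyVerify require` together with `SSLProxyCACertificateFile /path/to/backend-cert.pem` (both standard mod_ssl directives), which works for self-signed certs without accepting arbitrary ones. Smaller points in the same hunk: "proxy those to requests to" should read "proxy those requests to"; the heading is `###` but the TOC nests this section under "C2 Redirection", so it should be `####`; the fence is tagged `bash` although the content is Apache configuration; and a sentence noting that `mod_ssl`, `mod_proxy` and `mod_proxy_http` must be enabled (`a2enmod ssl proxy proxy_http` on the Debian/Ubuntu layout the `/etc/apache2/sites-available` path implies) would save readers a failed restart.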
@@ -452,4 +473,4 @@ A BIG THANK YOU to all the following people (listed alphabetically) who contribu * [@n0pe_sled - Julian Catrambone](https://twitter.com/n0pe_sled) * [@tifkin_ - Lee Christensen](https://twitter.com/tifkin_) * [@vysecurity - Vincent Yiu](https://twitter.com/vysecurity) -* [@xorrior - Chris Ross](https://twitter.com/xorrior) \ No newline at end of file +* [@xorrior - Chris Ross](https://twitter.com/xorrior) From 46082301ad9fe28e86e5e76d2c62b44879430eca Mon Sep 17 00:00:00 2001 From: Jeff Dimmock Date: Mon, 14 Aug 2017 21:31:40 -0700 Subject: [PATCH 2/2] Update README.md --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index d6bbb3f..1f6c264 100644 --- a/README.md +++ b/README.md @@ -30,7 +30,7 @@ THANK YOU to all of the authors of the content referenced in this wiki and to al - [iptables for HTTP](#iptables-for-http) - [Payloads and Web Redirection](#payloads-and-web-redirection) - [C2 Redirection](#c2-redirection) - - [C2 Redirection with HTTPS](#C2-redirection-with-https) + - [C2 Redirection with HTTPS](#c2-redirection-with-https) - [Other Apache mod_rewrite Resources](#other-apache-mod_rewrite-resources) - [Modifying C2 Traffic](#modifying-c2-traffic) - [Cobalt Strike](#cobalt-strike) 
@@ -312,7 +312,7 @@ The intention behind redirecting C2 traffic is twofold: obscure the backend team * [Cobalt Strike HTTP C2 Redirectors with Apache mod_rewrite - Jeff Dimmock](https://bluescreenofjeff.com/2016-06-28-cobalt-strike-http-c2-redirectors-with-apache-mod_rewrite/) * [Expand Your Horizon Red Team – Modern SAAS C2 - Alex Rymdeko-Harvey (@killswitch-gui)](https://cybersyndicates.com/2017/04/expand-your-horizon-red-team/) -### C2 Redirection with HTTPS +#### C2 Redirection with HTTPS Building on "C2 Redirection" above, another method is to have your redirecting server use Apache's SSL Proxy Engine to accept inbound SSL requests, and proxy those to requests to a reverse-HTTPS listener. Encryption is used at all stages, and you can rotate SSL certificates on your redirector as needed.
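Review bot: the unchanged context line below the heading still carries the typo "proxy those to requests to"; since this hunk already touches the section, fix it here to "proxy those requests to" instead of leaving it for a third commit.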