From c9f2cd4254a20d7a0c04da5f00201a6c00711b9d Mon Sep 17 00:00:00 2001 From: Jeremy Date: Sun, 6 Aug 2017 21:40:05 -0700 Subject: [PATCH] Updated README.md to include SSL Redirector tips Using SSL Proxy Engine in Apache --- README.md | 23 ++++++++++++++++++++++- 1 file changed, 22 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 9be15c1..d6bbb3f 100644 --- a/README.md +++ b/README.md @@ -30,6 +30,7 @@ THANK YOU to all of the authors of the content referenced in this wiki and to al - [iptables for HTTP](#iptables-for-http) - [Payloads and Web Redirection](#payloads-and-web-redirection) - [C2 Redirection](#c2-redirection) + - [C2 Redirection with HTTPS](#C2-redirection-with-https) - [Other Apache mod_rewrite Resources](#other-apache-mod_rewrite-resources) - [Modifying C2 Traffic](#modifying-c2-traffic) - [Cobalt Strike](#cobalt-strike) 
@@ -311,6 +312,26 @@ The intention behind redirecting C2 traffic is twofold: obscure the backend team * [Cobalt Strike HTTP C2 Redirectors with Apache mod_rewrite - Jeff Dimmock](https://bluescreenofjeff.com/2016-06-28-cobalt-strike-http-c2-redirectors-with-apache-mod_rewrite/) * [Expand Your Horizon Red Team – Modern SAAS C2 - Alex Rymdeko-Harvey (@killswitch-gui)](https://cybersyndicates.com/2017/04/expand-your-horizon-red-team/) +### C2 Redirection with HTTPS + +Building on "C2 Redirection" above, another method is to have your redirecting server use Apache's SSL Proxy Engine to accept inbound SSL requests, and proxy those to requests to a reverse-HTTPS listener. Encryption is used at all stages, and you can rotate SSL certificates on your redirector as needed. + +To make this work with your mod_rewrite rules, you need to place your rules in **"/etc/apache2/sites-available/000-default-le-ssl.conf"** assuming you've used LetsEncrypt (aka CertBot) to install your certificate. Also, to enable the SSL ProxyPass engine, you'll need the following lines in that same config file: + +```bash +# Enable the Proxy Engine +SSLProxyEngine On + +# Tell the Proxy Engine where to forward your requests +ProxyPass / https://DESTINATION_C2_URL:443/ +ProxyPassReverse / https://DESTINATION_C2_URL:443/ + +# Disable Cert checking, useful if you're using a self-signed cert +SSLProxyCheckPeerCN off +SSLProxyCheckPeerName off +SSLProxyCheckPeerExpire off +``` + ### Other Apache mod_rewrite Resources * [mod-rewrite-cheatsheet.com](http://mod-rewrite-cheatsheet.com/) * [Official Apache 2.4 mod_rewrite Documentation](http://httpd.apache.org/docs/current/rewrite/) 
@@ -452,4 +473,4 @@ A BIG THANK YOU to all the following people (listed alphabetically) who contribu * [@n0pe_sled - Julian Catrambone](https://twitter.com/n0pe_sled) * [@tifkin_ - Lee Christensen](https://twitter.com/tifkin_) * [@vysecurity - Vincent Yiu](https://twitter.com/vysecurity) -* [@xorrior - Chris Ross](https://twitter.com/xorrior) \ No newline at end of file +* [@xorrior - Chris Ross](https://twitter.com/xorrior)
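Review bot: the new table-of-contents entry in the first hunk links to `#C2-redirection-with-https`, while every other entry in that list uses an all-lowercase anchor (for example `#c2-redirection`); GitHub derives heading anchors in lowercase, so to keep the link consistent with its siblings and certain to resolve, change it to `- [C2 Redirection with HTTPS](#c2-redirection-with-https)`.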
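Review bot: the README hunk adding the "C2 Redirection with HTTPS" section leaves out the Apache modules the snippet depends on: `SSLProxyEngine`, `ProxyPass` and `ProxyPassReverse` are only recognised once mod_ssl, mod_proxy and mod_proxy_http are loaded, and on a Debian/Ubuntu install (which the `/etc/apache2/sites-available/` path implies) Apache refuses to start with an "Invalid command" error otherwise, so add a line such as `sudo a2enmod ssl proxy proxy_http` before the config block. Two smaller points in the same hunk: the sentence "proxy those to requests to a reverse-HTTPS listener" has a stray "to" (it should read "proxy those requests to"), and the fence is tagged as bash although its contents are Apache configuration, so tagging it apache gives correct highlighting. Finally, the comment on `SSLProxyEngine On` reads "Enable the Proxy Engine", but that directive only enables TLS for the proxy's outbound connections (the proxying itself comes from the `ProxyPass` lines), and the three `SSLProxyCheckPeer*` off lines mean the redirector will relay to whatever answers at DESTINATION_C2_URL without validating its certificate; it is worth stating in the text that this is the permissive option, and that the checks can stay on (with `SSLProxyVerify require` and `SSLProxyCACertificateFile` pointing at the listener's own certificate) when the backend certificate is self-signed but known.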