Joe Vest, James Tubberville, Red Team Development and Operations
C2 Redirectors
C2 redirectors are pivots that separate communications between a target and the C2 servers.
They exist to keep the C2 servers' IP addresses from being identified. Redirectors are what the target sees as malicious: any IP address or domain name the target observes belongs to a redirector, not to the C2 server. If a defender identifies malicious activity, they may block a redirector's IP address.
Redirectors should be treated as burnable. If one is burned, a Red Team Operator simply switches to an alternate redirector to pivot C2 traffic from the target to the C2 server.
Redirectors and C2 servers must be protected. A Command and Control server must communicate with the target over the C2 channel, such as HTTPS on port 443, and efforts should be made to limit (or drop) C2 connections from unexpected networks. That is not the only communication to a C2 server, however: an operator must use the C2 interface to control the server and issue commands, and this must also be protected. ACLs or other protections should be put in place to allow access only from Red Team Operators. A responsible Red Team should not allow C2 control from outside designated Red Team IPs/segments. Even "hacker" software is not safe.
Given that thought, proper security and access controls effectively limit the risk from new vulnerabilities or unknown access methods in Red Team tools. For example, in September 2016 a remote code execution flaw was found in Cobalt Strike 3.5. The flaw allowed remote code execution on the C2 server via a malicious beacon. Effective access controls, if employed, significantly limit the likelihood of compromise from any network other than the Red Team, the redirectors, or the target.
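The access controls described above, as an added example that is not part of the book: a POSIX shell script that builds (and optionally applies) an iptables ruleset for a Linux C2 server so that the beacon channel on TCP/443 is reachable only from the redirectors and the operator interface only from the Red Team segment. The two redirector addresses, the operator segment, and the operator port 50050 (Cobalt Strike's default teamserver port) are assumptions for this example; the default policy is DROP and anything else that still arrives is logged.

```shell
#!/bin/sh
# Added example (not from the book): lock a Linux C2 server down so that the
# beacon channel (TCP/443) is reachable only from the redirectors and the
# operator interface (TCP/50050, Cobalt Strike's default teamserver port)
# only from the Red Team segment. Everything else inbound is dropped and
# logged. All addresses below are placeholders chosen for this example.
set -eu

REDIRECTORS="203.0.113.10 203.0.113.11"   # redirector public IPs (assumed)
OPERATOR_NET="198.51.100.0/24"           # Red Team operator segment (assumed)
C2_PORT=443                              # beacon channel
TEAM_PORT=50050                          # operator / teamserver interface
SSH_PORT=22                              # admin access, operators only

# build_rules prints the iptables commands instead of running them, so the
# ruleset can be reviewed before it is applied.
build_rules() {
    echo "iptables -F INPUT"
    echo "iptables -P INPUT DROP"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Beacon traffic may only arrive through a redirector.
    for r in $REDIRECTORS; do
        echo "iptables -A INPUT -p tcp -s $r --dport $C2_PORT -j ACCEPT"
    done
    # Operator interface and SSH only from the Red Team segment.
    echo "iptables -A INPUT -p tcp -s $OPERATOR_NET --dport $TEAM_PORT -j ACCEPT"
    echo "iptables -A INPUT -p tcp -s $OPERATOR_NET --dport $SSH_PORT -j ACCEPT"
    # Anything logged here is a misconfigured redirector or someone who
    # found the C2 address; the DROP policy handles it.
    echo "iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix 'C2-DROP: '"
}

# accept_count_for SOURCE prints how many ACCEPT rules exist for that source,
# a quick check that no unexpected network is allowed in.
accept_count_for() {
    build_rules | grep -c -- "-s $1 .*-j ACCEPT" || true
}

apply_rules() {
    build_rules | sh -e
}

case "${1:-}" in
    apply) apply_rules ;;
    *)     build_rules ;;
esac
```

Run it without arguments to review the rules, and with `apply` (as root) to install them; the redirector list is the only thing that needs to change when a redirector is burned and replaced.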
Virtual Private Server (VPS) providers such as Amazon EC2, DigitalOcean, and Linode are great solutions for creating internet-accessible redirectors. Redirector servers can be easily deployed or torn down, and most providers offer an API that allows the deployment and destruction of redirectors to be scripted and automated. Redirectors can also be made highly resistant to removal, or even more obfuscated: techniques such as Domain Fronting take advantage of the trust placed in well-known CDNs.
A reverse HTTP proxy, such as Apache with mod_rewrite, can be used to shape HTTP traffic so that malicious traffic is better obfuscated or hidden, for example by forwarding only requests that match the beacon's profile to the C2 server and sending everything else elsewhere.
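An added example of the mod_rewrite approach (not taken from the book): an Apache virtual host for a redirector that proxies only requests matching the beacon's URI pattern and User-Agent to the C2 server and redirects everything else to a decoy site. The hostname, URI pattern, User-Agent string, decoy URL and C2 address 10.10.10.10 are assumptions for this example and must match the actual C2 profile; it requires mod_ssl, mod_rewrite, mod_proxy and mod_proxy_http.

```apache
# Added example, not from the book. Requests that look like the beacon
# (example URI pattern and User-Agent below) are proxied to the C2 server;
# everything else never reaches it.
<VirtualHost *:443>
    ServerName cdn-updates.example.com
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/cdn-updates.example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/cdn-updates.example.com/privkey.pem

    RewriteEngine on
    # Only beacon traffic: URI and User-Agent are placeholder profile values.
    RewriteCond %{REQUEST_URI} "^/(updates|telemetry)/[A-Za-z0-9_-]+\.(js|json)$" [NC]
    RewriteCond %{HTTP_USER_AGENT} "^Mozilla/5\.0 \(Windows NT 10\.0; Win64; x64\) AppleWebKit/537\.36$"
    RewriteRule ^.*$ https://10.10.10.10%{REQUEST_URI} [P,L]

    # Scanners, analysts and browsers get a harmless decoy instead.
    RewriteRule ^.*$ https://www.example.com/ [L,R=302]

    # The hop to the C2 server uses its self-signed certificate.
    SSLProxyEngine on
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
</VirtualHost>
```

Verify the config with `apachectl configtest`, then test both paths from outside: a request with the profile's URI and User-Agent should return the beacon response, and a plain `curl https://cdn-updates.example.com/` should land on the decoy. The C2 server itself should still only accept port 443 from the redirector's address.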
Deploying Redirectors
There are several ways to redirect traffic. Here are a couple of quick examples of "dumb pipe" redirectors for Linux and Windows. A dumb pipe redirector simply forwards traffic arriving on one TCP port to another host and port without inspecting it.


Linux:
Create a cron job (in root's crontab, since binding port 443 requires root) that starts socat at boot and forwards TCP 443 on the redirector to 10.10.10.10:
crontab -e
@reboot /usr/bin/socat TCP-LISTEN:443,fork,reuseaddr TCP:10.10.10.10:443
The fork option makes socat handle each incoming connection in its own child process; reuseaddr lets the listener be restarted immediately if it dies.
Windows:
From an elevated prompt, use the netsh command to create a persistent port redirection rule that forwards TCP 443 on the redirector's address 10.20.20.20 to 10.10.10.10 (the IP Helper service must be running):
netsh interface portproxy add v4tov4 listenport=443 listenaddress=10.20.20.20 connectport=443 connectaddress=10.10.10.10
The rule survives reboots. Confirm it with netsh interface portproxy show all, and remove it with netsh interface portproxy delete v4tov4 listenport=443 listenaddress=10.20.20.20 once the redirector is burned.
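The API-driven deployment mentioned earlier, as an added example that is not from the book: a POSIX shell script that creates a DigitalOcean droplet through the v2 API, installs socat on it as a systemd service piping TCP/443 to the C2 server, and destroys the droplet when it is burned. The region, size, image slug, SSH key fingerprint and C2 address are placeholders; the script assumes a DO_TOKEN environment variable holding an API token, and curl, jq and ssh on the operator host.

```shell
#!/bin/sh
# Added example, not from the book: create and destroy a burnable socat
# redirector on DigitalOcean via its v2 API. Region, size, image, SSH key
# fingerprint and C2 address are placeholders assumed for this example.
set -eu

API="https://api.digitalocean.com/v2"
C2_IP="10.10.10.10"                       # C2 server the redirector pipes to
REGION="nyc3"
SIZE="s-1vcpu-1gb"
IMAGE="ubuntu-22-04-x64"
SSH_KEY_FP="3b:16:bf:e4:8b:00:8b:b8:59:8c:a9:d3:f0:19:45:fa"  # fake fingerprint

# droplet_request NAME: JSON body for POST /v2/droplets.
droplet_request() {
    printf '{"name":"%s","region":"%s","size":"%s","image":"%s","ssh_keys":["%s"]}' \
        "$1" "$REGION" "$SIZE" "$IMAGE" "$SSH_KEY_FP"
}

# socat_unit C2_IP: systemd unit turning the host into a dumb pipe for TCP/443.
socat_unit() {
    cat <<EOF
[Unit]
Description=TCP/443 redirector to C2
After=network-online.target

[Service]
ExecStart=/usr/bin/socat TCP-LISTEN:443,fork,reuseaddr TCP:$1:443
Restart=always

[Install]
WantedBy=multi-user.target
EOF
}

# api METHOD PATH [BODY]: authenticated call against the DigitalOcean API.
api() {
    if [ $# -gt 2 ]; then
        curl -fsS -X "$1" -H "Authorization: Bearer $DO_TOKEN" \
             -H "Content-Type: application/json" -d "$3" "$API$2"
    else
        curl -fsS -X "$1" -H "Authorization: Bearer $DO_TOKEN" "$API$2"
    fi
}

# create_redirector NAME: prints "DROPLET_ID PUBLIC_IP" once socat is running.
create_redirector() {
    id=$(api POST /droplets "$(droplet_request "$1")" | jq -r '.droplet.id')
    ip=""
    while [ -z "$ip" ] || [ "$ip" = "null" ]; do    # wait for a public address
        sleep 10
        ip=$(api GET "/droplets/$id" \
             | jq -r '.droplet.networks.v4[] | select(.type=="public") | .ip_address')
    done
    until ssh -o StrictHostKeyChecking=accept-new -o ConnectTimeout=5 \
              root@"$ip" true 2>/dev/null; do sleep 5; done   # wait for sshd
    socat_unit "$C2_IP" | ssh root@"$ip" \
        'apt-get -qq update </dev/null && apt-get -qq install -y socat </dev/null &&
         cat > /etc/systemd/system/redirector.service && systemctl enable --now redirector'
    echo "$id $ip"
}

# destroy_redirector DROPLET_ID: burn it.
destroy_redirector() {
    api DELETE "/droplets/$1"
}

case "${1:-}" in
    create)  create_redirector "${2:-rdr-$(date +%s)}" ;;
    destroy) destroy_redirector "$2" ;;
    *)       echo "usage: $0 create [name] | destroy <droplet-id>" ;;
esac
```

After `create` prints the new public IP, point the phishing domain (or the domain-fronted CDN origin) at it and add the address to the C2 server's allow list; `destroy` removes a burned redirector so the operator can move on to the next one.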
There are several methods and techniques for redirection. The examples in this book are meant to show that redirectors are critical to an engagement: Red Team operators must include a set of redirector processes and technical approaches in the Red Team toolbox.
