Thermostaten Posted October 24, 2019 (edited)

Would it be possible to run the C2 on an existing webserver? My ideal setup would be:

The webserver listens on IP 10.0.0.80 (just some local IP the server has, behind NAT to an external IP) and ports 443 + 80, runs HSTS, and sits behind Cloudflare or the like.
The Hak5 C2 listens on 127.0.0.1, ports 443, 80 and 2022.
The webserver redirects /whatever_i_choose/link to the C2 service -> 127.0.0.1:443, 80, 2022 etc.

That way I can have a covert C2 running behind a legit-looking webserver.

I was thinking of using iptables or an Apache proxy / mod_rewrite to do this - would it work when the C2 wants the SSL cert? Could this be done?

Best regards
T

root@server:~# netstat -tupln
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 782/sshd
tcp 0 0 10.10.10.10:80 0.0.0.0:* LISTEN 1565/apache2
tcp 0 0 10.10.10.10:443 0.0.0.0:* LISTEN 1565/apache2
tcp 0 0 127.0.0.1:80 0.0.0.0:* LISTEN 1633/c2_community-l
tcp 0 0 127.0.0.1:443 0.0.0.0:* LISTEN 1633/c2_community-l
tcp 0 0 127.0.0.1:2022 0.0.0.0:* LISTEN 1633/c2_community-l

Edited October 24, 2019 by Thermostaten
Cap_Sig Posted October 25, 2019

It is an interesting idea. I have not done a setup like this yet, but it might be possible. The biggest thing would be the configuration of the files for the devices, making sure it is directed at the outward-facing IP of your router. This is done during the process of configuration when setting up the server for device configuration files. Just keep in mind that any time the outward-facing connection IP changes you must reload corrected configuration files to your devices.
Thermostaten Posted October 28, 2019 Author (edited)

I got one step closer (have not tested a client connection yet).

Now my covert server is online, and when you know the "secret" link you will get the C2 login page - in the example below the secret link is /hak5.

To ensure it is not always online I have also installed knockd and run a start / stop script that ensures nothing from the C2 is exposed or running when I do not need the C2.

To get knockd to work you have to alter /lib/systemd/system/knockd.service and remove or comment out (#) the "CapabilityBoundingSet" line - then it can run the scripts.

I am using iptables (not sure it is needed):

-A POSTROUTING -o ens192 -j MASQUERADE

Starting C2 like this:

/srv/hak5/c2/c2_community-linux-64 -db ./c2.db -hostname www.my-covert-server.com -https -listenip 127.0.0.1

And I am using Cloudflare and took Cloudflare's certificate (they make it for you) - converted it into a .pem and a .key file. In Apache default-ssl.conf I added this:

SSLCertificateFile /etc/ssl/private/my-covert-server.com.pem
SSLCertificateKeyFile /etc/ssl/private/my-covert-server.com.key

Then I found Cloudflare's CA cert by googling and added it also to default-ssl.conf:

SSLCertificateChainFile /usr/share/ca-certificates/cloudflare/cloudflare-ca.crt

And for proxying I added this (also to default-ssl.conf):
<IfModule mod_proxy.c>
# a2enmod proxy
# a2enmod proxy_http
ProxyPreserveHost On
SSLProxyEngine On
ProxyRequests Off
ServerName www.my-covert-server.com
ServerAlias my-covert-server.com
#
# The "secret" link: only /hak5/... is forwarded to the C2 login page.
# ProxyPassReverse takes a plain path prefix (no regex); it rewrites
# Location headers coming back from the backend.
ProxyPassMatch "/hak5/(.*)" "https://127.0.0.1:443/$1"
ProxyPassReverse "/hak5/" "https://127.0.0.1:443/"
ProxyPassMatch "/assets/(.*)" "https://127.0.0.1:443/assets/$1"
ProxyPassReverse "/assets/" "https://127.0.0.1:443/assets/"
ProxyPassMatch "/api/(.*)" "https://127.0.0.1:443/api/$1"
ProxyPassReverse "/api/" "https://127.0.0.1:443/api/"
ProxyPassMatch "/login/(.*)" "https://127.0.0.1:443/login/$1"
ProxyPassReverse "/login/" "https://127.0.0.1:443/login/"
ProxyPassMatch "/dapi/(.*)" "https://127.0.0.1:443/dapi/$1"
ProxyPassReverse "/dapi/" "https://127.0.0.1:443/dapi/"
</IfModule>

Edited October 28, 2019 by Thermostaten
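The whole setup rests on one property: the C2 binds only to 127.0.0.1 and Apache is the only thing reachable from outside. Here is an added Python check for that (not code from the thread or from Hak5); it parses a `netstat -tupln` listing, reconstructed inline from the first post as constructed sample input, and flags any C2 socket that is not on loopback or any public listener that is not the web server or sshd.

```python
"""Audit a `netstat -tupln` listing for a reverse-proxied backend.

Added example, not part of the original thread. Property checked:
every c2_community* socket is bound to loopback, and every socket
bound to a non-loopback address belongs to an allowed front-end program.
"""
import re

# Constructed sample: the listing from the first post of the thread.
SAMPLE = """\
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 782/sshd
tcp 0 0 10.10.10.10:80 0.0.0.0:* LISTEN 1565/apache2
tcp 0 0 10.10.10.10:443 0.0.0.0:* LISTEN 1565/apache2
tcp 0 0 127.0.0.1:80 0.0.0.0:* LISTEN 1633/c2_community-l
tcp 0 0 127.0.0.1:443 0.0.0.0:* LISTEN 1633/c2_community-l
tcp 0 0 127.0.0.1:2022 0.0.0.0:* LISTEN 1633/c2_community-l
"""

# proto, recv-q, send-q, local addr:port, foreign, [state], pid/program
LINE = re.compile(
    r"^(tcp6?|udp6?)\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+(?:LISTEN\s+)?(\d+|-)/(\S*)"
)


def parse_listeners(text):
    """Return (proto, local_addr, port, program) for each socket line."""
    found = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            proto, addr, port, _pid, prog = m.groups()
            found.append((proto, addr, int(port), prog))
    return found


def audit(listeners, backend_prefix="c2_community", allowed_public=("apache2", "sshd")):
    """Return a list of findings; an empty list means the binding policy holds."""
    findings = []
    for _proto, addr, port, prog in listeners:
        loopback = addr in ("127.0.0.1", "::1")   # 0.0.0.0 and :: are wildcards, not loopback
        if prog.startswith(backend_prefix) and not loopback:
            findings.append(f"backend {prog} exposed on {addr}:{port}")
        elif not loopback and not any(prog.startswith(a) for a in allowed_public):
            findings.append(f"unexpected public listener {prog} on {addr}:{port}")
    return findings


if __name__ == "__main__":
    for f in audit(parse_listeners(SAMPLE)) or ["OK: backend is loopback-only"]:
        print(f)
```

Pipe the real listing in (`netstat -tupln | python3 audit.py` after swapping SAMPLE for `sys.stdin.read()`) each time the knockd start script runs, so a C2 restart that silently picks up 0.0.0.0 is caught.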
Thermostaten Posted October 28, 2019 Author

root@server:/srv/hak5# cat /lib/systemd/system/knockd.service
[Unit]
Description=Port-Knock Daemon
After=network.target
Documentation=man:knockd(1)

[Service]
EnvironmentFile=-/etc/default/knockd
ExecStart=/usr/sbin/knockd $KNOCKD_OPTS
ExecReload=/bin/kill -HUP $MAINPID
KillMode=mixed
SuccessExitStatus=0 2 15
ProtectSystem=full
#CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN CAP_SYS_ADMIN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_KILL CAP_MKNOD CAP_NET_BIND_SERVICE
#CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN

[Install]
WantedBy=multi-user.target
Alias=knockd.service

Here is the knockd.conf in /etc:

root@server:/srv/hak5# cat /etc/knockd.conf
[options]
PidFile = /var/run/knockd.pid
LogFile = /var/log/knockd.log
Interface = ens192

[startHAK5]
sequence = 80,1337,443,6666
seq_timeout = 5
command = /srv/hak5/port_knock_on
tcpflags = syn

[stopHAK5]
sequence = 5555,443,1337,80
seq_timeout = 5
command = /srv/hak5/port_knock_off
tcpflags = syn