Run C2 on an existing webserver

[Thermostaten]

Would it be possible to run the C2 on an existing webserver ? 

My ideal setup would be: 

webserver listen on ip 10.0.0.80 (just some local ip the server has and is behind NAT to an external IP) and port 443 + 80 and run HSTS, behind cloudflare or alike.

The hak5 C2 listen on 127.0.0.1 port 443, 80 2022 

The webserver redirects /whatever_i_choose/link to the C2 service ->  127.0.0.1:443, 80 2022 etc.. 

That way i can have a covert C2 running behind a legit looking webserver.

I were thinking of using IP tables or apache proxy, mod_rewrite to do this - would it work when the C2 wants the ssl cert ? could this be done ? 

Best regards 

T

 

root@server:~# netstat -tupln
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      782/sshd            
tcp        0      0 10.10.10.10:80          0.0.0.0:*               LISTEN      1565/apache2        
tcp        0      0 10.10.10.10:443         0.0.0.0:*               LISTEN      1565/apache2        
tcp        0      0 127.0.0.1:80            0.0.0.0:*               LISTEN      1633/c2_community-l 
tcp        0      0 127.0.0.1:443           0.0.0.0:*               LISTEN      1633/c2_community-l 
tcp        0      0 127.0.0.1:2022          0.0.0.0:*               LISTEN      1633/c2_community-l 

 

Edited October 24, 2019 by Thermostaten

[Cap_Sig]

It is an interesting idea.  I have not done a setup like this yet but it might be possible.  The biggest thing would be configuration of the files for devices making sure it is directed at the outward facing IP of you route.  This is done during the process of configuration when setting up the server for device configuration files.  Just keep in mind that anytime the outward facing connection IP changes you must reload corrected configuration files to your devices.  

[Thermostaten]

I got one step closer ( have not tested a client connection yet) 

Now my covert server is online and when you know the "secret" link you will get the c2 login page - in this example below the secret link is /hak5

To ensure it is not always online i have also installed knockd and run a start / stop script that ensures nothing from the c2 is exposed or running when I do not need the C2.

To get knockd to work you have to alter /lib/systemd/system/knockd.service and remove or # outcomment the "CapabilityBoundingSet" line - then it can run the scripts.

I am using iptables (not sure it is needed)

-A POSTROUTING -o ens192 -j MASQUERADE

Starting C2 like this: 

/srv/hak5/c2/c2_community-linux-64 -db ./c2.db -hostname www.my-covert-server.com -https -listenip 127.0.0.1

And I am use cloudflare and took cloudflares certificate ( they make it for you ) - converted it in to a pem and a .key file 

And in apache default-ssl.conf i added this: 

  SSLCertificateFile      /etc/ssl/private/my-covert-server.com.pem
  SSLCertificateKeyFile   /etc/ssl/private/my-covert-server.com.key

Then i found cloudflares CA cert by googling and added it also to the default-ssl.conf

  SSLCertificateChainFile /usr/share/ca-certificates/cloudflare/cloudflare-ca.crt

and for proxying i added this (also to default-ssl.conf).. 

        <IfModule mod_proxy.c>
         # a2enmod proxy
         # a2enmod proxy_http
         ProxyPreserveHost On
         SSLProxyEngine On
         ProxyRequests Off
         ServerName www.my-cover-server.com
         ServerAlias my-cover-server.com
         #
         ProxyPassMatch    "/hak5/(.*)" "https://127.0.0.1:443/$1"
         ProxyPassReverse  "/hak5/(.*)" "https://127.0.0.1:443/$1"

         ProxyPassMatch    "/assets/(.*)" "https://127.0.0.1:443/assets/$1"
         ProxyPassReverse  "/assets/(.*)" "https://127.0.0.1:443/assets/$1"

         ProxyPassMatch    "/api/(.*)" "https://127.0.0.1:443/api/$1"
         ProxyPassReverse  "/api/(.*)" "https://127.0.0.1:443/api/$1"

         ProxyPassMatch    "/login/(.*)" "https://127.0.0.1:443/login/$1"
         ProxyPassReverse  "/login/(.*)" "https://127.0.0.1:443/login/$1"

         ProxyPassMatch    "/dapi/(.*)" "https://127.0.0.1:443/dapi/$1"
         ProxyPassReverse  "/dapi/(.*)" "https://127.0.0.1:443/dapi/$1"
        </IfModule>

Edited October 28, 2019 by Thermostaten

[Thermostaten]

root@server:/srv/hak5# cat /lib/systemd/system/knockd.service
[Unit]
Description=Port-Knock Daemon
After=network.target
Documentation=man:knockd(1)

[Service]
EnvironmentFile=-/etc/default/knockd
ExecStart=/usr/sbin/knockd $KNOCKD_OPTS
ExecReload=/bin/kill -HUP $MAINPID
KillMode=mixed
SuccessExitStatus=0 2 15
ProtectSystem=full
#CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN CAP_SYS_ADMIN  CAP_DAC_READ_SEARCH CAP_FOWNER CAP_KILL CAP_MKNOD CAP_NET_BIND_SERVICE
#CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN

[Install]
WantedBy=multi-user.target
Alias=knockd.service

 

 

# Here is the knockd.conf in /etc

root@server:/srv/hak5# cat /etc/knockd.conf 
[options]
        PidFile = /var/run/knockd.pid
        LogFile = /var/log/knockd.log
        Interface = ens192

[startHAK5]
        sequence    = 80,1337,443,6666
        seq_timeout = 5
        command     = /srv/hak5/port_knock_on
        tcpflags    = syn

[stopHAK5]
        sequence    = 5555,443,1337,80
        seq_timeout = 5
        command     = /srv/hak5/port_knock_off
        tcpflags    = syn

 

[amrx]

Interesting, I am working on something similar, except I want to keep it on all the time for the team.

[Riggs]

If I've understood your intentions correctly, I've already achieved this for myself. I basically forced the Hak5 C2 application to bind to port 8080 and then spun up an nginx server on the same VPS and bound that to 80 and 443, then used the nginx server to reverse proxy traffic to/from the Hak5 C2 application which remains running on 8080. This gives me some flexibility in being able to actively modify the responses being sent from the Hak5 C2 application on the fly to my browser (over 80 and 443).

In a high-level example, if a request is made to access the Hak5 C2 application from any browser (in practice it will only be mine as it requires auth), the nginx server will first see the traffic on 80 and 443, then forward the request to the Hak5 C2 application running on 8080, then (for example) replace the .css code being sent back with my own .css code to persistently change the cosmetic appearance. I've actually created a persistent theme this way and named it 'HAK5 THE PLANET EDITION', although it's only me using it for now.

I don't believe this is against the licensing terms of use, as I technically haven't reverse-engineered, disassembled, nor modified the original application code. The Hak5 C2 application remains in its original state, I'm just choosing what parts of the code I want to see presented in my browser in response to my own browser requests. I was also thinking of adding MFA, but haven't got around to that yet.