Thermostaten Posted October 24, 2019

Would it be possible to run the C2 on an existing webserver? My ideal setup would be:

Webserver listens on IP 10.0.0.80 (just some local IP the server has, behind NAT to an external IP), ports 443 + 80, running HSTS, behind Cloudflare or alike.
The Hak5 C2 listens on 127.0.0.1, ports 443, 80, 2022.
The webserver redirects /whatever_i_choose/link to the C2 service -> 127.0.0.1:443, 80, 2022 etc.

That way I can have a covert C2 running behind a legit-looking webserver. I was thinking of using iptables or an Apache proxy / mod_rewrite to do this - would it work when the C2 wants the SSL cert? Could this be done?

Best regards
T

root@server:~# netstat -tupln
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      782/sshd
tcp        0      0 10.10.10.10:80          0.0.0.0:*               LISTEN      1565/apache2
tcp        0      0 10.10.10.10:443         0.0.0.0:*               LISTEN      1565/apache2
tcp        0      0 127.0.0.1:80            0.0.0.0:*               LISTEN      1633/c2_community-l
tcp        0      0 127.0.0.1:443           0.0.0.0:*               LISTEN      1633/c2_community-l
tcp        0      0 127.0.0.1:2022          0.0.0.0:*               LISTEN      1633/c2_community-l
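An added check (example code, not from the thread or from Hak5) that parses netstat -tupln output like the one posted above and reports which sockets are reachable from other hosts, flagging any c2_community listener that is not bound to loopback, since that is the property the whole proxy setup relies on. The sample output and the "c2_community" program-name prefix are constructed from the post.

```python
"""Added example (not from the thread): audit `netstat -tupln` output so the
c2_community backend is reachable only on loopback and nothing else leaks."""
import ipaddress
import re

# Constructed sample, modelled on the netstat output posted above.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      782/sshd
tcp        0      0 10.10.10.10:80          0.0.0.0:*               LISTEN      1565/apache2
tcp        0      0 10.10.10.10:443         0.0.0.0:*               LISTEN      1565/apache2
tcp        0      0 127.0.0.1:80            0.0.0.0:*               LISTEN      1633/c2_community-l
tcp        0      0 127.0.0.1:443           0.0.0.0:*               LISTEN      1633/c2_community-l
tcp        0      0 127.0.0.1:2022          0.0.0.0:*               LISTEN      1633/c2_community-l
"""

# proto, recv-q, send-q, local, foreign, optional state (udp rows have none), pid/program
LINE_RE = re.compile(r"^(?P<proto>\S+)\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+\s+"
                     r"(?:[A-Z_]+\s+)?(?P<pidprog>\S+)")

def parse_listeners(text):
    """One dict per socket row; header lines do not match and are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        addr, port = m.group("local").rsplit(":", 1)  # rsplit keeps IPv6 literals intact
        prog = m.group("pidprog").split("/", 1)[-1]     # "1633/c2_community-l" -> program name
        rows.append({"proto": m.group("proto"), "addr": addr, "port": int(port), "prog": prog})
    return rows

def reachable_off_host(addr):
    """True unless bound to a loopback address ("*" is the wildcard on some netstat builds)."""
    return addr == "*" or not ipaddress.ip_address(addr).is_loopback

def audit(text, backend_prefixes):
    """Return (exposed, violations): sockets reachable from other hosts, and the
    subset belonging to a backend program that must stay loopback-only."""
    exposed = [r for r in parse_listeners(text) if reachable_off_host(r["addr"])]
    violations = [r for r in exposed if any(r["prog"].startswith(p) for p in backend_prefixes)]
    return exposed, violations

if __name__ == "__main__":
    exposed, violations = audit(SAMPLE_NETSTAT, ("c2_community",))
    for r in exposed:
        print(f"off-host listener: {r['proto']} {r['addr']}:{r['port']} ({r['prog']})")
    print("backend leaks:", [f"{v['addr']}:{v['port']}" for v in violations] or "none")
```

Feed it the live output (netstat -tupln | python3 audit.py with a small read from stdin) after every restart of the C2, since a changed -listenip is exactly the kind of slip this catches.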
Cap_Sig Posted October 25, 2019

It is an interesting idea. I have not done a setup like this yet but it might be possible. The biggest thing would be configuration of the files for devices, making sure it is directed at the outward-facing IP of your router. This is done during the process of configuration when setting up the server for device configuration files. Just keep in mind that any time the outward-facing connection IP changes you must reload corrected configuration files to your devices.
Thermostaten Posted October 28, 2019 (Author)

I got one step closer (have not tested a client connection yet). Now my covert server is online and when you know the "secret" link you will get the C2 login page - in the example below the secret link is /hak5.

To ensure it is not always online I have also installed knockd and run a start/stop script that ensures nothing from the C2 is exposed or running when I do not need the C2. To get knockd to work you have to alter /lib/systemd/system/knockd.service and remove or comment out (#) the "CapabilityBoundingSet" line - then it can run the scripts.

I am using iptables (not sure it is needed):
-A POSTROUTING -o ens192 -j MASQUERADE

Starting C2 like this:
/srv/hak5/c2/c2_community-linux-64 -db ./c2.db -hostname www.my-covert-server.com -https -listenip 127.0.0.1

And I am using Cloudflare and took Cloudflare's certificate (they make it for you) - converted it into a .pem and a .key file. And in Apache's default-ssl.conf I added this:
SSLCertificateFile /etc/ssl/private/my-covert-server.com.pem
SSLCertificateKeyFile /etc/ssl/private/my-covert-server.com.key

Then I found Cloudflare's CA cert by googling and added it also to default-ssl.conf:
SSLCertificateChainFile /usr/share/ca-certificates/cloudflare/cloudflare-ca.crt

And for proxying I added this (also to default-ssl.conf):

<IfModule mod_proxy.c>
    # a2enmod proxy
    # a2enmod proxy_http
    ProxyPreserveHost On
    SSLProxyEngine On
    ProxyRequests Off
    # must match the name the certificate and the C2 -hostname were issued for
    ServerName www.my-covert-server.com
    ServerAlias my-covert-server.com
    # the "secret" prefix: /hak5/... is forwarded to the C2 with the prefix stripped
    ProxyPassMatch "/hak5/(.*)" "https://127.0.0.1:443/$1"
    # ProxyPassReverse takes a literal path prefix, not a regex
    ProxyPassReverse "/hak5/" "https://127.0.0.1:443/"
    # the C2 front end requests these paths without the /hak5/ prefix, so they are proxied as-is
    ProxyPassMatch "/assets/(.*)" "https://127.0.0.1:443/assets/$1"
    ProxyPassReverse "/assets/" "https://127.0.0.1:443/assets/"
    ProxyPassMatch "/api/(.*)" "https://127.0.0.1:443/api/$1"
    ProxyPassReverse "/api/" "https://127.0.0.1:443/api/"
    ProxyPassMatch "/login/(.*)" "https://127.0.0.1:443/login/$1"
    ProxyPassReverse "/login/" "https://127.0.0.1:443/login/"
    ProxyPassMatch "/dapi/(.*)" "https://127.0.0.1:443/dapi/$1"
    ProxyPassReverse "/dapi/" "https://127.0.0.1:443/dapi/"
</IfModule>
Thermostaten Posted October 28, 2019 (Author)

root@server:/srv/hak5# cat /lib/systemd/system/knockd.service
[Unit]
Description=Port-Knock Daemon
After=network.target
Documentation=man:knockd(1)

[Service]
EnvironmentFile=-/etc/default/knockd
ExecStart=/usr/sbin/knockd $KNOCKD_OPTS
ExecReload=/bin/kill -HUP $MAINPID
KillMode=mixed
SuccessExitStatus=0 2 15
ProtectSystem=full
#CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN CAP_SYS_ADMIN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_KILL CAP_MKNOD CAP_NET_BIND_SERVICE
#CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN

[Install]
WantedBy=multi-user.target
Alias=knockd.service

# Here is the knockd.conf in /etc
root@server:/srv/hak5# cat /etc/knockd.conf
[options]
PidFile = /var/run/knockd.pid
LogFile = /var/log/knockd.log
Interface = ens192

[startHAK5]
sequence = 80,1337,443,6666
seq_timeout = 5
command = /srv/hak5/port_knock_on
tcpflags = syn

[stopHAK5]
sequence = 5555,443,1337,80
seq_timeout = 5
command = /srv/hak5/port_knock_off
tcpflags = syn
amrx Posted September 16, 2023

Interesting, I am working on something similar, except I want to keep it on all the time for the team.
Riggs Posted September 20, 2023

If I've understood your intentions correctly, I've already achieved this for myself. I basically forced the Hak5 C2 application to bind to port 8080 and then spun up an nginx server on the same VPS and bound that to 80 and 443, then used the nginx server to reverse proxy traffic to/from the Hak5 C2 application which remains running on 8080. This gives me some flexibility in being able to actively modify the responses being sent from the Hak5 C2 application on the fly to my browser (over 80 and 443).

In a high-level example, if a request is made to access the Hak5 C2 application from any browser (in practice it will only be mine as it requires auth), the nginx server will first see the traffic on 80 and 443, then forward the request to the Hak5 C2 application running on 8080, then (for example) replace the .css code being sent back with my own .css code to persistently change the cosmetic appearance. I've actually created a persistent theme this way and named it 'HAK5 THE PLANET EDITION', although it's only me using it for now.

I don't believe this is against the licensing terms of use, as I technically haven't reverse-engineered, disassembled, nor modified the original application code. The Hak5 C2 application remains in its original state, I'm just choosing what parts of the code I want to see presented in my browser in response to my own browser requests. I was also thinking of adding MFA, but haven't got around to that yet.