GN_82 Posted November 26, 2021 Posted November 26, 2021 How can I set different host names in the 'devide.config' file? Example http -> XXX.mydomain.com:47509 ssh -> XXX.mydomain.com:5450
GN_82 Posted November 26, 2021 Author Posted November 26, 2021 Sorry! The example is: http -> XXX.mydomain.com:47509ssh -> XXX.my2domain.com:5450
dark_pyrro Posted November 26, 2021 Posted November 26, 2021 Why would you want to do that? If you point the A record of both domains to the same server, it could work in theory, but you still need support for this kind of handling in the device.config file and in C2 and in the device itself I guess. Perhaps you are onto something with the way you spell the filename; devide.config could perhaps be divide.config in order to split the traffic in two pipes (that was a joke).
GN_82 Posted November 28, 2021 Author Posted November 28, 2021 Hi dark_pyrro... :-) The idea is to be able to have an alternative reverse channel of communication with the device. For example, with Ngrok we cannot raise TCP and Http tunnels with the same address or domain. Session Status online Region United States (us) Web Interface http://0.0.0.0:4040 Forwarding tcp://XXX.tcp.ngrok.io:83354 -> demoh5c2:2022 Forwarding http://mydomain.ngrok.io -> http://demoh5c2:80 Forwarding https://mydomain.ngrok.io -> https://demoh5c2:443
dark_pyrro Posted November 28, 2021 Posted November 28, 2021 OK, I couldn't see Ngrok as a part of it all in my crystal ball when reading the first posts. So, you want to host your own C2 server in your own internal network and access it from the outside using a free Ngrok plan with the limitations that comes with it?
GN_82 Posted November 28, 2021 Author Posted November 28, 2021 I am currently testing to lift C2 with docker container. I use SSLH to try to SSH over HTTPs to avoid these limitations. My C2 container docker run --rm -it --network docker_modulesnet -v h5domaindemo_data:/data -v $(pwd)/certs/:/certs --name h5domaindemo docker_h5domaindemo /bin/bash -c 'FILE="/data/backup.tar"; tar xvf $FILE -C / ; /app/c2 -hostname h5domaindemo.ngrok.io -https -certFile /certs/hiaas.crt -keyFile /certs/hiaas.key' My SSLH container docker run --rm -it --network docker_modulesnet -e SSH_HOST=h5domaindemo -e SSH_PORT:2022 -e HTTPS_HOST=h5domaindemo -e HTTPS_PORT:443 --name sslh-hub shaddysignal/sslh-hub My Ngrok config (bussines plan) tunnels: c2_http: addr: h5domaindemo:80 proto: http bind-tls: false # inspect: false hostname: mycustomdomain.ngrok.io c2_https: addr: sslh-hub:443 proto: http bind-tls: true # inspect: false hostname: mycustomdomain.ngrok.io I have not found any documentation that allows me to generate the device.config file manually.
dark_pyrro Posted November 28, 2021 Posted November 28, 2021 I haven't seen any documentation on how to generate a device.config file manually and I'm pretty sure there is nothing publicly available. Your setup is really a way of making things complicated adding that many elements and layers to the mix.
GN_82 Posted November 28, 2021 Author Posted November 28, 2021 you are right :-), but don't you think it's much better to use SSH over HTTPs as a firewall evasion measure? Is there any documentation or repository of C2 code?
dark_pyrro Posted November 28, 2021 Posted November 28, 2021 No, it's proprietary code. The best evasion measure is not hosting anything in your own network at all that needs to have connections initiated from the outside > in perspective. I use VPS for such things instead. An alternative could be to use a ZeroTier based network, but there's no guarantee for a secure environment. Depends on what Hak5 devices you are intending to connect to the C2 server though.
Recommended Posts
Archived
This topic is now archived and is closed to further replies.