mirror of
https://github.com/mgeeky/Penetration-Testing-Tools.git
synced 2024-11-22 10:31:38 +01:00
README
This commit is contained in:
parent
8df1d96755
commit
097a56e99e
@ -1,5 +1,13 @@
|
|||||||
## malleable-redirector - a proxy2 plugin
|
## malleable-redirector - a proxy2 plugin
|
||||||
|
|
||||||
|
**Let's raise the bar in C2 redirectors IR resiliency, shall we?**
|
||||||
|
|
||||||
|
Red Teaming business has seen [several](https://bluescreenofjeff.com/2016-04-12-combatting-incident-responders-with-apache-mod_rewrite/) [different](https://posts.specterops.io/automating-apache-mod-rewrite-and-cobalt-strike-malleable-c2-profiles-d45266ca642) [great](https://gist.github.com/curi0usJack/971385e8334e189d93a6cb4671238b10) ideas on how to combat incident responders and misdirect them while offering resistant C2 redirectors network at the same time.
|
||||||
|
|
||||||
|
This piece of code tries to combine many of these great ideas into a one, lightweight utility, mimicking Apache2 in it's roots of being a simple HTTP(S) reverse-proxy. Combining Malleable C2 profiles understanding, knowledge of bad IP addresses pool and a flexibility of easily adding new inspection and misrouting logc - resulted in having a crafty repellent for IR evasion.
|
||||||
|
|
||||||
|
### Abstract
|
||||||
|
|
||||||
This program acts as a HTTP/HTTPS reverse-proxy with several restrictions imposed upon which requests and from whom it should process, similarly to the .htaccess file in Apache2's mod_rewrite.
|
This program acts as a HTTP/HTTPS reverse-proxy with several restrictions imposed upon which requests and from whom it should process, similarly to the .htaccess file in Apache2's mod_rewrite.
|
||||||
|
|
||||||
`malleable_redirector` was created to resolve the problem of effective IR/AV/EDRs/Sandboxes evasion on the C2 redirector's backyard. It comes in a form of a plugin for other project of mine called [proxy2](https://github.com/mgeeky/proxy2), that is a lightweight forward & reverse HTTP/HTTPS proxy.
|
`malleable_redirector` was created to resolve the problem of effective IR/AV/EDRs/Sandboxes evasion on the C2 redirector's backyard. It comes in a form of a plugin for other project of mine called [proxy2](https://github.com/mgeeky/proxy2), that is a lightweight forward & reverse HTTP/HTTPS proxy.
|
||||||
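Review bot: the new intro paragraph ("This piece of code tries to combine...") has several typos that should be fixed before merge: "it's roots" should be "its roots", "logc" should be "logic", and "into a one, lightweight utility" reads better as "into one lightweight utility". In the preceding paragraph, "offering resistant C2 redirectors network" should be "offering a resilient C2 redirector network", and the bold tagline would read better as "the IR resiliency of C2 redirectors" rather than "C2 redirectors IR resiliency".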
@ -36,12 +44,14 @@ $ python3 proxy2.py -P 80/http -P 443/https -p plugins/malleable_redirector.py -
|
|||||||
[INFO] 19:21:45: Plugin redirected request from [code.jquery.com] to [1.2.3.4:8080]
|
[INFO] 19:21:45: Plugin redirected request from [code.jquery.com] to [1.2.3.4:8080]
|
||||||
[INFO] 19:21:45: [RESPONSE] HTTP 200 OK, length: 5543
|
[INFO] 19:21:45: [RESPONSE] HTTP 200 OK, length: 5543
|
||||||
[INFO] 19:21:46: [REQUEST] GET /
|
[INFO] 19:21:46: [REQUEST] GET /
|
||||||
[ERROR] 19:21:46: [DROP, reason:1] inbound User-Agent differs from the one defined in C2 profile.
|
[...]
|
||||||
[INFO] 19:21:46: [RESPONSE] HTTP 301 Moved Permanently, length: 212
|
[ERROR] 19:24:46: [DROP, reason:1] inbound User-Agent differs from the one defined in C2 profile.
|
||||||
[INFO] 19:21:48: [REQUEST] GET /jquery-3.3.1.min.js
|
[...]
|
||||||
[INFO] 19:21:48: == Valid malleable http-get request inbound.
|
[INFO] 19:24:46: [RESPONSE] HTTP 301 Moved Permanently, length: 212
|
||||||
[INFO] 19:21:48: Plugin redirected request from [code.jquery.com] to [1.2.3.4:8080]
|
[INFO] 19:24:48: [REQUEST] GET /jquery-3.3.1.min.js
|
||||||
[...]
|
[INFO] 19:24:48: == Valid malleable http-get request inbound.
|
||||||
|
[INFO] 19:24:48: Plugin redirected request from [code.jquery.com] to [1.2.3.4:8080]
|
||||||
|
[...]
|
||||||
```
|
```
|
||||||
|
|
||||||
The above output contains a line pointing out that there has been an unauthorized, not compliant with our C2 profile inbound request, which got dropped due to incompatible User-Agent string presented:
|
The above output contains a line pointing out that there has been an unauthorized, not compliant with our C2 profile inbound request, which got dropped due to incompatible User-Agent string presented:
|
||||||
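Review bot: the sample log answers the dropped `GET /` with `HTTP 301 Moved Permanently, length: 212`, but neither the excerpt nor the sentence below it says that a drop is served as a redirect rather than a closed connection, or where that redirect points; one sentence stating the drop action and that its target comes from the configuration would save readers from inferring it from the output. Minor: after the timestamp edit the new `[...]` marker sits between `[REQUEST] GET /` and its `[DROP, reason:1]` line, so it is no longer obvious that the drop belongs to that request; keep the request and its drop line adjacent so the example reads as a single request being rejected.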
@ -51,13 +61,14 @@ The above output contains a line pointing out that there has been an unauthorize
|
|||||||
[...]
|
[...]
|
||||||
```
|
```
|
||||||
|
|
||||||
### Others
|
### TODO:
|
||||||
|
|
||||||
TODO:
|
- Add some unique beacons tracking logic to offer flexilibity of refusing staging and communication processes at the proxy's own discretion
|
||||||
- Add some tracking logic of unique beacons to offer flexilibity of refusing staging and communication processes at the proxy's own discretion
|
- Introduce day of time constraint when offering redirection capabilities
|
||||||
- Test it thoroughly with several enterprise-grade EDRs, Sandboxes and others to eliminate replay attack avenues
|
- Keep track of metadata/ID payloads to better distinguish connecting peers and avoid replay attack consequences
|
||||||
|
- Test it thoroughly with several enterprise-grade EDRs, Sandboxes and others
|
||||||
- Add Proxy authentication and authorization logic on CONNECT/relay.
|
- Add Proxy authentication and authorization logic on CONNECT/relay.
|
||||||
|
- Add Mobile users targeted redirection
|
||||||
|
|
||||||
### Author
|
### Author
|
||||||
|
|
||||||
|
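Review bot: the renamed `### TODO:` heading carries a trailing colon that the sibling headings (`### Abstract`, `### Author`) do not; drop it for consistency. In the bullets, "flexilibity" should be "flexibility" and "day of time constraint" should be "time-of-day constraint". The "Keep track of metadata/ID payloads" item should also say what is tracked and how a replayed request is told apart from a legitimate one, since the replay-attack wording was moved out of the testing bullet into this one without stating a mechanism.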