In the dynamic landscape of cybersecurity operations, the use of Command and Control (C2) servers stands as a critical component for orchestrating coordinated tasks across compromised systems. However, directly interacting with a C2 can often leave an operator exposed to detection and countermeasures. This is where the strategic implementation of a redirector plays a pivotal role.
A redirector acts as an intermediary, designed to conceal the true endpoint of a C2 by channeling the communication through seemingly benign relay points. By using a redirector, threat actors can obfuscate their traffic, thereby complicating the defensive efforts to trace malicious activities back to the source.
The redirector not only masks the C2 traffic to evade network defenses but also adds a layer of resilience, ensuring that the core infrastructure remains hidden and operative despite adversarial disruptions. In this post, we'll delve into how a redirector can be set up using Apache2, an adaptable and robust platform that provides the necessary features to construct a deceptive front, safeguarding your C2 behind a veil of regular internet noise. In this article, we are going to install our own Redirector to interact with our C2.
In this case, I'm using Ubuntu but it works for other Linux distributions as well. Go to your terminal and execute the following commands:
sudo a2enmod rewrite proxy proxy_http proxy_connect
This line runs multiple a2enmod commands, which are scripts specific to Apache on Debian-based systems for enabling modules within Apache’s configuration. But let me explain to you what is this command.
rewrite: This is a module that allows for the rewriting of URLs according to specified rules. This capability is particularly useful for conditionally redirecting traffic. In the context of a C2 redirector, you might use rewrite rules to only redirect traffic that meets certain criteria, effectively making your C2 communications less conspicuous.
proxy: This module provides basic support for running Apache as either a reverse proxy or a forward proxy. A reverse proxy takes requests from the internet and forwards them to servers in an internal network. In C2 operations, a reverse proxy can forward traffic to a hidden C2 server, while the proxy itself can be configured to minimize suspicious patterns in traffic that might be detected by defensive measures.
proxy_http: This module extends Apache’s proxying capabilities over HTTP and HTTPS. For a C2 redirector, it’s vital because it allows the forwarding of client requests to the actual C2 server over these common web protocols.
proxy_connect: This module enables the use of the CONNECT method, typically used for tunneling through a proxy server. This method is important for setting up SSL connections through the proxy, which can be a necessary part of securely managing C2 communications without revealing the traffic content to intermediate network security appliances.
2. sudo a2ensite 000-default.conf
a2ensite: is yet another script that enables a site within Apache. 000-default.conf is the default virtual host configuration file in Apache. When this command is executed, it creates a symbolic link for this configuration file from the sites-available directory (/etc/apache2/sites-available/) to the sites-enabled directory (/etc/apache2/sites-enabled/), which tells Apache to load this configuration on startup.
3. sudo sudo service apache2 restart
4. sudo vim /etc/apache2/sites-enabled/000-default.conf
This command opens the 000-default.conf file in vim, which is a highly configurable text editor. It allows you to modify the configuration of the default virtual host for the Apache server.
Inside you will write the following lines:
ProxyRequests Off: This directive disables forward (standard) proxy requests, meaning that the server will not proxy arbitrary requests from clients. This is typically set to 'Off' for a reverse proxy, which is what you're configuring here. A reverse proxy is intended to proxy requests to predefined destinations (in this case, the C2 server), rather than acting as a general-purpose proxy server.
ProxyPass /en-us/index.html http://xxx.xxx.xxx.xxx/en-us/index.html: This line sets up a proxy pass rule. When the Apache server receives a request for /en-us/index.html, it will forward this request to http://xxx.xxx.xxx.xxx/en-us/index.html, where xxx.xxx.xxx.xxx is the IP address of your Covenant C2 server. This means that anyone who navigates to /en-us/index.html on the Apache server will be served the content from the Covenant server instead, without direct exposure of the C2 server's IP address.
ProxyPassReverse /en-us/index.html http://xxx.xxx.xxx.xxx/en-us/index.html: The ProxyPassReverse directive is used in conjunction with ProxyPass and is crucial for handling HTTP headers of responses coming from the C2 server. When responses are sent back to the client, this directive rewrites any headers referring to the C2 server's internal IP address so that they point to the proxy server's address instead. This ensures that the client's experience remains seamless and that the actual location of the C2 server remains hidden.
ProxyPass /en-us/docs.html http://xxx.xxx.xxx.xxx/en-us/docs.html and ProxyPassReverse /en-us/docs.html http://xxx.xxx.xxx.xxx/en-us/docs.html: These directives are similar to the previous ProxyPass and ProxyPassReverse directives but apply to the /en-us/docs.html path. Each pair is responsible for proxying a different path on the server, allowing you to have multiple proxied pages, each possibly serving a different function or hosting different content relevant to the operation of the C2 server.
ProxyPass /en-us/test.html http://xxx.xxx.xxx.xxx/en-us/test.html and ProxyPassReverse /en-us/test.html http://xxx.xxx.xxx.xxx/en-us/test.html: Again, these directives serve the same purpose as the earlier ProxyPass and ProxyPassReverse pairs but are applied to the /en-us/test.html path. They direct traffic destined for that path to the corresponding path on the C2 server.
These configurations essentially turn your Apache server into a specialized reverse proxy for your Covenant C2 server, with the goal of obfuscating the origin of the C2 communications. It is designed to make the traffic appear as if it is directed to and coming from the proxy server, thereby helping to mask the presence and location of the actual C2 server.
That is it, you are ready to operate. Next time I will show you how to use your Covenant C2 Server with this Redirector.
Also, make sure you check:
If you liked what you saw, you might be interested in our Hacking Infrastructure course, or perhaps you'd like to consider becoming part of our community by becoming a Subscriber PRO.