
Command & Control Series Part III (Installing your Redirector)




In the dynamic landscape of cybersecurity operations, the use of Command and Control (C2) servers stands as a critical component for orchestrating coordinated tasks across compromised systems. However, directly interacting with a C2 can often leave an operator exposed to detection and countermeasures. This is where the strategic implementation of a redirector plays a pivotal role.


A redirector acts as an intermediary, designed to conceal the true endpoint of a C2 by channeling the communication through seemingly benign relay points. By using a redirector, threat actors can obfuscate their traffic, thereby complicating the defensive efforts to trace malicious activities back to the source.


The redirector not only masks the C2 traffic to evade network defenses but also adds a layer of resilience, ensuring that the core infrastructure remains hidden and operative despite adversarial disruptions. In this post, we'll set up a redirector using Apache2, an adaptable and robust platform that provides the features needed to construct a deceptive front, keeping your C2 behind a veil of regular internet noise, and then point it at our C2.


In this case I'm using Ubuntu, but it works on other Linux distributions as well. Go to your terminal and execute the following commands:

1. sudo a2enmod rewrite proxy proxy_http proxy_connect


This line runs a2enmod, a script specific to Apache on Debian-based systems that enables modules in Apache's configuration, once for each of the four modules named. Here is what each module does:

  • rewrite: This is a module that allows for the rewriting of URLs according to specified rules. This capability is particularly useful for conditionally redirecting traffic. In the context of a C2 redirector, you might use rewrite rules to only redirect traffic that meets certain criteria, effectively making your C2 communications less conspicuous.

  • proxy: This module provides basic support for running Apache as either a reverse proxy or a forward proxy. A reverse proxy takes requests from the internet and forwards them to servers in an internal network. In C2 operations, a reverse proxy can forward traffic to a hidden C2 server, while the proxy itself can be configured to minimize suspicious patterns in traffic that might be detected by defensive measures.

  • proxy_http: This module extends Apache’s proxying capabilities over HTTP and HTTPS. For a C2 redirector, it’s vital because it allows the forwarding of client requests to the actual C2 server over these common web protocols.

  • proxy_connect: This module enables the use of the CONNECT method, typically used for tunneling through a proxy server. This method is important for setting up SSL connections through the proxy, which can be a necessary part of securely managing C2 communications without revealing the traffic content to intermediate network security appliances.


2. sudo a2ensite 000-default.conf


a2ensite is another of these scripts; it enables a site within Apache. 000-default.conf is the default virtual host configuration file in Apache. When this command is executed, it creates a symbolic link for this configuration file from the sites-available directory (/etc/apache2/sites-available/) to the sites-enabled directory (/etc/apache2/sites-enabled/), which tells Apache to load this configuration on startup.


3. sudo service apache2 restart

This restarts Apache so that the newly enabled modules and site are loaded.



4. sudo vim /etc/apache2/sites-enabled/000-default.conf


This command opens the 000-default.conf file in vim, which is a highly configurable text editor. It allows you to modify the configuration of the default virtual host for the Apache server.



Inside, add the following directives to the virtual host (each one is explained below):

    ProxyRequests Off
    ProxyPass /en-us/index.html http://xxx.xxx.xxx.xxx/en-us/index.html
    ProxyPassReverse /en-us/index.html http://xxx.xxx.xxx.xxx/en-us/index.html
    ProxyPass /en-us/docs.html http://xxx.xxx.xxx.xxx/en-us/docs.html
    ProxyPassReverse /en-us/docs.html http://xxx.xxx.xxx.xxx/en-us/docs.html
    ProxyPass /en-us/test.html http://xxx.xxx.xxx.xxx/en-us/test.html
    ProxyPassReverse /en-us/test.html http://xxx.xxx.xxx.xxx/en-us/test.html

ProxyRequests Off: This directive disables forward (standard) proxy requests, meaning that the server will not proxy arbitrary requests from clients. It is set to Off for a reverse proxy, which is what you are configuring here. A reverse proxy is intended to forward requests to predefined destinations (in this case, the C2 server) rather than act as a general-purpose proxy server; leaving it On would turn the host into an open proxy.

ProxyPass /en-us/index.html http://xxx.xxx.xxx.xxx/en-us/index.html: This line sets up a proxy pass rule. When the Apache server receives a request for /en-us/index.html, it forwards the request to http://xxx.xxx.xxx.xxx/en-us/index.html, where xxx.xxx.xxx.xxx is the IP address of your Covenant C2 server. Anyone who navigates to /en-us/index.html on the Apache server is served the content from the Covenant server instead, without the C2 server's IP address being exposed.

ProxyPassReverse /en-us/index.html http://xxx.xxx.xxx.xxx/en-us/index.html: The ProxyPassReverse directive is used together with ProxyPass and handles the HTTP headers of responses coming back from the C2 server. When responses are sent to the client, this directive rewrites headers that refer to the C2 server's address so that they point to the proxy server's address instead. This keeps the client's experience seamless and keeps the actual location of the C2 server hidden.

ProxyPass /en-us/docs.html http://xxx.xxx.xxx.xxx/en-us/docs.html and ProxyPassReverse /en-us/docs.html http://xxx.xxx.xxx.xxx/en-us/docs.html: These directives do the same as the previous ProxyPass and ProxyPassReverse pair but apply to the /en-us/docs.html path. Each pair proxies a different path on the server, so you can have multiple proxied pages, each possibly serving a different function or hosting different content relevant to the operation of the C2 server.

ProxyPass /en-us/test.html http://xxx.xxx.xxx.xxx/en-us/test.html and ProxyPassReverse /en-us/test.html http://xxx.xxx.xxx.xxx/en-us/test.html: Again, these directives serve the same purpose as the earlier pairs but apply to the /en-us/test.html path, directing traffic for that path to the corresponding path on the C2 server.


These configurations essentially turn your Apache server into a specialized reverse proxy for your Covenant C2 server, with the goal of obfuscating the origin of the C2 communications. It is designed to make the traffic appear as if it is directed to and coming from the proxy server, thereby helping to mask the presence and location of the actual C2 server.
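To make the behaviour of these directives concrete, here is a small added example, not code from the original post: it parses the ProxyRequests, ProxyPass and ProxyPassReverse lines of a virtual host, resolves which upstream a request path would be forwarded to, applies the ProxyPassReverse rewrite to a redirect header, and flags the two mistakes a reviewer of such a config looks for first (ProxyRequests left On, and a ProxyPass without its ProxyPassReverse pair). The sample vhost is constructed; 203.0.113.10 and redirector.example are placeholders, and the prefix matching is a simplified version of mod_proxy's.

```python
"""Parse and audit the proxy directives of an Apache virtual host.

Added example, not from the original post. Everything here is a plain
re-implementation of the directive semantics for illustration, not Apache code.
"""
import re

# Constructed sample vhost. 203.0.113.10 is a documentation-range placeholder,
# not a real upstream; the last ProxyPass deliberately lacks its Reverse pair.
SAMPLE_VHOST = """\
<VirtualHost *:80>
    ServerName redirector.example
    ProxyRequests Off
    ProxyPass /en-us/index.html http://203.0.113.10/en-us/index.html
    ProxyPassReverse /en-us/index.html http://203.0.113.10/en-us/index.html
    ProxyPass /en-us/docs.html http://203.0.113.10/en-us/docs.html
    ProxyPassReverse /en-us/docs.html http://203.0.113.10/en-us/docs.html
    ProxyPass /en-us/test.html http://203.0.113.10/en-us/test.html
</VirtualHost>
"""

# Directive name, first argument, optional second argument (Apache is case-insensitive).
DIRECTIVE = re.compile(
    r"^\s*(ProxyPassReverse|ProxyPass|ProxyRequests)\s+(\S+)(?:\s+(\S+))?", re.I
)


def parse_proxy_directives(text):
    """Return {'proxy_requests': str|None, 'pass': [(path, target)], 'reverse': [(path, target)]}.

    Lists keep file order because Apache evaluates ProxyPass rules in
    configuration order and the first matching rule wins.
    """
    cfg = {"proxy_requests": None, "pass": [], "reverse": []}
    for line in text.splitlines():
        line = line.split("#", 1)[0]  # drop trailing comments
        m = DIRECTIVE.match(line)
        if not m:
            continue
        name, first, second = m.group(1).lower(), m.group(2), m.group(3)
        if name == "proxyrequests":
            cfg["proxy_requests"] = first
        elif name == "proxypass" and second:
            cfg["pass"].append((first, second))
        elif name == "proxypassreverse" and second:
            cfg["reverse"].append((first, second))
    return cfg


def _prefix_match(candidate, prefix):
    """Match whole path segments only: /a/b matches /a/b and /a/b/..., not /a/bx."""
    return candidate == prefix or candidate.startswith(prefix.rstrip("/") + "/")


def route(cfg, request_path):
    """Upstream URL a request would be forwarded to, or None if the path is not proxied."""
    for path, target in cfg["pass"]:
        if _prefix_match(request_path, path):
            return target + request_path[len(path):]
    return None


def reverse_rewrite(cfg, location, public_base):
    """Apply ProxyPassReverse to a Location header returned by the upstream.

    A header that starts with a configured upstream URL is rewritten to
    public_base plus the matching local path, so the client never sees the
    upstream address; any other value is returned untouched.
    """
    for path, target in cfg["reverse"]:
        if _prefix_match(location, target):
            return public_base.rstrip("/") + path + location[len(target):]
    return location


def audit(cfg):
    """Findings a reviewer would raise about the proxy directives."""
    findings = []
    # ProxyRequests defaults to Off, so only an explicit non-Off value is a problem.
    if cfg["proxy_requests"] and cfg["proxy_requests"].lower() != "off":
        findings.append(
            "ProxyRequests is not Off: mod_proxy would also act as an open forward proxy"
        )
    reverse_paths = {path for path, _ in cfg["reverse"]}
    for path, target in cfg["pass"]:
        if path not in reverse_paths:
            findings.append(
                f"ProxyPass {path} has no ProxyPassReverse: redirects from {target} "
                "would leak the upstream address to the client"
            )
    return findings


if __name__ == "__main__":
    cfg = parse_proxy_directives(SAMPLE_VHOST)
    print(route(cfg, "/en-us/docs.html"))
    print(reverse_rewrite(cfg, "http://203.0.113.10/en-us/index.html", "http://redirector.example"))
    for finding in audit(cfg):
        print("finding:", finding)
```

Two points the example makes explicit: ProxyPassReverse only adjusts response headers (Apache applies it to Location, Content-Location and URI), so absolute URLs embedded in a response body are not rewritten by it; and a ProxyPass without a matching ProxyPassReverse still works for ordinary responses but lets any redirect from the upstream reveal its address.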


That is it, you are ready to operate. Next time I will show you how to use your Covenant C2 Server with this Redirector.



Smouk out!


If you liked what you saw, you might be interested in our Hacking Infrastructure course, or perhaps you'd like to consider becoming part of our community by becoming a Subscriber PRO.
