Redirectors: A Red Teamer’s Introduction

November 20, 2023

Redirectors: A Red Teamer’s Introduction

Introduction

For as long as offensive computer network operations have occurred, whether performed by malicious actors or security consultants, attackers have made attempts to keep their infrastructure hidden and protected. At the most fundamental level, this typically involves the redirection of network traffic from the target’s network through a host or service that obscures the traffic’s final destination. In this blog post, we will take a high-level look at the purpose of redirectors and discuss their implementation.

Please note that the examples discussed represent the tip of the iceberg in terms of redirection, and this blog post should be considered a non-exhaustive primer.

Overview

Put simply, redirectors are systems that proxy traffic from a target network to private attack infrastructure. They serve multiple purposes, including to:

Prevent unauthorized access to attack infrastructure
Control the appearance of the infrastructure to the client
Protect the attack chain

Below is more information about these different purposes.

Prevent unauthorized access to the attack infrastructure:

Redirectors act as the demarcation line between the public internet and private attack infrastructure. Private attack infrastructure may include phishing or Command and Control (C2) servers, decoy web servers, staging servers, or any other component that must remain protected from unauthorized parties. Redirectors provide granular control over access to private attack infrastructure, allowing only the desired traffic to pass through.

Control the appearance of the infrastructure:

Given that a redirector establishes a boundary between the public internet and private attack infrastructure, it often is the only publicly visible infrastructure component and the nearest hop to the target environment. The redirector’s characteristics and appearance inform the target, and anyone who investigates the host, of the purpose and use of the host. Redirectors offer an opportunity to shape the perception and to deceive or mislead.

Protect the attack chain:

Redirectors are considered burnable components of attack infrastructure. If a redirector is identified and categorized as malicious, then it can be burned down and replaced with a new redirector. The new redirector can then be connected to the existing private attack infrastructure. The attack chain, although impacted by the burning of a domain, IP, or redirector, remains mostly intact, as the core components are hidden behind the redirector.

By segmenting and controlling traffic to private attack infrastructure via the use of redirectors, the more time-consuming and sensitive components to set up—such as C2 or phishing servers—remain protected and inaccessible to defenders.

Redirector Types

For the purposes of this blog post, let’s think of basic redirector types as existing on a spectrum of less to more filtering. Generally, this also correlates to less or more effort to configure and deploy. However, the level of effort on either end of the spectrum can be diminished through automation.

Figure 1 - Redirector Types

On the “less effort” and “less filtering” end of the spectrum, we have redirectors based on socat, iptables, or blind reverse proxies. These types of redirectors generally tend not to filter or apply rules to traffic. Instead, they blindly forward, or bend, traffic to a destination. Setup involves relatively little effort. However, there are implications related to the level of operational security they offer. With few filters, these redirectors will pass most traffic, including from Internet scanners or mail filtering solutions, right through to backend servers. Depending on the use case, this may be acceptable. However, it may increase the likelihood of identification and categorization of the redirector and/or backend assets as malicious.

On the “more effort” and “more filtering” end of the spectrum, we have redirectors built using reverse proxies that allow for filtering traffic based on specific conditions and rules. These redirectors may only pass traffic with specific User Agent strings to a backend C2 server, or they may redirect traffic from pre-defined IP ranges to a decoy web server. The intricacies of the configuration depend on the engagement requirements, the capabilities of the reverse proxy and beacon being used, and, lastly, the engineer’s imagination. More filters mean more control over how traffic is processed, which, if configured correctly, may improve the protection of infrastructure and decrease the likelihood that it is identified as malicious.

Implementation

There are many reverse proxies available to choose from, each with their own advantages and disadvantages. The following implementation will use Apache, a web server featuring robust reverse proxy configuration options. After describing the basic setup with Apache, we will add a CloudFront distribution in front of the redirector to demonstrate an additional layer of redirection. For the C2 framework, this example will use Cobalt Strike. However, the basic redirector configuration is generally C2 framework agnostic, and you may use the framework of your choosing. Please note that discussions of the C2 deployment and configuration are not in scope for this post.

Before getting started, there are several requirements for this demonstration:

An Amazon Web Services (AWS) account with the ability to deploy EC2s and create CloudFront distributions
At least one domain with the ability to set the domain’s A Record
C2 team server software such as Cobalt Strike, Sliver, etc.

For the purposes of this demonstration, we are setting up a Cobalt Strike team server on an AWS EC2 instance. However, given that during live engagements, team servers can end up hosting data from the target network. It is preferrable that the team server be hosted on a server owned by your organization.

EC2 Provisioning

Using your preferred method, whether via the AWS console, Terraform or otherwise, provision two EC2 instances of the Linux distribution of your choosing: one for the redirector and one for the team server.

Create a security group for each EC2 instance, as we will apply different rules for each resource. Initially, configure the security groups to allow traffic inbound only from the operator’s IP.

Figure 2 - Initial Redirector Security Group Rules

Apache Installation and Initial Configuration

On the redirector EC2 instance, install Apache along with several Apache modules that will be required for the configuration:


```

apt-get install apache2

systemctl stop apache2.service

a2enmod ssl proxy remoteip rewrite proxy_http

```

Certbot Installation and Execution
Certbot is a tool that obtains TLS certificates from Let’s Encrypt. We will use Certbot’s HTTP-01 Challenge type to obtain a certificate, which requires that:

The A Record for your domain points to the IP address where Certbot is being executed
Certbot is able to start up and expose a web server (hence disabling the Apache service above), as well as receive inbound HTTP traffic

Before installing and running Certbot, modify the redirector security group rules to allow inbound traffic from anywhere to port 80.

Figure 3 - Security Group Modification Prior to Running Certbot

Next, add the IP address of the redirector as the A Record for the domain being used for the redirector.

Figure 4 - A Record Entry for Redirector Domain

Once those steps are complete, install and run Certbot by executing the following:


````

apt-get install certbot

# replace example.com with your domain

certbot certonly --standalone --preferred-challenges http -d exampledomain.com 
--register-unsafely-without-email --agree-tos

```

Given a successful Certbot run, a response similar to the following screenshot should be displayed.

Figure 5 - Certbot Run

Once the certificate files have been obtained, remove the AWS security group rule that permitted traffic inbound on port 80.

Apache Site Configuration

The heart of the redirector configuration is found in the Apache site configuration file. The site file defines the desired behavior for network traffic that reaches the redirector as well as the TLS configuration, specifying which certificate files to use and whether to perform TLS verification.

Within the /etc/apache/sites-available/ directory, create a configuration file called domain.com.conf where domain is the name of the domain being used for your redirector.

The first step is to redirect unencrypted inbound traffic on port 80 to port 443. Using Apache’s VirtualHost directive, define the following block (replace exampledomain.com with the domain being used for the redirector):


```

     <VirtualHost *:80>
 
    ServerName exampledomain.com

    RewriteEngine On

    RewriteCond %{HTTPS} off

    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]



    ErrorLog ${APACHE_LOG_DIR}/error.log

    CustomLog ${APACHE_LOG_DIR}/access.log combined

    </VirtualHost>

```

The above block will redirect traffic to port 443, which will be handled by the block below. In the following VirtualHost directive, Apache is instructed to proxy all traffic to “exampledomain.com,” or the domain you selected for your redirector. In order for this to pass traffic to the team server domain, we will need to modify the /etc/hosts file on the redirector to resolve “exampledomain.com” to the IP address of the team server. We are using this method because it allows us to reuse the TLS certificates obtained via Certbot instead of needing a second domain and second set of certificates.


```

    <VirtualHost *:443>

    ServerName exampledomain.com

    RemoteIPHeader X-Forwarded-For


    ProxyPass / https://exampledomain.com/

    ProxyPassReverse / https://exampledomain.com/


    SSLProxyEngine On

    SSLProxyVerify none

    SSLProxyProtocol TLSv1.2


    SSLCertificateFile /etc/letsencrypt/live/exampledomain.com/fullchain.pem

    SSLCertificateKeyFile /etc/letsencrypt/live/exampledomain.com/privkey.pem


    ErrorLog ${APACHE_LOG_DIR}/error.log

    CustomLog ${APACHE_LOG_DIR}/access.log combined

    </VirtualHost>

```

Next, add an entry to /etc/hosts pointing DNS lookups for your domain to the IP of the team server. When Apache uses the ProxyPass directives to proxy the traffic to the specified domain, it will then reference the redirector’s /etc/hosts file.

Figure 6 - Example Hosts File

Then, enable the site and restart the Apache service:


```

a2ensite domain.com

systemctl restart apache2.service

```

Command and Control Server Configuration

At the beginning of the walkthrough, we created two EC2s, including one for the redirector and one for the team server. This blog post assumes that the reader can successfully install and configure the C2 framework of their choosing. For the purposes of this demonstration, we have deployed a team server running Cobalt Strike.

Prior to opening the firewall rules to allow traffic in from the redirector, the certificate material from the redirector must be copied to the team server. Depending on your C2 framework, the certificate fullchain and private key files may be added to your C2 configuration in different ways. Once the certificate material has been added, modify the team server security group rules to allow HTTPS traffic inbound from the redirector IP.

Figure 7 – Team Server Security Group Rules

Using your C2 framework, create a listener and payload that are configured to use the previously configured redirector domain name as the HTTPS host.

Figure 8 - Cobalt Strike Listener

Assuming that you are executing the test payload on a Windows VM running on your host, there is no need to add additional firewall rules. However, if you are executing the payload from another workstation with a different IP, adjust the security group rules accordingly.

Once the payload has been executed on the redirector, there should now be an entry in the Apache access.log file indicating that an HTTP request has been made.

Figure 9 - Apache Access Log on Redirector

On your C2 team server, you should see an established session. If the C2 framework being used supports the X-Forwarded-For header, then the client’s origin IP should be available.

Figure 10 - Cobalt Strike Beacon Callback

To summarize, a payload has been executed, a request has been made to the domain hosted on the redirector, and, finally, the request has been passed through the reverse proxy on the redirector to the backend team server. The team server only allows traffic in from the redirector and from operator IPs, thus making it inaccessible to prying eyes. This setup provides the team server with some degree of protection, although it does not filter out unwanted traffic from reaching the team server.

CloudFront Redirection

As an added layer of redirection, and to help with issues related to domain categorization, content delivery networks (CDNs) can be used to redirect traffic. Building on the example just discussed, CloudFront can be easily integrated without any adjustments to the redirector configuration itself. In general, there are two steps to take:

Create and configure a CloudFront distribution, as illustrated in this blog post, that points to the previously configured domain
Modify the C2 profile to include the CloudFront distribution URL instead of the domain

Figure 11 - CloudFront Distribution Details

Figure 12 - CloudFront Distribution Origins

Before generating and executing a new payload, the firewall rules on the redirector need to be modified to allow traffic in from CloudFront. Within AWS security groups, there is a feature that enables users to add firewall rules for dynamically managed lists of resources that AWS maintains. Specifically useful in this scenario is a managed prefix list for all CloudFront IPs. This list enables operators to allow HTTPS traffic in from a dynamic list of CloudFront IPs, while preventing other traffic from reaching the redirector.

Figure 13 - AWS Managed Prefix

Once the appropriate managed prefix has been added to the firewall rules, generate and execute the new payload using the CloudFront URL as the C2 URI. If configured correctly, the Apache access.log on the redirector should show traffic from CloudFront and the team server should show a new beacon.

Figure 14 - Apache Access Log on Redirector

Figure 15 - Cobalt Strike Beacon Callback via CloudFront Domain

Take note that due to the addition of the X-Forwarded-For header on the redirector, the external IP of the beacon displays the real client origin IP.

To summarize, a payload has been executed, a request has been made to a CloudFront distribution, the CloudFront distribution has forwarded the request to the specified domain, and the request has been passed through the reverse proxy on the redirector to the backend team server.

Next Steps

The redirector setup discussed in this post is about as simple as it can get outside of using socat or iptables. From here, an operator could add a myriad of rules defining the paths, User-Agent strings, or other characteristics that are required for traffic to be passed to the backend team server. An operator could also build in deceptive rewrites that seek to control the narrative around the purpose of the exposed infrastructure. For further information on associated TTPs, please reference the following resources:

By:

Optiv General

No license, express or implied, to any intellectual property or other content is granted or intended hereby.

This blog is provided to you for information purposes only. While the information contained in this site has been obtained from sources believed to be reliable, Optiv disclaims all warranties as to the accuracy, completeness or adequacy of such information.

Links to third party sites are provided for your convenience and do not constitute an endorsement by Optiv. These sites may not have the same privacy, security or accessibility standards.

Complaints / questions should be directed to Legal@optiv.com

Optiv Security: Secure greatness.^®

Optiv is the cyber advisory and solutions leader, delivering strategic and technical expertise to nearly 6,000 companies across every major industry. We partner with organizations to advise, deploy and operate complete cybersecurity programs from strategy and managed security services to risk, integration and technology solutions. With clients at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can. At Optiv, we manage cyber risk so you can secure your full potential. For more information, visit www.optiv.com.

How Can We Help?

Let us know what you need, and we will have an Optiv professional contact you shortly.