[Security research] Domain Fronting: domain front-end network attack technology

Produced by MS08067 Laboratory (www.ms08067.com)


Domain Fronting is an HTTPS-based general evasion technique, also known as domain front-end network attack technology. Teams using frameworks such as Metasploit and Cobalt Strike use it to hide the traffic to their control servers, so as to bypass inspection by censors or firewalls to a certain extent. Large vendors such as Amazon, Google and Akamai provide services that can be used as domain fronts.

The following examples use Amazon's CloudFront (CDN) service.

Background

When several websites are hosted on one server, they can be distinguished by IP address, port, host name and so on. With SSL/TLS, however, this is harder. According to the way HTTPS works, when a browser visits an HTTPS site, it first establishes an SSL connection with the server.

The first step in establishing the connection is to request the server's certificate. When the server sends the certificate, it does not yet know which domain name the browser is visiting, so it cannot choose a different certificate for each domain name. To solve this, an extension called SNI (Server Name Indication) was introduced. SNI is the SSL/TLS extension that allows one server to serve multiple domain names with multiple certificates; the client does this by filling in the host name it wants in the Client Hello.

The key idea of domain fronting is to use different domain names at different communication layers. It is a technique that hides the real endpoint of a connection in order to evade Internet censorship. Operating at the application layer, domain fronting lets a user connect to a blocked service over HTTPS while on the surface appearing to communicate with a completely different site.

The principle of this technique is to use different domain names at different communication layers. A harmless domain name is used in the plaintext DNS request and in the TLS Server Name Indication (SNI) to initiate the connection; the blocked domain name that is really being contacted is only sent after the encrypted HTTPS connection has been established, as a different, malicious C2 domain name carried in the Host header. The Host header is not visible to the inspector, but it is visible to the front-end server that receives the HTTPS request.

Demo

Amazon CloudFront is a content delivery network service. It provides users with a globally distributed cache for files hosted on their servers. This reduces the load on the customer's server and lets the CDN serve cached content from a data center close to the requester. When a client connects to CloudFront, CloudFront determines which domain the client wants to reach based on the HOST header. Before setting up the domain fronting attack, simply pick a trusted domain name that is served through CloudFront, such as "https://docs.telemetry.mozilla.org", which looks like a legitimate whitelisted domain name, and use it as the front domain name to avoid firewall review.

Register an Amazon CloudFront account and create a CloudFront distribution. In "Origin Domain Name" enter your own C&C controller domain name, such as Godsong.test, and set the other options according to your needs.

Once the distribution is created, a random domain name of the form xxx.cloudfront.net is automatically assigned, and requests to that domain name are forwarded to the real C2 server. When a user accesses this domain name, the traffic is forwarded to the real C&C server.

Because domain fronting uses a legitimate front domain as bait, the DNS request made for the HTTPS connection is also for a legitimate domain name, while the modified HOST header directs the request to our C&C server. This is equivalent to requesting a legitimate domain and then having the traffic forwarded to the relay web server.

CloudFront assigned me a domain name that forwards to my C&C address, and a text file named 6.txt was placed on the original C&C web server at the address https://www.godsong.test/6.txt .

Visiting the domain name https://d305blu4121c3m.cloudfront.net/6.txt issued by AWS returns the content from the origin through the forwarding, which shows that the test succeeded.

Use the legitimate whitelisted domain as the front domain name, and modify the Host header to point to our C&C domain name:

wget -U demo -q -O- docs.telemetry.mozilla.org/6.txt --header "Host:d305blu4121c3m.cloudfront.net"

The figure below shows the successful use of Mozilla's whitelisted domain to hide the real malicious traffic.

In practice, Cobalt Strike, Empire, Metasploit and other tools can be configured, by modifying their configuration files, to control how their traffic is transmitted. The following demonstration uses Cobalt Strike: set up a profile and specify the Host header as d305blu4121c3m.cloudfront.net.

Create a listener; in the host field enter the cloudfront.net distribution domain name, and listen on port 80.

The Beacon payload uses the whitelisted domain name, as shown below:

After the malicious program runs, Wireshark is used to capture the transmitted traffic. As shown in the figure, the related requests look as follows. In this way the real C&C server address is hidden: the Host header of the captured packets in Wireshark also points to our CloudFront server, which conceals the real attacker address to a certain extent.

Summary: With domain fronting, the domain we see is only the front-end server's domain, so it is difficult to tell whether it is a normal domain name or a malicious one. In reality, however, the malicious traffic must still reach the controlled endpoint, and there it produces malicious fingerprints such as the size and timing of network packets; detection can rely on observing these malicious features.
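The detectable feature the principle section and this summary point to is the mismatch between the name in the TLS SNI and the name in the HTTP Host header, which is only visible where TLS is inspected or terminated. As an added example that is not part of the original article, the Python below runs that check over constructed log lines in an assumed proxy log format (the field layout and the two-label domain approximation are assumptions for the demo, not any product's real format):

```python
import re
from typing import Dict, List

# Constructed sample of TLS-inspecting proxy log lines (assumed format, not a real product's).
# Each line records the TLS SNI seen in the Client Hello and the HTTP Host header seen after decryption.
SAMPLE_LOG = """\
2021-01-27T17:10:59Z 10.0.0.5 sni=docs.telemetry.mozilla.org host=docs.telemetry.mozilla.org path=/
2021-01-27T17:11:02Z 10.0.0.5 sni=docs.telemetry.mozilla.org host=d305blu4121c3m.cloudfront.net path=/6.txt
2021-01-27T17:11:08Z 10.0.0.7 sni=www.example.com host=static.example.com path=/app.js
2021-01-27T17:11:10Z 10.0.0.9 sni=cdn.example.net host=Cdn.Example.NET:443 path=/x
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) sni=(?P<sni>\S+) host=(?P<host>\S+) path=(?P<path>\S+)$")


def normalize_host(host: str) -> str:
    """Drop an optional :port, lowercase, and strip a trailing dot so comparisons are fair."""
    return host.split(":", 1)[0].lower().rstrip(".")


def registrable_domain(name: str) -> str:
    """Crude last-two-labels approximation (assumption: no public suffix list in this demo)."""
    return ".".join(name.split(".")[-2:])


def classify(sni: str, host: str) -> str:
    """Compare the TLS-layer name with the HTTP-layer name for one request."""
    sni_n, host_n = normalize_host(sni), normalize_host(host)
    if sni_n == host_n:
        return "match"
    if registrable_domain(sni_n) == registrable_domain(host_n):
        return "same-site"  # e.g. www vs static subdomain of one site: low concern
    return "fronting-suspect"  # SNI says one site, Host asks the CDN for another


def find_fronting(log_text: str) -> List[Dict[str, str]]:
    """Return the log records whose SNI and Host belong to unrelated domains."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and classify(m["sni"], m["host"]) == "fronting-suspect":
            findings.append({"ts": m["ts"], "client": m["client"], "sni": m["sni"],
                             "host": normalize_host(m["host"]), "path": m["path"]})
    return findings


if __name__ == "__main__":
    for hit in find_fronting(SAMPLE_LOG):
        print("SNI/Host mismatch:", hit)
```

Only the second constructed line is reported, since the third is an ordinary same-site subdomain split and the fourth differs only in case and port.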

References

[1] https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1542139101.pdf (Figures 2 and 6 are taken from this article)
[2] http://www.ert7.com/service/knowledge/3999.html

For reprinting, please contact the author and credit the source.

The MS08067 security laboratory focuses on popularizing cyber security knowledge and on training. The team has published "Web Security Attack and Defense: Penetration Testing Practice Guide", "Intranet Security Attack and Defense: Penetration Testing Practice Guide", "Python Security Attack and Defense: Penetration Testing Practice Guide", "Java Code Security Audit (Introduction)" and other books.
The team's official account regularly shares practical technical content on CTF ranges, intranet penetration and APT, starting from the basics and focusing on hands-on practice, and aims to be a practical, substantive public account.
Official website: https://www.ms08067.com/


Source: blog.csdn.net/nidongla/article/details/115266023