๐Ÿ”C2 HTTP Redictor

A C2 redirector is a host that forwards traffic to a real C2 server, acting as a reverse proxy. It's considered best practice to not expose a C2 server directly, so redirectors receive and filter incoming traffic based on specific rules.

Covenant is an open source .NET command and control framework that can run on Windows, MacOS, and Linux. It's designed to be a collaborative C2 for red teamers and make .NET tradecraft easier.

Install Linux Host (Redirector)

We have installed the Covenant C2 on AWS Windows Instance. Now we will use a different linux instance as our C2 redirector.

Click on Launch Instance

Enter a name under Names and Tags section

Select Ubuntu under Applications and OS Images section  

Generate a new key pair under Key pair (login) section

Select Allow HTTPS traffic from internet

Select Allow HTTP traffic from the internet

Click on Launch instance

Connect to the instance using SSH

Click on Instance id 

Click on Connect  

Click on SSH Client tab

Copy the SSH command and paste it to the terminal

Create a Listener on the C2 Server (AWS Windows Instance)

Open Covenenant C2 on the AWS windows instance

Click on Listener from the side menu

Click on Create button

Enter a Name

Change the ConnectAddress field to the redirector public IP (AWS Linux public ip address)

Select CustomHttpProfile under HttpProfile Section

Click on Create

Setting up HTTP server (Redirector Machine)

sudo apt install apache2

sudo a2enmod rewrite proxy proxy_http proxy_connect

a2ensite 000-default.conf

sudo service apache2 restart

Changing the configuration file (Redirector Machine)

nano /etc/apache2/sites-available/000-default.conf

# Add the below lines after CustomLog line

ProxyRequests Off
ProxyPass /en-us/index.html http://<C2 Server IP>/en-us/index.html
ProxyPassReverse /en-us/index.html http://<C2 Server IP>/en-us/index.html
ProxyPass /en-us/docs.html http://<C2 Server IP>//en-us/docs.html
ProxyPassReverse /en-us/docs.html http://<C2 Server IP>//en-us/docs.html
ProxyPass /en-us/test.html http://<C2 Server IP>//en-us/test.html
ProxyPassReverse /en-us/test.html http://<C2 Server IP>//en-us/test.html

# Save and Restart Apache2 
service apache2 restart

Note: The links such as /en-us/index.html are the default links generated by covenant C2. You can view the links from:

Listeners -> Profiles -> CustomHttpProfile

Testing the C2 Server with HTTP Redierctor Setup

Generate a powershell launcher

In the covenant C2 go to Launchers tab

Select Powershell

Select the listener from the drop down menu

Click on Generate

Send the payload to the victim and when the victim runs the payload we will be able to get the connection back.

End

When the victim runs the netstat command, he will only see the redirector ip address, when he visits that ip address it will show the default apache2 webpage. Now the real C2 is hidden from victim and even if victim blocks the redirector ip address then we can use an another machine as a redirector.

REFERENCES

PreviousC2 In The CloudNextHavoc C2

Last updated