Home > network, Pen Test, TTP > Domain Fronting

Domain Fronting

February 10, 2017 Leave a comment Go to comments

I came across a really interesting technique for using high-trust domains as redirectors to a censored/forbidden site.  During a security assessment, these could be setup to redirect C2 traffic from your target network to a server under your control (normally inaccessible).  The nuts and bolts of it are discussed in this write-up that’s almost two years old, but still relevant – https://www.bamsoftware.com/papers/fronting/.

The basic definition of Domain Fronting is a “general-purpose circumvention technique based on HTTPS that hides the true destination of a communication from a censor.”  Content delivery networks (CDN’s) allow users to create accounts with them that include a high-trust domain (Google, Microsoft, Amazon, and others).  You can use domain fronting by making the DNS query and SNI HTTPS destination host headers point to such a “high-trust” domain (e.g., a0.awsstatic.com), which can then forward it to the actual domain you want to visit encrypted within your HTTPS traffic as part of the HTTP Host Header.  Censors will be unable to block your traffic without some serious collateral damage that could prevent access to these otherwise “high-trust” domains.  This isn’t a free service, but it’s by no means cost prohibitive.

Recently Raphael Mudge provided a nice video and write-up of using this technique with Cobalt Strike.  Instead of paraphrasing it all, here are the links:

 

Advertisements
  1. No comments yet.
  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: