Home > network, Pen Test, TTP > Domain Fronting

Domain Fronting

February 10, 2017 Leave a comment Go to comments

I came across a really interesting technique for using high-trust domains as redirectors to a censored/forbidden site.  During a security assessment, these could be setup to redirect C2 traffic from your target network to a server under your control (normally inaccessible).  The nuts and bolts of it are discussed in this write-up that’s almost two years old, but still relevant – https://www.bamsoftware.com/papers/fronting/.

The basic definition of Domain Fronting is a “general-purpose circumvention technique based on HTTPS that hides the true destination of a communication from a censor.”  Content delivery networks (CDN’s) allow users to create accounts with them that include a high-trust domain (Google, Microsoft, Amazon, and others).  You can use domain fronting by making the DNS query and SNI HTTPS destination host headers point to such a “high-trust” domain (e.g., a0.awsstatic.com), which can then forward it to the actual domain you want to visit encrypted within your HTTPS traffic as part of the HTTP Host Header.  Censors will be unable to block your traffic without some serious collateral damage that could prevent access to these otherwise “high-trust” domains.  This isn’t a free service, but it’s by no means cost prohibitive.

Recently Raphael Mudge provided a nice video and write-up of using this technique with Cobalt Strike.  Instead of paraphrasing it all, here are the links:

 

Categories: network, Pen Test, TTP Tags: , , , ,
  1. No comments yet.
  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

%d bloggers like this: