Domain Fronting

I came across a really interesting technique for using high-trust domains as redirectors to a censored/forbidden site.  During a security assessment, these could be setup to redirect C2 traffic from your target network to a server under your control (normally inaccessible).  The nuts and bolts of it are discussed in this write-up that’s almost two years old, but still relevant – https://www.bamsoftware.com/papers/fronting/.

The basic definition of Domain Fronting is a “general-purpose circumvention technique based on HTTPS that hides the true destination of a communication from a censor.”  Content delivery networks (CDN’s) allow users to create accounts with them that include a high-trust domain (Google, Microsoft, Amazon, and others).  You can use domain fronting by making the DNS query and SNI HTTPS destination host headers point to such a “high-trust” domain (e.g., a0.awsstatic.com), which can then forward it to the actual domain you want to visit encrypted within your HTTPS traffic as part of the HTTP Host Header.  Censors will be unable to block your traffic without some serious collateral damage that could prevent access to these otherwise “high-trust” domains.  This isn’t a free service, but it’s by no means cost prohibitive.

Recently Raphael Mudge provided a nice video and write-up of using this technique with Cobalt Strike.  Instead of paraphrasing it all, here are the links:

• High-reputation Redirectors and Domain Fronting
• Video: Domain Fronting and High-trust Redirectors with Cobalt Strike

 

Using RatProxy in Windows (Updated)

These instructions are largely copied from a post by SecureIdeas, but there were enough issues that I had to work through that I thought I’d post what was successful for me.   Using these instructions I was able to successfully install ratproxy on Windows XP SP3 and Windows 7 SP1, both 32-bit systems running in VMware Workstation.

Install Cygwin

1. Download the Cygwin installer from http://www.cygwin.com.
2. Run the Setup.exe installer.
3. Follow the on screen prompts, using the default is fine, until the Utilities screen appears.  Select the following packages:
   1. Select make from the devel package.
   2. Select gcc-core from the devel package.
   3. Search for “openssl” and select the following from the net package.
   • openssl-devel
   • libopenssl
   • openssl
4. Complete the installation.  This may take some time as it downloads all of the packages needed.

Install ratproxy

1. Download the package from http://code.google.com/p/ratproxy/.
2. Unzip the downloaded ratproxy distribution file into the Cygwin directory.  If cygwin was installed to C:\cygwin then ratproxy should be unzipped to C:\cygwin\ratproxy. 
3. Update Flare (used to decompile flash objects):
   1. For the latest instructions open the readme file in the \ratproxy\flare-dist directory.
   2. Open the URL for the Windows distribution and save the file.
   3. Unzip the file into the \ratproxy\flare-dist directory.
4. Open a Cygwin bash by double-clicking the C:\cygwin\Cygwin.bat file.
5. Navigate to the ratproxy directory.  If installed at C:\cygwin\ratproxy, type cd ../../ratproxy and press enter.
6. Type make and press enter.
   1. If you receive an error that looks like this: “ratproxy.c:1635: error: incompatible type for argument 2 of ‘waitpid'” the ratproxy.c file needs to be modified.
   2. Open ratproxy.c and modify line 1635 “while (waitpid(-1,&x,WNOHANG) > 0);” to be “while (waitpid(-1,(int*)&x,WNOHANG) > 0);“.
   3. run the make command again. This should run successfully.
7. Add cygwin to your path.
   1. Right-click “My Computer” and select “Properties”.
   2. Select “Advanced system settings” and then select “Environmental Variables”.
   3. Find the “Path” variable under “System Variables” and edit it.
   4. Add “;C:\Cygwin” (without the quotes) to the end of the “Variable Value”.

Before actually running ratproxy (after following the instructions on installing it), make sure that the following .dll files are in the ratproxy directory:

• cygcrypto-1.0.0.dll (if that’s the version of OpenSSL you installed)
• cyggcc_s-1.dll
• cygssl-1.0.0.dll
• cygwin1.dll
• cygz.dll

Simplify Running ratproxy

Also, I highly recommend using a batch file to simplify running the proxy, so you don’t have to remember which flags you like to use (just know that the batch file has to be located in the ratproxy directory, if you want it elsewhere, just create a shortcut).

Sample .bat file running RatProxy through Burp listening on 8080 (browser proxy points to RatProxy on 8081):

@echo off

rem default values
set logfilename=""
set domain=""

rem set base log file name and target domain
:setfilename
 set /p logfilename=Enter base log file name: 
 if %logfilename%=="" goto setfilename
 
:setDomain
 set /p domain=Enter target domain (www.domain.com): 
 if %domain%=="" goto setDomain

rem Run ratproxy
start "" "C:\cygwin\ratproxy\ratproxy.exe" ^
-w /cygdrive/c/temp/rp-logs/%logfilename%.log ^
-v /cygdrive/c/temp/rp-traces -d %domain% -p 8081 ^
-P 127.0.0.1:8080 -lextifscgjm

Logging Attack Traffic

When performing a test, it is important that you log all your activity so that you have proof of what you were doing, in case anything goes awry (and it is not your fault!). Here are a couple methods of logging activity:

• Wireshark: before you start capturing data, in the Capture Options window select “Use multiple files” and in the “Next file every” field specify the upper limit of the file size that you desire (a new file will be created once the current file reaches that limit) – see image below.

• Tshark (found in the c:\program files\wireshark directory): c:\program files\Wireshark\tshark.exe -i [interface] -w [base file name] -b filesize:[file size in KB]  -p [this flag restricts monitoring to current VM, otherwise all VM traffic will be captured]
  • This option doesn’t put as much strain on your machine as using Wireshark does

• tcpdump: tcpdump -i [interface, use ‘tcpdump -D’ to get list] -w [base file name] -C [file size in MB]
  • Another low resource option