Command & Control redirectors are pivots designed to separate communication between a target and C2 servers. They protect the C2 servers' IP addresses from identification. Redirectors are what the target will see as malicious: any IP address or domain name associated with a redirector may be observed by the target. If a defender identifies malicious activity, they may block a redirector IP address, so redirectors should be treated as burnable. A Red Team operator can simply switch to an alternate redirector to pivot C2 traffic from the target to the new redirector.
Redirectors and C2 servers must be protected. Command and control servers must communicate with the target over the C2 channel, such as HTTPS on port 443. This is not the only communication to a C2 server. An operator must use the C2 interface to control the server and issue commands, and this interface must be protected. ACLs or other protections should be put in place to only allow access from the Red Team operators. A responsible Red Team will not let its C2 be controlled by an outside party.
Command & Control Redirectors Features:
- Redirectors are pivots used to separate communication between a target and C2 servers (VPS services work great)
- Should be thought of as ‘burnable’.
- Multiple redirectors can be used to obfuscate communications.
- Must be protected from outside influence (Don’t get hacked).
Virtual Private Server (VPS) providers such as Amazon EC2, Digital Ocean, and Linode are great solutions for creating internet-accessible redirectors. Redirector servers can be easily brought up or down. Most service providers offer an API that allows the deployment and destruction of redirectors to be scripted and automated.
A newer technique uses the concept of Domain Fronting by taking advantage of the trust in highly trusted CDNs.
Even ‘hacker’ software is not safe. In September 2016, a remote code execution flaw was found in Cobalt Strike 3.5. This allowed remote code execution on the C2 server via a malicious beacon.
There are several ways to redirect traffic; here are a couple of quick examples for Linux and Windows.
Create a cron job to start socat at boot so that it redirects TCP 443 from the redirector to 10.10.10.10 (run crontab -e and add the following line):
@reboot /usr/bin/socat TCP-LISTEN:443,fork TCP:10.10.10.10:443 &
Use the netsh command to create a persistent port redirection rule that redirects TCP 443 from the redirector (listening on 10.20.20.20) to 10.10.10.10:
netsh interface portproxy add v4tov4 listenport=443 listenaddress=10.20.20.20 connectport=443 connectaddress=10.10.10.10
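The redirection the socat and netsh one-liners perform, written as a small asyncio forwarder that also carries the source-address allow-list the post calls for on anything operators use to reach the C2 server; this is an added example, not code from the Securemind.se post. 10.10.10.10 and port 443 are the post's values; the operator range 10.20.0.0/16 is a constructed placeholder.

```python
"""TCP redirector with an optional source-address allow-list (asyncio)."""
import asyncio
import ipaddress

C2_HOST, C2_PORT = "10.10.10.10", 443        # C2 server address used in the post
OPERATOR_NETS = ["10.20.0.0/16"]             # constructed placeholder for operator IPs


def is_allowed(peer_ip: str, nets=OPERATOR_NETS) -> bool:
    """True if peer_ip is inside one of the CIDR ranges in nets (False on garbage)."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(net) for net in nets)


async def _pipe(reader, writer):
    """Copy bytes one way until EOF, then close our end of that direction."""
    try:
        while chunk := await reader.read(65536):
            writer.write(chunk)
            await writer.drain()
    finally:
        writer.close()


async def handle(client_r, client_w, nets):
    """Accept one connection, enforce the allow-list if given, splice it to the C2 server."""
    peer_ip = client_w.get_extra_info("peername")[0]
    if nets is not None and not is_allowed(peer_ip, nets):
        client_w.close()                     # not an operator range: drop silently
        return
    try:
        up_r, up_w = await asyncio.open_connection(C2_HOST, C2_PORT)
    except OSError:
        client_w.close()                     # C2 unreachable; show the peer nothing
        return
    await asyncio.gather(_pipe(client_r, up_w), _pipe(up_r, client_w))


async def serve(port, nets=None):
    """nets=None is the public C2 channel (the target has to reach it); a CIDR list
    is the operator/management side, which the post says must be restricted by ACL."""
    server = await asyncio.start_server(lambda r, w: handle(r, w, nets), "0.0.0.0", port)
    async with server:
        await server.serve_forever()


if __name__ == "__main__":
    asyncio.run(serve(443))                  # same behaviour as the socat line above
```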
In the next part, we will discuss C&C Tiers. You can also check our previous post about understanding Command & Control and introducing Command & Control tools.
Secure Your Organization’s Mind with Securemind.se