EmpireProject / Empire

Empire is a PowerShell and Python post-exploitation agent.
http://www.powershellempire.com/
BSD 3-Clause "New" or "Revised" License

Can't make https domain fronting work #1074

Closed Ph4k3r closed 6 years ago

Ph4k3r commented 6 years ago

Empire Version

dev

OS Information (Linux flavor, Python version)

Kali 64

Expected behavior and description of the error, including any actions taken immediately prior to the error. The more detail the better.

HTTP domain fronting is working, with the following configuration:

HTTP[S] Options:

  Name              Required    Value                            Description
  ----              --------    -------                          -----------
  SlackToken        False                                        Your SlackBot API token to communicate with your Slack instance.
  ProxyCreds        False       default                          Proxy credentials ([domain\]username:password) to use for request (default, none, or other).
  KillDate          False                                        Date for the listener to exit (MM/dd/yyyy).
  Name              True        http                             Name for the listener.
  Launcher          True        powershell -noP -sta -w 1 -enc   Launcher string.
  DefaultDelay      True        5                                Agent delay/reach back interval (in seconds).
  DefaultLostLimit  True        60                               Number of missed checkins before exiting
  WorkingHours      False                                        Hours for the agent to operate (09:00-17:00).
  SlackChannel      False       #general                         The Slack channel or DM that notifications will be sent to.
  DefaultProfile    True        /admin/get.php,/news.php,/login/ Default communication profile for the agent.
                                process.php|Mozilla/5.0 (Windows
                                NT 6.1; WOW64; Trident/7.0;
                                rv:11.0) like Gecko
  Headers           True        Host: a0.awsstatic.com           Headers for the control server.
  Host              True        http://xxxxx.cloudfront.net:80   Hostname/IP for staging.
  CertPath          False                                        Certificate path for https listeners.
  DefaultJitter     True        0.0                              Jitter in agent reachback interval (0.0-1.0).
  Proxy             False       default                          Proxy to use for request (default, none, or other).
  UserAgent         False       default                          User-agent string to use for the staging request (default, none, or other).
  StagingKey        True        xxxxx                            Staging key for initial agent negotiation.
  BindIP            True        0.0.0.0                          The IP to bind to on the control server.
  Port              True        80                               Port for the listener.
  StagerURI         False                                        URI for the stager. Must use /download/. Example: /download/stager.php

But when it comes to HTTPS, it's just not working:

HTTP[S] Options:

  Name              Required    Value                            Description
  ----              --------    -------                          -----------
  SlackToken        False                                        Your SlackBot API token to communicate with your Slack instance.
  ProxyCreds        False       default                          Proxy credentials ([domain\]username:password) to use for request (default, none, or other).
  KillDate          False                                        Date for the listener to exit (MM/dd/yyyy).
  Name              True        https                            Name for the listener.
  Launcher          True        powershell -noP -sta -w 1 -enc   Launcher string.
  DefaultDelay      True        5                                Agent delay/reach back interval (in seconds).
  DefaultLostLimit  True        60                               Number of missed checkins before exiting
  WorkingHours      False                                        Hours for the agent to operate (09:00-17:00).
  SlackChannel      False       #general                         The Slack channel or DM that notifications will be sent to.
  DefaultProfile    True        /admin/get.php,/news.php,/login/ Default communication profile for the agent.
                                process.php|Mozilla/5.0 (Windows
                                NT 6.1; WOW64; Trident/7.0;
                                rv:11.0) like Gecko
  Headers           True        Host: a0.awsstatic.com           Headers for the control server.
  Host              True        https://xxx:80                   Hostname/IP for staging.
  CertPath          False       /home/ec2-user/dev/data/         Certificate path for https listeners.
  DefaultJitter     True        0.0                              Jitter in agent reachback interval (0.0-1.0).
  Proxy             False       default                          Proxy to use for request (default, none, or other).
  UserAgent         False       default                          User-agent string to use for the staging request (default, none, or other).
  StagingKey        True        xxxx                             Staging key for initial agent negotiation.
  BindIP            True        0.0.0.0                          The IP to bind to on the control server.
  Port              True        443                              Port for the listener.
  StagerURI         False                                        URI for the stager. Must use /download/. Example: /download/stager.php

Screenshot of error, embedded text output, or Pastebin link to the error

A lot of retransmissions in Wireshark, and if I swap the "Headers" field with the "Host" field (for HTTPS domain fronting), it's not fronting.

Any additional information

There are no blogs about 2.5 domain fronting with SSL on the web.... So sad!

DakotaNelson commented 6 years ago

This might help: https://www.cyberark.com/threat-research-blog/red-team-insights-https-domain-fronting-google-hosts-using-cobalt-strike/

If I had to guess, it looks like your Host setting is still using port 80, which might be a problem (doubly so if your listening server is running on 80). I don't have that much experience with fronting, though, so take that with a huge grain of salt.

Ph4k3r commented 6 years ago

@DakotaNelson Hi there, I checked the link you gave, but it doesn't seem to solve my problem. How about this: which option EXACTLY should be set to Host, and which should be set to Headers?

I think I should set Host to a0.awsstatic.com

And set Headers to my xxxx.cloudfront.net

Hope empire could progress on this quickly.

xorrior commented 6 years ago

@Ph4k3r This post may help also: https://www.xorrior.com/Empire-Domain-Fronting/. You need to set the Host header within the profile as shown in the blog post. Also consider that modifying the Host header does not work in Win7 / .NET v2|3. Domain . I would also review #971 and #533.
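The split that xorrior's comment relies on, shown as an added example that is not code from Empire or from anyone in this thread: the TCP connection and the TLS SNI go to the name in the listener's Host option (the CDN edge), while the HTTP Host header carries the fronted domain from the Headers option. The script models the listener options as a plain dict, lints the configurations from the thread (the redacted `https://xxx:80` is reconstructed as `https://xxxxx.cloudfront.net:80`, an assumption), and builds or sends the raw request. The `.cloudfront.net` heuristic, the finding messages and all function names are mine, not Empire's.

```python
import socket
import ssl
from urllib.parse import urlsplit

# Constructed from the issue's listener tables; "xxxxx.cloudfront.net" stands in
# for the redacted CloudFront distribution name (assumption, not from the page).
DEFAULT_PROFILE = ("/admin/get.php,/news.php,/login/process.php|"
                   "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko")
ISSUE_HTTP_CONFIG = {"Host": "http://xxxxx.cloudfront.net:80",
                     "Headers": "Host: a0.awsstatic.com", "Port": "80"}
ISSUE_HTTPS_CONFIG = {"Host": "https://xxxxx.cloudfront.net:80",
                      "Headers": "Host: a0.awsstatic.com", "Port": "443"}
CORRECTED_CONFIG = {"Host": "https://xxxxx.cloudfront.net:443",
                    "Headers": "Host: a0.awsstatic.com", "Port": "443"}
SWAPPED_CONFIG = {"Host": "https://a0.awsstatic.com:443",
                  "Headers": "Host: xxxxx.cloudfront.net", "Port": "443"}


def parse_headers(headers_field):
    """Parse the 'Headers' option ("Key: value|Key2: value2") into a dict."""
    out = {}
    for item in headers_field.split("|"):
        key, sep, value = item.partition(":")
        if sep:
            out[key.strip()] = value.strip()
    return out


def parse_profile(profile):
    """Split a 'DefaultProfile' ("uri1,uri2|User-Agent|Header: v|...") into its parts."""
    parts = profile.split("|")
    uris = [u.strip() for u in parts[0].split(",") if u.strip()]
    user_agent = parts[1].strip() if len(parts) > 1 else ""
    return uris, user_agent, parse_headers("|".join(parts[2:]))


def fronting_names(options):
    """Names that go on the wire: TCP/SNI from 'Host' (CDN edge), HTTP Host from 'Headers'."""
    url = urlsplit(options["Host"])
    headers = parse_headers(options.get("Headers", ""))
    port = url.port or (443 if url.scheme == "https" else 80)
    return {"scheme": url.scheme, "connect_host": url.hostname, "connect_port": port,
            "sni": url.hostname if url.scheme == "https" else None,
            "http_host": headers.get("Host", url.hostname)}


def lint_fronting_config(options):
    """Findings for the misconfigurations discussed in the thread (empty list = looks sane)."""
    findings = []
    names = fronting_names(options)
    headers = parse_headers(options.get("Headers", ""))
    listener_port = int(options.get("Port", 0) or 0)
    if names["scheme"] == "https" and names["connect_port"] == 80:
        # A TLS ClientHello aimed at a plaintext HTTP port gets no usable answer,
        # which is what shows up as retransmissions in a capture.
        findings.append("Host is https:// but pins port 80; TLS to a plaintext port fails")
    if listener_port and names["connect_port"] != listener_port:
        findings.append(f"Host port {names['connect_port']} differs from listener Port "
                        f"{listener_port}; only valid if the CDN origin forwards to {listener_port}")
    if "Host" not in headers:
        findings.append("Headers has no 'Host:' entry, so the request is not fronted at all")
    elif names["http_host"].endswith(".cloudfront.net"):
        # Heuristic for the CloudFront case in the thread: the distribution name belongs
        # in 'Host' (where the TCP connection and SNI go), not in the HTTP Host header.
        findings.append("Host header names the CloudFront distribution; Host and Headers look swapped")
    return findings


def build_request(options, path="/", user_agent=""):
    """Raw HTTP/1.1 GET as the agent would send it through the CDN edge."""
    names = fronting_names(options)
    headers = parse_headers(options.get("Headers", ""))
    headers.pop("Host", None)  # emitted first, from the fronted domain
    lines = [f"GET {path} HTTP/1.1", f"Host: {names['http_host']}"]
    if user_agent:
        lines.append(f"User-Agent: {user_agent}")
    lines += [f"{k}: {v}" for k, v in headers.items()] + ["Connection: close"]
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def send_fronted(options, path="/", timeout=10.0):
    """Live request (needs network): TLS/SNI to the CDN edge, HTTP Host to the fronted domain."""
    names = fronting_names(options)
    _, user_agent, _ = parse_profile(options.get("DefaultProfile", DEFAULT_PROFILE))
    sock = socket.create_connection((names["connect_host"], names["connect_port"]), timeout=timeout)
    if names["sni"]:
        # The certificate is checked against the CDN name, which is what the edge presents.
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=names["sni"])
    with sock:
        sock.sendall(build_request(options, path, user_agent))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    for label, cfg in [("issue http", ISSUE_HTTP_CONFIG), ("issue https", ISSUE_HTTPS_CONFIG),
                       ("corrected", CORRECTED_CONFIG), ("swapped", SWAPPED_CONFIG)]:
        print(label, fronting_names(cfg), lint_fronting_config(cfg) or "OK")
```

Run stand-alone it only prints the derived names and lint findings; `send_fronted` is the one function that opens a connection. The working HTTP configuration from the issue lints clean, the HTTPS one reports the port 80 pin, and the swapped one is flagged by the CloudFront heuristic. Certificate verification is deliberately done against the SNI name, because the TLS session terminates at the CDN edge rather than at the Empire listener.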

ThePirateWhoSmellsOfSunflowers commented 6 years ago

Not related but may be useful for future reference: Google disables “domain fronting” capability