MythicAgents / thanatos

Mythic C2 agent targeting Linux and Windows hosts written in Rust
BSD 3-Clause "New" or "Revised" License

Domain fronting support #4

Open ScriptIdiot opened 2 years ago

ScriptIdiot commented 2 years ago

May I know if domain fronting is supported in this case? Tried to change the host header but then it shows this error upon execution:

thread 'main' panicked at 'called Result::unwrap() on an Err value: Custom { kind: ConnectionRefused, error: "Failed to make post request" }', src/profiles/mod.rs:117:49 note: run with RUST_BACKTRACE=1 environment variable to display a backtrace

*Run on Linux

Thanks!

t94j0 commented 2 years ago

I haven't tried domain fronting with this agent, but I don't think there's an option to change the host header in the options of this agent. How did you attempt to change the host header?

ScriptIdiot commented 2 years ago

During the generation of payload, I was able to add host header to attempt to achieve domain fronting, which is working in merlin agent

[image]

t94j0 commented 2 years ago

Gotcha. The Host header should be there based on this code. It looks like you're getting a ConnectionRefused error, so it looks like the domain front you're connecting to is unavailable. Are you sure you can connect to the target domain/ip?

ScriptIdiot commented 2 years ago

Yeah, I am pretty sure. Tried to establish C2 without domain front, and the exact same setting with domain front worked by using merlin agent.

MEhrn00 commented 2 years ago

I believe I have tracked down the issue. The HTTP library tetanus is using is minreq and minreq will insert the callback url into the Host header before establishing the HTTP connection. The library will not check for duplicates so it will include two Host headers but pick the Host specified in the HTTP Headers section of the payload generation for the HTTP connection and ignore the callback host.

This is obviously not great behavior at all and I will need to use a different library which supports arbitrarily setting the Host header. I will look into it this weekend.
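As an added example (not code from thanatos/tetanus, minreq or Mythic), this is the check a standards-conforming HTTP/1.1 front end applies to a request head carrying two Host fields like the one described above, and how it separates that case from a single Host that simply differs from the connected hostname; `check_host`, the enum names and the example hostnames are hypothetical.

```rust
// Added example, not thanatos/tetanus code: what a strict HTTP/1.1 front end
// (reverse proxy, WAF, CDN edge) does with the request head the bug above
// produces. RFC 7230 section 5.4: a request with zero or several Host fields
// is invalid and is answered with 400 Bad Request.

#[derive(Debug, PartialEq)]
pub enum HostCheck {
    /// One Host header that matches the hostname the client connected to.
    Consistent(String),
    /// One Host header naming a different host than the connection target:
    /// the signature a fronting-aware edge logs or blocks.
    Mismatch { connected: String, host: String },
}

#[derive(Debug, PartialEq)]
pub enum HostError {
    MissingHost,
    DuplicateHost(Vec<String>),
    MalformedHead,
}

/// Validate the Host field(s) of a raw request head against `connected`,
/// the hostname the client actually reached (TLS SNI or listener name).
pub fn check_host(raw: &str, connected: &str) -> Result<HostCheck, HostError> {
    // Only the header block matters; the body begins after the blank line.
    let head = raw.split("\r\n\r\n").next().unwrap_or("");
    let mut lines = head.split("\r\n");
    // A request line must precede the headers.
    lines.next().filter(|l| !l.is_empty()).ok_or(HostError::MalformedHead)?;
    // Field names are case-insensitive, so "Host" and "host" both count.
    let hosts: Vec<String> = lines
        .filter_map(|l| l.split_once(':'))
        .filter(|(name, _)| name.trim().eq_ignore_ascii_case("host"))
        .map(|(_, value)| value.trim().to_ascii_lowercase())
        .collect();
    if hosts.is_empty() {
        return Err(HostError::MissingHost);
    }
    if hosts.len() > 1 {
        // Two Host fields is exactly what the duplicate-insertion bug emits.
        return Err(HostError::DuplicateHost(hosts));
    }
    let host = hosts.into_iter().next().unwrap();
    if host == connected.to_ascii_lowercase() {
        Ok(HostCheck::Consistent(host))
    } else {
        Ok(HostCheck::Mismatch { connected: connected.to_string(), host })
    }
}
```

A front end that follows this rule never forwards the double-Host request, which is why a client library that silently emits one is a reliability problem as much as a correctness one.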

jeffmcjunkin commented 1 year ago

For what it's worth, between this and #1 tetanus is getting damn close to a viable top-tier C2. The only ~two~ three wish list items I'd have left are the following:

  1. .NET Assembly injection support
  2. Beacon Object File support (likely via https://github.com/trustedsec/COFFLoader)
  3. DNS C2 channel support

The first two get a lot of existing functionality for free (via projects like https://github.com/trustedsec/CS-Situational-Awareness-BOF and https://github.com/Flangvik/SharpCollection), while the third makes operations possible in a pretty restricted environment.

MEhrn00 commented 1 year ago

Update on this: I am in the process of doing a rewrite for Tetanus. I currently have domain fronting support, beacon object file support and reflective DLL loading support on the road map among other things. I can see about integrating a DNS C2 profile and .NET assembly injection but it depends on when I can get the current items on my road map complete.

I will leave this issue open until the rewrite is finished. This is just to acknowledge the suggestions 👍🏻

jeffmcjunkin commented 1 year ago

Oooh, today I learned of https://github.com/hakaioffsec/coffee, which may be of interest as an easier path to implementing Beacon Object Files.

In other news, is there any rough planned timeframe for the rewrite / release?