Pushing it to its limits

[ghost]

Can I add multiple comma separated ports after teaserver_url? Like 1.1.1.1:8080,9090,4444? Thx promise would be last issue.

[mgeeky]

Unfortunately no. I don't frankly understand the reasoning or use case behind such syntax.

[ghost]

I mean if I have 3 listeners over http for example, one on port 8080, the second on 7777 and the third on 9999, can red warden accept multiple ports to protect on the same teamserver?

[mgeeky]

Well I guess you could try adding multiple teamserver entries, in following manner:

teamserver_url:
- 127.0.0.1:8080
- 127.0.0.1:7777
- 127.0.0.1:9999

Then, in default behavior RedWarden will pick a teamserver at random while determining where to deliver your packet. You probably don't want that. You can also precisely specify which listening port should deliver its packet where:

port:
  - 80/http
  - 443/https

teamserver_url:
- 80:127.0.0.1:8080
- 443:127.0.0.1:7777

But this inport: logic in teamserver_url entries is quite buggy, I'm not very proud of it. So beware, there be dragons if you want to try it.

[ghost]

ok perfect thx, we can close :)

[ghost]

hi, everything is working ok. did you please test the inport options for multiple ports? is there any way you upload a example-config for domain fronting.(if you have tested it of course). i have tried to use domain fronting teamserver, but no beacon back. I think its a port problem, because cdn communicate primary on 80 and 443, and in this case those ports are used by Redwarden. when I generate stageless payload, its bind to 7777 for example. here is the schema:

1) Rewarden is listening on 80 and 443 2) my teamserver is listening on 7777 3) stageless payload will of course inherite the port 7777 when generating it an will callback to different cdn.example.com(a list of cdns).

4) launching the exe, >>> no beacon back. and nothing on the logs of redwarden which means that the transactions are ok.(if it wasn't red will complains and explains).

thx :)))

[mgeeky]

Hmmm, I think that in your scenario you'll want to have RedWarden listen on 80 and 443 but then redirect traffic to the 127.0.0.1:7777 (assuming your Teamserver is bound on the same server as the RedWarden).

So the config can be something along the lines of:

port:
- 80/http
- 443/https

teamserver_url:
- 127.0.0.1:7777

If you have no beacon back, you can try plugging in debug: True, verbose: True and trace: True in your YAML and then closely observe RedWarden's logs.

• Is there anything going on in RedWarden when you execute your Beacon?
• Are there any inbound requests reaching RedWarden?
• If there are, what's happenning to them? Does RedWarden drops them? If yes, why does it drop them?
• If there is an inbound request on your RedWarden, but the proxy is dropping that request because it deviates from what is in Malleable C2 Profile - find out what has changed and why. Maybe you can either disable some of the RedWarden policies or attempt to repair some of the headers with protect_these_headers_from_tampering setting.

If there are not requests reaching RedWarden instance, then there must be something wrong about your CDN.

I would advise to:

1. Check whether you've disabled Caching - set requests/assets cache policy to Don't Cache for all URLs (URL matches: /* do: don't cache - something alike).
2. Purge your CDNs cache. Should anything be cached already, you don't want that.

Let me know if that helps. Should you still be coping with your issues, it may be helpful to provide me with anonymized YAML config and malleable C2 profile and an excerpt from logs.

Regards, Mariusz.

[ghost]

i have Red and cobaltstrike on the same server yes.

i have an inport for two listeners. 1) a normal http listener ( which works perfectly) 1) a second listener for domain fronting.

port:

• 80/http
• 443/https

teamserver_url:

• 80:127.0.0.1:8665 > for http listner and is perfectly functioning.
• 443:127.0.0.1:7777> https fronted

Redwarden always picks the first when I'm trying to spawn https fronted.

its reconizing the patterns and accepted them but warned me with this :

COULD NOT FETCH RESPONSE FROM REMOTE AGENT: HTTPSConnectionPool(host='MY-VPS-IP', port=8665): Max retries exceeded with url: /Recite/v6.17/1C24NY6B3O (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'ssl3_get_record', 'wrong version number')])"))) [ERROR] 2021-10-02/18:44:50: Exception occured while reverse-proxy fetching resource : URL(https://MY-VPS-IP:8665/Recite/v6.17/1C24NY6B3O). Exception: (HTTPSConnectionPool(host='MY-VPS-IP', port=8665): Max retries exceeded with url: /Recite/v6.17/1C24NY6B3O (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'ssl3_get_record', 'wrong version number')])")))).

as you see it picks up the first listner complaining about SSL which is normal because http is simply HTTP. This is what happens when it try to spawn HTTPS FRONTED LISTNER.

thanks , I'll try to figure it out. I could test with one listner (fronted), but I wanted to test its limits(2 listeners with 2 different transactions).

[mgeeky]

Shiet, yup, it looks like you've just met dragons I've talked about (the enormous mess left in the code resulting in me now not knowing what the hell is going on there). Sorry about that!

I think that there must be some flawed logic deciding whether a HTTPS packet should be handled by which listener. Initially I wanted to offer way for defining multiple profiles bound to specific listeners. I started coding that.

But after a while I realised that offering this kind of configuration is fundamentally wrong because we should aim for infrastructures having dedicated proxies responsible for a single kind of traffic. I'm not sure whether proxies such as nginx (when it's configured as proxy), squid etc support handling various listeners and multiplexing inbound traffic.

That led to me dropping further implementation and remaining code, with all its bad smells left there as is.

So anyway, I guess that you really did push it to the limit and I have no better answer :(

Just please do stick with the golden use flow and try to work with a few listeners all muxing into a single profile & teamserver :)

Feel free to open another bug report when you'll be able to kina isolate the issue we're talking here. I'm happy to work on it but it's gonna be so much easier to have the bug cleanly described with some minimalistic profile/config.

Kind regards, Mariusz.

[ghost]

Yep i think i met the dragons: To summerize: 1)inport plugin(the idea and Logic are ok but...) 2)if we use variants of the same malleable c2, it would complain , doesnt handle variants. 3) i will test tomorrow inport Logic To point to another vps and see the logs and behaviour. And even with all of this, it rocks. I just canot imagine my c2s without RadWarden. :))) Le 3 oct. 2021 à 01:22 +0100, Mariusz B. @.***>, a écrit :

Shiet, yup, it looks like you've just met dragons I've talked about (the enormous mess left in the code resulting in me now not knowing what the hell is going on there). Sorry about that! I think that there must be some flawed logic deciding whether a HTTPS packet should be handled by which listener. Initially I wanted to offer way for defining multiple profiles bound to specific listeners. I started coding that. But after a while I realised that offering this kind of configuration is fundamentally wrong because we should aim for infrastructures having dedicated proxies responsible for a single kind of traffic. I'm not sure whether proxies such as nginx (when it's configured as proxy), squid etc support handling various listeners and multiplexing inbound traffic. So anyway, I guess that you really did push it to the limit and I have no better answer :( Just please do stick with the golden use flow and try to work with a few listeners all muxing into a single profile & teamserver :) Feel free to open another bug report when you'll be able to kina isolate the issue we're talking here. I'm happy to work on it but it's gonna be so much easier to have the bug cleanly described with some minimalistic profile/config. Kind regards, Mariusz. — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub, or unsubscribe.

[mgeeky]

What do you mean by doesnt handle variants - I was quite sure it does? Can you share a minimalistic problematic profile so that I can troubleshoot it?

[ghost]

Handles variants, OH yes. after tweaking the malleable c2 , I have tested with 3 variants. RedWarden handles it eaaaasssyy. good measure: test with c2lint then passing it to RED.

***** the inport logic is the DRAGONS. its needs time to be fixed.

for all the rest , everything is perfectly working.

[mgeeky]

I'll keep an eye on these inport related issues. Will try to revisit that logic and improve it a bit.

Thanks a lot for your feedback @fendi1989 ! Really appreciate that.

Regards, M.