Closed (closed by ghost 4 years ago)
Hey Casey,
Thanks for the issue! This is expected behavior for the HTTP Host header, and we should update the example to not spoof the host header by default, to avoid issues.
Typically, the host header should only be set in a profile when performing domain fronting. Even then, when routed through an HTTP proxy, your host header will often be rewritten to point to the "correct" domain within the HTTP GET or CONNECT URL. In the context of domain fronting, this typically results in defenders seeing your domain fronting CDN endpoint in their proxy logs and not what you intended them to see.
Raffi has some detail on this issue in his blog post (https://blog.cobaltstrike.com/2017/02/06/high-reputation-redirectors-and-domain-fronting/), excerpt below:
I was using this beacon payload recently and ran into a small potential bug.
When you set Host: code.jquery.com (https://github.com/threatexpress/malleable-c2/blob/master/jquery-c2.4.0.profile#L250)
and the SSL/TLS proxy intercepts the requests, you may lose connections, since the proxy sends traffic to the actual forged site.
I am not sure of the best way to overcome this with Malleable C2.
Have you encountered this before?
It seems that removing the host in the request fixes this.
Feedback welcome, I may be missing something.
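The two failure modes discussed in this thread (the proxy sending the beacon's traffic to the real code.jquery.com, and the proxy normalizing Host so the defender's log shows the CDN endpoint) can be modeled in a few lines. The following is an added example, not code from the malleable-c2 project or from either participant: it simulates a TLS-intercepting forward proxy that has seen a CONNECT to the fronting CDN endpoint and then decrypts the inner beacon request. The hostnames (cdn-front.example.net as the fronting endpoint), the beacon URI, the sample requests and the two proxy policies are all constructed assumptions, not the behavior of any specific proxy product.

```python
"""Toy model of how an intercepting proxy treats a spoofed Host header.

Added example for the malleable-c2 Host-header discussion; not project code.
All hostnames, URIs and proxy policies below are constructed assumptions.
"""
from dataclasses import dataclass

# Constructed sample values (assumptions, not taken from any real profile).
CDN_ENDPOINT = "cdn-front.example.net"      # the fronting endpoint Beacon really talks to
FRONTED_HOST = "code.jquery.com"            # the Host value the profile spoofs
CONNECT_AUTHORITY = f"{CDN_ENDPOINT}:443"   # what the proxy saw in the CONNECT request

# Inner (decrypted) request as the profile currently sends it: Host is spoofed.
SPOOFED_REQUEST = (
    b"GET /jquery.min.js HTTP/1.1\r\n"
    b"Host: code.jquery.com\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"\r\n"
)

# Same request after the Host override is removed from the profile, so the
# client sends the host it actually connected to.
HONEST_REQUEST = (
    b"GET /jquery.min.js HTTP/1.1\r\n"
    b"Host: cdn-front.example.net\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"\r\n"
)


@dataclass
class Request:
    method: str
    target: str
    headers: dict  # lower-cased header name -> value


def parse_request(raw: bytes) -> Request:
    """Minimal HTTP/1.1 request-head parser (request line plus headers)."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Request(method, target, headers)


@dataclass
class ProxyResult:
    upstream: str     # host the proxy actually forwards the request to
    host_header: str  # Host header as forwarded upstream
    log_line: str     # what a defender sees in the proxy log


def intercepting_proxy(connect_authority: str, inner_request: bytes,
                       policy: str) -> ProxyResult:
    """Model an intercepting proxy that decrypted `inner_request` inside a tunnel
    opened with `CONNECT connect_authority`.

    policy="rewrite":       normalize Host to the CONNECT authority before
                            forwarding (the behavior the maintainer describes).
    policy="route-on-host": trust the inner Host header and forward there
                            (the behavior Casey reports losing connections to).
    Both policies are hypothetical simplifications of real proxy behavior.
    """
    req = parse_request(inner_request)
    tunnel_host = connect_authority.rsplit(":", 1)[0]
    inner_host = req.headers.get("host", "")
    if policy == "rewrite":
        upstream = tunnel_host
    elif policy == "route-on-host":
        upstream = inner_host or tunnel_host
    else:
        raise ValueError(f"unknown policy {policy!r}")
    # The log records the destination the proxy resolved, not the inner Host.
    log_line = f"CONNECT {connect_authority} -> {req.method} https://{upstream}{req.target}"
    return ProxyResult(upstream=upstream, host_header=upstream, log_line=log_line)


def beacon_reaches_c2(result: ProxyResult, redirector: str = CDN_ENDPOINT) -> bool:
    """True if the forwarded request lands on the fronting endpoint that
    forwards to the team server; False if it went to the forged site."""
    return result.upstream == redirector


if __name__ == "__main__":
    for name, req in (("spoofed", SPOOFED_REQUEST), ("honest", HONEST_REQUEST)):
        for policy in ("rewrite", "route-on-host"):
            r = intercepting_proxy(CONNECT_AUTHORITY, req, policy)
            print(f"{name:8} {policy:14} -> reaches C2: {beacon_reaches_c2(r)!s:5}  log: {r.log_line}")
```

Under the route-on-host policy the spoofed request is delivered to code.jquery.com and never reaches the fronting endpoint, which is the connection loss reported above; under the rewrite policy it does reach the endpoint, but the log line names cdn-front.example.net rather than code.jquery.com, so the fronting hides nothing from the proxy's owner. Dropping the Host override makes both policies forward to the fronting endpoint.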