threatexpress / malleable-c2

Cobalt Strike Malleable C2 Design and Reference Guide
GNU General Public License v3.0
1.6k stars, 296 forks

Possible Issue Host Header Breaks TLS Intercepting Proxies #3

Closed ghost closed 4 years ago

ghost commented 4 years ago

I was using this beacon payload recently and ran into a small potential bug.

When you set the `Host: code.jquery.com` header (https://github.com/threatexpress/malleable-c2/blob/master/jquery-c2.4.0.profile#L250) and an SSL/TLS proxy intercepts the requests, you may lose connections, since the proxy sends the traffic to the actual forged site.

[Screenshot: Screen Shot 2020-04-24 at 3 29 21 PM]

I am not sure of the best way to overcome this with Malleable C2.

Have you encountered this before?

It seems that removing the host in the request fixes this.

Steps to Reproduce.
1. Connect normally over an HTTPS Beacon. It should work fine.
2. On the host that is running the Beacon, start a proxy like Fiddler or Burp.
3. The beacon is no longer responsive.

Feedback welcome, I may be missing something.

andrewchiles commented 4 years ago

Hey Casey,

Thanks for the issue! This is expected behavior for the HTTP Host header, and we should update the example to not spoof the Host header by default to avoid issues.

Typically, the host header should only be set in a profile when performing domain fronting. Even then, when routed through an HTTP proxy, your host header will often be rewritten to point to the "correct" domain within the HTTP GET or CONNECT URL. In the context of domain fronting, this typically results in defenders seeing your domain fronting CDN endpoint in their proxy logs and not what you intended them to see.

Raffi has some detail on this issue in his blog post (https://blog.cobaltstrike.com/2017/02/06/high-reputation-redirectors-and-domain-fronting/), excerpt below:

[image: excerpt from the blog post]
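The check the two comments above arrive at, as an added example that is not code from the malleable-c2 repository or from either participant: a small Python audit that finds every client-side `header "Host"` in the http-get/http-post/http-stager blocks of a Malleable C2 profile, classifies each one against the hostnames the Beacon actually connects to, and applies the fix from the issue by stripping the spoofed ones. Everything it works on is assumed: the profile fragment is constructed to mirror the shape of the jquery profile's client blocks (values illustrative), profile comments are treated as whole lines starting with `#`, and `cdn.example.com` is a placeholder redirector name. The listener or redirector hostname is not stored in the profile, so the operator supplies it.

```python
import re

# Constructed fragment in Malleable C2 profile syntax, modelled on the jquery
# profile's http-get/http-post client blocks; the values are illustrative.
SAMPLE_PROFILE = r'''
http-get {
    set uri "/jquery-3.3.1.min.js";
    client {
        header "Accept" "text/html,application/xhtml+xml,*/*;q=0.8";
        header "Host" "code.jquery.com";
        metadata {
            base64url;
            prepend "__cfduid=";
            header "Cookie";
        }
    }
}

http-post {
    set uri "/jquery-3.3.2.min.js";
    client {
        header "Host" "code.jquery.com";
        id {
            base64url;
            parameter "__cfduid";
        }
    }
}
'''

# Top-level transaction blocks, with an optional variant name: http-get "v2" {
BLOCK_RE = re.compile(r'\b(http-get|http-post|http-stager)(?:\s+"([^"]*)")?\s*\{')
CLIENT_RE = re.compile(r'\bclient\s*\{')
HOST_RE = re.compile(r'\bheader\s+"Host"\s+"([^"]*)"\s*;', re.IGNORECASE)


def _strip_comments(text):
    # Assumption: profile comments are whole lines starting with '#'.
    return "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))


def _block_body(text, open_idx):
    """Return the text between the brace at text[open_idx] and its matching '}'."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i]
    raise ValueError("unbalanced braces in profile")


def find_host_headers(profile):
    """Return [(section, variant, host)] for every Host header in a client block."""
    text = _strip_comments(profile)
    found = []
    for m in BLOCK_RE.finditer(text):
        section, variant = m.group(1), m.group(2) or "default"
        body = _block_body(text, m.end() - 1)
        for cm in CLIENT_RE.finditer(body):
            client = _block_body(body, cm.end() - 1)
            found.extend((section, variant, hm.group(1)) for hm in HOST_RE.finditer(client))
    return found


def audit_host_headers(profile, listener_hosts):
    """Classify each client Host header against the names the Beacon really
    connects to (listener / redirector hostnames supplied by the operator)."""
    allowed = {h.lower() for h in listener_hosts}
    report = []
    for section, variant, host in find_host_headers(profile):
        if host.lower() in allowed:
            verdict = "ok: Host matches the connection target"
        else:
            verdict = ("spoofed: an intercepting proxy routes on the CONNECT/URL target "
                       "and may rewrite Host; remove unless domain fronting is intended")
        report.append({"section": section, "variant": variant, "host": host, "verdict": verdict})
    return report


def strip_spoofed_host_headers(profile, listener_hosts):
    """Apply the fix from the issue: drop Host header lines that do not name a
    listener host. Comment lines are left untouched."""
    allowed = {h.lower() for h in listener_hosts}
    kept = []
    for line in profile.splitlines():
        m = HOST_RE.search(line)
        if m and not line.lstrip().startswith("#") and m.group(1).lower() not in allowed:
            continue  # spoofed Host header: remove it
        kept.append(line)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    # Assumption: the Beacon actually connects to a redirector named cdn.example.com.
    for finding in audit_host_headers(SAMPLE_PROFILE, {"cdn.example.com"}):
        print(finding)
    print(strip_spoofed_host_headers(SAMPLE_PROFILE, {"cdn.example.com"}))
```

Run it against a real profile by replacing `SAMPLE_PROFILE` with the file contents and passing the hostnames your listener and redirectors answer on; a Host value that matches one of them is harmless, while any other value is the domain-fronting case and will only survive an intercepting proxy if the fronting CDN is actually in the path.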