Closed cpu0x00 closed 11 months ago
Hello Sir, the RG port can be set to any port. If the TeamServer and RG are at a server, it is set to 127.0.0.1. You can understand it as a proxy server. Based on this, you can set up related settings and online ports in your C2. You don’t need to perform iptables configuration alone. Thank you for your support!
Thanks for the quick response, sir. I made this quick and dirty explanation in case someone faces the same problem.
In the RG config:
HostTarget = {"360.net":"http://127.0.0.1:9001","360.com":"https://127.0.0.1:4444"}
Port_HTTPS = :443
Port_HTTP = :489
This part: http://127.0.0.1:9001 is the C2's actual teamserver IP and bind port; the host header must match 360.net or whatever is there.
This part: Port_HTTP = :489 is the port of RedGuard which the beacon will send traffic to, to be filtered and inspected, and then RedGuard will redirect the traffic received on this port to http://teamserver:9001
On listener creation there are 4 important sections:
HTTP Host stager
HTTP Port C2
HTTP Port bind
HTTP Host Header
HTTP Host stager:HTTP Port C2 -> this is where the beacon will send traffic to from the compromised host
HTTP Port bind -> this is the port the teamserver will listen for incoming traffic on
HTTP Host Header -> 360.net
Now applying this on RG:
We need traffic to be sent to RG for inspection before it reaches our C2, so HTTP Host stager:HTTP Port C2 will be the IP and port of the server that RG is listening on, per se that's 10.10.10.5:489
HTTP Port bind will be 9001, the same port configured in the RG HostTarget parameter above. Assuming the CS IP is 10.10.10.6, then HostTarget will be: HostTarget = {"360.net":"http://10.10.10.6:9001","360.com":"https://10.10.10.6:4444"}
Now the beacon will send HTTP traffic to: 10.10.10.5:489
RG will inspect, filter and redirect to http://10.10.10.6:9001
Same with HTTPS traffic.
Feel free to close the issue, sir.
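Added example, not part of the comment above and not RedGuard's own code: a simplified Python model of the routing that comment describes, using its config values, which resolves where a request arriving at RG would be forwarded and checks that the listener's bind port matches the HostTarget entry. The function names are hypothetical, and what RG does with an unmatched Host header is not covered in this thread, so the model simply returns None.

```python
import json
from urllib.parse import urlsplit

# Config lines as given in the comment above (RG on 10.10.10.5, teamserver on 10.10.10.6).
RG_CONFIG = '''
HostTarget = {"360.net":"http://10.10.10.6:9001","360.com":"https://10.10.10.6:4444"}
Port_HTTPS = :443
Port_HTTP = :489
'''

def parse_rg_config(text):
    """Parse the three settings discussed in the thread into a dict."""
    raw = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        raw[key] = value
    return {
        # Host header -> upstream (teamserver) URL
        "host_target": json.loads(raw["HostTarget"]),
        # Ports RG itself listens on; the ":489" form drops the leading colon
        "listen": {"http": int(raw["Port_HTTP"].lstrip(":")),
                   "https": int(raw["Port_HTTPS"].lstrip(":"))},
    }

def resolve(cfg, dest_port, host_header):
    """Return the upstream URL for a request sent to RG, or None if not routed."""
    if dest_port not in cfg["listen"].values():
        return None  # RG is not listening on this port
    host = host_header.split(":")[0].lower()  # ignore an optional :port suffix
    return cfg["host_target"].get(host)

def bind_port_matches(cfg, host_header, bind_port):
    """True if the listener's HTTP Port bind equals the port in HostTarget."""
    target = cfg["host_target"].get(host_header.lower())
    return target is not None and urlsplit(target).port == bind_port

if __name__ == "__main__":
    cfg = parse_rg_config(RG_CONFIG)
    print(resolve(cfg, 489, "360.net"))          # forwarded to the teamserver
    print(resolve(cfg, 489, "example.org"))      # Host header not in HostTarget
    print(bind_port_matches(cfg, "360.net", 8080))  # mismatched bind port
```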
Thank you for supporting the RedGuard project.
Hey man, awesome work, the project is just a lifesaver and a masterpiece :fire:
The routing part is well explained or I'm just not smart enough :sweat_smile:, but I don't get how the networking thing works. For example, why am I setting the binding port to 8080, and RedGuard is listening on localhost and the teamserver listener is running on another interface, how is it seeing the traffic?
That takes us to the other point: how do I run RedGuard on a redirector server that is not the teamserver? Does the redirection of traffic happen with RedGuard, or do I still need to configure iptables routing?
Thanks in advance.