This wiki is intended to provide a resources for setting up a resilient Red Team infrastructure. It was made to complement Steve Borosh (@424f424f) and Jeff Dimmock's (@bluscreenofjeff) BSides NoVa 2017 talk "Doomsday Preppers: Fortifying Your Red Team Infrastructure" (slides)

If you have an addition you'd like to make, please submit a Pull Request or file an issue on the repo.

THANK YOU to all of the authors of the content linked to in this wiki!

Table of Contents

• Design Considerations
  • Functional Segregation
  • Using Redirectors
  • Sample Design
  • Further Resources
• Domains
  • Categorization and Blacklist Checking Resources
• Redirectors
  • SMTP
    • Remove previous server headers
    • Configure a catch-all address
• DNS
  • socat
  • iptables
• HTTP(S)
  • socat vs mod_rewrite
  • Payloads and Web Redirection
  • C2 Redirection
  • Other Apache mod_rewrite Resources
• Modifying C2 Traffic
  • Cobalt Strike
  • Empire
• Domain Fronting
  • Further Resources
• Securing Infrastructure
• General Tips

Design Considerations

Functional Segregation

When designing a red team infrastructure that needs to stand up to an active response or last for a long-term engagement (weeks, months, years), it’s important to segregate each asset based on function. This provides resilience and agility against the Blue Team when campaign assets start getting detected. For example, if an assessment’s phishing email is identified, the Red Team would only need to create a new SMTP server and payload hosting server, rather than a whole teamserver setup.

Consider segregating these functions on different assets:

• Phishing SMTP
• Phishing payloads
• Long-term command and control (C2)
• Short-term C2

Each of these functions will likely be required for each social engineering campaign. Since active incident response is typical in a Red Team assessment, a new set of infrastructure should be implemented for each campaign.

Using Redirectors

To further resilience and concealment, every back-end asset (i.e. teamserver) should have a redirector placed in front of it. The goal is to always have a host between our target and our backend servers. Setting up the infrastructure in this manner makes rolling fresh infrastructure much quicker and easier - no need to stand up a new teamserver, migrate sessions, and reconnect non-burned assets on the backend.

Common redirector types:

• SMTP
• Payloads
• Web Traffic
• C2 (HTTP(S), DNS, etc)

Each redirector type has multiple implementation options that best fit different scenarios. These options are discussed in further detail in the Redirectors section of the wiki. Redirectors can be VPS hosts, dedicated servers, or even apps running on a Platform-as-a-Service instance.

Sample Design

Here is a sample design, keeping functional segregation and redirector usage in mind:

Further Resources

• A Vision for Distributed Red Team Operations - Raphael Mudge (@armitagehacker)

• Infrastructure for Ongoing Red Team Operations - Raphael Mudge

• Advanced Threat Tactics (2 of 9): Infrastructure - Raphael Mudge

• Cloud-based Redirectors for Distributed Hacking - Raphael Mudge

• 6 Red Team Infrastructure Tips - Alex Rymdeko-Harvey (@killswitch-gui)

Domains

Domain reputation will vary greatly depending on the products your target is using, as well as their configuration. As such, choosing a domain that will work on your target is not an exact science. Open source intelligence gathering (OSINT) will be critical in helping make a best guess at the state of controls and which resources to check domains against. Luckily, online advertisers face the same problems and have created some solutions we can leverage.

expireddomains.net is a search engine for recently expired or dropped domains. It provides search and advanced filtering, such as age of expiration, number of backlinks, number of Archive.org snapshots, SimilarWeb score. Using the site, we can register pre-used domains, which will come with domain age, that look similar to our target, look similar to our impersonation, or simply are likely to blend in on our target’s network.

When choosing a domain for C2 or data exfiltration, consider choosing a domain categorized as Finance or Healthcare. Many organizations will not perform SSL middling on those categories due to the possibility of legal or data sensitivity issues.

The tool CatMyFish by Charles Hamilton(@Mr-Un1k0d3r) automates searches and web categorization checking with expireddomains.net and BlueCoat. It can be modified to apply more filters to searches or even perform long term monitoring of assets you register.

Another tool, DomainHunter by Joe Vest (@joevest) & Andrew Chiles (@andrewchiles), builds on what CatMyFish did and returns BlueCoat and IBM X-Force categorization, domain age, alternate available TLDs, Archive.org links, and an HTML report. Check out the blog post about the tool's release for more details.

Categorization and Blacklist Checking Resources

• McAfee
• Fortiguard
• Symantec + BlueCoat
• SenderBase
• MultiBL
• MXToolBox - Blacklists

Redirectors

SMTP

“Redirector” may not be the best word to describe what we’re going to accomplish, but the goal is the same as with our other redirection. We want to remove any traces of our phishing origination from the final email headers and provide a buffer between the victim and our backend server. Ideally, the SMTP redirector will be quick to setup and easy to decommission.

There are two key actions we want to configure an SMTP redirector to perform:

Remove previous server headers

Add the following line to the end of /etc/mail/sendmail.mc:

define(`confRECEIVED_HEADER',`by $j ($v/$Z)$?r with $r$. id $i; $b')dnl

Add to the end of /etc/mail/access:

IP-to-TeamServer *TAB* RELAY
Phish-Domain *TAB* RELAY

Removing Sender’s IP Address From Email’s Received From Header

Configure a catch-all address

This will relay any email received to *@phishdomain.com to a chosen email address. This is highly useful to receive any responses or bounce-backs to a phishing email.

echo PHISH-DOMAIN >> /etc/mail/local-host-names

Add the following line right before //Mailer Definitions// (towards the end) of /etc/mail/sendmail.mc:

FEATURE(`virtusertable', `hash -o /etc/mail/virtusertable.db')dnl

Add the following line to the end of /etc/mail/virtusertable:

@phishdomain.com          external-relay-address

Note: The two fields should be tab-separated

DNS

socat

socat can be used to redirect incoming DNS packets on port 53 to our teamserver. While this method works, some user’s have reported staging issues with Cobalt Strike and or latency issues using this method.

Redirecting Cobalt Strike DNS Beacons - Steve Borosh

iptables

iptables DNS forwarding rules have been found to work well with Cobalt Strike. There does not seem to be any of the issues that socat has handling this type of traffic.

An example DNS redirector rule-set is below.

iptables -I INPUT -p udp -m udp --dport 53 -j ACCEPT
iptables -t nat -A PREROUTING -p udp --dport 53 -j DNAT --to-destination ip:53
iptables -t nat -A POSTROUTING -j MASQUERADE
sysctl net.ipv4.ip_forward=1

Also, change "FORWARD" chain policy to "ACCEPT"

HTTP(S)

socat vs mod_rewrite

socat provides a ‘dumb pipe’ redirection. Any request socat receives on the specified source interface/port is redirected to the destination IP/port. There is no filtering or conditional redirecting. Apache mod_rewrite, on the other hand, provides a number of methods to strengthen your phishing and increase the resilience of your testing infrastructure. mod_rewrite has the ability to perform conditional redirection based on request attributes, such as URI, user agent, query string, operating system, and IP. Apache mod_rewrite uses htaccess files to configure rulesets for how Apache should handle each incoming request. Using these rules, you could, for instance, redirect requests to your server with the default wget user agent to a legitimate page on your target's website. In short, if your redirector needs to perform conditional redirection or advanced filtering, use Apache mod_rewrite. Otherwise, socat redirection with optional iptables filtering will suffice.

Payloads and Web Redirection

When serving payload and web resources, we want to minimize the ability for incident responders to review files and increase the chances of successfully executing the payload, whether to establish C2 or gather intelligence.

• Strengthen Your Phishing with Apache mod_rewrite - Jeff Dimmock
• Invalid URI Redirection with Apache mod_rewrite - Jeff Dimmock
• Operating System Based Redirection with Apache mod_rewrite - Jeff Dimmock
• Combatting Incident Responders with Apache mod_rewrite - Jeff Dimmock
• Expire Phishing Links with Apache RewriteMap - Jeff Dimmock
• Apache mod_rewrite Grab Bag - Jeff Dimmock

C2 Redirection

The intention behind redirecting C2 traffic is twofold: obscure the backend teamserver and appear to be a legitimate website if browsed to by an incident responder. Through the use of Apache mod_rewrite and customized C2 profiles, we can reliably filter the real C2 traffic from investigative traffic.

• Cobalt Strike HTTP C2 Redirectors with Apache mod_rewrite - Jeff Dimmock

Other Apache mod_rewrite Resources

• mod-rewrite-cheatsheet.com
• Official Apache 2.4 mod_rewrite Documentation
• Apache mod_rewrite Introduction
• An In-Depth Guide to mod_rewrite for Apache

Modifying C2 Traffic

Cobalt Strike

Cobalt Strike modifies its traffic with Malleable C2 profiles. Profiles provide highly-customizable options for modifying how your server’s C2 traffic will look on the wire. Malleable C2 profiles can be used to strengthen incident response evasion, impersonate known adversaries, or masquerade as legitimate internal applications used by the target.

• Malleable C2 Profiles - GitHub
• Malleable Command and Control Documentation - cobaltstrike.com
• Cobalt Strike 2.0 - Malleable Command and Control - Raphael Mudge
• Cobalt Strike 3.6 - A Path for Privilege Escalation - Raphael Mudge
• A Brave New World: Malleable C2 - Will Schroeder (@harmj0y)
• How to Write Malleable C2 Profiles for Cobalt Strike - Jeff Dimmock

Empire

Empire uses Communication Profiles, which provide customization options for the GET request URIs, user agent, and headers. The profile consists of each element, separated by the pipe character, and set with the set DefaultProfile option in the listeners context menu.

Here is a sample default profile:

"/CWoNaJLBo/VTNeWw11212/|Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)|Accept:image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*|Accept-Language:en-en"

Alternatively, the DefaultProfile can be set by modifying the file ``/setup/setup_database.py` before Empire’s initial setup. This will change the default Communication Profile that Empire will use.

• Default Empire Communication Profiles (in Empire GitHub repo)
• How to Make Communication Profiles for Empire - Jeff Dimmock

Domain Fronting

Domain Fronting is a technique used by censorship evasion services and apps to route traffic through legitimate and highly-trusted domains. Popular services that support Domain Fronting include Google App Engine, Amazon CloudFront, and Microsoft Azure. In a nutshell, traffic uses the DNS and SNI name of the trusted service provider, Google is used in the example below. When the traffic is received by the Edge Server (ex: located at gmail.com), the packet is forwarded to the Origin Server (ex: phish.appspot.com) specified in the packet’s Host header. Depending on the service provider, the Origin Server will either directly forward traffic to a specified domain, which we’ll point to our teamserver, or a proxy app will be required to perform the final hop forwarding.

For more detailed information about how Domain Fronting works, see the whitepaper Blocking-resistant communication through domain fronting and the TOR Project’s meek documentation

Further Resources

• High-reputation Redirectors and Domain Fronting - Raphael Mudge
• Empire Domain Fronting Chris Ross (@xorrior)
• Domain Fronting via Cloudfront Alternate Domains - Vincenty Yiu (@vysecurity)
• Escape and Evasion Egressing Restricted Networks - Tom Steele (@_tomsteele) and Chris Patten

Securing Infrastructure

Attack infrastructure can be attacked just the same as any other internet-connected host, and it should be considered HIGHLY sensitive due to the data in use and connections into target environments.

In 2016, remote code execution vulnerabilities were disclosed on the most common attack tools:

• 2016 Metasploit RCE Static Key Deserialization
• 2017 Metasploit Meterpreter Dir Traversal Bugs
• Empire Fails - Will Schroeder
• Cobalt Strike 3.5.1 Important Security Update - Raphael Mudge

iptables should be used to filter unwanted traffic and restrict traffic between required infrastructure elements. For example, if a Cobalt Strike teamserver will only serve assets to an Apache redirector, iptables rules should only allow port 80 from the redirector’s source IP. This is especially important for any management interfaces, such as SSH or Cobalt Strike’s default port 50050. Also consider blocking non-target country IPs.

chattr can be used on teamservers to prevent cron directories from being modified. Using chattr, you can restrict any user, including root, from modifying a file until the chattr attribute is removed.

SSH should be limited to public-key authentication only and configured to use limited-rights users for initial login. For added security, consider adding multi-factor authentication to SSH.

Update! No securing list is complete without a reminder to regularly update systems and apply hot-fixes as needed to remediate vulnerabilities.

Of course, this list is not exhaustive of what you can do to secure a teamserver. Follow common hardening practices on all infrastructure:

• Red Hat Enterprise Linux 6 Security Guide
• Debian Documentation on Hardening
• Securing Debian Manual
• 20 Linux Server Hardening Security Tips - nixCraft
• SANS Linux Security Checklists

General Tips

• Document everything - Running a complex Red Team infrastructure means many moving parts. Be sure to document each asset’s function and where its traffic is sent.

• Split assets among different service providers and regions - Infrastructure assets should be spread across multiple service providers and geographic regions. Blue Team members may raise monitoring thresholds against providers identified as actively performing an attack and may even outright block a given service provider. Note: keep international privacy laws in mind if sending encrypted or sensitive data across borders.

• Monitor logs - All logs should be monitored throughout the engagement: SMTP logs, Apache logs, tcpdump on socat redirectors, iptables logs (specific to traffic forwarding or targeted filtering), weblogs, Cobalt Strike/Empire/MSF logs. Forward logs to a central location, such as with rsyslog, for easier monitoring.

• Fingerprint incident response - If possible, try to passively or actively fingerprint IR actions before the assessment starts. For example, send a mediocre phishing email to the target (using unrelated infrastructure) and monitor traffic that infrastructure receives. IR team investigations can disclose a good deal of information about how the team operates and what infrastructure they use. If this can be determined ahead of the assessment, it can be filtered or redirected outright.