RedWarden: A Powerful Cobalt Strike C2 Reverse Proxy
VSole 2023-01-15 16:09:39

About RedWarden
RedWarden is a powerful Cobalt Strike C2 reverse proxy that helps researchers fend off and counter blue teams, antivirus products, endpoint detection and response (EDR) systems, and scanners by inspecting packets and correlating them with Cobalt Strike's Malleable C2 profile.
Red team researchers have long studied how to mislead incident response tooling, especially where C2 redirector networks are involved. RedWarden packages these ideas into a single lightweight utility that can mimic Apache2 as a simple HTTP(S) reverse proxy.
How RedWarden works

Tool overview
RedWarden acts as an HTTP/HTTPS reverse proxy and imposes a number of restrictions on inbound C2 HTTP requests, choosing which packets are forwarded to the Teamserver and which are dropped, much like the .htaccess restrictions enforced by Apache2's mod_rewrite.
RedWarden was created to address IR/AV/EDR/sandbox evasion at the C2 redirector layer; its goal is to replace the classic Apache2 + mod_rewrite setup.
Invalid packets may be misrouted according to one of three strategies:
- Redirect: redirect the peer to another website;
- Reset: abruptly terminate the TCP connection;
- Proxy: fetch the response from another website, imitating the cloned/hijacked site as closely as possible.
These options are set in the configuration file:
```yaml
#
# What to do with the request originating not conforming to Beacon, whitelisting or
# ProxyPass inclusive statements:
#   - 'redirect' it to another host with (HTTP 301),
#   - 'reset' a TCP connection with connecting client
#   - 'proxy' the request, acting as a reverse-proxy against specified action_url
#       (may be dangerous if client fetches something it shouldn't supposed to see!)
#
# Valid values: 'reset', 'redirect', 'proxy'.
#
# Default: redirect
#
drop_action: redirect
```
The following example shows the output when a peer is redirected to https://googole.com:

Requirements
The current version runs only on Linux and supports multi-process execution. The openssl system command must be installed, as it is used to generate SSL certificates. Finally, install the required dependencies with Python 3's pip:
```bash
$ sudo pip3 install -r requirements.txt
```
Usage
The most minimal RedWarden configuration file, config.yaml, contains the following:
```yaml
port:
  - 80/http
  - 443/https

profile: jquery-c2.3.14.profile

ssl_cacert: /etc/letsencrypt/live/attacker.com/fullchain.pem
ssl_cakey: /etc/letsencrypt/live/attacker.com/privkey.pem

teamserver_url:
  - 1.2.3.4:8080

drop_action: reset
```
Next, pass the path of the configuration file when starting the program:
```bash
$ sudo python3 RedWarden.py -c config.yaml

[INFO] 19:21:42: Loading 1 plugin...
[INFO] 19:21:42: Plugin "malleable_redirector" has been installed.
[INFO] 19:21:42: Preparing SSL certificates and keys for https traffic interception...
[INFO] 19:21:42: Using provided CA key file: ca-cert/ca.key
[INFO] 19:21:42: Using provided CA certificate file: ca-cert/ca.crt
[INFO] 19:21:42: Using provided Certificate key: ca-cert/cert.key
[INFO] 19:21:42: Serving http proxy on: 0.0.0.0, port: 80...
[INFO] 19:21:42: Serving https proxy on: 0.0.0.0, port: 443...
[INFO] 19:21:42: [REQUEST] GET /jquery-3.3.1.min.js
[INFO] 19:21:42: == Valid malleable http-get request inbound.
[INFO] 19:21:42: Plugin redirected request from [code.jquery.com] to [1.2.3.4:8080]
[INFO] 19:21:42: [RESPONSE] HTTP 200 OK, length: 5543
[INFO] 19:21:45: [REQUEST] GET /jquery-3.3.1.min.js
[INFO] 19:21:45: == Valid malleable http-get request inbound.
[INFO] 19:21:45: Plugin redirected request from [code.jquery.com] to [1.2.3.4:8080]
[INFO] 19:21:45: [RESPONSE] HTTP 200 OK, length: 5543
[INFO] 19:21:46: [REQUEST] GET /
[...]
[ERROR] 19:24:46: [DROP, reason:1] inbound User-Agent differs from the one defined in C2 profile.
[...]
[INFO] 19:24:46: [RESPONSE] HTTP 301 Moved Permanently, length: 212
[INFO] 19:24:48: [REQUEST] GET /jquery-3.3.1.min.js
[INFO] 19:24:48: == Valid malleable http-get request inbound.
[INFO] 19:24:48: Plugin redirected request from [code.jquery.com] to [1.2.3.4:8080]
[...]
```
The output above contains a line for an inbound request that is unauthorized and does not conform to the C2 profile; that request is dropped:
```
[...]
[ERROR] 19:24:46: [DROP, reason:1] inbound User-Agent differs from the one defined in C2 profile.
[...]
```
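As an added example (not part of the original post or of the RedWarden project itself), the following Python script parses log lines in the format shown above and groups them per request, so that an analyst reviewing a redirector's log can see at a glance which requests were forwarded to the Teamserver, which were dropped, and with what reason code. The regular expressions are assumptions derived from the sample output on this page, and the sample log text is constructed for the example, not captured from a live run.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample, modelled on the log lines shown in the post (not a real capture).
SAMPLE_LOG = """\
[INFO] 19:21:42: [REQUEST] GET /jquery-3.3.1.min.js
[INFO] 19:21:42: == Valid malleable http-get request inbound.
[INFO] 19:21:42: Plugin redirected request from [code.jquery.com] to [1.2.3.4:8080]
[INFO] 19:21:42: [RESPONSE] HTTP 200 OK, length: 5543
[INFO] 19:21:46: [REQUEST] GET /
[...]
[ERROR] 19:24:46: [DROP, reason:1] inbound User-Agent differs from the one defined in C2 profile.
[INFO] 19:24:46: [RESPONSE] HTTP 301 Moved Permanently, length: 212
[INFO] 19:24:48: [REQUEST] GET /jquery-3.3.1.min.js
[INFO] 19:24:48: == Valid malleable http-get request inbound.
[INFO] 19:24:48: Plugin redirected request from [code.jquery.com] to [1.2.3.4:8080]
[INFO] 19:24:48: [RESPONSE] HTTP 200 OK, length: 5543
"""

# Assumed line layout: "[LEVEL] HH:MM:SS: message"
LINE_RE = re.compile(r"^\[(?P<level>[A-Z]+)\] (?P<time>\d{2}:\d{2}:\d{2}): (?P<msg>.*)$")
REQUEST_RE = re.compile(r"^\[REQUEST\] (?P<method>[A-Z]+) (?P<path>\S+)")
FORWARD_RE = re.compile(r"^Plugin redirected request from \[(?P<src>[^\]]+)\] to \[(?P<dst>[^\]]+)\]")
DROP_RE = re.compile(r"^\[DROP, reason:(?P<reason>\d+)\] (?P<why>.*)$")
RESPONSE_RE = re.compile(r"^\[RESPONSE\] HTTP (?P<status>\d{3}) [^,]*, length: (?P<length>\d+)")


@dataclass
class RequestRecord:
    """One inbound request and what the redirector did with it."""
    time: str
    method: str
    path: str
    forwarded_to: Optional[str] = None   # Teamserver address if the request was passed on
    drop_reason: Optional[int] = None    # numeric reason code from a [DROP, reason:N] line
    drop_message: Optional[str] = None
    status: Optional[int] = None         # HTTP status returned to the client, if logged
    length: Optional[int] = None

    @property
    def dropped(self) -> bool:
        return self.drop_reason is not None


def parse_log(text: str) -> List[RequestRecord]:
    """Group log lines into per-request records; a [REQUEST] line starts a new record."""
    records: List[RequestRecord] = []
    current: Optional[RequestRecord] = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # "[...]" elisions and anything that is not a log line
        msg = m.group("msg")
        req = REQUEST_RE.match(msg)
        if req:
            current = RequestRecord(m.group("time"), req.group("method"), req.group("path"))
            records.append(current)
            continue
        if current is None:
            continue  # start-up lines before the first request
        fwd = FORWARD_RE.match(msg)
        if fwd:
            current.forwarded_to = fwd.group("dst")
            continue
        drop = DROP_RE.match(msg)
        if drop:
            current.drop_reason = int(drop.group("reason"))
            current.drop_message = drop.group("why")
            continue
        resp = RESPONSE_RE.match(msg)
        if resp:
            current.status = int(resp.group("status"))
            current.length = int(resp.group("length"))
    return records


def summarize(records: List[RequestRecord]) -> Dict[str, object]:
    """Counts of forwarded vs. dropped requests, plus drop-reason and status histograms."""
    return {
        "total": len(records),
        "forwarded": sum(1 for r in records if r.forwarded_to),
        "dropped": sum(1 for r in records if r.dropped),
        "drop_reasons": Counter(r.drop_reason for r in records if r.dropped),
        "statuses": Counter(r.status for r in records if r.status is not None),
    }


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in recs:
        verdict = f"DROPPED (reason {r.drop_reason}: {r.drop_message})" if r.dropped else f"forwarded to {r.forwarded_to}"
        print(f"{r.time} {r.method} {r.path}: {verdict}, HTTP {r.status}")
    print(summarize(recs))
```

A request dropped with drop_action set to reset produces no [RESPONSE] line, so status stays None for it; the summary counts it as dropped all the same.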
Screenshots

Project URL
RedWarden: https://github.com/mgeeky/RedWarden