0x00 brief introduction

This should be called domain pre Technology ：

Approximate illustration ：

• Attack traffic passed CDN Nodes forward traffic to real C2 The server
• CDN node ip By identifying the requested Host Head for flow rotation
• It can effectively avoid some safety equipment , It also has certain anti traceability function , Because the traffic has gone CDN On

I read some articles before , But the boss didn't write in some places because he thought it was simple and willing , I wrote some when I built it myself , It's a note of mine , I feel more detailed , More suitable for beginners .

0x01 Resources required

1. cobaltstrike 4.0
2. VPS（cs The server ）
3. domain name
4. CDN
5. Foreign agent

0x02 Domain name free application

To apply for the address ：https://www.freenom.com/

The key is free and without filing

Choose to apply for a free domain name

Be careful ：

To hang up an agent , Then set the address of the personal information to the address of the agent , It's impossible to apply unsuccessfully

0x03 free CDN Get ready

To apply for the address ：https://dash.cloudflare.com/

Register and login settings by yourself CDN

0x04 Domain name and CDN Linkage setting

land CDN, Add the site as the domain name you just applied for

add to A Record , Point to VPS Of IP Address

 type 	 name 	  Content 	           TTL	 Agent status 	
A    test 10.1.1.111（VPS Address ）    Automatically     Has represented 

Then this address is test.xxxxx.tk

• 1
• 2
• 3
• 4

remember Cloudflare Name server , This is to be set to the domain name ！

Find your own domain name —— Manage domain names ——nameservers

Choose to use your own domain name resolution ：Use custom nameservers (enter below)

Nameserver 1、2 All written CDN Address provided

In order to respond to our commands in real time : We need to modify the caching rules ：

Make sure these two items are on

0x05 C2 Certificate configuration

First select the certificate mode ： Completely

Download the certificate

The generation was saved successfully , What I keep is com.pem,com.key

stay VPS Generate on CS Available profiles

Use the following command to regenerate cobalstrike.store：

openssl pkcs12 -export -in server.pem -inkey server.key -out spoofdomain.p12 -name  domain name  -passout pass: password 

Example ：
openssl pkcs12 -export -in com.pem -inkey com.key -out spoofdomain.p12 -name test.xxxxx.tk -passout pass:zzz123456

• 1
• 2
• 3
• 4

Use the following command to create a certificate ：

keytool -importkeystore -deststorepass  password  -destkeypass  password  -destkeystore new.store -srckeystore spoofdomain.p12 -srcstoretype PKCS12 -srcstorepass  password  -alias  domain name 

Example
keytool -importkeystore -deststorepass zzz123456 -destkeypass zzz123456 -destkeystore new.store -srckeystore spoofdomain.p12 -srcstoretype PKCS12 -srcstorepass zzz123456 -alias test.xxxxx.tk

• 1
• 2
• 3
• 4

The resulting new.store file ,（ by cobalstrike.store substitute ）

0x06 C2.profile To configure

Use the following items directly :

https://github.com/FortyNorthSecurity/C2concealer

 
  

 
  

   
1
  

Usage method ：

 Installation command ：
chmod u+x install.sh
./install.sh
 Use command :
C2concealer --variant 1 --hostname test.domain.tk

 
  

 
  

   
1
   
2
   
3
   
4
   
5
  

Choose here 3

Because of what we use CDN Certificate given , Then input /home/cs/new.store, This is just generated new.store The absolute path to .

Random names will eventually be generated profile

Successfully generated

Finally, let's talk about the generated random number .profile, Copied to the cs Under the table of contents .

0x07 start-up C2

use c2lint Check , The following is through ：

./c2lint ca730a6d.profile

 
  

 
  

   
1
  

After the check is successful , modify teamserver To configure

vim teamserver

 
  

 
  

   
1
  

Modify the contents of the last line

javax.net.ssl.keyStore=./new.store （ Certificate generated new.store File address ）   -Djavax.net.ssl.keyStorePassword=zzz123456（ The password of the above certificate ）

 
  

 
  

   
1
  

start-up C2

./teamserver 192.168.1.1 password123456 ./C2.profile

 
  

 
  

   
1
  

0x08 To configure CS

Configure a listener

To configure a powershell go online , Be careful to check SSL

0x09 Successful launch

Successful launch

0x10 summary

This construction is based on free websites , But in practice, I found , This CDN Or sometimes it's not very stable , If you have conditions, you can change to a good one , But be careful to turn off the cache .