Redirectors/Relays

"It’s 2021, disable staging and don’t expose C2 server ports directly to the internet" - @HackingLZ​
A redirector or a relay is a network widget that listens for incoming connections and forwards them to another host or port. This is an operational security best practice so that you never expose your Command and Control (C2) server to everyone on the Internet. Instead, your payload should be configured to connect to the redirector/relay so that anyone looking at the network connections sees the redirector/relay and not your C2 server. If a defender/Blue Team blocks your redirector, your C2 server is still accessible.
A lot has been written about redirectors. Here are a few references:
Redirect rules: https://github.com/0xZDH/redirect.rules​
Hosting and hiding your C2 with Docker and Socat: https://khast3x.club/posts/2020-02-09-C2-Protection-Socat-Docker/​
Introduction to Modern Routing For Red Team Infrastructure - using Traefik, Matasploit, Covenant, and Docker: https://khast3x.club/posts/2020-02-14-Intro-Modern-Routing-Traefik-Metasploit-Docker/​
AWS Lambda Redirector: https://blog.xpnsec.com/aws-lambda-redirector/​
Hiding in the Cloud: Cobalt Strike Beacon C2 using Amazon APIs: https://rhinosecuritylabs.com/aws/hiding-cloudcobalt-strike-beacon-c2-using-amazon-apis/​
Azure C2 Relay: https://www.trustedsec.com/blog/front-validate-and-redirect/​
Servers are Over-rated (Azure and AWS): https://redteamer.tips/servers-are-overrated-bypassing-corporate-proxies-abusing-serverless-for-fun-and-profit/​
Cloudflare Worke

Attack Infrastructure - Previous

Resources

Next - Detection

Basics

Last modified 6mo ago

Copy link