Vincent Yiu
TryCloudFlare Infrastructure and Domain Fronting

Use TryCloudFlare's free service for reverse NAT tunnels, and at the same time, domain front to hide the real identity of the server.

Last updated 3 years ago

CloudFlareD

Cloudflared is a tunnelling client provided by Cloudflare that offers functionality similar to Ngrok. When building out containers as listening posts, we usually don't have a public IP address for them. Instead of purchasing another server to use as a redirector, Cloudflared may be a good alternative.

The reason why I'm not using services such as Ngrok and Heroku is usually that their reputation is not as strong as Cloudflare's. Cloudflare is probably one of the most reputable Content Delivery Networks out there.

Basically, a server running anywhere in the world makes an outbound connection to the Cloudflare network; Cloudflare then uses that connection to reach back into your service and serve the website.

CloudFlared connections

As far as Unlucky Fella is concerned, he never connects to the bad blue sea. He only connects to the trusted Cloudflare network and its IP addresses. Moreover, depending on where Unlucky Fella is located, he probably gets a different IP address for the closest lovely Cloudflare node. That makes it harder for organizations with low detection maturity to block accurately.

Establishing the Cloudflared connection

Pick out what installation file you're going to use and just install it.

Nowadays, I use a lot of ARM64, so I'll select that.

wget -q https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-arm64.deb
dpkg -i cloudflared-linux-arm64.deb

After installation you can run cloudflared. I exposed my local port 443, which uses a self-signed certificate (never exposed to anyone but Cloudflare).

Run the command:

cloudflared tunnel --url https://localhost:443 --no-tls-verify

Output:

root@3bdc15ad8136:~/cobaltstrike# cloudflared tunnel --url https://localhost:443 --no-tls-verify
2021-08-08T10:50:39Z INF Cannot determine default configuration path. No file [config.yml config.yaml] in [~/.cloudflared ~/.cloudflare-warp ~/cloudflare-warp /etc/cloudflared /usr/local/etc/cloudflared]
2021-08-08T10:50:39Z INF Version 2021.8.1
2021-08-08T10:50:39Z INF GOOS: linux, GOVersion: devel +11087322f8 Fri Nov 13 03:04:52 2020 +0100, GoArch: arm64
2021-08-08T10:50:39Z INF Settings: map[no-tls-verify:true url:https://localhost:443]
2021-08-08T10:50:39Z INF cloudflared will not automatically update if installed by a package manager.
2021-08-08T10:50:39Z INF Initial protocol h2mux
2021-08-08T10:50:39Z INF Starting metrics server on 127.0.0.1:37741/metrics
2021-08-08T10:50:40Z INF Connection established connIndex=0 location=SJC
2021-08-08T10:50:43Z INF Each HA connection's tunnel IDs: map[0:a1e94g4lhp39dshlv9z9n2e5npf3ulavsps4avfcve9vvqacuf4g]
2021-08-08T10:50:43Z INF +-----------------------------------------------------------------+
2021-08-08T10:50:43Z INF |  Your free tunnel has started! Visit it:                        |
2021-08-08T10:50:43Z INF |    https://basis-continually-variables-trips.trycloudflare.com  |
2021-08-08T10:50:43Z INF +-----------------------------------------------------------------+
2021-08-08T10:50:43Z INF Route propagating, it may take up to 1 minute for your new route to become functional
2021-08-08T10:50:44Z INF Connection established connIndex=1 location=HKG
2021-08-08T10:50:44Z INF Connection established connIndex=2 location=SJC
2021-08-08T10:50:45Z INF Connection established connIndex=3 location=HKG
2021-08-08T10:50:47Z INF Each HA connection's tunnel IDs: map[0:a1e94g4lhp39dshlv9z9n2e5npf3ulavsps4avfcve9vvqacuf4g 2:a1e94g4lhp39dshlv9z9n2e5npf3ulavsps4avfcve9vvqacuf4g]
2021-08-08T10:50:47Z INF +-----------------------------------------------------------------+
2021-08-08T10:50:47Z INF |  Your free tunnel has started! Visit it:                        |
2021-08-08T10:50:47Z INF |    https://basis-continually-variables-trips.trycloudflare.com  |
2021-08-08T10:50:47Z INF +-----------------------------------------------------------------+
2021-08-08T10:50:47Z INF Route propagating, it may take up to 1 minute for your new route to become functional
2021-08-08T10:50:48Z INF Each HA connection's tunnel IDs: map[0:a1e94g4lhp39dshlv9z9n2e5npf3ulavsps4avfcve9vvqacuf4g 1:a1e94g4lhp39dshlv9z9n2e5npf3ulavsps4avfcve9vvqacuf4g 2:a1e94g4lhp39dshlv9z9n2e5npf3ulavsps4avfcve9vvqacuf4g]
2021-08-08T10:50:48Z INF +-----------------------------------------------------------------+
2021-08-08T10:50:48Z INF |  Your free tunnel has started! Visit it:                        |
2021-08-08T10:50:48Z INF |    https://basis-continually-variables-trips.trycloudflare.com  |
2021-08-08T10:50:48Z INF +-----------------------------------------------------------------+
2021-08-08T10:50:48Z INF Route propagating, it may take up to 1 minute for your new route to become functional
2021-08-08T10:50:50Z INF Each HA connection's tunnel IDs: map[0:a1e94g4lhp39dshlv9z9n2e5npf3ulavsps4avfcve9vvqacuf4g 1:a1e94g4lhp39dshlv9z9n2e5npf3ulavsps4avfcve9vvqacuf4g 2:a1e94g4lhp39dshlv9z9n2e5npf3ulavsps4avfcve9vvqacuf4g 3:a1e94g4lhp39dshlv9z9n2e5npf3ulavsps4avfcve9vvqacuf4g]
2021-08-08T10:50:50Z INF +-----------------------------------------------------------------+
2021-08-08T10:50:50Z INF |  Your free tunnel has started! Visit it:                        |
2021-08-08T10:50:50Z INF |    https://basis-continually-variables-trips.trycloudflare.com  |
2021-08-08T10:50:50Z INF +-----------------------------------------------------------------+
2021-08-08T10:50:50Z INF Route propagating, it may take up to 1 minute for your new route to become functional
2021-08-08T11:13:32Z ERR  error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: readLoopPeekFailLocked: remote error: tls: user canceled" cfRay=67b850e0d8d31969-HKG originService=https://localhost:443
2021-08-08T11:13:34Z ERR  error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: remote error: tls: user canceled" cfRay=67b850ede8a21943-HKG originService=https://localhost:443

Once this is set up, you can use the URL to visit the C2 to make sure it works.

And see the corresponding request in the C2 server logs:

What next?

Domain Fronting using TryCloudFlare

A quick run of subfinder and httpx gives this:

https://bryant-hey-scores-confused.trycloudflare.com
https://brands-celebrities-framing-religions.trycloudflare.com
https://aye-complaint-cap-tooth.trycloudflare.com
https://blonde-appropriate-aware-telecom.trycloudflare.com
https://alpha-bent-beds-initially.trycloudflare.com
https://basically-analysts-understood-climbing.trycloudflare.com
https://associates-boulevard-compare-headline.trycloudflare.com
https://ceremony-dir-phrases-coordinated.trycloudflare.com
https://believe-proud-answered-aerial.trycloudflare.com
https://allah-assigned-canal-lbs.trycloudflare.com
https://austria-chronic-static-donate.trycloudflare.com
https://contest-split-wheel-girl.trycloudflare.com
https://answering-aluminium-viewer-colorado.trycloudflare.com
https://creativity-eligible-concert-info.trycloudflare.com
https://crop-chamber-random-style.trycloudflare.com
https://clothes-respected-par-secretary.trycloudflare.com
https://discuss-videos-adds-imaging.trycloudflare.com
https://deutschland-maui-procedures-mark.trycloudflare.com
https://bull-bibliography-specialty-avi.trycloudflare.com
https://envelope-replace-consultancy-diagram.trycloudflare.com
https://forty-advertisement-flags-slight.trycloudflare.com
https://flex-fountain-pics-brooks.trycloudflare.com
https://confirmation-pb-voices-indianapolis.trycloudflare.com
https://folk-corn-explosion-radius.trycloudflare.com
https://helpful-others-bits-beautiful.trycloudflare.com
https://gulf-holocaust-grace-microwave.trycloudflare.com
https://headquarters-taiwan-boulevard-sentences.trycloudflare.com
https://good-synthetic-chancellor-automated.trycloudflare.com
https://hiv-co-object-loose.trycloudflare.com
https://invited-insider-thomas-mcdonald.trycloudflare.com
https://horse-expo-pierre-banana.trycloudflare.com
https://images-completing-griffin-title.trycloudflare.com
https://guyana-senator-ab-impose.trycloudflare.com
https://jonathan-started-buyers-honduras.trycloudflare.com
https://leaving-nicaragua-violations-connect.trycloudflare.com
https://increasing-novel-shorter-prefix.trycloudflare.com
https://intermediate-sheffield-conclusions-gender.trycloudflare.com
https://fence-small-rendered-permits.trycloudflare.com
https://itunes-cardiovascular-apparel-checks.trycloudflare.com
https://lexus-asbestos-singapore-efficiently.trycloudflare.com
https://landing-racial-reviewing-kathy.trycloudflare.com
https://measuring-baby-thumbnails-solomon.trycloudflare.com
https://mhz-right-quickly-pharmaceutical.trycloudflare.com
https://measure-any-desperate-gourmet.trycloudflare.com
https://muslims-formation-produce-assumptions.trycloudflare.com
https://nicole-history-error-characterization.trycloudflare.com
https://partial-wma-singing-training.trycloudflare.com
https://nationwide-taking-knew-desktops.trycloudflare.com
https://photographic-faster-powerful-compatibility.trycloudflare.com
https://portsmouth-blonde-jam-flight.trycloudflare.com
https://portion-warranties-faith-somehow.trycloudflare.com
https://pick-rob-tomatoes-bl.trycloudflare.com
https://pulling-frank-instance-risk.trycloudflare.com
https://possible-earlier-lauren-alexander.trycloudflare.com
https://rec-carroll-publication-milton.trycloudflare.com
https://procedure-sheffield-yr-resulted.trycloudflare.com
https://reaching-cycling-items-agricultural.trycloudflare.com
https://related-annotated-realized-earlier.trycloudflare.com
https://sally-requesting-heating-independent.trycloudflare.com
https://replacement-her-lexmark-baghdad.trycloudflare.com
https://producer-sm-sec-un.trycloudflare.com
https://shops-charm-whom-roland.trycloudflare.com
https://slope-carroll-shaved-cruise.trycloudflare.com
https://sand-catherine-gc-digital.trycloudflare.com
https://terrorists-gauge-forgotten-impressive.trycloudflare.com
https://seasonal-races-explicitly-athletic.trycloudflare.com
https://unsubscribe-obtained-level-free.trycloudflare.com
https://warming-beverly-opportunity-seafood.trycloudflare.com
https://wow-phone-method-cuisine.trycloudflare.com

A quick check shows that they're frontable: a request sent to one of these hostnames, with the Host header set to my own tunnel's hostname, is routed to my tunnel:

curl https://slope-carroll-shaved-cruise.trycloudflare.com --header "Host: basis-continually-variables-trips.trycloudflare.com" --user-agent "NeverGon..."

Extra added anonymity?

Technically you could hide the IP address from Cloudflare if you run a VPN on the Docker host/container, then run Cloudflared afterward. But hey, we're Red Teamers, so maybe that's going too far for a bit of extra unneeded anonymity.

Conclusions

Give Cloudflare tunnels a try; they can be useful for some projects and engagements if you need quick SSL-enabled web pages.

Even if not, it's a good free way to punch through NAT.

Blue team? Maybe just block *.trycloudflare.com
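For the blue team side of this page, here is an added example (my own code, not from the original post) that turns its two observable facts into detection logic: the "CloudFlared connections" section notes that the edge IP the client talks to varies by location, so the useful block is on the name rather than the address; and the curl check above shows the fronting pattern, where the TLS SNI names one trycloudflare host while the HTTP Host header asks for another. The key=value log format, the sample lines, and the 203.0.113.x destination addresses are all constructed for this example and are not real Cloudflare addresses.

```python
"""
Added example, not part of the original post: scan constructed proxy/TLS
inspection logs for (1) any *.trycloudflare.com destination and (2) an
SNI/Host mismatch, the signature of the curl-based fronting check above.
"""
import re
from typing import Dict, List, Set

# Names the post recommends blocking outright.
BLOCKED_SUFFIXES = (".trycloudflare.com",)

# Constructed sample log: one event per line, key=value fields.
# Destination addresses are RFC 5737 documentation addresses, not Cloudflare's.
SAMPLE_LOG = """\
ts=2021-08-08T11:10:01Z src=10.0.4.17 dst=203.0.113.10 sni=slope-carroll-shaved-cruise.trycloudflare.com host=basis-continually-variables-trips.trycloudflare.com ua=NeverGon...
ts=2021-08-08T11:10:05Z src=10.0.4.17 dst=203.0.113.20 sni=slope-carroll-shaved-cruise.trycloudflare.com host=basis-continually-variables-trips.trycloudflare.com ua=NeverGon...
ts=2021-08-08T11:11:00Z src=10.0.4.22 dst=203.0.113.30 sni=www.example.com host=www.example.com ua=Mozilla/5.0
ts=2021-08-08T11:12:30Z src=10.0.4.31 dst=203.0.113.10 sni=cdn.example.net host=assets.example.net ua=Mozilla/5.0
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Dict[str, str]:
    """Parse one constructed key=value log line into a dict."""
    return dict(KV_RE.findall(line))


def matches_suffix(name: str, suffixes=BLOCKED_SUFFIXES) -> bool:
    """True if name is a blocked domain or a subdomain of one (label-aware)."""
    name = name.lower().rstrip(".")
    return any(name == s.lstrip(".") or name.endswith(s) for s in suffixes)


def classify(event: Dict[str, str]) -> List[str]:
    """Return the findings that apply to a single parsed event."""
    findings: List[str] = []
    sni = event.get("sni", "").lower()
    host = event.get("host", "").lower()
    if matches_suffix(sni) or matches_suffix(host):
        findings.append("trycloudflare-destination")
    if sni and host and sni != host:
        # The TLS SNI names one edge hostname but the HTTP Host header asks the
        # edge for another. Some legitimate CDN deployments do this too, so it
        # is a triage lead rather than a block on its own.
        findings.append("sni-host-mismatch")
    return findings


def analyze(log_text: str) -> List[Dict[str, object]]:
    """Run classify() over every event and keep only those with findings."""
    results: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        findings = classify(ev)
        if findings:
            results.append({
                "ts": ev.get("ts"), "src": ev.get("src"), "dst": ev.get("dst"),
                "sni": ev.get("sni"), "host": ev.get("host"),
                "findings": findings,
            })
    return results


def ips_per_host(log_text: str) -> Dict[str, Set[str]]:
    """Map each SNI to the destination IPs it was reached at.

    A single tunnel hostname showing up behind several edge addresses is the
    reason the post suggests blocking the name rather than the IP.
    """
    seen: Dict[str, Set[str]] = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if "sni" in ev and "dst" in ev:
            seen.setdefault(ev["sni"].lower(), set()).add(ev["dst"])
    return seen


if __name__ == "__main__":
    for hit in analyze(SAMPLE_LOG):
        print(hit["ts"], hit["src"], "->", hit["dst"], hit["sni"], "Host:", hit["host"], hit["findings"])
    for name, ips in ips_per_host(SAMPLE_LOG).items():
        if len(ips) > 1:
            print(f"{name} reached via {len(ips)} distinct edge addresses: {sorted(ips)}")
```

Feed it the fields your proxy or TLS-inspecting gateway actually logs (most will expose the SNI and the decrypted Host header separately); the suffix match is label-aware so that an unrelated name merely ending in "trycloudflare.com" is not caught, and the mismatch rule is kept separate from the block rule because the two carry different confidence.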

Inside a Docker container with a C2 setup, all you have to do is install Cloudflared. The installation guide is at https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup