TryCloudFlare Infrastructure and Domain Fronting

Use TryCloudflare's free quick tunnels as reverse tunnels through NAT, and at the same time domain front through other trycloudflare.com names to hide the real identity of the server.

CloudFlareD

Cloudflared is the client for Cloudflare Tunnel, and it provides functionality similar to Ngrok. When building out containers as listening posts, we usually don't have a public IP address. Instead of purchasing another server to use as a redirector, Cloudflared can be a good alternative.

The reason I don't use services such as Ngrok and Heroku is usually that their reputation is not as strong as Cloudflare's. Cloudflare is probably one of the most reputable content delivery networks out there.

Basically, a server running anywhere in the world makes an outbound connection to the Cloudflare network; Cloudflare then proxies requests for the tunnel's hostname back over that connection to your service and serves the website. No inbound port, public IP address or DNS record of your own is needed.

CloudFlared connections

A rough breakdown of what's happening.

As far as the Unlucky Fella is concerned, he never connects to the bad blue sea in the diagram, i.e. the C2 server itself. He only ever connects to the trusted Cloudflare network and its IP addresses. Moreover, depending on where the Unlucky Fella is located, he will probably resolve to different IP addresses for the closest Cloudflare node. That makes it more difficult for organizations with low detection maturity to defend and block accurately.

Establishing the Cloudflared connection

Inside a Docker container with a C2 setup, all you have to do is install Cloudflared. Installation guide at https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup

Pick out what installation file you're going to use and just install it.

Various installation file formats available.

Nowadays I use a lot of ARM64, so I'll select that.

wget -q https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-arm64.deb
dpkg -i cloudflared-linux-arm64.deb

After installation you can run cloudflared. I exposed my local port 443, which uses a self-signed certificate (never exposed to anyone but Cloudflare), hence --no-tls-verify so that cloudflared does not reject the origin's certificate.

Run the command:

cloudflared tunnel --url https://localhost:443 --no-tls-verify

Output:

[email protected]:~/cobaltstrike# cloudflared tunnel --url https://localhost:443 --no-tls-verify
2021-08-08T10:50:39Z INF Cannot determine default configuration path. No file [config.yml config.yaml] in [~/.cloudflared ~/.cloudflare-warp ~/cloudflare-warp /etc/cloudflared /usr/local/etc/cloudflared]
2021-08-08T10:50:39Z INF Version 2021.8.1
2021-08-08T10:50:39Z INF GOOS: linux, GOVersion: devel +11087322f8 Fri Nov 13 03:04:52 2020 +0100, GoArch: arm64
2021-08-08T10:50:39Z INF Settings: map[no-tls-verify:true url:https://localhost:443]
2021-08-08T10:50:39Z INF cloudflared will not automatically update if installed by a package manager.
2021-08-08T10:50:39Z INF Initial protocol h2mux
2021-08-08T10:50:39Z INF Starting metrics server on 127.0.0.1:37741/metrics
2021-08-08T10:50:40Z INF Connection established connIndex=0 location=SJC
2021-08-08T10:50:43Z INF Each HA connection's tunnel IDs: map[0:a1e94g4lhp39dshlv9z9n2e5npf3ulavsps4avfcve9vvqacuf4g]
2021-08-08T10:50:43Z INF +-----------------------------------------------------------------+
2021-08-08T10:50:43Z INF | Your free tunnel has started! Visit it: |
2021-08-08T10:50:43Z INF | https://basis-continually-variables-trips.trycloudflare.com |
2021-08-08T10:50:43Z INF +-----------------------------------------------------------------+
2021-08-08T10:50:43Z INF Route propagating, it may take up to 1 minute for your new route to become functional
2021-08-08T10:50:44Z INF Connection established connIndex=1 location=HKG
2021-08-08T10:50:44Z INF Connection established connIndex=2 location=SJC
2021-08-08T10:50:45Z INF Connection established connIndex=3 location=HKG
2021-08-08T10:50:47Z INF Each HA connection's tunnel IDs: map[0:a1e94g4lhp39dshlv9z9n2e5npf3ulavsps4avfcve9vvqacuf4g 2:a1e94g4lhp39dshlv9z9n2e5npf3ulavsps4avfcve9vvqacuf4g]
2021-08-08T10:50:47Z INF +-----------------------------------------------------------------+
2021-08-08T10:50:47Z INF | Your free tunnel has started! Visit it: |
2021-08-08T10:50:47Z INF | https://basis-continually-variables-trips.trycloudflare.com |
2021-08-08T10:50:47Z INF +-----------------------------------------------------------------+
2021-08-08T10:50:47Z INF Route propagating, it may take up to 1 minute for your new route to become functional
2021-08-08T10:50:48Z INF Each HA connection's tunnel IDs: map[0:a1e94g4lhp39dshlv9z9n2e5npf3ulavsps4avfcve9vvqacuf4g 1:a1e94g4lhp39dshlv9z9n2e5npf3ulavsps4avfcve9vvqacuf4g 2:a1e94g4lhp39dshlv9z9n2e5npf3ulavsps4avfcve9vvqacuf4g]
2021-08-08T10:50:48Z INF +-----------------------------------------------------------------+
2021-08-08T10:50:48Z INF | Your free tunnel has started! Visit it: |
2021-08-08T10:50:48Z INF | https://basis-continually-variables-trips.trycloudflare.com |
2021-08-08T10:50:48Z INF +-----------------------------------------------------------------+
2021-08-08T10:50:48Z INF Route propagating, it may take up to 1 minute for your new route to become functional
2021-08-08T10:50:50Z INF Each HA connection's tunnel IDs: map[0:a1e94g4lhp39dshlv9z9n2e5npf3ulavsps4avfcve9vvqacuf4g 1:a1e94g4lhp39dshlv9z9n2e5npf3ulavsps4avfcve9vvqacuf4g 2:a1e94g4lhp39dshlv9z9n2e5npf3ulavsps4avfcve9vvqacuf4g 3:a1e94g4lhp39dshlv9z9n2e5npf3ulavsps4avfcve9vvqacuf4g]
2021-08-08T10:50:50Z INF +-----------------------------------------------------------------+
2021-08-08T10:50:50Z INF | Your free tunnel has started! Visit it: |
2021-08-08T10:50:50Z INF | https://basis-continually-variables-trips.trycloudflare.com |
2021-08-08T10:50:50Z INF +-----------------------------------------------------------------+
2021-08-08T10:50:50Z INF Route propagating, it may take up to 1 minute for your new route to become functional
2021-08-08T11:13:32Z ERR error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: readLoopPeekFailLocked: remote error: tls: user canceled" cfRay=67b850e0d8d31969-HKG originService=https://localhost:443
2021-08-08T11:13:34Z ERR error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: remote error: tls: user canceled" cfRay=67b850ede8a21943-HKG originService=https://localhost:443
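The install and run steps above, wrapped into one script as an added example (this is not code from the original post or from Cloudflare). It maps the container architecture to the right .deb, starts a quick tunnel against the local origin and pulls the *.trycloudflare.com URL out of cloudflared's log output, exactly the box shown above. Assumptions: a Debian-based container run as root, wget and dpkg available, a log file under /tmp, and the function names are my own.

```bash
#!/usr/bin/env bash
# Added example: wrap the install + quick-tunnel steps in a script that starts
# cloudflared against a local origin and returns the *.trycloudflare.com URL
# once cloudflared has printed it. Assumes a Debian-based host run as root.
set -eu

CLOUDFLARED_RELEASES="https://github.com/cloudflare/cloudflared/releases/latest/download"

# Map `uname -m` output to the .deb asset name on the releases page.
# Only amd64 and arm64 are mapped here; other packages are listed on that page.
cloudflared_deb_for_arch() {
  case "$1" in
    x86_64|amd64)  echo "cloudflared-linux-amd64.deb" ;;
    aarch64|arm64) echo "cloudflared-linux-arm64.deb" ;;
    *) echo "unsupported architecture: $1" >&2; return 1 ;;
  esac
}

# Install cloudflared if it is not already present (same wget + dpkg flow as above).
install_cloudflared() {
  command -v cloudflared >/dev/null 2>&1 && return 0
  local deb
  deb=$(cloudflared_deb_for_arch "$(uname -m)")
  wget -q "$CLOUDFLARED_RELEASES/$deb"
  dpkg -i "$deb"
}

# Pull the first tunnel URL out of cloudflared log lines read from stdin.
# cloudflared prints the URL inside an ASCII box, so match the hostname pattern
# rather than a fixed column. Exit status 1 when no URL has appeared yet.
extract_tunnel_url() {
  awk 'match($0, /https:\/\/[a-z0-9-]+\.trycloudflare\.com/) {
         print substr($0, RSTART, RLENGTH); found = 1; exit
       }
       END { exit !found }'
}

# Start a quick tunnel in the background and wait up to 60 s for the URL.
# --no-tls-verify: the origin presents a self-signed certificate that only
# cloudflared on this host ever talks to.
start_quick_tunnel() {
  local origin="${1:-https://localhost:443}" log="${2:-/tmp/cloudflared.log}"
  : >"$log"
  cloudflared tunnel --url "$origin" --no-tls-verify >>"$log" 2>&1 &
  local pid=$! url="" i
  for i in $(seq 1 60); do
    url=$(extract_tunnel_url <"$log" || true)
    [ -n "$url" ] && break
    sleep 1
  done
  if [ -z "$url" ]; then
    echo "no tunnel URL after 60 s, see $log" >&2
    kill "$pid" 2>/dev/null || true
    return 1
  fi
  echo "cloudflared pid $pid, log $log" >&2
  echo "$url"
}

# Usage: ./tunnel.sh run [https://localhost:443]
if [ "${1:-}" = "run" ]; then
  install_cloudflared
  start_quick_tunnel "${2:-https://localhost:443}"
fi
```

The URL is printed on stdout and everything else goes to stderr, so the script can be dropped into a container entrypoint and the hostname captured for a C2 profile. Remember that cloudflared says the route can take up to a minute to propagate after the URL appears.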

Once this is set up, you can use the URL to visit the C2 to make sure it works.

Trust me, it works.

And see the corresponding request in the C2 server logs:

Yes, it really works.

What next?

Domain Fronting using TryCloudFlare

A quick subfinder and httpx run gives this:

https://bryant-hey-scores-confused.trycloudflare.com
https://brands-celebrities-framing-religions.trycloudflare.com
https://aye-complaint-cap-tooth.trycloudflare.com
https://blonde-appropriate-aware-telecom.trycloudflare.com
https://alpha-bent-beds-initially.trycloudflare.com
https://basically-analysts-understood-climbing.trycloudflare.com
https://associates-boulevard-compare-headline.trycloudflare.com
https://ceremony-dir-phrases-coordinated.trycloudflare.com
https://believe-proud-answered-aerial.trycloudflare.com
https://allah-assigned-canal-lbs.trycloudflare.com
https://austria-chronic-static-donate.trycloudflare.com
https://contest-split-wheel-girl.trycloudflare.com
https://answering-aluminium-viewer-colorado.trycloudflare.com
https://creativity-eligible-concert-info.trycloudflare.com
https://crop-chamber-random-style.trycloudflare.com
https://clothes-respected-par-secretary.trycloudflare.com
https://discuss-videos-adds-imaging.trycloudflare.com
https://deutschland-maui-procedures-mark.trycloudflare.com
https://bull-bibliography-specialty-avi.trycloudflare.com
https://envelope-replace-consultancy-diagram.trycloudflare.com
https://forty-advertisement-flags-slight.trycloudflare.com
https://flex-fountain-pics-brooks.trycloudflare.com
https://confirmation-pb-voices-indianapolis.trycloudflare.com
https://folk-corn-explosion-radius.trycloudflare.com
https://helpful-others-bits-beautiful.trycloudflare.com
https://gulf-holocaust-grace-microwave.trycloudflare.com
https://headquarters-taiwan-boulevard-sentences.trycloudflare.com
https://good-synthetic-chancellor-automated.trycloudflare.com
https://hiv-co-object-loose.trycloudflare.com
https://invited-insider-thomas-mcdonald.trycloudflare.com
https://horse-expo-pierre-banana.trycloudflare.com
https://images-completing-griffin-title.trycloudflare.com
https://guyana-senator-ab-impose.trycloudflare.com
https://jonathan-started-buyers-honduras.trycloudflare.com
https://leaving-nicaragua-violations-connect.trycloudflare.com
https://increasing-novel-shorter-prefix.trycloudflare.com
https://intermediate-sheffield-conclusions-gender.trycloudflare.com
https://fence-small-rendered-permits.trycloudflare.com
https://itunes-cardiovascular-apparel-checks.trycloudflare.com
https://lexus-asbestos-singapore-efficiently.trycloudflare.com
https://landing-racial-reviewing-kathy.trycloudflare.com
https://measuring-baby-thumbnails-solomon.trycloudflare.com
https://mhz-right-quickly-pharmaceutical.trycloudflare.com
https://measure-any-desperate-gourmet.trycloudflare.com
https://muslims-formation-produce-assumptions.trycloudflare.com
https://nicole-history-error-characterization.trycloudflare.com
https://partial-wma-singing-training.trycloudflare.com
https://nationwide-taking-knew-desktops.trycloudflare.com
https://photographic-faster-powerful-compatibility.trycloudflare.com
https://portsmouth-blonde-jam-flight.trycloudflare.com
https://portion-warranties-faith-somehow.trycloudflare.com
https://pick-rob-tomatoes-bl.trycloudflare.com
https://pulling-frank-instance-risk.trycloudflare.com
https://possible-earlier-lauren-alexander.trycloudflare.com
https://rec-carroll-publication-milton.trycloudflare.com
https://procedure-sheffield-yr-resulted.trycloudflare.com
https://reaching-cycling-items-agricultural.trycloudflare.com
https://related-annotated-realized-earlier.trycloudflare.com
https://sally-requesting-heating-independent.trycloudflare.com
https://replacement-her-lexmark-baghdad.trycloudflare.com
https://producer-sm-sec-un.trycloudflare.com
https://shops-charm-whom-roland.trycloudflare.com
https://slope-carroll-shaved-cruise.trycloudflare.com
https://sand-catherine-gc-digital.trycloudflare.com
https://terrorists-gauge-forgotten-impressive.trycloudflare.com
https://seasonal-races-explicitly-athletic.trycloudflare.com
https://unsubscribe-obtained-level-free.trycloudflare.com
https://warming-beverly-opportunity-seafood.trycloudflare.com
https://wow-phone-method-cuisine.trycloudflare.com

A quick check shows that they're frontable. The TLS connection (SNI and certificate) goes to somebody else's tunnel name, while the HTTP Host header names our own tunnel; because every quick tunnel hostname is a subdomain of the same trycloudflare.com zone, Cloudflare's edge routes the request on the Host header to our origin:

curl https://slope-carroll-shaved-cruise.trycloudflare.com --header "Host: basis-continually-variables-trips.trycloudflare.com" --user-agent "NeverGon..."
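The curl check above, automated over the whole subfinder/httpx list as an added example (not code from the original post). For each candidate front it first confirms the front does not already serve our content on its own, then requests it with our tunnel in the Host header and looks for a marker string that only our origin returns. Assumptions: the marker (for example a string from the C2 profile's default page) and the script name fronts.sh are mine, and the browser-like User-Agent is there only because a joke UA like the one above is a needless signature.

```bash
#!/usr/bin/env bash
# Added example: test every candidate *.trycloudflare.com name as a front for
# our own tunnel (REAL). A front counts only if the marker appears with the
# Host header set and does not appear without it.
set -eu

UA="Mozilla/5.0 (Windows NT 10.0; Win64; x64)"

# Normalise httpx output (https://name.trycloudflare.com[/]) to bare hostnames
# and keep only trycloudflare.com names; anything else is in a different zone.
hosts_from_httpx() {
  sed -e 's#^https://##' -e 's#^http://##' -e 's#/.*$##' \
    | grep '\.trycloudflare\.com$' \
    | sort -u
}

# Request REAL through FRONT: TLS SNI and certificate are FRONT's, the HTTP
# Host header names REAL. Succeeds when the body contains MARKER.
is_frontable() {
  local front="$1" real="$2" marker="$3"
  # Control: FRONT on its own must not already serve MARKER, otherwise the
  # fronted request proves nothing about Host-based routing.
  if curl -s -m 15 -A "$UA" "https://$front/" | grep -q -- "$marker"; then
    return 1
  fi
  curl -s -m 15 -A "$UA" "https://$front/" -H "Host: $real" | grep -q -- "$marker"
}

# Read httpx output on stdin and print a verdict per candidate.
find_fronts() {
  local real="$1" marker="$2" front
  hosts_from_httpx | while read -r front; do
    [ "$front" = "$real" ] && continue
    if is_frontable "$front" "$real" "$marker"; then
      echo "FRONTABLE $front -> $real"
    else
      echo "no        $front"
    fi
  done
}

# Usage:
#   httpx -l trycloudflare_subs.txt -silent \
#     | ./fronts.sh basis-continually-variables-trips.trycloudflare.com '<title>'
if [ $# -eq 2 ]; then
  find_fronts "$1" "$2"
fi
```

Run it with `curl -v` added to is_frontable if you want to see the certificate and SNI belong to the front while the response comes from your own origin. Candidates that disappear between scans are normal: quick tunnels die when their owner stops cloudflared.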

Extra added anonymity?

Technically you could hide your IP address from Cloudflare by running a VPN on the Docker host or container and starting cloudflared afterwards. But hey, we're red teamers, so maybe that's going too far for a bit of extra, unneeded anonymity.

Conclusions

Give Cloudflare tunnels a try; they can be useful for some projects and engagements if you need quickly deployed webpages with valid TLS.

Even if not, it's a good free way to punch through NAT.

Blue team? Maybe just block *.trycloudflare.com. The fronted requests above still carry a trycloudflare.com name in both the TLS SNI and the HTTP Host header, so a match on either catches them.
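The blue-team side of that advice as an added example (not from the original post). Given proxy or TLS-inspection records that carry the TLS SNI and the HTTP Host header side by side, the script flags any trycloudflare.com name and, separately, requests where SNI and Host disagree, which is what the fronted curl above looks like on the wire. The record format (space-separated time, client, SNI, Host) and the sample lines are constructed for the example.

```bash
#!/usr/bin/env bash
# Added example: flag trycloudflare.com traffic and SNI/Host mismatches in
# constructed proxy records (fields: time client sni host).
set -eu

# Reads records on stdin, prints one verdict per flagged record.
flag_trycloudflare() {
  awk '
    function is_tcf(n) { return n ~ /(^|\.)trycloudflare\.com$/ }
    NF >= 4 {
      sni = $3; host = $4
      if (is_tcf(sni) || is_tcf(host)) {
        verdict = "BLOCK trycloudflare"
        # A Host that differs from the SNI is the fronting pattern shown above.
        if (sni != host) verdict = verdict " (SNI/Host mismatch, fronted)"
        print $1, $2, sni, host, verdict
      } else if (sni != host) {
        # Not trycloudflare, but still worth a look: fronting via another CDN.
        print $1, $2, sni, host, "REVIEW SNI/Host mismatch"
      }
    }'
}

# Constructed sample records, not real telemetry.
SAMPLE_LOG='2021-08-08T11:00:01Z 10.0.0.15 www.example.com www.example.com
2021-08-08T11:00:05Z 10.0.0.15 slope-carroll-shaved-cruise.trycloudflare.com basis-continually-variables-trips.trycloudflare.com
2021-08-08T11:00:09Z 10.0.0.22 basis-continually-variables-trips.trycloudflare.com basis-continually-variables-trips.trycloudflare.com
2021-08-08T11:00:12Z 10.0.0.30 cdn.example.net other.example.org'

# Usage: ./flag.sh demo   (or pipe your own records into flag_trycloudflare)
if [ "${1:-}" = "demo" ]; then
  printf '%s\n' "$SAMPLE_LOG" | flag_trycloudflare
fi
```

The mismatch check needs visibility into the HTTP Host header, i.e. TLS inspection or an explicit proxy; with only the SNI from passive TLS logs you still get the first verdict, which is enough to enforce the block.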