TryCloudFlare Infrastructure and Domain Fronting
Use TryCloudFlare's free service for reverse NAT tunnels, and at the same time, domain front to hide the real identity of the server.

CloudFlareD

Cloudflared is a service provided by Cloudflare that offers functionality similar to Ngrok. When building out containers with listening posts, we usually don't have an IP address. Instead of purchasing another server to be used as a redirector, using Cloudflared may be a good alternative.
The reason I'm not using services such as Ngrok and Heroku is usually that their reputation is not as strong as Cloudflare's. Cloudflare is probably one of the most reputable Content Delivery Networks out there.
Basically, we can have a server running anywhere in the world that connects out to the Cloudflare network, which then allows Cloudflare to connect back into your service and serve the website.

CloudFlared connections

A rough breakdown of what's happening.
As far as Unlucky Fella is concerned, he never connects to the bad blue sea. He only connects to the trusted Cloudflare network and IP addresses. Moreover, depending on where the Unlucky Fella is located, he probably gets different IP addresses for the closest lovely Cloudflare node. That'll make it more difficult for organizations with low detection maturity to defend and block accurately.

Establishing the Cloudflared connection

Inside a Docker container with a C2 setup, all you have to do is install Cloudflared. Installation guide at https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup
Pick out what installation file you're going to use and just install it.
Various installation file formats available.
Nowadays, I use a lot of ARM64, so I'll select that.
wget -q https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-arm64.deb
dpkg -i cloudflared-linux-arm64.deb
After installation, you can run cloudflared. I exposed my local port 443, which uses a self-signed certificate (never exposed to anyone but Cloudflare).
Run the command:
cloudflared tunnel --url https://localhost:443 --no-tls-verify
Output:
[email protected]:~/cobaltstrike# cloudflared tunnel --url https://localhost:443 --no-tls-verify
2021-08-08T10:50:39Z INF Cannot determine default configuration path. No file [config.yml config.yaml] in [~/.cloudflared ~/.cloudflare-warp ~/cloudflare-warp /etc/cloudflared /usr/local/etc/cloudflared]
2021-08-08T10:50:39Z INF Version 2021.8.1
2021-08-08T10:50:39Z INF GOOS: linux, GOVersion: devel +11087322f8 Fri Nov 13 03:04:52 2020 +0100, GoArch: arm64
2021-08-08T10:50:39Z INF Settings: map[no-tls-verify:true url:https://localhost:443]
2021-08-08T10:50:39Z INF cloudflared will not automatically update if installed by a package manager.
2021-08-08T10:50:39Z INF Initial protocol h2mux
2021-08-08T10:50:39Z INF Starting metrics server on 127.0.0.1:37741/metrics
2021-08-08T10:50:40Z INF Connection established connIndex=0 location=SJC
2021-08-08T10:50:43Z INF Each HA connection's tunnel IDs: map[0:a1e94g4lhp39dshlv9z9n2e5npf3ulavsps4avfcve9vvqacuf4g]
2021-08-08T10:50:43Z INF +-----------------------------------------------------------------+
2021-08-08T10:50:43Z INF | Your free tunnel has started! Visit it: |
2021-08-08T10:50:43Z INF | https://basis-continually-variables-trips.trycloudflare.com |
2021-08-08T10:50:43Z INF +-----------------------------------------------------------------+
2021-08-08T10:50:43Z INF Route propagating, it may take up to 1 minute for your new route to become functional
2021-08-08T10:50:44Z INF Connection established connIndex=1 location=HKG
2021-08-08T10:50:44Z INF Connection established connIndex=2 location=SJC
2021-08-08T10:50:45Z INF Connection established connIndex=3 location=HKG
2021-08-08T10:50:47Z INF Each HA connection's tunnel IDs: map[0:a1e94g4lhp39dshlv9z9n2e5npf3ulavsps4avfcve9vvqacuf4g 2:a1e94g4lhp39dshlv9z9n2e5npf3ulavsps4avfcve9vvqacuf4g]
2021-08-08T10:50:47Z INF +-----------------------------------------------------------------+
2021-08-08T10:50:47Z INF | Your free tunnel has started! Visit it: |
2021-08-08T10:50:47Z INF | https://basis-continually-variables-trips.trycloudflare.com |
2021-08-08T10:50:47Z INF +-----------------------------------------------------------------+
2021-08-08T10:50:47Z INF Route propagating, it may take up to 1 minute for your new route to become functional
2021-08-08T10:50:48Z INF Each HA connection's tunnel IDs: map[0:a1e94g4lhp39dshlv9z9n2e5npf3ulavsps4avfcve9vvqacuf4g 1:a1e94g4lhp39dshlv9z9n2e5npf3ulavsps4avfcve9vvqacuf4g 2:a1e94g4lhp39dshlv9z9n2e5npf3ulavsps4avfcve9vvqacuf4g]
2021-08-08T10:50:48Z INF +-----------------------------------------------------------------+
2021-08-08T10:50:48Z INF | Your free tunnel has started! Visit it: |
2021-08-08T10:50:48Z INF | https://basis-continually-variables-trips.trycloudflare.com |
2021-08-08T10:50:48Z INF +-----------------------------------------------------------------+
2021-08-08T10:50:48Z INF Route propagating, it may take up to 1 minute for your new route to become functional
2021-08-08T10:50:50Z INF Each HA connection's tunnel IDs: map[0:a1e94g4lhp39dshlv9z9n2e5npf3ulavsps4avfcve9vvqacuf4g 1:a1e94g4lhp39dshlv9z9n2e5npf3ulavsps4avfcve9vvqacuf4g 2:a1e94g4lhp39dshlv9z9n2e5npf3ulavsps4avfcve9vvqacuf4g 3:a1e94g4lhp39dshlv9z9n2e5npf3ulavsps4avfcve9vvqacuf4g]
2021-08-08T10:50:50Z INF +-----------------------------------------------------------------+
2021-08-08T10:50:50Z INF | Your free tunnel has started! Visit it: |
2021-08-08T10:50:50Z INF | https://basis-continually-variables-trips.trycloudflare.com |
2021-08-08T10:50:50Z INF +-----------------------------------------------------------------+
2021-08-08T10:50:50Z INF Route propagating, it may take up to 1 minute for your new route to become functional
2021-08-08T11:13:32Z ERR error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: readLoopPeekFailLocked: remote error: tls: user canceled" cfRay=67b850e0d8d31969-HKG originService=https://localhost:443
2021-08-08T11:13:34Z ERR error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: remote error: tls: user canceled" cfRay=67b850ede8a21943-HKG originService=https://localhost:443
Once this is set up, you can use the URL to visit the C2 to make sure it works.
Trust me, it works.
And see the corresponding request in the C2 server logs:
Yes, it really works.
What next?

Domain Fronting using TryCloudFlare

A quick subfinder and httpx run turns up other live trycloudflare.com hostnames.
A quick check shows that they're frontable:
curl https://slope-carroll-shaved-cruise.trycloudflare.com --header "Host: basis-continually-variables-trips.trycloudflare.com" --user-agent "NeverGon..."

Extra added anonymity?

Technically you could hide the IP address from Cloudflare if you run a VPN on the Docker host/container, then run Cloudflared afterward. But hey, we're Red Teamers, so maybe that's going too far for a bit of extra unneeded anonymity.

Conclusions

Give Cloudflare tunnels a try; they can be useful for some projects and engagements if you need quick SSL-deployed webpages.
Even if not, it's a good free way to punch through NAT.
Blue team? Maybe just block *.trycloudflare.com
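
For the blue-team side of the fronting check and the block suggestion above, here is an added detection sketch (not code from the original post). It assumes a TLS-inspecting proxy that logs both the SNI and the decrypted Host header as JSON lines; the field names (src, sni, host) and every hostname in the sample are constructed.

```python
import json

SUFFIX = ".trycloudflare.com"  # quick-tunnel hostnames live under this zone

# Constructed records from a hypothetical TLS-inspecting proxy, one JSON object
# per line; field names (src, sni, host) and all hostnames are made up.
SAMPLE_LOG = """\
{"src":"10.0.4.11","sni":"www.example.org","host":"www.example.org"}
{"src":"10.0.4.12","sni":"cdn.example.net","host":"static.example.net"}
{"src":"10.0.4.22","sni":"front-sample-one-two.trycloudflare.com","host":"front-sample-one-two.trycloudflare.com"}
{"src":"10.0.4.22","sni":"front-sample-one-two.trycloudflare.com","host":"origin-sample-three-four.trycloudflare.com:443"}
{"src":"10.0.4.31","sni":"","host":"Mixed-Case-Sample-Five.TryCloudflare.com."}
{"src":"10.0.4.40","sni":"nottrycloudflare.com","host":"nottrycloudflare.com"}
truncated line that is not JSON
"""

def normalize(name):
    """Lower-case a hostname and drop any :port suffix and trailing dot."""
    return (name or "").strip().lower().partition(":")[0].rstrip(".")

def is_quick_tunnel(name):
    """True for names under trycloudflare.com; look-alike zones do not match."""
    return name.endswith(SUFFIX)

def classify(record):
    """Return the findings for one proxy record (empty list means benign)."""
    sni, host = normalize(record.get("sni")), normalize(record.get("host"))
    if not (is_quick_tunnel(sni) or is_quick_tunnel(host)):
        return []  # SNI/Host differences elsewhere are common (shared CDN connections)
    findings = ["quick-tunnel"]
    if sni and host and sni != host:
        findings.append("sni-host-mismatch")  # Host names a different tunnel than the SNI
    return findings

def scan(log_text):
    """Return (src, sni, host, findings) for every flagged record."""
    alerts = []
    for line in log_text.splitlines():
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or damaged lines instead of aborting the scan
        if not isinstance(record, dict):
            continue
        findings = classify(record)
        if findings:
            alerts.append((record.get("src"), normalize(record.get("sni")),
                           normalize(record.get("host")), findings))
    return alerts

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Without TLS inspection only the SNI and the DNS query are visible, and in the curl check above the front is itself a trycloudflare.com name, so a hostname-based block on the zone still matches it.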