TryCloudFlare Infrastructure and Domain Fronting

Use TryCloudflare's free quick tunnels to punch through NAT, and at the same time domain front through Cloudflare so the real origin of the server stays hidden.

CloudFlareD

Cloudflared is the tunnel client provided by Cloudflare, with functionality similar to Ngrok. When building out containers as listening posts, we usually don't have a public IP address. Instead of purchasing another server to use as a redirector, Cloudflared can be a good alternative.

The reason I'm not using services such as Ngrok and Heroku is usually that their reputation is not as strong as Cloudflare's. Cloudflare is probably one of the most reputable content delivery networks out there.

Basically, we can have a server running anywhere in the world that makes an outbound connection to the Cloudflare network. Cloudflare then forwards requests for the public hostname back down that connection into your service and serves the website, without the server needing an inbound port or a public IP.

CloudFlared connections

A rough breakdown of what's happening.

As far as the Unlucky Fella (the target) is concerned, he never connects to the bad blue sea (the C2 in the diagram). He only connects to trusted Cloudflare network IP addresses. Moreover, depending on where the Unlucky Fella is located, he will probably resolve to different IP addresses for the closest Cloudflare edge node. That makes it harder for organizations with low detection maturity to block accurately: blocking Cloudflare's address ranges would also block every legitimate site sitting behind Cloudflare.

Establishing the Cloudflared connection

Inside a Docker container with a C2 set up, all you have to do is install Cloudflared. Installation guide at https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup

Pick the installation file for your platform and install it.

Various installation file formats available.

Nowadays, I use a lot of ARM64, so I'll select that.

After installation, you can run cloudflared against the local listener. I exposed my local port 443, which uses a self-signed certificate (never exposed to anyone but Cloudflare).

Run the command:

Output:

Once this is set up, you can use the URL to visit the C2 to make sure it works.

Trust me, it works.

And see the corresponding request in the C2 server logs:

Yes, it really works.
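The whole sequence above (start the quick tunnel, wait for the trycloudflare.com hostname, request the C2 through Cloudflare) as one script. This is an added example, not code from the original post or from Cloudflare; it assumes cloudflared is on PATH, that the C2 listens on https://localhost:443 with a self-signed certificate, and that the C2 answers GET / with HTTP 200. The sample banner text is constructed to mirror the shape of cloudflared's startup output, and the hostname in it is a placeholder.

```python
"""Bring up a TryCloudflare quick tunnel in front of a local C2 listener and confirm
the public URL reaches it. Added example; assumptions are noted in the lead-in."""
import re
import subprocess
import sys
import time
import urllib.error
import urllib.request
from typing import Optional, Tuple

# Quick-tunnel hostnames are lowercase words joined by hyphens under trycloudflare.com.
QUICK_TUNNEL_RE = re.compile(r"https://[a-z0-9-]+\.trycloudflare\.com")


def extract_quick_tunnel_url(text: str) -> Optional[str]:
    """Return the first *.trycloudflare.com URL found in cloudflared's output, or None."""
    m = QUICK_TUNNEL_RE.search(text)
    return m.group(0) if m else None


def start_quick_tunnel(origin: str = "https://localhost:443",
                       timeout: float = 30.0) -> Tuple[subprocess.Popen, str]:
    """Launch a quick tunnel to `origin` and wait for Cloudflare to hand out a hostname.

    --no-tls-verify makes cloudflared accept the origin's self-signed certificate; that
    certificate only ever faces Cloudflare, never the target. Returns (process, url)."""
    proc = subprocess.Popen(
        ["cloudflared", "tunnel", "--url", origin, "--no-tls-verify"],
        stdout=subprocess.DEVNULL, stderr=subprocess.PIPE, text=True,
    )
    deadline = time.monotonic() + timeout
    banner = ""
    while time.monotonic() < deadline:
        line = proc.stderr.readline()  # cloudflared writes its log (and the URL) to stderr
        if not line:
            if proc.poll() is not None:
                break                   # cloudflared exited before publishing a URL
            continue
        banner += line
        url = extract_quick_tunnel_url(banner)
        if url:
            return proc, url
    proc.terminate()
    raise RuntimeError("cloudflared did not publish a trycloudflare.com URL:\n" + banner)


def probe(url: str, path: str = "/") -> int:
    """GET the C2 through Cloudflare, exactly as a target would, and return the status code.

    Cloudflare terminates TLS with its own publicly trusted certificate, so the client
    needs no certificate tweaks; the self-signed cert is only on the cloudflared->origin hop."""
    req = urllib.request.Request(url.rstrip("/") + path, headers={"User-Agent": "probe/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code


# Constructed sample of the banner cloudflared prints; the hostname is a placeholder.
SAMPLE_BANNER = (
    "2024-01-01T00:00:00Z INF +------------------------------------------------------------+\n"
    "2024-01-01T00:00:00Z INF |  https://sample-quick-tunnel-words.trycloudflare.com        |\n"
    "2024-01-01T00:00:00Z INF +------------------------------------------------------------+\n"
)

if __name__ == "__main__":
    if "--live" in sys.argv:  # only reach out to Cloudflare when explicitly asked
        proc, public = start_quick_tunnel()
        print("quick tunnel:", public)
        print("status via Cloudflare:", probe(public))
        proc.terminate()
    else:
        print("parsed from sample banner:", extract_quick_tunnel_url(SAMPLE_BANNER))
```

Run it with `--live` on the C2 host to get the public URL and the status code seen through Cloudflare; the request should then show up in the C2 server logs with a Cloudflare edge IP as the source, which is the point of the setup.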

What next?

Domain Fronting using TryCloudFlare

A quick subfinder and httpx run gives this:

A quick check shows that they're frontable:
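The frontability check itself, written out so the two halves of domain fronting are visible: the TLS SNI (and the certificate check) name the front host found by subfinder, while the HTTP Host header names your own quick-tunnel hostname. This is an added example, not the post's own tooling; the hostnames are placeholders, the sample response is constructed, and it assumes the C2 landing page contains a marker string you choose (the front's own page returning 200 would otherwise look like a successful front).

```python
"""Check whether another *.trycloudflare.com hostname can front for your own quick tunnel.
Added example; hostnames are placeholders and SAMPLE_RESPONSE is constructed."""
import socket
import ssl
import sys
from typing import Optional, Tuple


def build_fronted_request(hidden_host: str, path: str = "/") -> bytes:
    """Raw HTTP/1.1 request whose Host header names the hidden tunnel, not the SNI host."""
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {hidden_host}\r\n"
        "User-Agent: front-check/1.0\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode()


def parse_status(response: bytes) -> Optional[int]:
    """Status code from the first line of an HTTP response, or None if it is malformed."""
    head, _, _ = response.partition(b"\r\n")
    parts = head.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        return None
    return int(parts[1])


def fronted_get(front_host: str, hidden_host: str, path: str = "/",
                timeout: float = 10.0) -> Tuple[Optional[int], bytes]:
    """TLS to front_host (SNI and certificate validated against the front),
    then an HTTP request for hidden_host inside that connection."""
    ctx = ssl.create_default_context()
    with socket.create_connection((front_host, 443), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=front_host) as tls:
            tls.sendall(build_fronted_request(hidden_host, path))
            chunks = []
            while True:
                data = tls.recv(4096)
                if not data:      # server honours Connection: close
                    break
                chunks.append(data)
    response = b"".join(chunks)
    return parse_status(response), response


def is_frontable(front_host: str, hidden_host: str, marker: bytes) -> bool:
    """Fronting works only if the body carries something the hidden C2 page returns.
    A bare 200 is not enough: the front's own page also answers 200."""
    status, body = fronted_get(front_host, hidden_host)
    return status == 200 and marker in body


# Constructed sample response used for the offline self-check (not captured from Cloudflare).
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nConnection: close\r\n\r\n"
    b"<html><title>C2 landing</title></html>"
)

if __name__ == "__main__":
    if len(sys.argv) == 4:  # front_check.py <front-host> <your-tunnel-host> <marker>
        front, hidden, marker = sys.argv[1], sys.argv[2], sys.argv[3].encode()
        status, body = fronted_get(front, hidden)
        print(f"SNI={front} Host={hidden} -> status {status}, {len(body)} bytes, "
              f"frontable={status == 200 and marker in body}")
    else:
        print("sample status:", parse_status(SAMPLE_RESPONSE))
```

Feed it each host from the subfinder/httpx output as the front and your own tunnel as the hidden host; a Cloudflare error page or a 4xx instead of your marker means that host does not front for you.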

Extra anonymity?

Technically you could also hide the origin's IP address from Cloudflare itself, by running a VPN on the Docker host/container and starting Cloudflared over it. But hey, we're Red Teamers, so maybe that's going too far for a bit of extra, unneeded anonymity.

Conclusions

Give Cloudflare tunnels a try; they can be useful for projects and engagements where you need quickly deployed, TLS-enabled web pages.

Even if not, it's a good free way to punch through NAT.

Blue team? Maybe just block *.trycloudflare.com, in DNS and in TLS SNI (the fronting hosts above are under the same domain, so that covers them too), and look for cloudflared running on hosts that have no business running it.
