
Domain fronting support

Open ScriptIdiot opened this issue 3 years ago • 8 comments

May I know if domain fronting is supported in this case? Tried to change the host header but then it shows this error upon execution:

thread 'main' panicked at 'called Result::unwrap() on an Err value: Custom { kind: ConnectionRefused, error: "Failed to make post request" }', src/profiles/mod.rs:117:49 note: run with RUST_BACKTRACE=1 environment variable to display a backtrace

*Run on Linux

Thanks!

ScriptIdiot avatar Apr 21 '22 14:04 ScriptIdiot

I haven't tried domain fronting with this agent, but I don't think there's an option to change the host header in the options of this agent. How did you attempt to change the host header?

t94j0 avatar Apr 21 '22 17:04 t94j0

During the generation of the payload, I was able to add a Host header to attempt to achieve domain fronting, which works in the Merlin agent.

ScriptIdiot avatar Apr 21 '22 17:04 ScriptIdiot

Gotcha. The Host header should be there based on this code. It looks like you're getting a ConnectionRefused error, so it looks like the domain front you're connecting to is unavailable. Are you sure you can connect to the target domain/ip?

t94j0 avatar Apr 21 '22 17:04 t94j0

Yeah, I am pretty sure. I tried to establish C2 without domain fronting, and the exact same setting with domain fronting worked using the Merlin agent.

ScriptIdiot avatar Apr 21 '22 17:04 ScriptIdiot

I believe I have tracked down the issue. The HTTP library tetanus is using is minreq, and minreq will insert the callback URL into the Host header before establishing the HTTP connection. The library will not check for duplicates, so it will include two Host headers but pick the Host specified in the HTTP Headers section of the payload generation for the HTTP connection and ignore the callback host.

This is obviously not great behavior at all and I will need to use a different library which supports arbitrarily setting the Host header. I will look into it this weekend.

MEhrn00 avatar Apr 21 '22 18:04 MEhrn00
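The duplicate-Host behaviour described in the comment above is exactly the kind of anomaly an inspection point (reverse proxy, WAF, IDS) can flag. The following is an added example, not tetanus or minreq code: it parses a raw HTTP/1.1 request head, returns every Host value, and reports both a duplicated Host field and a Host that does not match the name the connection was actually made to. The sample request and the hostnames are constructed; the inspector is assumed to know the TCP/TLS target name from its own connection context.

```rust
// Added example (not tetanus or minreq code): flag requests carrying more than
// one Host header, or a Host that disagrees with the connection target.

#[derive(Debug, PartialEq, Clone)]
pub enum Finding {
    DuplicateHost(Vec<String>),
    HostMismatch { host: String, target: String },
}

/// Return every Host header value in a raw request head, in order.
/// Only the header block is examined; the request line is skipped.
pub fn host_headers(request_head: &str) -> Vec<String> {
    request_head
        .split("\r\n")
        .skip(1) // request line, e.g. "POST /data HTTP/1.1"
        .take_while(|line| !line.is_empty()) // blank line ends the header block
        .filter_map(|line| {
            let (name, value) = line.split_once(':')?;
            if name.trim().eq_ignore_ascii_case("host") {
                Some(value.trim().to_string())
            } else {
                None
            }
        })
        .collect()
}

/// Inspect a request head against the name the connection was made to.
/// `target` is assumed to be the TLS SNI / TCP destination name seen by the inspector.
pub fn inspect(request_head: &str, target: &str) -> Vec<Finding> {
    let hosts = host_headers(request_head);
    let mut findings = Vec::new();
    if hosts.len() > 1 {
        findings.push(Finding::DuplicateHost(hosts.clone()));
    }
    for host in &hosts {
        // Compare on the host part only; an explicit ":port" suffix is ignored.
        let name = host.split(':').next().unwrap_or("");
        if !name.eq_ignore_ascii_case(target) {
            findings.push(Finding::HostMismatch { host: host.clone(), target: target.to_string() });
        }
    }
    findings
}

fn main() {
    // Constructed sample mirroring the thread: the library's own Host for the
    // callback URL followed by a second, operator-supplied Host header.
    let sample = "POST /data HTTP/1.1\r\nHost: cdn.example.net\r\nContent-Type: application/json\r\nHost: backend.example.org\r\n\r\n";
    for finding in inspect(sample, "cdn.example.net") {
        println!("{:?}", finding);
    }
}
```

RFC 7230 section 5.4 requires a server to answer a request containing more than one Host field with 400 Bad Request, so a front end that tolerates this is itself worth auditing.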

For what it's worth, between this and #1 tetanus is getting damn close to a viable top-tier C2. The only ~two~ three wish list items I'd have left are the following:

  1. .NET Assembly injection support
  2. Beacon Object File support (likely via https://github.com/trustedsec/COFFLoader)
  3. DNS C2 channel support

The first two get a lot of existing functionality for free (via projects like https://github.com/trustedsec/CS-Situational-Awareness-BOF and https://github.com/Flangvik/SharpCollection), while the third makes operations possible in a pretty restricted environment.

jeffmcjunkin avatar Jan 05 '23 23:01 jeffmcjunkin

Update on this: I am in the process of doing a rewrite for Tetanus. I currently have domain fronting support, beacon object file support and reflective DLL loading support on the road map among other things. I can see about integrating a DNS C2 profile and .NET assembly injection but it depends on when I can get the current items on my road map complete.

I will leave this issue open until the rewrite is finished. This is just to acknowledge the suggestions 👍🏻

MEhrn00 avatar Feb 24 '23 18:02 MEhrn00

Oooh, today I learned of https://github.com/hakaioffsec/coffee, which may be of interest as an easier path to implementing Beacon Object Files.

In other news, is there any rough planned timeframe for the rewrite / release?

jeffmcjunkin avatar Sep 22 '23 19:09 jeffmcjunkin