Welcome to a new post, where we are going to see how to deploy a secure red team infrastructure. We will see how to deploy legit services to perform phishing and how to hide our C2 traffic inside the HTTPS protocol.
Disclaimer
The information provided in this post is intended for educational purposes only. The techniques, tools, and methodologies discussed are designed to help cybersecurity professionals and enthusiasts understand how to deploy a red team infrastructure in a controlled and lawful environment.
By accessing this content, you agree to use the information responsibly and only in environments where you have explicit authorization to perform testing or simulations. Unauthorized use of these techniques on systems without proper consent may violate local, national, or international laws, and such actions could lead to severe legal consequences.
Neither the author nor this post assumes any responsibility or liability for misuse of the information provided. Always prioritize ethical practices, respect for privacy, and compliance with applicable laws and regulations.
1. Initial information
This infrastructure has been built on Digital Ocean (creating the servers is not covered in this post). I’ve created 4 VPS servers with different purposes:
1.1 Summary of the infrastructure
Since I want to learn how to deploy a fully operational red team infrastructure, I will deploy the following servers:
Function | Minimal Setup |
---|---|
C2 Server (Havoc) | 1 VPS |
Phishing Server/payloads | 1 VPS |
Redirector for C2 | 1 VPS |
Redirector for Phishing/payloads | 1 VPS |
The ideal scenario would be 6 or even 8 servers, something like this:
Function | Ideal Setup |
---|---|
C2 Server (Havoc) | 1 VPS |
Phishing Server | 1 VPS |
Payload Server | 1 VPS |
Long term C2 Server | 1 VPS |
Redirector for C2 | 1 VPS |
Redirector for Phishing/payloads | 1 VPS |
Redirector for Payload Server | 1 VPS |
Redirector for long term C2 Server | 1 VPS |
1.2 Detailed infrastructure information
The physical requirements are the following:
Name | Role | IP | CPU | RAM | Storage | OS | Notes |
---|---|---|---|---|---|---|---|
c2 server | C2 Server | x | 2 vCPUs | 2 GB | 20-40 GB | Ubuntu 22.04 LTS | Upgrade to 4 vCPUs/4 GB RAM for >50 targets. |
phishing server | Phishing Server | x | 1 vCPU | 1 GB | 25 GB | Ubuntu 22.04 LTS | CDN recommended for large file payloads. |
Redirector for C2 | Redirector for C2 | x | 1 vCPU | 1 GB | 25 GB | Ubuntu 22.04 LTS | High-speed network connection is critical. |
Redirector for phishing | Redirector for phishing | x | 1 vCPU | 1 GB | 25 GB | Ubuntu 22.04 LTS | High-speed network connection is critical. |
1.3 Selection of domain
For this part I recommend at least 2 domains: one for the phishing phase and another one for the C2 traffic:
Domain | Provider |
---|---|
soft.example.com | Your preference |
mail.example.com | Your preference |
health.c2traffic.com | Your preference |
1.4 Final red team infrastructure
The final diagram of what we are going to build:
2. Initial set up for the servers
2.1 Update the servers
Initial update after the installation (refresh the package index, then upgrade):
apt update
apt -y upgrade
2.2 Installation of Havoc into the C2 Server – VPS1
For those who do not know what Havoc C2 is, you can find great information on Havoc’s GitHub or in Havoc’s documentation. I also recommend the blog of my buddy «P4P1», where he has very good reviews and walk-through posts.
The first step before installing Havoc is to establish good firewall rules.
2.2.1 Firewall configuration
The default policy will be DROP. We will configure the firewall to make sure we only accept the traffic we want:
#!/bin/bash
# Flush existing rules
iptables -F
iptables -X
# Default policy: DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# Allow loopback traffic
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow replies to connections we initiated and to connections we accepted.
# This stateful rule replaces "--sport 53/80/443" accept rules, which would
# let any remote host in simply by sending from one of those source ports.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow outbound DNS (UDP and TCP to port 53)
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
# Allow outbound HTTP and HTTPS
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
# Allow ICMP outbound (ping); the replies come back as ESTABLISHED
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
# Allow SSH
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Incoming
# Allow ICMP incoming (ping) from the redirector only
iptables -A INPUT -p icmp -s <ip-redirector-server> -j ACCEPT
iptables -A OUTPUT -p icmp -d <ip-redirector-server> -j ACCEPT
# Allow incoming HTTPS traffic from the redirector only
iptables -A INPUT -p tcp --dport 443 -s <ip-redirector-server> -j ACCEPT
# Save rules (requires the iptables-persistent package). These rules cover
# IPv4 only: ip6tables keeps its own default policies, so disable IPv6 on the
# VPS or apply an equivalent ip6tables policy.
iptables-save > /etc/iptables/rules.v4
netfilter-persistent save
2.2.2 Havoc Installation
Install requirements:
sudo apt install -y git build-essential apt-utils cmake libfontconfig1 libglu1-mesa-dev libgtest-dev libspdlog-dev libboost-all-dev libncurses5-dev libgdbm-dev libssl-dev libreadline-dev libffi-dev libsqlite3-dev libbz2-dev mesa-common-dev qtbase5-dev qtchooser qt5-qmake qtbase5-dev-tools libqt5websockets5 libqt5websockets5-dev qtdeclarative5-dev golang-go python3-dev mingw-w64 nasm
Update go:
apt-get update
wget https://go.dev/dl/go1.21.0.linux-amd64.tar.gz
tar -xvf go1.21.0.linux-amd64.tar.gz
mv go /usr/local
# Persist the Go environment for future shells, then load it into this one
cat >> ~/.profile <<'EOF'
export GOROOT=/usr/local/go
export GOPATH=$HOME/go
export PATH=$GOPATH/bin:$GOROOT/bin:$PATH
EOF
source ~/.profile
Clone the repository:
git clone https://github.com/HavocFramework/Havoc.git
Install go dependencies:
cd Havoc/teamserver
go mod download golang.org/x/sys
go mod download github.com/ugorji/go
From the root directory of Havoc, compile the server:
make ts-build
Execute the server:
./havoc server --profile ./profiles/havoc.yaotl -v --debug &
Expose the Havoc port locally through an SSH tunnel (binding the local end to 0.0.0.0 makes port 40056 reachable from any host that can reach your machine; use 127.0.0.1 unless you need that):
ssh -N -L 0.0.0.0:40056:127.0.0.1:40056 root@167.71.14.172
Connect with havoc client:
./havoc client
2.3 Installation of GoPhish for phishing – VPS2
I decided to install GoPhish because it is very simple to use and has a friendly user interface. If you want to know more about it, you can check GoPhish’s GitHub or GoPhish’s documentation.
2.3.1 Firewall rules
As we did with the C2 server, we will deploy strict firewall rules:
#!/bin/bash
# Flush existing rules
iptables -F
iptables -X
# Default policy: DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# Allow loopback traffic
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow replies to connections we initiated and to connections we accepted.
# This stateful rule replaces "--sport" accept rules, which would let any
# remote host in simply by sending from that source port.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow outbound DNS (UDP and TCP to port 53)
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
# Allow outbound HTTP and HTTPS
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
# Allow ICMP outbound (ping)
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
# Allow outbound SMTP on port 465 (SMTP over SSL) towards the relay
iptables -A OUTPUT -p tcp --dport 465 -j ACCEPT
# Allow SSH
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Incoming
# Allow incoming HTTP traffic from the phishing redirector only
iptables -A INPUT -p tcp --dport 80 -s <phishing-redirector-ip> -j ACCEPT
# Enable logging of dropped packets (uncomment; must stay the last INPUT rule)
#iptables -A INPUT -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
# Save rules (requires the iptables-persistent package; IPv4 only, ip6tables
# keeps its own default policies)
iptables-save > /etc/iptables/rules.v4
netfilter-persistent save
2.3.2 SMTP Inbox account creation in our provider
The first thing we will do is create some email accounts with the provider where we bought our domains. We are going to use the provider’s email servers to send the emails, authenticating with that user:
2.3.3 Installation of GoPhish
To install GoPhish we will need golang-go on the server:
apt -y install golang-go
Download GoPhish:
wget https://github.com/gophish/gophish/releases/download/v0.12.1/gophish-v0.12.1-linux-64bit.zip
Create GoPhish directory:
mkdir GoPhish
Unzip GoPhish inside the directory:
unzip gophish-v0.12.1-linux-64bit.zip -d GoPhish
Inside GoPhish, add execute permission to the gophish binary:
chmod +x gophish
Since GoPhish runs as a foreground binary, we will create a systemd unit so it can run as a service. First, create the log folder:
mkdir /var/log/gophish
Create the following script inside /etc/systemd/system/gophish.service:
[Unit]
Description=GoPhish Service
After=network.target
[Service]
ExecStart=/root/GoPhish/gophish
Type=simple
User=root
WorkingDirectory=/root/GoPhish
Restart=always
PIDFile=/var/run/gophish.pid
[Install]
WantedBy=multi-user.target
Make it executable:
chmod +x gophish
Reload systemd:
sudo systemctl daemon-reload
Add the script in the system:
sudo systemctl enable gophish
Start the service:
systemctl start gophish
Create the tunnel to access the admin interface (as before, a local bind on 0.0.0.0 exposes port 3333 to anyone who can reach your machine; prefer 127.0.0.1):
ssh -N -L 0.0.0.0:3333:127.0.0.1:3333 root@134.122.121.230
Get access with the credentials configured:
Once inside, we will create a sending profile that points to the relay server we configure later in this post (section 2.5):
2.4 C2 redirector deployment – VPS3
The function of this server is basically to hide the real C2 server IP: all communication goes through this server and is always encrypted.
2.4.1 Firewall rules
As we have done with the rest of the servers, we will set up strict firewall rules that only accept the traffic between the servers, plus the public HTTP/HTTPS ports the redirector has to expose:
#!/bin/bash
# Flush existing rules
iptables -F
iptables -X
# Default policy: DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# Allow loopback traffic
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow replies to connections we initiated and to connections we accepted.
# This stateful rule replaces "--sport" accept rules, which would let any
# remote host in simply by sending from that source port.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow outbound DNS (UDP and TCP to port 53)
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
# Allow outbound HTTP and HTTPS (nginx proxies to the C2 server over 443)
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
# Allow SSH
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Allow Incoming traffic
# Allow ICMP incoming (ping)
iptables -A INPUT -p icmp -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT
# Allow incoming HTTPS traffic (public: this is the endpoint the agents talk to)
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# Allow incoming HTTP traffic (only used for the redirect to HTTPS and certbot)
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# Save rules (requires the iptables-persistent package; IPv4 only, ip6tables
# keeps its own default policies)
iptables-save > /etc/iptables/rules.v4
netfilter-persistent save
2.4.2 Creating domains for the C2 traffic
In your domain provider you will create one A record and one CNAME:
2.4.3 NGINX as Proxy Server to redirect the HTTP/S traffic to our C2 Server
We will use nginx as a reverse proxy. Install nginx:
apt install nginx
Enable nginx:
systemctl enable nginx
Start nginx:
systemctl start nginx
Create the config file for the domain:
nano /etc/nginx/sites-available/health.c2traffic.es
Configuration:
server {
    listen 80;
    listen [::]:80;
    server_name health.c2traffic.es www.health.c2traffic.es;
    location / {
        proxy_pass https://c2-server-ip/;
        include proxy_params;
    }
}
Enable the configuration:
sudo ln -s /etc/nginx/sites-available/health.c2traffic.es /etc/nginx/sites-enabled/
Install certbot:
snap install --classic certbot
Sync certbot to the system:
ln -s /snap/bin/certbot /usr/bin/certbot
Generate certificates with let’s encrypt:
certbot --nginx -d health.c2traffic.es -d www.health.c2traffic.es -v
Final nginx configuration with HTTPS:
server {
    # Redirect all HTTP traffic to HTTPS
    listen 80;
    listen [::]:80;
    server_name health.c2traffic.es www.health.c2traffic.es;
    return 301 https://$host$request_uri;
}
server {
    # Listen for HTTPS traffic
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name health.c2traffic.es www.health.c2traffic.es;
    # SSL Certificates (managed by Certbot)
    ssl_certificate /etc/letsencrypt/live/health.c2traffic.es/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/health.c2traffic.es/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    # Proxy settings
    location / {
        proxy_pass https://167.71.14.172/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Optional: Timeouts for the proxied server
        proxy_read_timeout 90;
        proxy_connect_timeout 90;
        proxy_send_timeout 90;
        # Optional: Security headers
        add_header X-Content-Type-Options nosniff;
        add_header X-Frame-Options SAMEORIGIN;
        add_header X-XSS-Protection "1; mode=block";
    }
    # Optional: Custom error pages (e.g., for 404 or 50x errors)
    error_page 404 /404.html;
    location = /404.html {
        internal;
    }
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        internal;
    }
}
Enable auto renew:
systemctl start snap.certbot.renew.service
2.5 Relay Server with postfix -VPS4
This server will be responsible for sending the emails and for hiding the phishing server behind the relay server’s IP.
2.5.1 Firewall rules
As we did before, we are going to implement strict rules:
#!/bin/bash
# Flush existing rules
iptables -F
iptables -X
# Default policy: DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# Allow loopback traffic
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow replies to connections we initiated and to connections we accepted.
# This stateful rule replaces "--sport" accept rules, which would let any
# remote host in simply by sending from that source port.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Outbound
# Allow outbound DNS (UDP and TCP to port 53)
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
# Allow outbound HTTP and HTTPS
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
# Allow outbound SMTP connections to any IP on port 465
iptables -A OUTPUT -p tcp --dport 465 -j ACCEPT
# Allow outbound SMTP on port 587 (submission to the provider's relayhost)
iptables -A OUTPUT -p tcp --dport 587 -j ACCEPT
# Allow ICMP outbound (ping)
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
# Allow SSH
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Incoming
# Allow incoming SMTP traffic on port 465 from the phishing server only
iptables -A INPUT -p tcp --dport 465 -s <phishing-server-ip> -j ACCEPT
# Allow incoming HTTPS traffic (public: the phishing redirector endpoint)
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# Allow incoming HTTP traffic (redirect to HTTPS and certbot)
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# Enable logging of dropped packets (uncomment; must stay the last INPUT rule)
#iptables -A INPUT -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
# Save rules (requires the iptables-persistent package; IPv4 only, ip6tables
# keeps its own default policies)
iptables-save > /etc/iptables/rules.v4
netfilter-persistent save
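As an added check that applies to all four firewall scripts above (sections 2.2.1, 2.3.1, 2.4.1 and 2.5.1), here is a small Python auditor of my own (not code from the post) that parses an iptables script and flags default policies that are not DROP, INPUT rules that accept on source port alone, inbound service ports not pinned to a peer IP, and a missing stateful rule. The embedded script is a constructed sample in the style of the C2 server rules, with 203.0.113.10 standing in for the redirector; the public_ports parameter lists the ports a host is expected to expose to anyone (22 by default; add 80 and 443 for a redirector).

```python
"""Audit an iptables script like the ones used on each VPS in this post."""
import shlex

# Constructed sample in the style of the C2 server rules (2.2.1), kept short.
# 203.0.113.10 stands in for the redirector IP.
SAMPLE_C2_RULES = """
#!/bin/bash
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp --sport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s 203.0.113.10 -j ACCEPT
iptables -A INPUT -p tcp --dport 40056 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
"""


def parse_rule(line):
    """Turn one iptables command into a dict flag -> value (True for bare switches)."""
    argv = shlex.split(line)
    if not argv or argv[0] != "iptables":
        return None
    opts, i = {}, 1
    while i < len(argv):
        if i + 1 < len(argv) and not argv[i + 1].startswith("-"):
            opts[argv[i]] = argv[i + 1]
            i += 2
        else:
            opts[argv[i]] = True
            i += 1
    return opts


def audit(script, public_ports=frozenset({22})):
    """Return a sorted list of findings for the INPUT side of the script.

    public_ports are the inbound ports this host is expected to expose to
    anyone (22 for SSH everywhere; add 80 and 443 on a redirector).
    """
    public = {str(p) for p in public_ports}
    findings, policies, stateful_input = [], {}, False
    for raw in script.splitlines():
        rule = parse_rule(raw.strip())
        if rule is None:
            continue
        if "-P" in rule:
            # "iptables -P CHAIN TARGET": the target is the last word on the line
            policies[rule["-P"]] = raw.split()[-1]
            continue
        if rule.get("-A") != "INPUT" or rule.get("-j") != "ACCEPT":
            continue
        if "ESTABLISHED" in str(rule.get("--state", "")):
            stateful_input = True
            continue
        if rule.get("-i") == "lo":
            continue
        # Accepting on the source port alone lets any host in by choosing that port.
        if "--sport" in rule and "-s" not in rule:
            findings.append(f"sport-only-accept:{rule['--sport']}")
        # A service port that is not meant to be public must be pinned to a peer IP.
        dport = rule.get("--dport")
        if dport and "-s" not in rule and dport not in public:
            findings.append(f"unscoped-inbound-port:{dport}")
    for chain in ("INPUT", "FORWARD", "OUTPUT"):
        if policies.get(chain) != "DROP":
            findings.append(f"policy-not-drop:{chain}")
    if not stateful_input:
        findings.append("missing-stateful-input")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE_C2_RULES):
        print(finding)
```

Run it against the real scripts with `audit(open("/path/to/firewall.sh").read())`, passing `public_ports={22, 80, 443}` for the two redirectors; an empty list means every inbound accept is either stateful, on a public port, or scoped to a peer.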
2.5.2 Postfix Relay Configuration
Install postfix:
sudo apt -y install postfix
Choose internet site:
Set up your domain, the one you are going to use for the phishing emails:
Configure the DNS:
Configure SPF, DKIM and DMARC:
Inside /etc/postfix/master.cf we will configure the server to listen on port 465, so we need to uncomment the following lines, because most providers do not allow access through port 25:
smtps inet n - y - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=
-o smtpd_relay_restrictions=permit_mynetworks,permit_sasl_authenticated,defer_unauth_destination
Inside /etc/postfix/main.cf we will configure our smtp relay:
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = no
# See <http://www.postfix.org/COMPATIBILITY_README.html> -- default to 3.6 on
# fresh installs.
compatibility_level = 3.6
# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_security_level=may
smtp_tls_CApath=/etc/ssl/certs
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = ubuntu-rd-smtp
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
# Modified to authenticate
mydestination = $myhostname, mail.phishing.domain, phishing.domain, hostname, localhost.localdomain, localhost
# Relayhost configuration
relayhost = [provider.smtp.server]:587
# Enable TLS encryption
smtp_tls_security_level = encrypt
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
# Use the CA certificate bundle to verify the relay server's certificate
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
# Authentication settings (if needed by your relay)
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_sasl_mechanism_filter = plain, login
# Remove unwanted headers
smtp_header_checks = regexp:/etc/postfix/smtp_header_checks
masquerade_domains = phishing.domain
remote_header_rewrite_domain = phishing.domain
append_dot_mydomain = yes
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 your-public-ips
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
Create the credentials file /etc/postfix/sasl_passwd (the key must match the relayhost value in main.cf exactly):
[provider.smtp.server]:587 support@phishing.domain:password
Change the permissions and create a hash database:
chmod 600 /etc/postfix/sasl_passwd
postmap /etc/postfix/sasl_passwd
Create the file /etc/postfix/smtp_header_checks with the headers to drop:
/^Received:.*/ IGNORE
/^X-Originating-IP:/ IGNORE
/^X-Mailer:/ IGNORE
/^Mime-Version:/ IGNORE
Compile the headers rule:
sudo postmap /etc/postfix/smtp_header_checks
Include the checks in master.cf as an extra -o line under the smtps service enabled above:
-o header_checks=regexp:/etc/postfix/smtp_header_checks
Restart the service:
systemctl restart postfix
Test send emails:
echo "Test email" | mail -s "Test Subject" -r "support <support@phishing.domain>" your-email@gmail.com
2.5.3 Nginx Proxy Server to redirect the phishing traffic
Install nginx:
apt install nginx
Enable nginx:
systemctl enable nginx
Start nginx:
systemctl start nginx
Create the config file for the domain:
nano /etc/nginx/sites-available/phishing.domain
Configuration:
server {
    listen 80;
    listen [::]:80;
    server_name phishing.domain www.phishing.domain;
    location / {
        proxy_pass http://ip-phishing-server/;
        include proxy_params;
    }
}
Enable the configuration:
sudo ln -s /etc/nginx/sites-available/phishing.domain /etc/nginx/sites-enabled/
Install certbot:
snap install --classic certbot
Sync certbot to the system:
ln -s /snap/bin/certbot /usr/bin/certbot
Generate certificates:
certbot --nginx -d phishing.domain -d www.phishing.domain
Final nginx configuration:
server {
    # Redirect all HTTP traffic to HTTPS
    listen 80;
    listen [::]:80;
    server_name phishing.domain www.phishing.domain;
    return 301 https://$host$request_uri;
}
server {
    # Listen for HTTPS traffic
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name phishing.domain www.phishing.domain;
    # SSL Certificates (managed by Certbot)
    ssl_certificate /etc/letsencrypt/live/phishing.domain/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/phishing.domain/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    # Proxy settings for all other paths
    location / {
        proxy_pass http://phishing-server-ip/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Optional: Timeouts for the proxied server
        proxy_read_timeout 90;
        proxy_connect_timeout 90;
        proxy_send_timeout 90;
        # Optional: Security headers
        add_header X-Content-Type-Options nosniff;
        add_header X-Frame-Options SAMEORIGIN;
        add_header X-XSS-Protection "1; mode=block";
    }
    # Serve local files for /download/ to deliver the C2 payloads
    location /download/ {
        root /var/www/html/;
        autoindex on;             # Optional: Enable directory listing
        autoindex_exact_size off; # Optional: Human-readable file sizes
        autoindex_format html;    # Optional: HTML format for listing
    }
    # Optional: Custom error pages (e.g., for 404 or 50x errors)
    error_page 404 /404.html;
    location = /404.html {
        internal;
    }
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        internal;
    }
}
Enable auto renew:
systemctl start snap.certbot.renew.service
3. SSH Fail2Ban for ALL the servers
Install Fail2Ban:
apt -y install fail2ban
Enable the service:
systemctl enable fail2ban
Start the service:
systemctl start fail2ban
Create a local configuration by copying the default file:
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Edit the configuration file:
nano /etc/fail2ban/jail.local
Modify the following values in the [DEFAULT] section:
bantime = 1d
findtime = 10m
maxretry = 3
If you are using iptables as the firewall, the ban action configuration should point to iptables:
Then, in the [sshd] section, enable the protection for the SSH service:
enabled = true
Restart the service:
systemctl restart fail2ban
After some time, check the jail status and the list of banned IPs:
fail2ban-client status sshd
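To see what the three values above mean in practice, here is an added example of my own (not code from the post or from Fail2ban) that applies the sshd jail settings bantime = 1d, findtime = 10m and maxretry = 3 to constructed auth.log lines. The failure regex is a simplification of Fail2ban's own sshd filter, the addresses are documentation ranges, and the log year is assumed to be 2025 because syslog timestamps carry none.

```python
"""Simulate the sshd jail settings from this post (bantime = 1d, findtime = 10m,
maxretry = 3) over sample /var/log/auth.log lines."""
import re
from datetime import datetime, timedelta

BANTIME = timedelta(days=1)
FINDTIME = timedelta(minutes=10)
MAXRETRY = 3

# Constructed sample lines in the syslog format sshd writes; 198.51.100.7 and
# 192.0.2.44 are documentation addresses, not real hosts.
SAMPLE_AUTH_LOG = """\
Mar  3 10:00:01 vps sshd[1201]: Failed password for root from 198.51.100.7 port 51022 ssh2
Mar  3 10:02:15 vps sshd[1207]: Failed password for invalid user admin from 198.51.100.7 port 51044 ssh2
Mar  3 10:03:40 vps sshd[1210]: Accepted publickey for root from 203.0.113.5 port 40012 ssh2
Mar  3 10:05:09 vps sshd[1215]: Failed password for root from 198.51.100.7 port 51090 ssh2
Mar  3 10:06:00 vps sshd[1220]: Failed password for root from 192.0.2.44 port 33001 ssh2
Mar  3 10:30:00 vps sshd[1301]: Failed password for root from 192.0.2.44 port 33002 ssh2
Mar  3 10:31:00 vps sshd[1302]: Failed password for root from 192.0.2.44 port 33003 ssh2
"""

# Simplified version of Fail2ban's sshd failregex: timestamp, host and source IP.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def parse_ts(ts, year=2025):
    """auth.log timestamps carry no year; assume one so they can be compared."""
    return datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")


def bans(log_text):
    """Return {ip: ban_start} for each IP with MAXRETRY failures inside FINDTIME."""
    failures = {}  # ip -> timestamps of failures still inside the findtime window
    banned = {}    # ip -> time the ban started
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ip, when = m.group("ip"), parse_ts(m.group("ts"))
        if ip in banned and when < banned[ip] + BANTIME:
            continue  # still banned: the firewall would have dropped this attempt
        # Keep only the failures that fall inside the findtime window
        window = [t for t in failures.get(ip, []) if when - t <= FINDTIME]
        window.append(when)
        failures[ip] = window
        if len(window) >= MAXRETRY:
            banned[ip] = when
            failures[ip] = []
    return banned


if __name__ == "__main__":
    for ip, start in bans(SAMPLE_AUTH_LOG).items():
        print(f"{ip} banned at {start:%H:%M:%S} for {BANTIME}")
```

In the sample, 198.51.100.7 is banned on its third failure at 10:05:09, while 192.0.2.44 is not, because its first failure falls outside the 10 minute window of the later two.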
4. Proof of Concept
The proof of concept does not cover how to evade EDR or AV. We will focus on the delivery of the payload through phishing and on how the infrastructure has been deployed. We will also see how to run a phishing campaign with GoPhish, simulating two different scenarios: in the first, the user receives an email asking them to enter their credentials; in the second, the user is told to download a critical update, which in reality is the Havoc agent used to control the target.
During the process of this proof of concept we will check also the headers of the email and the traffic generated by our C2 agent to see that everything is encrypted.
I hope you enjoy this PoC:
5. Conclusion
As you can see, deploying a red team infrastructure is not that easy, and it is much more complex when you want to deploy it securely. I would also say that we can add further security improvements to the infrastructure, such as one more server running syslog with a dashboard to collect all the logs and monitor the infrastructure more actively. Obviously, all the software should be customized to our needs.
Thanks for visiting the post. I hope you enjoy the post and the video. Remember to follow me on my social networks:
Github
Hack The Box