Deploying Secure Red Team Infrastructure

Welcome to a new post, where we are going to see how to deploy a secure Red Team infrastructure. We will see how to deploy legitimate services to perform phishing and how to hide our C2 traffic inside the HTTPS protocol.

Disclaimer

The information provided in this post is intended for educational purposes only. The techniques, tools, and methodologies discussed are designed to help cybersecurity professionals and enthusiasts understand how to deploy a red team infrastructure in a controlled and lawful environment.

By accessing this content, you agree to use the information responsibly and only in environments where you have explicit authorization to perform testing or simulations. Unauthorized use of these techniques on systems without proper consent may violate local, national, or international laws, and such actions could lead to severe legal consequences.

Neither the author nor this post assumes any responsibility or liability for misuse of the information provided. Always prioritize ethical practices, respect for privacy, and compliance with applicable laws and regulations.

1. Initial information

The creation of this infrastructure has been done with Digital Ocean (the creation of the servers is not covered in this post). I’ve created 4 VPS servers that have different purposes:

1.1 Summary of the infrastructure

Since I want to learn how to deploy a fully operational red team infrastructure, I will deploy the following servers:

Function                         | Minimal Setup
C2 Server (Havoc)                | 1 VPS
Phishing Server/payloads         | 1 VPS
Redirector for C2                | 1 VPS
Redirector for Phishing/payloads | 1 VPS

The ideal scenario would be 6 or even 8 servers, something like this:

Function                            | Minimal Setup
C2 Server (Havoc)                   | 1 VPS
Phishing Server                     | 1 VPS
Payload Server                      | 1 VPS
Long term C2 Server                 | 1 VPS
Redirector for C2                   | 1 VPS
Redirector for Phishing/payloads    | 1 VPS
Redirector for Payload Server       | 1 VPS
Redirector for long term C2 Server  | 1 VPS

1.2 Detailed infrastructure information

The physical requirements are the following:

Name                    | Role                    | IP | CPU     | RAM  | Storage  | OS               | Notes
c2 server               | C2 Server               | x  | 2 vCPUs | 2 GB | 20-40 GB | Ubuntu 22.04 LTS | Upgrade to 4 vCPUs/4 GB RAM for >50 targets.
phishing server         | Phishing Server         | x  | 1 vCPU  | 1 GB | 25 GB    | Ubuntu 22.04 LTS | CDN recommended for large file payloads.
Redirector for C2       | Redirector for C2       | x  | 1 vCPU  | 1 GB | 25 GB    | Ubuntu 22.04 LTS | High-speed network connection is critical.
Redirector for phishing | Redirector for phishing | x  | 1 vCPU  | 1 GB | 25 GB    | Ubuntu 22.04 LTS | High-speed network connection is critical.

1.3 Selection of domain

For this part I recommend at least 2 domains: one for the phishing phase and the other for the C2 traffic:

Domain                 | Provider
soft.example.com       | Your preference
mail.example.com       | Your preference
health.c2traffic.com   | Your preference

1.4 Final red team infrastructure

The final diagram about what we are going to have:

2. Initial set up for the servers

2.1 Update the servers

Initial update after the installation:

apt -y update
apt -y upgrade

2.2 Installation of Havoc into the C2 Server – VPS1

For those who do not know what Havoc C2 is, you can find great information on Havoc’s GitHub or in Havoc’s documentation. I also recommend the blog of my buddy «P4P1», where he has very good reviews and walk-through posts.

The first step before installing Havoc is to establish good firewall rules.

2.2.1 Firewall configuration

The default policy will be DROP. We will configure our firewall to make sure we only accept the traffic we want:

#!/bin/bash

# Flush existing rules
iptables -F
iptables -X

# Default policy: DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# Allow loopback traffic
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow outbound DNS (UDP and TCP to port 53)
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --sport 53 -j ACCEPT
iptables -A INPUT -p tcp --sport 53 -j ACCEPT

# Allow outbound HTTP and HTTPS
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --sport 80 -j ACCEPT
iptables -A INPUT -p tcp --sport 443 -j ACCEPT

# Allow ICMP outbound (ping)
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

# Allow SSH
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT

# Incoming

# Allow ICMP incoming (ping)
iptables -A INPUT -p icmp -s <ip-redirector-server> -j ACCEPT
iptables -A OUTPUT -p icmp -d <ip-redirector-server> -j ACCEPT

# Allow incoming HTTPS traffic
iptables -A INPUT -p tcp --dport 443 -s <ip-redirector-server> -j ACCEPT

# Allow related and established connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Save rules (requires the iptables-persistent package, which provides /etc/iptables and netfilter-persistent)
iptables-save > /etc/iptables/rules.v4
iptables-restore < /etc/iptables/rules.v4
netfilter-persistent save
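As an added check that is not part of the original post, the script below reads the rules.v4 file that this script (and the equivalent scripts for the other three servers) writes with iptables-save, and flags the patterns a reviewer would question: a chain policy other than DROP, INPUT rules that accept packets only because of their source port (these are redundant with the ESTABLISHED,RELATED rule and admit any unsolicited packet that happens to use source port 53, 80 or 443), and restricted services such as SSH that are reachable from every source address. The two embedded dumps, the addresses in them and the `restricted_ports` parameter are constructed assumptions, not values from the post.

```python
"""Audit an iptables-save dump for inbound rules broader than the host's role needs."""
import shlex
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed sample: what `iptables-save` writes after the C2 server script above has run,
# with 203.0.113.10 standing in for <ip-redirector-server>.
C2_RULES_V4 = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 443 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 203.0.113.10/32 -p icmp -j ACCEPT
-A INPUT -s 203.0.113.10/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""

# Constructed hardened variant: replies are admitted by connection state only, and SSH is
# reachable solely from an assumed operator address 198.51.100.7.
HARDENED_RULES_V4 = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 198.51.100.7/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 203.0.113.10/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
"""

# Options that consume exactly one argument; anything else is skipped so unknown modules do not break parsing.
_ONE_ARG = {"-A", "-p", "-s", "-d", "-i", "-o", "-j", "-m", "--dport", "--sport",
            "--state", "--ctstate", "--icmp-type", "--log-prefix", "--log-level"}


@dataclass(frozen=True)
class Rule:
    chain: str
    proto: Optional[str]
    src: Optional[str]
    dport: Optional[str]
    sport: Optional[str]
    states: FrozenSet[str]
    target: Optional[str]
    raw: str


def parse_rules(text: str) -> Tuple[Dict[str, str], List[Rule]]:
    """Return (chain policies, rules) from iptables-save output."""
    policies: Dict[str, str] = {}
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#*" or line == "COMMIT":
            continue
        if line.startswith(":"):                      # ":INPUT DROP [0:0]"
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
            continue
        toks, opts, i = shlex.split(line), {}, 0
        while i < len(toks):
            if toks[i] in _ONE_ARG and i + 1 < len(toks):
                opts[toks[i]] = toks[i + 1]
                i += 2
            else:
                i += 1
        if "-A" not in opts:
            continue
        state_arg = opts.get("--state") or opts.get("--ctstate") or ""
        rules.append(Rule(chain=opts["-A"], proto=opts.get("-p"), src=opts.get("-s"),
                          dport=opts.get("--dport"), sport=opts.get("--sport"),
                          states=frozenset(s for s in state_arg.split(",") if s),
                          target=opts.get("-j"), raw=line))
    return policies, rules


def audit(text: str, restricted_ports: FrozenSet[str] = frozenset()) -> List[str]:
    """List the findings a reviewer of the rule set would raise; an empty list means clean."""
    policies, rules = parse_rules(text)
    findings: List[str] = []
    for chain in ("INPUT", "FORWARD", "OUTPUT"):
        if policies.get(chain) != "DROP":
            findings.append(f"{chain} policy is {policies.get(chain, 'missing')}, expected DROP")
    for r in rules:
        if r.chain != "INPUT" or r.target != "ACCEPT":
            continue
        if r.sport and not r.src and not r.states:
            findings.append(f"{r.raw}: admits any unsolicited packet with source port {r.sport}; "
                            "the ESTABLISHED,RELATED rule already covers replies")
        if r.dport in restricted_ports and not r.src:
            findings.append(f"{r.raw}: port {r.dport} is reachable from every source; add -s <trusted-ip>")
    return findings


if __name__ == "__main__":
    for name, dump in (("C2 script", C2_RULES_V4), ("hardened", HARDENED_RULES_V4)):
        print(f"== {name}")
        for finding in audit(dump, frozenset({"22", "443"})) or ["clean"]:
            print(" -", finding)
```

Run it against a copy of /etc/iptables/rules.v4 from each server with the ports that host should only expose to known peers; the hardened dump shows the shape that produces no findings.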

2.2.2 Havoc Installation

Install requirements:

sudo apt install -y git build-essential apt-utils cmake libfontconfig1 libglu1-mesa-dev libgtest-dev libspdlog-dev libboost-all-dev libncurses5-dev libgdbm-dev libssl-dev libreadline-dev libffi-dev libsqlite3-dev libbz2-dev mesa-common-dev qtbase5-dev qtchooser qt5-qmake qtbase5-dev-tools libqt5websockets5 libqt5websockets5-dev qtdeclarative5-dev golang-go qtbase5-dev libqt5websockets5-dev python3-dev libboost-all-dev mingw-w64 nasm

Update Go:

apt-get update
wget https://go.dev/dl/go1.21.0.linux-amd64.tar.gz
tar -xvf go1.21.0.linux-amd64.tar.gz
mv go /usr/local
# Persist the Go environment in ~/.profile so it survives a new login, then load it now
cat >> ~/.profile <<'EOF'
export GOROOT=/usr/local/go
export GOPATH=$HOME/go
export PATH=$GOPATH/bin:$GOROOT/bin:$PATH
EOF
source ~/.profile

Clone the repository:

git clone https://github.com/HavocFramework/Havoc.git

Install go dependencies:

cd Havoc/teamserver
go mod download golang.org/x/sys
go mod download github.com/ugorji/go

From the root directory of Havoc, compile the server:

make ts-build

Execute the server:

./havoc server --profile ./profiles/havoc.yaotl -v --debug &

Expose the Havoc port locally through an SSH tunnel:

ssh -N -L 0.0.0.0:40056:127.0.0.1:40056 root@167.71.14.172

Connect with the Havoc client:

./havoc client

2.3 Installation of GoPhish for phishing – VPS2

I decided to install GoPhish because it is very simple to use and has a friendly user interface. If you want to know more about it, you can check GoPhish’s GitHub or GoPhish’s documentation.

2.3.1 Firewall rules

As we did with the C2 server, we will deploy strict firewall rules:

#!/bin/bash

# Flush existing rules
iptables -F
iptables -X

# Default policy: DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# Enable log
#iptables -A INPUT -j LOG --log-prefix "IPTables-Dropped: " --log-level 4

# Allow loopback traffic
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow outbound DNS (UDP and TCP to port 53)
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --sport 53 -j ACCEPT
iptables -A INPUT -p tcp --sport 53 -j ACCEPT

# Allow outbound HTTP and HTTPS
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --sport 80 -j ACCEPT
iptables -A INPUT -p tcp --sport 443 -j ACCEPT

# Allow ICMP outbound (ping)
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

# Allow outbound SMTP on port 465 (SMTP over SSL)
iptables -A OUTPUT -p tcp --dport 465 -j ACCEPT
iptables -A INPUT -p tcp --sport 465 -j ACCEPT

# Allow SSH
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT

# Incoming

# Allow incoming HTTP traffic
iptables -A INPUT -p tcp --dport 80 -s <phishing-redirector-ip> -j ACCEPT

# Allow related and established connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Save rules
iptables-save > /etc/iptables/rules.v4
iptables-restore < /etc/iptables/rules.v4
netfilter-persistent save

2.3.2 SMTP Inbox account creation in our provider

The first thing we will do is create some email accounts with the provider where we bought our domains. We are going to use the provider’s email servers to send the emails, authenticating with that user:

2.3.3 Installation of GoPhish

To be able to install GoPhish we will need to install golang-go on the server:

apt -y install golang-go

Download GoPhish:

wget https://github.com/gophish/gophish/releases/download/v0.12.1/gophish-v0.12.1-linux-64bit.zip

Create GoPhish directory:

mkdir GoPhish

Unzip GoPhish inside the directory:

unzip gophish-v0.12.1-linux-64bit.zip -d GoPhish

Inside the GoPhish directory, add execute permission to the gophish binary:

chmod +x gophish

Since GoPhish runs as a plain executable, we will create a systemd unit so it can be managed as a service. First, we will create the following folder:

mkdir /var/log/gophish

Create the following script inside /etc/systemd/system/gophish.service:

[Unit]
Description=GoPhish Service
After=network.target

[Service]
ExecStart=/root/GoPhish/gophish
Type=simple
User=root
WorkingDirectory=/root/GoPhish
Restart=always
PIDFile=/var/run/gophish.pid

[Install]
WantedBy=multi-user.target

Make it executable:

chmod +x gophish

Reload systemd:

sudo systemctl daemon-reload

Enable the service so it starts at boot:

sudo systemctl enable gophish

Start the service:

systemctl start gophish

Create the tunnel to be able to access the platform:

ssh -N -L 0.0.0.0:3333:127.0.0.1:3333 root@134.122.121.230

Get access with the credentials configured:

Once inside, we will create a sending profile pointing to our relay server, which we will configure in the next section:

2.4 C2 redirector deployment – VPS3

The function of this server is basically to hide the real C2 server IP. Communications will go through this server and will always be encrypted.

2.4.1 Firewall rules

As we have done with the rest of the servers, we will set up strict firewall rules that accept only the traffic the redirector needs:

#!/bin/bash

# Flush existing rules
iptables -F
iptables -X

# Default policy: DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# Allow loopback traffic
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow outbound DNS (UDP and TCP to port 53)
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --sport 53 -j ACCEPT
iptables -A INPUT -p tcp --sport 53 -j ACCEPT

# Allow outbound HTTP and HTTPS
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --sport 80 -j ACCEPT
iptables -A INPUT -p tcp --sport 443 -j ACCEPT

# Allow SSH
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT

# Allow Incoming traffic

# Allow ICMP incoming (ping)
iptables -A INPUT -p icmp -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT

# Allow incoming HTTPS traffic
iptables -A INPUT -p tcp --dport 443 -j ACCEPT

# Allow incoming HTTP traffic
iptables -A INPUT -p tcp --dport 80 -j ACCEPT

# Allow related and established connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Save rules
iptables-save > /etc/iptables/rules.v4
iptables-restore < /etc/iptables/rules.v4
netfilter-persistent save

2.4.2 Creating domains for the C2 traffic

In your domain provider you will create one A record and one CNAME record:

2.4.3 NGINX as Proxy Server to redirect the HTTP/S traffic to our C2 Server

We will use nginx as proxy server. Installation of nginx:

apt install nginx

Enable nginx:

systemctl enable nginx

Start nginx:

systemctl start nginx

Create the config file for the domain:

nano /etc/nginx/sites-available/health.c2traffic.es

Configuration:

server {
    listen 80;
    listen [::]:80;

    server_name health.c2traffic.es www.health.c2traffic.es;

    location / {
        proxy_pass https://c2-server-ip/;
        include proxy_params;
    }
}

Enable the configuration:

sudo ln -s /etc/nginx/sites-available/health.c2traffic.es /etc/nginx/sites-enabled/

Install certbot:

snap install --classic certbot

Link certbot into the system path:

ln -s /snap/bin/certbot /usr/bin/certbot

Generate certificates with Let’s Encrypt:

certbot --nginx -d health.c2traffic.es -d www.health.c2traffic.es -v

Final nginx configuration with HTTPS:

server {
    # Redirect all HTTP traffic to HTTPS
    listen 80;
    listen [::]:80;
    server_name health.c2traffic.es www.health.c2traffic.es;

    return 301 https://$host$request_uri;
}

server {
    # Listen for HTTPS traffic
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name health.c2traffic.es www.health.c2traffic.es;

    # SSL Certificates (managed by Certbot)
    ssl_certificate /etc/letsencrypt/live/health.c2traffic.es/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/health.c2traffic.es/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    # Proxy settings
    location / {
        proxy_pass https://167.71.14.172/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Optional: Timeouts for the proxied server
        proxy_read_timeout 90;
        proxy_connect_timeout 90;
        proxy_send_timeout 90;

        # Optional: Security headers
        add_header X-Content-Type-Options nosniff;
        add_header X-Frame-Options SAMEORIGIN;
        add_header X-XSS-Protection "1; mode=block";
    }

    # Optional: Custom error pages (e.g., for 404 or 50x errors)
    error_page 404 /404.html;
    location = /404.html {
        internal;
    }
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        internal;
    }
}

Enable auto renew:

systemctl start snap.certbot.renew.service

2.5 Relay Server with Postfix – VPS4

This server will be responsible for sending the emails and for hiding the phishing server behind the relay server’s IP.

2.5.1 Firewall rules

As we did before, we are going to implement strict rules:

#!/bin/bash

# Flush existing rules
iptables -F
iptables -X

# Default policy: DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# Enable log
#iptables -A INPUT -j LOG --log-prefix "IPTables-Dropped: " --log-level 4

# Allow loopback traffic
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Outbound

# Allow outbound DNS (UDP and TCP to port 53)
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --sport 53 -j ACCEPT
iptables -A INPUT -p tcp --sport 53 -j ACCEPT

# Allow outbound HTTP and HTTPS
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --sport 80 -j ACCEPT
iptables -A INPUT -p tcp --sport 443 -j ACCEPT

# Allow outbound SMTP connections to any IP on port 465
iptables -A OUTPUT -p tcp --dport 465 -j ACCEPT

# Allow outbound SMTP on port 587 (modern SMTP submission)
iptables -A OUTPUT -p tcp --dport 587 -j ACCEPT
iptables -A INPUT -p tcp --sport 587 -j ACCEPT

# Allow ICMP outbound (ping)
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

# Allow SSH
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT

# Incoming

# Allow incoming SMTP traffic on port 465 from the trusted IP
iptables -A INPUT -p tcp --dport 465 -s <phishing-server-ip> -j ACCEPT

# Allow incoming HTTPS traffic
iptables -A INPUT -p tcp --dport 443 -j ACCEPT

# Allow incoming HTTP traffic
iptables -A INPUT -p tcp --dport 80 -j ACCEPT

# Allow related and established connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Save rules
iptables-save > /etc/iptables/rules.v4
iptables-restore < /etc/iptables/rules.v4
netfilter-persistent save

2.5.2 Postfix Relay Configuration

Install postfix:

sudo apt -y install postfix

Choose internet site:

Set up your domain, the one you are going to use for the phishing emails:

Configure the DNS:

Configure SPF, DKIM and DMARC:

Inside /etc/postfix/master.cf we will configure the server to listen on port 465, so we will need to uncomment the following lines, because most providers don’t allow access through port 25:

smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_mynetworks,permit_sasl_authenticated,defer_unauth_destination

Inside /etc/postfix/main.cf we will configure our SMTP relay:

# See /usr/share/postfix/main.cf.dist for a commented, more complete version

# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 3.6 on
# fresh installs.
compatibility_level = 3.6

# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_security_level=may

smtp_tls_CApath=/etc/ssl/certs
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = ubuntu-rd-smtp
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname

# Modified to authenticate
mydestination = $myhostname, mail.phishing.domain, phishing.domain, hostname, localhost.localdomain, localhost

# Relayhost configuration
relayhost = [provider.smtp.server]:587

# Enable TLS encryption
smtp_tls_security_level = encrypt
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3

# Use the CA certificate bundle to verify the relay server's certificate
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

# Authentication settings (if needed by your relay)
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_sasl_mechanism_filter = plain, login

# Remove unwanted headers
smtp_header_checks = regexp:/etc/postfix/smtp_header_checks

masquerade_domains = phishing.domain
remote_header_rewrite_domain = phishing.domain
append_dot_mydomain = yes

mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 your-public-ips
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all

Create file with credentials /etc/postfix/sasl_passwd:

[smtp-provider-server]:587 support@phishing.domain:password

Change the permissions and create a hash database:

chmod 600 /etc/postfix/sasl_passwd
postmap /etc/postfix/sasl_passwd

Create the file /etc/postfix/smtp_header_checks that deletes the headers:

/^Received:.*/              IGNORE
/^X-Originating-IP:/    IGNORE
/^X-Mailer:/            IGNORE
/^Mime-Version:/        IGNORE

Compile the headers rule:

sudo postmap /etc/postfix/smtp_header_checks

Include the checks in master.cf:

-o header_checks=regexp:/etc/postfix/smtp_header_checks
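As an added example that is not code from the original post or from Postfix, the script below emulates how Postfix evaluates the regexp table above, following regexp_table(5): one `/pattern/flags ACTION` per line, matching is case-insensitive unless the `i` flag toggles that off, the first matching line wins, and IGNORE deletes the whole logical (unfolded) header. It then shows the side effect of the `/^Mime-Version:/` line that a receiving mail gateway can key on: a message that still carries a multipart Content-Type but no MIME-Version header. The message, addresses and the `SampleMailer` header value are constructed samples.

```python
"""Emulate a Postfix regexp header_checks table and the receiver-side artefact it leaves behind."""
import re
from typing import List, Optional, Tuple

# The table from the post, verbatim.
HEADER_CHECKS = """\
/^Received:.*/              IGNORE
/^X-Originating-IP:/    IGNORE
/^X-Mailer:/            IGNORE
/^Mime-Version:/        IGNORE
"""

# Constructed outbound message as it might arrive at the relay from the phishing server.
SAMPLE_MESSAGE = """\
Received: from gophish.internal (10.10.0.5)
\tby relay.phishing.domain with ESMTPS; Mon, 15 Jan 2024 10:00:00 +0000
From: support <support@phishing.domain>
To: user@example.com
Subject: Test Subject
X-Mailer: SampleMailer/1.0
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

Test email
--b1--
"""

# "!" negates the pattern; flags are i (toggle case folding), m (multiline), x (extended).
_RULE_RE = re.compile(r"^(!?)/((?:\\.|[^\\/])*)/([imx]*)\s+(\S+)")


def parse_regexp_table(text: str) -> List[Tuple[bool, "re.Pattern[str]", str]]:
    """Return (negated, compiled pattern, action) per rule; blank lines and comments are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable regexp table line: {line!r}")
        negated, pattern, flags, action = m.groups()
        re_flags = 0 if "i" in flags else re.IGNORECASE   # case folding is on by default; "i" turns it off
        if "m" in flags:
            re_flags |= re.MULTILINE
        if "x" in flags:
            re_flags |= re.VERBOSE
        rules.append((negated == "!", re.compile(pattern, re_flags), action.upper()))
    return rules


def logical_headers(raw: str) -> Tuple[List[str], str]:
    """Split a message into unfolded header lines and the body; Postfix matches unfolded headers."""
    head, _, body = raw.partition("\n\n")
    headers: List[str] = []
    for line in head.splitlines():
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += "\n" + line        # continuation line belongs to the previous header
        else:
            headers.append(line)
    return headers, body


def first_action(rules, header: str) -> Optional[str]:
    """First matching rule wins, exactly as Postfix evaluates the table top to bottom."""
    for negated, pattern, action in rules:
        if bool(pattern.search(header)) != negated:
            return action
    return None


def apply_header_checks(table: str, raw: str) -> Tuple[str, List[str]]:
    """Return (rewritten message, names of the headers IGNORE removed)."""
    rules = parse_regexp_table(table)
    headers, body = logical_headers(raw)
    kept, removed = [], []
    for header in headers:
        if first_action(rules, header) == "IGNORE":
            removed.append(header.split(":", 1)[0])
        else:
            kept.append(header)
    return "\n".join(kept) + "\n\n" + body, removed


def mime_inconsistency(raw: str) -> bool:
    """Receiver-side check: a Content-Type header with no MIME-Version, which RFC 2045 requires alongside it."""
    names = {h.split(":", 1)[0].lower() for h in logical_headers(raw)[0]}
    return "content-type" in names and "mime-version" not in names


if __name__ == "__main__":
    rewritten, removed = apply_header_checks(HEADER_CHECKS, SAMPLE_MESSAGE)
    print("removed:", removed)
    print("MIME inconsistency after relay:", mime_inconsistency(rewritten))
```

The last check is the defender's angle: the receiving MTA adds its own Received headers, so their absence is not a reliable signal, but a multipart message without MIME-Version is malformed per RFC 2045 and is something an inbound mail filter can score on.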

Restart the service:

systemctl restart postfix

Test sending an email:

echo "Test email" | mail -s "Test Subject" -r "support <support@phishing.domain>" your-email@gmail.com

2.5.3 Nginx Proxy Server to redirect the phishing traffic

Install nginx:

apt install nginx

Enable nginx:

systemctl enable nginx

Start nginx:

systemctl start nginx

Create the config file for the domain:

nano /etc/nginx/sites-available/phishing.domain

Configuration:

server {
    listen 80;
    listen [::]:80;

    server_name phishing.domain www.phishing.domain;

    location / {
        proxy_pass http://ip-phishing-server/;
        include proxy_params;
    }
}

Enable the configuration:

sudo ln -s /etc/nginx/sites-available/phishing.domain /etc/nginx/sites-enabled/

Install certbot:

snap install --classic certbot

Link certbot into the system path:

ln -s /snap/bin/certbot /usr/bin/certbot

Generate certificates:

certbot --nginx -d phishing.domain -d www.phishing.domain

Final nginx configuration:

server {
    # Redirect all HTTP traffic to HTTPS
    listen 80;
    listen [::]:80;
    server_name phishing.domain www.phishing.domain;

    return 301 https://$host$request_uri;
}

server {
    # Listen for HTTPS traffic
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name phishing.domain www.phishing.domain;

    # SSL Certificates (managed by Certbot)
    ssl_certificate /etc/letsencrypt/live/phishing.domain/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/phishing.domain/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    # Proxy settings for all other paths
    location / {
        proxy_pass http://phishing-server-ip/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Optional: Timeouts for the proxied server
        proxy_read_timeout 90;
        proxy_connect_timeout 90;
        proxy_send_timeout 90;

        # Optional: Security headers
        add_header X-Content-Type-Options nosniff;
        add_header X-Frame-Options SAMEORIGIN;
        add_header X-XSS-Protection "1; mode=block";
    }

    # Serve local files for /download/ to deliver the C2 payloads
    location /download/ {
        root /var/www/html/;
        autoindex on;                       # Optional: Enable directory listing
        autoindex_exact_size off;           # Optional: Human-readable file sizes
        autoindex_format html;              # Optional: HTML format for listing
    }

    # Optional: Custom error pages (e.g., for 404 or 50x errors)
    error_page 404 /404.html;
    location = /404.html {
        internal;
    }
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        internal;
    }
}

Enable auto renew:

systemctl start snap.certbot.renew.service

3. SSH Fail2Ban for ALL the servers

Install Fail2Ban:

apt -y install fail2ban

Enable the service:

systemctl enable fail2ban

Start the service:

systemctl start fail2ban

Start a new configuration by copying the default conf file:

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Edit the configuration file:

nano /etc/fail2ban/jail.local

Modify the following values:

bantime  = 1d
findtime  = 10m
maxretry = 3

In case you are using iptables as the firewall, the following configuration should point to iptables:

Then, we will enable the protection for the SSH service:

enabled = true

Restart the service:

systemctl restart fail2ban

After some time, check the banned IPs:

fail2ban-client status sshd
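As an added example, not part of the original post or of Fail2Ban itself, the script below replays the three values set above (bantime, findtime, maxretry) over a constructed auth.log excerpt, so the interaction between them is visible: failures are counted per source address inside a sliding findtime window, the address is banned when the count reaches maxretry, and further failures from a banned address are ignored until bantime expires. The log lines, hostnames and addresses are constructed, the year is assumed because syslog timestamps carry none, and the failure pattern is a simplified stand-in for the sshd filter, not Fail2Ban's own regex.

```python
"""Replay Fail2Ban's bantime/findtime/maxretry policy over constructed sshd log lines."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict

# Constructed auth.log excerpt: one address hammering SSH, one probing slowly, one legitimate login.
AUTH_LOG = """\
Jan 14 10:00:01 c2 sshd[1201]: Failed password for root from 198.51.100.23 port 51234 ssh2
Jan 14 10:00:05 c2 sshd[1202]: Failed password for invalid user admin from 198.51.100.23 port 51240 ssh2
Jan 14 10:00:09 c2 sshd[1203]: Failed password for root from 198.51.100.23 port 51244 ssh2
Jan 14 10:00:30 c2 sshd[1204]: Failed password for root from 198.51.100.23 port 51250 ssh2
Jan 14 10:02:00 c2 sshd[1210]: Failed password for root from 203.0.113.9 port 40000 ssh2
Jan 14 10:20:00 c2 sshd[1220]: Failed password for root from 203.0.113.9 port 40001 ssh2
Jan 14 10:40:00 c2 sshd[1230]: Failed password for root from 203.0.113.9 port 40002 ssh2
Jan 14 10:41:00 c2 sshd[1240]: Accepted publickey for ops from 192.0.2.50 port 50000 ssh2
"""
LOG_YEAR = 2024  # assumed: syslog timestamps carry no year, and the lines must be ordered in time

_TS_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2})")
# Simplified stand-in for the sshd filter's failure regex, not Fail2Ban's own.
_FAIL_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+) port \d+")
_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_duration(value: str) -> timedelta:
    """Accept the shorthand used in jail.local: bare seconds or a number suffixed with s, m, h or d."""
    m = re.fullmatch(r"(\d+)\s*([smhd]?)", value.strip())
    if not m:
        raise ValueError(f"unsupported duration: {value!r}")
    return timedelta(seconds=int(m.group(1)) * _UNITS[m.group(2) or "s"])


def simulate_bans(log: str, bantime: str = "1d", findtime: str = "10m", maxretry: int = 3) -> Dict[str, datetime]:
    """Return {ip: time of first ban} for addresses reaching maxretry failures inside one findtime window."""
    window, ban_length = parse_duration(findtime), parse_duration(bantime)
    attempts: Dict[str, Deque[datetime]] = defaultdict(deque)
    banned_until: Dict[str, datetime] = {}
    bans: Dict[str, datetime] = {}
    for line in log.splitlines():
        ts_match, fail_match = _TS_RE.match(line), _FAIL_RE.search(line)
        if not ts_match or not fail_match:
            continue                      # successful logins and unrelated lines do not count
        ts = datetime.strptime(f"{ts_match.group(1)} {LOG_YEAR}", "%b %d %H:%M:%S %Y")
        ip = fail_match.group(1)
        if ip in banned_until and ts < banned_until[ip]:
            continue                      # the firewall rule Fail2Ban inserted would have dropped this
        recent = attempts[ip]
        recent.append(ts)
        while recent and ts - recent[0] > window:
            recent.popleft()              # slide the findtime window forward
        if len(recent) >= maxretry:
            bans.setdefault(ip, ts)
            banned_until[ip] = ts + ban_length
            recent.clear()
    return bans


if __name__ == "__main__":
    for ip, when in simulate_bans(AUTH_LOG, bantime="1d", findtime="10m", maxretry=3).items():
        print(f"{ip} banned at {when:%b %d %H:%M:%S}")
```

With the values from the post the fast attacker is banned on its third failure while the slow one, spacing attempts 18 minutes apart, never accumulates three failures inside a 10-minute window; widening findtime to 1h catches it, which is the trade-off those two settings express.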

4. Proof of Concept

The proof of concept does not cover how to evade EDR or AV. We will focus on the delivery of the payload through phishing and on how the infrastructure has been deployed. We will also see how to perform a phishing campaign with GoPhish, simulating two different scenarios: in one, the user receives an email asking them to enter their credentials; in the other, the user is asked to download a critical update that is in reality the Havoc agent used to control the target.

During this proof of concept we will also check the headers of the email and the traffic generated by our C2 agent, to verify that everything is encrypted.

I hope you enjoy this PoC:

5. Conclusion

As you can see, deploying a red team infrastructure is not that easy, and it is much more complex when you want to deploy it securely. I would also say that we can add more security improvements to our infrastructure, such as one more server running syslog with a dashboard to collect all the logs and monitor our infrastructure more actively. Obviously, we should customize all the software to our needs.


Thanks for visiting the post. I hope you enjoy the post and the video. Remember to follow me on my social networks:

Linkedin

Twitter

Github

Hack The Box
