Using SSH Tunneling to secure C2 infra

Pesky AV vendors keep scanning my stuff >:C

Why do I need to protect my C2 infra?

Because scanner monkeys (and sometimes pesky security vendors) like to scan the internet for known C2 signatures, e.g. Cobalt Strike teamservers, and then poke at them by trying to reach their offensive capabilities such as system profilers and stagers. One example is the researchers who started fingerprinting Cobalt Strike teamservers using an anomalous trailing space in the HTTP status line emitted by NanoHTTPD, the web server bundled with the teamserver. Or the time I woke up to this monstrosity:

and this:

User : me *
Computer Name : W7SB64-01
External IP : 184.185.5.53
Internal IP : 172.16.28.12
Arch : x64, @CodeX

Which, according to this Black Hat article, is Comodo messing with my beacons >:C

Securing my teamservers

Whitelist IP Ranges

The simplest way to keep random stuff from reaching my teamserver was to whitelist the IP ranges I expected traffic to come from. So normally I would whitelist the IP ranges of, say, a country or state I expected callbacks to come from. That way, if random security vendors (or these guys) start masscanning the internet, my IP won't even be contactable.

Disable Payload staging

Next, I disabled payload staging. Since anyone can hit the stager endpoint and grab a copy of your artifacts, payload staging is an OPSEC concern. According to the official Cobalt Strike documentation, this is done by setting host_stage to false in the Malleable C2 profile (set host_stage "false";). I know, not being able to stage a full Beacon from a 12 KB stager is a little bit sad, but at least AV vendors can't instantly grab a copy of my artifacts and build detections for my Artifact Kit output. That said, there's another way of detecting teamservers: by logging in normally.

SSH Tunneling

This is the response you get when you try to log in to a non-Cobalt Strike server with the Cobalt Strike client:

And this is what you get when you try to log in to a real teamserver with an incorrect password:

I'm not entirely sure how efficient it would be to fingerprint teamservers this way, but I don't want ANYBODY trying to fingerprint my box as a Cobalt Strike teamserver (maybe because I borrowed this box from a friend, and he really doesn't want his IP to get blacklisted as a teamserver). So, what can I do to prevent login attempts?

I could just use a nonstandard port instead of 50050 for the client login, but there's still the chance that someone stumbles across it while scanning a larger port range. So I decided to use a very simple trick to stop people from even being able to attempt a login: SSH tunneling. I set up iptables rules that allow traffic to the login port only from 127.0.0.1 (the loopback interface) and reject it from everywhere else (0.0.0.0/0). Outsiders who try to connect to it just get connection refused. (That's what a REJECT rule gives them; a DROP rule would make them time out instead, which works too.) If the box also has an IPv6 address, the same rules need to go into ip6tables, and the rules need to be saved so they survive a reboot.

All I need to do to log in is create an SSH tunnel from my box to the server with the following command:

ssh user@my.ip.here -L 50050:127.0.0.1:50050

Now everything I send to 127.0.0.1:50050 on my box goes through the SSH tunnel and comes out on the server as a connection to its own 127.0.0.1:50050, which is exactly what the iptables rule allows. So I point the Cobalt Strike client at 127.0.0.1:50050 and log in normally!
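Here is the whole procedure as a script, added here as an example rather than code from the original post: a pre-flight check that the Malleable C2 profile really has host_stage set to false, the iptables rules that confine the client port to loopback, and the ssh command for the tunnel. It assumes iptables is the firewall on the teamserver and that the client port is 50050 (both are assumptions and both are arguments); the function names and the DRY_RUN switch are mine, not Cobalt Strike's.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post.
# Assumptions: iptables on the teamserver, client port 50050 by default,
# profile path supplied by the caller.
set -eu

# Return 0 if the Malleable C2 profile disables payload staging
# (set host_stage "false";), 1 otherwise. Commented-out lines do not count.
profile_staging_disabled() {
    grep -Eq '^[[:space:]]*set[[:space:]]+host_stage[[:space:]]+"false"[[:space:]]*;' "$1"
}

# Print the iptables rules that restrict the client port to loopback.
# Loopback connections arrive on interface lo, so "-i lo" is the allow rule.
# REJECT with tcp-reset is what gives a remote scanner "connection refused";
# DROP would leave it hanging until its connect() times out.
# Both are inserted at the top of INPUT so no earlier ACCEPT rule can win.
teamserver_lockdown_rules() {
    local port="${1:-50050}"
    cat <<EOF
iptables -I INPUT 1 -p tcp --dport $port -i lo -j ACCEPT
iptables -I INPUT 2 -p tcp --dport $port -j REJECT --reject-with tcp-reset
EOF
}

# Apply the rules on the teamserver (needs root). DRY_RUN=1 only prints them,
# which is handy for reviewing what is about to change.
# Repeat with ip6tables if the host has a public IPv6 address.
teamserver_lockdown() {
    local port="${1:-50050}"
    if [ "${DRY_RUN:-0}" = "1" ]; then
        teamserver_lockdown_rules "$port"
    else
        teamserver_lockdown_rules "$port" | while IFS= read -r rule; do
            eval "$rule"
        done
    fi
}

# Build the ssh command to run on the operator box: local $port is forwarded
# through the SSH session and exits on the server as 127.0.0.1:$port, i.e. the
# only source address the iptables rules let through. -N opens no remote shell.
ssh_tunnel_cmd() {
    local user="$1" host="$2" port="${3:-50050}"
    printf 'ssh -N -L %s:127.0.0.1:%s %s@%s\n' "$port" "$port" "$user" "$host"
}
```

On the teamserver, check the profile first (profile_staging_disabled ./my.profile), then run teamserver_lockdown 50050 as root (DRY_RUN=1 first to see the rules). On the operator box, run the command printed by ssh_tunnel_cmd user my.ip.here and point the Cobalt Strike client at 127.0.0.1:50050. The page's own command does the same without -N; -N just keeps the session from opening a shell you do not need.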

You can combine this with redirectors to keep vendors even further away from your teamserver:

Cobalt Strike Redirectors
