Infrastructure

Nebula

Install:

$ sudo mkdir -p /opt/nebula/certs
$ sudo eget -s linux/amd64 --download-only "slackhq/nebula" --to /opt/nebula && cd /opt/nebula
$ sudo tar -xzvf nebula-linux-amd64.tar.gz && sudo rm nebula-linux-amd64.tar.gz
$ sudo mv nebula-cert certs && cd certs

Make certs for the lighthouse, teamserver and proxy (redirector):

$ sudo ./nebula-cert ca -name 'hax0r1337, Inc.'
$ sudo ./nebula-cert sign -name lighthouse -ip "10.10.13.1/24"
$ sudo ./nebula-cert sign -name teamserver -ip "10.10.13.2/24" -groups "teamservers"
$ sudo ./nebula-cert sign -name proxy1 -ip "10.10.13.37/24" -groups "proxies"

Configs:

lighthouse.yml

pki:
  ca: /opt/nebula/certs/ca.crt
  cert: /opt/nebula/certs/lighthouse.crt
  key: /opt/nebula/certs/lighthouse.key

static_host_map:
  "10.10.13.1": ["<LIGHTHOUSE_IP>:4242"]

lighthouse:
  am_lighthouse: true

listen:
  host: 0.0.0.0
  port: 4242

punchy:
  punch: true

tun:
  disabled: false
  dev: nebula1
  drop_local_broadcast: false
  drop_multicast: false
  tx_queue: 500
  mtu: 1300
  routes:
  unsafe_routes:

logging:
  level: info
  format: text

firewall:
  conntrack:
    tcp_timeout: 12m
    udp_timeout: 3m
    default_timeout: 10m
    max_connections: 100000

  outbound:
    - port: any
      proto: any
      host: any

  inbound:
    - port: any
      proto: icmp
      host: any
    
    - port: 4789
      proto: any
      host: any

    - port: 22
      proto: any
      cidr: 10.10.13.0/24

teamserver.yml

pki:
  ca: /opt/nebula/certs/ca.crt
  cert: /opt/nebula/certs/teamserver.crt
  key: /opt/nebula/certs/teamserver.key

static_host_map:
  "10.10.13.1": ["<LIGHTHOUSE_IP>:4242"]

lighthouse:
  am_lighthouse: false
  interval: 60
  hosts:
    - "10.10.13.1"

listen:
  host: 0.0.0.0
  port: 4242

punchy:
  punch: true

tun:
  disabled: false
  dev: nebula1
  drop_local_broadcast: false
  drop_multicast: false
  tx_queue: 500
  mtu: 1300
  routes:
  unsafe_routes:

logging:
  level: info
  format: text

firewall:
  conntrack:
    tcp_timeout: 12m
    udp_timeout: 3m
    default_timeout: 10m
    max_connections: 100000

  outbound:
    - port: any
      proto: any
      host: any

  inbound:
    - port: any
      proto: icmp
      host: any

    - port: any
      proto: tcp
      group: proxies

    - port: 80
      proto: any
      host: any

    - port: 443
      proto: any
      host: any

    - port: 4789
      proto: any
      host: any

    - port: 22
      proto: any
      cidr: 10.10.13.0/24

proxy1.yml

pki:
  ca: /opt/nebula/certs/ca.crt
  cert: /opt/nebula/certs/proxy1.crt
  key: /opt/nebula/certs/proxy1.key

static_host_map:
  "10.10.13.1": ["<LIGHTHOUSE_IP>:4242"]

lighthouse:
  am_lighthouse: false
  interval: 60
  hosts:
    - "10.10.13.1"

listen:
  host: 0.0.0.0
  port: 4242

punchy:
  punch: true

tun:
  disabled: false
  dev: nebula1
  drop_local_broadcast: false
  drop_multicast: false
  tx_queue: 500
  mtu: 1300
  routes:
  unsafe_routes:

logging:
  level: info
  format: text

firewall:
  conntrack:
    tcp_timeout: 12m
    udp_timeout: 3m
    default_timeout: 10m
    max_connections: 100000

  outbound:
    - port: any
      proto: any
      host: any

  inbound:
    - port: any
      proto: icmp
      host: any

    - port: 80
      proto: any
      host: any

    - port: 443
      proto: any
      host: any

    - port: 4789
      proto: any
      host: any

    - port: 22
      proto: any
      cidr: 10.10.13.0/24

Systemd unit:

/etc/systemd/system/nebula.service

[Unit]
Description=nebula
Wants=basic.target
After=basic.target network.target

[Service]
SyslogIdentifier=nebula
ExecReload=/bin/kill -HUP $MAINPID
ExecStart=/opt/nebula/nebula -config /opt/nebula/<CONFIG>.yml
Restart=always

[Install]
WantedBy=multi-user.target

Caddy

Install from apt:

$ sudo apt install debian-keyring debian-archive-keyring apt-transport-https -y
$ curl -1sLf https://dl.cloudsmith.io/public/caddy/stable/gpg.key | sudo tee /etc/apt/trusted.gpg.d/caddy-stable.asc
$ curl -1sLf https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt | sudo tee /etc/apt/sources.list.d/caddy-stable.list
$ sudo apt update
$ sudo apt install caddy -y

Install from a release:

$ eget -qs linux/amd64 "caddyserver/caddy" --to /tmp/caddy.deb
$ sudo dpkg -i /tmp/caddy.deb && rm /tmp/caddy.deb

Configure and run:

$ sudo rm /etc/caddy/Caddyfile && sudo vi /etc/caddy/Caddyfile
$ sudo systemctl restart caddy
$ sudo systemctl status caddy

Manually requesting Let's Encrypt certificate:

$ sudo apt install certbot -y
$ sudo certbot certonly --standalone -d example.com --register-unsafely-without-email --agree-tos
$ sudo mkdir -p /opt/caddy/ssl
$ sudo cp /etc/letsencrypt/live/example.com/{fullchain.pem,privkey.pem} /opt/caddy/ssl
$ sudo chown -R caddy:caddy /opt/caddy

Config sample to act as a reverse proxy:

/etc/caddy/Caddyfile

{
    log
    #debug
    admin off
    #default_sni example.com
    #auto_https disable_redirects
    servers {
        protocols h1
    }
}

(logging) {
    log {
        output file /var/log/caddy-{args.0}-access.log {
            roll_size 1Mib
            roll_uncompressed
            roll_local_time
            roll_keep 24
            roll_keep_for 7d
        }
    }
}

(proxy-upstream) {
    @ua_denylist {
        header User-Agent curl*
        #not header User-Agent *hax0r*
    }

    @ip_denylist {
        remote_ip 8.8.8.8/32
    }
        
    header {
        -Server
        +X-Robots-Tag "noindex, nofollow, nosnippet, noarchive"
        +X-Content-Type-Options "nosniff"
    }

    #redir @ua_denylist https://legit.com{uri} permanent

    respond @ua_denylist "Forbidden" 403 {
        close
    }
        
    respond @ip_denylist "Forbidden" 403 {
        close
    }

    reverse_proxy https://10.10.13.2:31337 {
        header_up Host {upstream_hostport}
        header_up X-Forwarded-Host {host}
        header_up X-Forwarded-Port {port}
        transport http {
            tls_insecure_skip_verify
        }
    }
}

https://example.com {
    import logging all
    #tls /opt/caddy/ssl/fullchain.pem /opt/caddy/ssl/privkey.pem

    handle /files/* {
        file_server {
            # There should be this "files" directory in root
            root /home/snovvcrash/www
            #browse
        }
    }

    handle {
        import proxy-upstream
    }
}

Domain Fronting

https://chigstuff.com/blog/metasploit-domain-fronting-with-microsoft-azure/

Faslty

Tools

autossh

https://linux.die.net/man/1/autossh

Create and maintain an SSH tunnel from the team server to redirector proxy1 in the background:

(teamserver)$ autossh -M 0 -f -N proxy1

~/snovvcrash/.ssh/config

Host proxy1
    HostName 10.10.13.37
    User snovvcrash
    Port 22
    IdentityFile /home/snovvcrash/.ssh/id_proxy1
    RemoteForward 8443 localhost:443
    ServerAliveInterval 30
    ServerAliveCountMax 3

Last updated 2 years ago