RedCaddy

C2 redirector base on caddy

Table of content

• Overview
• Feature
• Note
• Quick start
• Step by step
• References

Overview

Generate caddyfile with c2 malleable profiles

Feature

• Block IP by GEOIP country
• Allow requests by header matcher
• User-agent & IP blacklist
• Support multiple redirection
• TeamServer port warden

Note

• The "redwarden_parser.py" under modules is from RedWarden by mgeeky
• Plenty of inspiration from this article: 🇬🇧 Carrying the Tortellini's golf sticks
• IP Blacklists from RedGuard's IP Blacklists
• User-Agent Blacklists from mitchellkrogza's UA blacklists
• self-signed-cert.py modified from CarbonCopy

Quick start

• Generate self-signed certificate
• Build the custom caddy with specific modules (optional)
• Make sure set trust_x_forwarded_for "true"; already enabled in C2 malleable profile
• Copy your C2 malleable profile into RedCaddy
• Add your redirect rules into files (E.g chains.list)
• Finally, generate Caddyfile with the ugly python script.

Step by step

• 1. Generate self-signed certificates with "self-signed-cert.py" :
  python3 self-signed-cert.py -t [Https Server]
  As you can see, localhost.* are generated in core/cert-out
  

• 2. Enable set trust_x_forwarded_for "true"; in C2 malleable profile
  

• 3. Host & Referer headers needed to define in each client blocks of C2 malleable profile
  ⚠️ Note: the fake sub-domain must exists in self-signed certificates SAN (subject alternative name) attribute
  

• 4. Copy the C2 profile into RedCaddy
  I use threatexpress‘s jquery-c2.4.3.profile as demonstrate
  

• 5. Edit redirection rules in "chains.list"
  443:https:192.168.128.64:10001 means incomming from port *:443 redirect to localhost https://192.168.128.64:10001 (C2 backend)
  

  Q: What is "warden"?
  A: Warden is a whitelist function feature to protect your teamserver port, this will generate a random link with random secure strings. The user without ability connect to teamserver before trigged it ("warden" behind 443 means handling the link on port 443).

• 6. Pass arguments the generator.py needed, then hit enter.
  python3 generator.py -f geacon_jd_pro.profile -r forward-chains.list -c CN -vps-ip 1.1.1.1

• 7. Finally, run caddy with caddyfile just generated :)
  sudo ./run.sh

• 8. Optional: Build the custom caddy with specific modules

git clone https://github.com/XiaoliChan/RedCaddy-core.git
cd cmd/caddy
go get github.com/aksdb/caddy-cgi/v2
go get github.com/porech/caddy-maxmind-geolocation
CGO_ENABLED=0 go build
upx --best --lzma caddy

• Q: Why not use json or yaml format?
  A: Sorry, I don't know how to write caddyfile in json/yaml format.

• Q: Can response 404 with unmatch routes?
  A: Well, caddy can't do this ¯\(ツ)/¯.

Reference

• Malleable C2 Profile parser
• 🇬🇧 Carrying the Tortellini's golf sticks
• Cobalt stagger
• How to create self-signed certificates
• Caddy access control