RedCaddy
C2 redirector base on caddy
Table of content
Overview
Generate caddyfile with c2 malleable profiles
Feature
- Block IP by GEOIP country
- Allow requests by header matcher
- User-agent & IP blacklist
- Support multiple redirection
- TeamServer port warden
Note
- The "redwarden_parser.py" under modules is from RedWarden by mgeeky
- Plenty of inspiration from this article:
🇬🇧 Carrying the Tortellini's golf sticks - IP Blacklists from RedGuard's IP Blacklists
- User-Agent Blacklists from mitchellkrogza's UA blacklists
- self-signed-cert.py modified from CarbonCopy
Quick start
- Generate self-signed certificate
- Build the custom caddy with specific modules (optional)
- Make sure
set trust_x_forwarded_for "true";
already enabled in C2 malleable profile - Copy your C2 malleable profile into RedCaddy
- Add your redirect rules into files (E.g chains.list)
- Finally, generate Caddyfile with the ugly python script.
Step by step
-
1. Generate self-signed certificates with "self-signed-cert.py" :
python3 self-signed-cert.py -t [Https Server]
As you can see,localhost.*
are generated incore/cert-out
-
2. Enable
set trust_x_forwarded_for "true";
in C2 malleable profile
-
3. Host & Referer headers needed to define in each client blocks of C2 malleable profile
⚠️ Note: the fake sub-domain must exists in self-signed certificates SAN (subject alternative name) attribute
-
4. Copy the C2 profile into RedCaddy
I use threatexpress‘s jquery-c2.4.3.profile as demonstrate
-
5. Edit redirection rules in "chains.list"
443:https:192.168.128.64:10001
means incomming from port *:443 redirect to localhosthttps://192.168.128.64:10001
(C2 backend)
Q: What is "warden"?
A: Warden is a whitelist function feature to protect your teamserver port, this will generate a random link with random secure strings. The user without ability connect to teamserver before trigged it ("warden" behind 443 means handling the link on port 443). -
6. Pass arguments the generator.py needed, then hit enter.
python3 generator.py -f geacon_jd_pro.profile -r forward-chains.list -c CN -vps-ip 1.1.1.1
-
7. Finally, run caddy with caddyfile just generated :)
sudo ./run.sh
-
8. Optional: Build the custom caddy with specific modules
git clone https://github.com/XiaoliChan/RedCaddy-core.git
cd cmd/caddy
go get github.com/aksdb/caddy-cgi/v2
go get github.com/porech/caddy-maxmind-geolocation
CGO_ENABLED=0 go build
upx --best --lzma caddy
-
Q: Why not use json or yaml format?
A: Sorry, I don't know how to write caddyfile in json/yaml format. -
Q: Can response 404 with unmatch routes?
A: Well, caddy can't do this ¯\(ツ)/¯.