Domain fronting support

[ScriptIdiot]

May I know if domain fronting is supported in this case? Tried to change the host header but then it shows this error upon execution:

thread 'main' panicked at 'called Result::unwrap() on an Err value: Custom { kind: ConnectionRefused, error: "Failed to make post request" }', src/profiles/mod.rs:117:49
note: run with RUST_BACKTRACE=1 environment variable to display a backtrace

*Run on linux

Thanks!

[t94j0]

I haven't tried domain fronting with this agent, but I don't think there's an option to change the host header in the options of this agent. How did you attempt to change the host header?

[ScriptIdiot]

During the generation of payload, I was able to add host header to attempt to achieve domain fronting, which is working in merlin agent

[t94j0]

Gotcha. The Host header should be there based on this code. It looks like you're getting a ConnectionRefused error, so it looks like the domain front you're connecting to is unavailable. Are you sure you can connect to the target domain/ip?

[ScriptIdiot]

Yeah, I am pretty sure. Tried to establish C2 without domain front, and the exact same setting with domain front worked by using merlin agent.

[MEhrn00]

I believe I have tracked down the issue. The HTTP library tetanus is using is minreq and minreq will insert the callback url into the Host header before establishing the HTTP connection. The library will not check for duplicates so it will include two Host headers but pick the Host specified in the HTTP Headers section of the payload generation for the HTTP connection and ignore the callback host.

This is obviously not great behavior at all and I will need to use a different library which supports arbitrarily setting the Host header. I will look into it this weekend.

[jeffmcjunkin]

For what it's worth, between this and #1 tetanus is getting damn close to a viable top-tier C2. The only two three wish list items I'd have left are the following:

1. .NET Assembly injection support
2. Beacon Object File support (likely via https://github.com/trustedsec/COFFLoader)
3. DNS C2 channel support

The first two get a lot of existing functionality for free (via projects like https://github.com/trustedsec/CS-Situational-Awareness-BOF and https://github.com/Flangvik/SharpCollection), while the third makes operations possible in a pretty restricted environment.

[MEhrn00]

Update on this: I am in the process of doing a rewrite for Tetanus. I currently have domain fronting support, beacon object file support and reflective DLL loading support on the road map among other things. I can see about integrating a DNS C2 profile and .NET assembly injection but it depends on when I can get the current items on my road map complete.

I will leave this issue open until the rewrite is finished. This is just to acknowledge the suggestions 👍🏻

[jeffmcjunkin]

Oooh, today I learned of https://github.com/hakaioffsec/coffee, which may be of interest as an easier path to implementing Beacon Object Files.

In other news, is there any rough planned timeframe for the rewrite / release?