C2_Infrastructure

Building a Secure C2 Infrastructure with HAProxy

Introduction

In adversary simulation and red teaming, setting up a resilient and stealthy Command and Control (C2) infrastructure is critical. This guide walks through building a C2 infrastructure from multiple servers, with HAProxy acting as the traffic manager on the frontend. HAProxy listens on port 443, reads the SNI field of the TLS ClientHello without terminating TLS, and uses that value to pick a loopback port to forward the connection to. SSH remote forwarding then carries the C2 port from the frontend back to the C2 server.

This setup enhances operational security (OPSEC) by:

  • Masking C2 traffic behind a legitimate-looking front-end service on the same IP and port.
  • Routing each connection by its SNI value, so only traffic for the C2 host name reaches the C2 listener.
  • Carrying C2 traffic to the backend over an SSH remote port forward instead of exposing the C2 server directly.

Software & Tools

We will need the following tools installed on the respective machines:

Frontend Server (HAProxy)

  • Ubuntu/Debian-based OS
  • haproxy
  • openssh-server

C2 Server

  • Your C2 framework (e.g., Sliver, Mythic, Cobalt Strike)
  • openssh-server

Installing the Required Tools

Install HAProxy

On the frontend server, install HAProxy & OpenSSH Server:

sudo apt update && sudo apt install haproxy -y
sudo systemctl enable haproxy
sudo systemctl start haproxy
sudo apt install openssh-server -y
sudo systemctl enable ssh
sudo systemctl start ssh

Configuring HAProxy for SNI-based Routing

Configure HAProxy

Open the HAProxy configuration file:

sudo vim /etc/haproxy/haproxy.cfg

and paste the following:

global
    log /dev/log local0
    log /dev/log local1 notice
    maxconn 1000
    daemon

defaults
    log global
    # tcplog, not httplog: the frontend below runs in TCP mode, and HAProxy
    # would otherwise warn and fall back to tcplog anyway
    option tcplog
    option dontlognull
    timeout connect 5000ms
    timeout client 50000ms
    timeout server 50000ms

frontend https_frontend
    bind *:443
    mode tcp
    # Buffer up to 5s so the TLS ClientHello is available for inspection;
    # the connection is accepted only once a ClientHello (hello type 1) is seen
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }

    # Route on the cleartext SNI value (case-insensitive); TLS is passed
    # through, not terminated. No default_backend is set, so a connection
    # whose SNI matches neither rule is closed.
    use_backend c2_redirect if { req.ssl_sni -i c2.example.com }
    use_backend web_redirect if { req.ssl_sni -i legit.example.com }

backend c2_redirect
    mode tcp
    # send-proxy-v2 prepends a PROXY protocol v2 header carrying the original
    # client address; the C2 listener behind the SSH tunnel must be configured
    # to accept that header, otherwise the TLS handshake fails
    server c2 127.0.0.1:50050 send-proxy-v2

backend web_redirect
    mode tcp
    server web 127.0.0.1:8080

Restart the HAProxy service:

sudo systemctl restart haproxy
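The two matchers above, req.ssl_hello_type 1 and req.ssl_sni, act on the cleartext server_name extension of the TLS ClientHello, which is also the field a passive network sensor logs for a TLS connection. The following added example (not from this page or from HAProxy) parses that field from a raw record, applies the same two routing rules, and includes a constructed ClientHello builder so it runs offline; the host names and backend names are the ones used in the configuration above.

```python
import struct
from typing import Optional

def parse_client_hello_sni(record: bytes) -> Optional[str]:
    """Return the server_name from a TLS ClientHello record, or None if the record
    is not a complete ClientHello or carries no SNI extension."""
    try:
        if record[0] != 0x16:                              # content type 0x16 = handshake
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        body = record[5:5 + rec_len]
        if len(body) < rec_len or body[0] != 0x01:         # truncated, or not hello_type 1
            return None
        hello = body[4:4 + int.from_bytes(body[1:4], "big")]
        pos = 2 + 32                                       # legacy_version + random
        pos += 1 + hello[pos]                              # session_id
        pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + hello[pos]                              # compression_methods
        end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        if end > len(hello):
            return None                                    # extensions block truncated
        while pos + 4 <= end:
            ext_type, elen = struct.unpack("!HH", hello[pos:pos + 4])
            data = hello[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if ext_type == 0 and data[2] == 0:             # server_name, name_type host_name
                name_len = struct.unpack("!H", data[3:5])[0]
                if len(data) >= 5 + name_len:
                    return data[5:5 + name_len].decode("ascii", "replace")
    except (IndexError, struct.error):
        pass                                               # short or malformed record
    return None

def choose_backend(record: bytes) -> Optional[str]:
    """Mirror the two use_backend rules: case-insensitive SNI match, else no backend."""
    backends = {"c2.example.com": "c2_redirect", "legit.example.com": "web_redirect"}
    sni = parse_client_hello_sni(record)
    return backends.get(sni.lower()) if sni else None

def build_client_hello(sni: str) -> bytes:
    """Constructed minimal ClientHello (one cipher suite, only the SNI extension) for testing."""
    name = sni.encode("ascii")
    sni_data = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(sni_data)) + sni_data
    hello = (b"\x03\x03" + b"\x00" * 32 + b"\x00"      # version, random, empty session_id
             + b"\x00\x02\x13\x01" + b"\x01\x00"        # one cipher suite, null compression
             + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

A record that is not a handshake, or a ClientHello truncated before its extensions, yields None, which is the case HAProxy covers by waiting up to the inspect-delay for the rest of the ClientHello.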

Setting Up SSH Remote Forwarding

To tunnel traffic from the frontend server to the C2 server, use SSH remote forwarding.

On the C2 Server

Run the following command:

ssh -R 50050:127.0.0.1:50050 user@frontend-server

This binds port 50050 on the frontend's loopback interface (sshd's default for -R unless GatewayPorts is enabled, which is what we want here) and tunnels every connection to it back to 127.0.0.1:50050 on the C2 server, the address HAProxy's c2_redirect backend sends matching traffic to.

To make this persistent, edit ~/.ssh/config on the C2 server:

Host frontend-server
    User user
    Port 22
    ServerAliveInterval 60
    RemoteForward 50050 127.0.0.1:50050

The Host entry only stores the client options; it does not start the tunnel itself. Open the tunnel (without a remote shell) with:

ssh -N frontend-server