
Domain Fronting with Meterpreter - wolframio
https://bitrot.sh/post/30-11-2017-domain-fronting-with-meterpreter/
======
Tepix
I had a closer look at this technique after reading the article.

The cool thing about this hack is that even in the TLS Server Name Indication
(SNI) extension, the front domain name shows up, and only the (encrypted) HTTP
Host header shows the true covert destination.

The paper "Blocking-resistant communication through domain fronting"
([https://www.bamsoftware.com/papers/fronting/](https://www.bamsoftware.com/papers/fronting/))
is very interesting.

One thing that I'm left wondering is if the front domain owners will be at
risk of being blocked if domain fronting is being done with their domain. If so
they may ask the CDN companies to block this routing behaviour.

------
creeble
Not sure I understand the point of the article. How is this different from
what CloudFlare does (for free)?

~~~
j_s
If you're not clear on what domain fronting offers, it is basically a chance
to hide traffic by sending it to a popular domain (the unencrypted TLS SNI
destination), but traffic is routed elsewhere within that provider's network
(via the encrypted HTTP Host header). It takes extra work for providers to
shut it down (since SSL termination is usually separate from load balancing),
and support is generally left enabled (kind of "don't ask don't tell" at the
personal-use scale) because of anti-censorship benefits.

I believe the main point is that support is being integrated into Meterpreter,
an exploit framework. The end result will be that even script-kiddie style
attacks can spend $10 on a domain (or perhaps a free trial of GAE/Azure/AWS)
to auto-magically use this technique to add another layer hiding their command
& control servers from non-LEO/government defenders. (Meterpreter may be late
to the party compared to similar tools.)

It is another step in the cat & mouse game, where techniques like this are
usually first used by APT-level actors, someone rediscovers or documents it,
it goes mainstream and eventually gains enough notoriety to be shut down.

There were a pair of discussions on the technique when Signal added support
about a year ago:
[https://news.ycombinator.com/item?id=13245970](https://news.ycombinator.com/item?id=13245970),
[https://news.ycombinator.com/item?id=13232417](https://news.ycombinator.com/item?id=13232417)

- mentions a Tor pluggable transport implementing the technique first
discussed in January 2014:
[https://trac.torproject.org/projects/tor/wiki/doc/meek](https://trac.torproject.org/projects/tor/wiki/doc/meek)

- also mentions effective mitigations done provider-side:
[https://news.ycombinator.com/item?id=13233720](https://news.ycombinator.com/item?id=13233720)

> temprature: _Cloudflare did this a few years back by requiring that SNI
> matches the host header [...] or suspend the server running the reflector
> (Google did this to the meek reflector running on Appspot that Tor Browser
> used)._
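The provider-side mitigation quoted above (refusing requests whose TLS SNI and HTTP Host header differ) expressed as a check that a TLS-terminating edge could run over its own logs. This is an added example, not code from the article or from anyone in the thread; the log layout, the `classify`/`scan` helpers and the hostnames are constructed for illustration.

```python
"""Flag requests whose HTTP Host header does not match the TLS SNI.

Domain fronting depends on exactly that mismatch: the SNI names a popular
front domain while the encrypted Host header names the real backend. An edge
that terminates TLS sees both values and can refuse or log the mismatch.
"""
from typing import Optional


def normalize_host(name: Optional[str]) -> Optional[str]:
    """Canonicalise a hostname for comparison: lowercase, drop a trailing dot,
    drop a :port suffix (Host: example.com:443), treat empty as absent.
    Bracketed IPv6 literals keep their address and lose only the port."""
    if name is None:
        return None
    name = name.strip().lower()
    if not name:
        return None
    if name.startswith("["):            # [2001:db8::1]:443 -> [2001:db8::1]
        end = name.find("]")
        name = name[: end + 1] if end != -1 else name
    elif name.count(":") == 1:          # example.com:443 -> example.com
        name = name.split(":", 1)[0]
    return name.rstrip(".")


def classify(sni: Optional[str], host: Optional[str]) -> str:
    """'ok' when SNI and Host agree; 'no-sni' / 'no-host' when one side is
    missing (cannot compare); 'fronted' when both exist and differ."""
    s, h = normalize_host(sni), normalize_host(host)
    if s is None:
        return "no-sni"
    if h is None:
        return "no-host"
    return "ok" if s == h else "fronted"


def scan(records):
    """Apply the rule to (client_ip, sni, host) tuples; return non-ok rows."""
    flagged = []
    for ip, sni, host in records:
        verdict = classify(sni, host)
        if verdict != "ok":
            flagged.append((ip, sni, host, verdict))
    return flagged


# Constructed sample: what a TLS-terminating edge proxy might log per request.
SAMPLE = [
    ("203.0.113.5", "front.example.com", "front.example.com"),       # honest
    ("203.0.113.6", "front.example.com", "backend.example.net"),     # fronted
    ("203.0.113.7", "Shop.Example.org.", "shop.example.org:443"),    # same host
    ("203.0.113.8", None, "legacy.example.org"),                     # no SNI
]

if __name__ == "__main__":
    for row in scan(SAMPLE):
        print(row)
```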

