Red Commander

Creates two Cobalt Strike C2 servers (DNS and HTTPS), with redirectors, and RedELK in Amazon AWS. Minimal setup required! Companion Blog here

Important!

This build does NOT use free-tier eligible servers. Approximate costs can vary. During testing, we used six ec2 instances that cost around $70/month total.

<span style="color:red;background-color:black;"> Please read all of this Readme. </span>

I spent a ton of time ensuring that as many questions as I could think of were answered. If I missed something, please feel free to reach out. This tool may be maintained periodically, but it's mainly used as a stepping stone for further development.

Setup

Features

Customization Notes

Rename the folders labeled "web-redir1.org" and "web-redir2.com" below to the domain name of the corresponding web redirector. This ensures that the correct Joomla install lands on the right EC2 server. For example:

If you created a decoy Joomla site "definitely-legit-company.com" and want to use it as a web redirector, make sure it is listed in the 'domains' variable, then create a folder named 'definitely-legit-company.com' in the files/ directory containing the dump.sql and joomla.zip for that site. Details on how to do that are below.

/opt/redcommander/files
│   C2concealer.zip
│   cobaltstrike.zip
│   cs2modrewrite.py
│   RedELK.zip
│   redirect.rules
│
├───web-redir1.org
│       dump.sql
│       joomla.zip
│
├───web-redir2.com
│       dump.sql
│       joomla.zip
│
└───custom
    ├───DNS
    │       evasive.profile
    │       keystore.store
    │
    └───HTTPS
            evasive.profile
            keystore.store

Details

All files have to be named EXACTLY as shown above in the folders shown. The exception is naming the folder for the web redirect domains.
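Because the playbook matches folders to domains by exact name, a misspelled redirector folder silently leaves that server without its Joomla site. The script below is an added pre-flight check (not part of Red Commander) that verifies a files/ directory against the tree above for a given domains list; the domain names and empty placeholder files in the demo are constructed.

```python
import tempfile
from pathlib import Path

# Names copied from the README's files/ tree. The checker itself is an added
# pre-flight script, not part of Red Commander.
TOP_LEVEL_FILES = ["C2concealer.zip", "cobaltstrike.zip", "cs2modrewrite.py",
                   "RedELK.zip", "redirect.rules"]
PROFILE_FILES = ["evasive.profile", "keystore.store"]  # under custom/DNS and custom/HTTPS
REDIRECTOR_FILES = ["dump.sql", "joomla.zip"]          # under files/<web redirector domain>


def check_layout(files_dir, web_redirector_domains):
    """Return a list of problems; an empty list means the tree matches the README."""
    root = Path(files_dir)
    problems = []
    expected = [root / n for n in TOP_LEVEL_FILES]
    expected += [root / "custom" / p / n for p in ("DNS", "HTTPS") for n in PROFILE_FILES]
    expected += [root / d / n for d in web_redirector_domains for n in REDIRECTOR_FILES]
    for path in expected:
        if not path.is_file():
            problems.append(f"missing {path.relative_to(root)}")
    # A folder that matches no domain in the list is almost always a typo: the
    # Joomla dump inside it would never be deployed to any redirector.
    for child in root.iterdir():
        if child.is_dir() and child.name != "custom" and child.name not in web_redirector_domains:
            problems.append(f"unexpected folder {child.name!r}: not in the domains list")
    return problems


def make_sample_tree(base, web_redirector_domains):
    """Constructed sample layout (empty placeholder files) for trying the checker."""
    base = Path(base)
    rels = list(TOP_LEVEL_FILES)
    rels += [f"custom/{p}/{n}" for p in ("DNS", "HTTPS") for n in PROFILE_FILES]
    rels += [f"{d}/{n}" for d in web_redirector_domains for n in REDIRECTOR_FILES]
    for rel in rels:
        (base / rel).parent.mkdir(parents=True, exist_ok=True)
        (base / rel).touch()
    return base


def demo():
    """Run the checker on a correct tree and on one with a misnamed redirector folder."""
    domains = ["definitely-legit-company.com", "web-redir2.com"]
    with tempfile.TemporaryDirectory() as tmp:
        good = check_layout(make_sample_tree(Path(tmp) / "good", domains), domains)
        # Same domains variable, but the operator typed the first folder name wrong.
        bad_root = make_sample_tree(Path(tmp) / "bad", ["definitely-legit-company.co", "web-redir2.com"])
        bad = check_layout(bad_root, domains)
    return good, bad


if __name__ == "__main__":
    ok, bad = demo()
    print("good tree:", ok or "no problems")
    print("bad tree:", *bad, sep="\n  ")
```

Point check_layout at /opt/redcommander/files with the same list you put in the 'domains' variable before running the playbook.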

Requirements

Ansible Control Node Requirements

Variable Requirements

The only REQUIRED pre-requisite that's not included in the variables file is to add your campaign domains to CloudFlare. The simple steps for that are:

Important! Please be kind to CloudFlare. Send an email to abuseteam@cloudflare.com stating your AUTHORIZED intentions.

Variables

All variables except the Vault key are covered in vars/main.yml. Please reference that file for descriptions of each variable. USE ANSIBLE VAULT FOR SENSITIVE DATA!

Example:

ansible-vault encrypt_string --vault-password-file /path/to/password/file --name 'aws_secret_key'

Usage

We usually run this directly from the control node, though I'm in the process of importing this to AWX.

Important! Ensure that your variables are correct before running the playbook!

ansible-playbook playbook.yml --ask-vault-pass

I created a janky output.yml play that will spit out IP/Hostname correlations in debug. It's not pretty, but I left it in case you don't have access to the AWS EC2 web GUI.

There's also a nuke playbook for destroying your infrastructure. It's run the same way:

ansible-playbook nuke.yml --ask-vault-pass

Run that at your own risk.

FAQ

Check 👏 Your 👏 Profile

Ensure that all variables were correctly added. Check the /var/log/redelk logs on the RedELK server for errors. Otherwise, check the RedELK Wiki. Oh, and make sure you have a live beacon; otherwise you likely won't have any data! :)

Where? Try running it again with -vvv. Generally the Python traceback will tell you what's wrong.

Author Information

Alex Williams, OSCP, GXPN

Twitter: @offsec_ginger

Github: offsecginger

Special Thanks

(In no particular order)