Update RedGuard Version 22.08.03

CHANGELOG

@@ -1,3 +1,8 @@
+## [22.08.03.1214] - 2022-08-03
+### Added
+- Support custom domain names for communication between intranet hosts
+- Edge hosts uses domain fronting to establish hidden C2 channels with CDN
+
 ## [22.7.22.1036] - 2022-7-22
 ### Added
 - Add ThreatBook Cloud SandBox to JA3 Fingerprint Base Interception rule library

README.md

@@ -88,8 +88,12 @@ root@VM-4-13-ubuntu:~# ./RedGuard -h
 Usage of ./RedGuard:
   -DropAction string
         RedGuard interception action (default "redirect")
+  -EdgeHost string
+        Set Edge Host Communication Domain (default "*")
+  -EdgeTarget string
+        Set Edge Host Proxy Target (default "*")
   -HasCert string
-        Whether to use the certificate you have applied for (default "false")
+        Whether to use the certificate you have applied for (default "true")
   -allowIP string
         Proxy Requests Allow IP (default "*")
   -allowLocation string
@@ -98,6 +102,8 @@ Usage of ./RedGuard:
         Proxy Requests Allow Time (default "*")
   -common string
         Cert CommonName (default "*.aliyun.com")
+  -config string
+        Set Config Path
   -country string
         Cert Country (default "CN")
   -dns string
@@ -316,6 +322,12 @@ In the self-built Domain fronting, keep multiple reverse proxy ports consistent,
 
 This can be achieved through multiple node servers, and configure multiple IPs of our nodes in the CS listener HTTPS online IP.
 
+## Edge Node
+
+RedGuard 22.08.03 updated the edge host online settings - custom intranet host interaction domain name, and the edge host uses the domain front CDN node interaction. The asymmetry of the information exchanged between the two hosts is achieved, making it more difficult to trace the source and make it difficult to check.
+
+![image.png](https://github.com/wikiZ/RedGuardImage/raw/main/66b9e60fb8303b3c6b457cc8134a436.png)
+
 ## CobaltStrike
 
 If there is a problem with the above method, the actual online C2 server cannot be directly intercepted by the firewall, because the actual load balancing request in the reverse proxy is made by the IP of the cloud server manufacturer.
@@ -371,13 +383,27 @@ Thank you for your support. RedGuard will continue to improve and update it. I h
 
 **About the developer 风起 related articles:https://www.anquanke.com/member.html?memberId=148652**
 
+> 2022Kcon Author of the weapon spectrum of the hacker conference
+>
+> The 10th ISC Internet Security Conference Advanced Offensive and Defense Forum "C2 Front Flow Control" topic
+>
+> https://isc.n.cn/m/pages/live/index?channel_id=iscyY043&ncode=UR6KZ&room_id=1981905&server_id=785016&tab_id=253
+>
+> Analysis of cloud sandbox flow identification technology
+>
+> https://www.anquanke.com/post/id/277431
+>
+> Realization of JARM Fingerprint Randomization Technology
+>
+> https://www.anquanke.com/post/id/276546
+
 **Kunyu: https://github.com/knownsec/Kunyu**
 
 > 风起于青萍之末，浪成于微澜之间。
 
 
 # 0x06 Community
 
-If you have any questions or requirements, you can submit an issue under the project, or contact the tool author by adding WeCat.
+If you have any questions or requirements, you can submit an issue under the project, or contact the tool author by adding WeChat.
 
 ![867551fe860b10ca1396498a85422b4.jpg](https://github.com/wikiZ/RedGuardImage/raw/main/20220522141706-ce37e178-d996-1.png)

config/RedGuard_CobaltStrike.go

@@ -1,37 +1,41 @@
-package config
-
-var RedGuardConfig = `[cert]
-# User Optional name
-DNSName      = *.aliyun.com,manager.channel.aliyun.com,*.acs-internal.aliyuncs.com,*.connect.aliyun.com,aliyun.com,whois.www.net.cn,tianchi-global.com
-# Cert User CommonName
-CommonName   = *.aliyun.com
-# Cert User Locality
-Locality     = HangZhou
-# Cert User Organization
-Organization = Alibaba (China) Technology Co., Ltd.
-# Cert User Country
-Country      = CN
-# Whether to use the certificate you have applied for true/false
-HasCert      = true
-
-[proxy]
-# key   : Header Host value of the reverse proxy
-# value : The actual address forwarded by the reverse proxy
-HostTarget    = {"360.net":"http://127.0.0.1:8080","360.com":"https://127.0.0.1:4433"}
-# HTTPS Reverse proxy port
-Port_HTTPS    = :443
-# HTTP Reverse proxy port
-Port_HTTP     = :80
-# RedGuard interception action: redirect / reset / proxy (Hijack HTTP Response)
-drop_action   = proxy
-# URL to redirect to
-Redirect      = https://360.net
-# IP address owning restrictions example:AllowLocation = 山东,上海,杭州 or shanghai,beijing
-AllowLocation = *
-# Whitelist list example: AllowIP = 172.16.1.1,192.168.1.1
-AllowIP       = *
-# Limit the time of requests example: AllowTime = 8:00 - 16:00
-AllowTime     = *
-# C2 Malleable File Path
-MalleableFile = *
-`
+package config
+
+var RedGuardConfig = `[cert]
+# User Optional name
+DNSName      = *.aliyun.com,manager.channel.aliyun.com,*.acs-internal.aliyuncs.com,*.connect.aliyun.com,aliyun.com,whois.www.net.cn,tianchi-global.com
+# Cert User CommonName
+CommonName   = *.aliyun.com
+# Cert User Locality
+Locality     = HangZhou
+# Cert User Organization
+Organization = Alibaba (China) Technology Co., Ltd.
+# Cert User Country
+Country      = CN
+# Whether to use the certificate you have applied for true/false
+HasCert      = true
+
+[proxy]
+# key   : Header Host value of the reverse proxy
+# value : The actual address forwarded by the reverse proxy
+HostTarget    = {"360.net":"http://127.0.0.1:8080","360.com":"https://127.0.0.1:4433"}
+# HTTPS Reverse proxy port
+Port_HTTPS    = :443
+# HTTP Reverse proxy port
+Port_HTTP     = :80
+# RedGuard interception action: redirect / reset / proxy (Hijack HTTP Response)
+drop_action   = proxy
+# URL to redirect to
+Redirect      = https://360.net
+# IP address owning restrictions example:AllowLocation = 山东,上海,杭州 or shanghai,beijing
+AllowLocation = *
+# Whitelist list example: AllowIP = 172.16.1.1,192.168.1.1
+AllowIP       = *
+# Limit the  time of requests example: AllowTime = 8:00 - 16:00
+AllowTime     = *
+# C2 Malleable File Path
+MalleableFile = *
+# Edge Host Communication Domain
+EdgeHost    = *
+# Edge Host Proxy Target example: EdgeTarget = 360.com
+EdgeTarget  = *
+`

config/version.go

@@ -1,31 +1,31 @@
-/**
- * @Author 风起
- * @contact: onlyzaliks@gmail.com
- * @File: version.go
- * @Time: 2022/5/5 9:25
- **/
-
-package config
-
-const (
-	BANNER = `
-	
-██████╗ ███████╗██████╗    ██████╗ ██╗   ██╗ █████╗ ██████╗ ██████╗ 
-██╔══██╗██╔════╝██╔══██╗  ██╔════╝ ██║   ██║██╔══██╗██╔══██╗██╔══██╗
-██████╔╝█████╗  ██║  ██║  ██║  ███╗██║   ██║███████║██████╔╝██║  ██║
-██╔══██╗██╔══╝  ██║  ██║  ██║   ██║██║   ██║██╔══██║██╔══██╗██║  ██║
-██║  ██║███████╗██████╔╝  ╚██████╔╝╚██████╔╝██║  ██║██║  ██║██████╔╝  -V %s
-╚═╝  ╚═╝╚══════╝╚═════╝    ╚═════╝  ╚═════╝ ╚═╝  ╚═╝╚═╝  ╚═╝╚═════╝ 
-
-Github:%s
-
-RedGuard is a C2 front flow control tool,Can avoid Blue Teams,AVs,EDRs check.
-`
-	VERSION   = "22.7.21 Alpha"
-	TITLE     = "RedGuard"
-	LICENSE   = "GPL-2.0"
-	URL       = "https://github.com/wikiZ/RedGuard"
-	AUTHOR    = "风起"
-	TEAM      = "0/00"
-	COPYRIGHT = "Copyright (C) 2022 风起. All Rights Reserved"
-)
+/**
+ * @Author 风起
+ * @contact: onlyzaliks@gmail.com
+ * @File: version.go
+ * @Time: 2022/5/5 9:25
+ **/
+
+package config
+
+const (
+	BANNER = `
+	
+██████╗ ███████╗██████╗    ██████╗ ██╗   ██╗ █████╗ ██████╗ ██████╗ 
+██╔══██╗██╔════╝██╔══██╗  ██╔════╝ ██║   ██║██╔══██╗██╔══██╗██╔══██╗
+██████╔╝█████╗  ██║  ██║  ██║  ███╗██║   ██║███████║██████╔╝██║  ██║
+██╔══██╗██╔══╝  ██║  ██║  ██║   ██║██║   ██║██╔══██║██╔══██╗██║  ██║
+██║  ██║███████╗██████╔╝  ╚██████╔╝╚██████╔╝██║  ██║██║  ██║██████╔╝  -V %s
+╚═╝  ╚═╝╚══════╝╚═════╝    ╚═════╝  ╚═════╝ ╚═╝  ╚═╝╚═╝  ╚═╝╚═════╝ 
+
+Github:%s
+
+RedGuard is a C2 front flow control tool,Can avoid Blue Teams,AVs,EDRs check.
+`
+	VERSION   = "22.08.03 Alpha"
+	TITLE     = "RedGuard"
+	LICENSE   = "GPL-2.0"
+	URL       = "https://github.com/wikiZ/RedGuard"
+	AUTHOR    = "风起"
+	TEAM      = "0/00"
+	COPYRIGHT = "Copyright (C) 2022 风起. All Rights Reserved"
+)