Update RedGuard Version 23.08.21

CHANGELOG

@@ -1,3 +1,9 @@
+## [23.08.21.0113] - 2023-08-21
+### Added
+- Custom Delete Response Fields
+- Added Header Host information in log output
+- Solved the wrong package problem
+
 ## [23.05.14.2020] - 2023-05-14
 ### Added
 - Sample Fingerprint Identify

README.md

@@ -53,11 +53,11 @@ chmod +x ./RedGuard&&./RedGuard
 
 As shown in the figure below, Set executable permissions and initialize RedGuard. The first run will generate a configuration file in the current user home directory to achieve flexible function configuration. Configuration file name: **.RedGuard_CobaltStrike.ini**.
 
-![1653117707(1).png](https://raw.githubusercontent.com/wikiZ/RedGuardImage/main/1656308555577.jpg)
+![1653117707(1).png](https://raw.githubusercontent.com/wikiZ/RedGuardImage/main/1692550594507.png)
 
 **Configuration file content:**
 
-![1653117707(1).png](https://github.com/wikiZ/RedGuardImage/raw/main/1656310498272.png)
+![1653117707(1).png](https://github.com/wikiZ/RedGuardImage/raw/main/1692550409350.png)
 
 The configuration options of cert are mainly for the configuration information of SSL certificate encrypted HTTPS communication between the sample and the C2 front infrastructure. The proxy is mainly used to configure the control options in the reverse proxy traffic. The specific use will be explained in detail below.
 
@@ -86,12 +86,18 @@ HasCert      = false
 root@VM-4-13-ubuntu:~# ./RedGuard -h
 
 Usage of ./RedGuard:
+  -DelHeader string
+        Customize the header to be deleted
   -DropAction string
         RedGuard interception action (default "redirect")
   -EdgeHost string
         Set Edge Host Communication Domain (default "*")
   -EdgeTarget string
         Set Edge Host Proxy Target (default "*")
+  -FieldFinger string
+        Set HTTP Header identification field Info
+  -FieldName string
+        Set the name of the HTTP Header identification field
   -HasCert string
         Whether to use the certificate you have applied for (default "true")
   -allowIP string
@@ -129,7 +135,6 @@ Usage of ./RedGuard:
   -type string
         C2 Server Type (default "CobaltStrike")
   -u    Enable configuration file modification
-
 ```
 
 **P.S. You can use the parameter command to modify the configuration file. Of course, I think it may be more convenient to modify it manually with vim.**
@@ -293,6 +298,17 @@ The profile written by 风起 is recommended to use:
 
 > <https://github.com/wikiZ/CobaltStrike-Malleable-Profile>
 
+## Custom Delete Response Fields
+
+In Cobalt Strike 4.7+, Teamserver automatically removes the Content-Encoding header without any notification, potentially causing a malleable http-(get|post).server violation. For example, there is no Content-type in the CS Server response packet, but after being forwarded by RedGuard, the Content-Type is added to the header of the response packet, which causes cf to cache the page, causing interference.
+
+After RedGuard 23.08.21, the function of customizing the header of the response packet has been added. Users can customize and delete the header information in the response packet by modifying the configuration file to solve the problem of incorrect parsing.
+
+```bash
+# Customize the header to be deleted example: Keep-Alive,Transfer-Encoding
+DelHeader     = Keep-Alive,Transfer-Encoding
+```
+
 ## Sample FingerPrint
 
 RedGuard 23.05.13 has updated the trojan sample fingerprint recognition function, which is based on customizing the HTTP Header field of the Malleable Profile as the fingerprint “**sample salt value**” for uniquely identifying the same **C2 listener**/Header Host. In addition, the trojan sample fingerprint generated by combining other relevant request fields can be used to detect the custom sample liveliness. According to the attacker’s task requirements, the trojan sample fingerprint recognition function can perform “**offline operation**” on the samples you want to disable, to better evade malicious traffic analysis of the sample communication and the staged sample PAYLOAD attack payload acquisition analysis, and provide more personalized stealth measures for the attacker.

config/RedGuard_CobaltStrike.go

@@ -38,6 +38,8 @@ MalleableFile = *
 EdgeHost      = *
 # Edge Host Proxy Target example: EdgeTarget = 360.com
 EdgeTarget    = *
+# Customize the header to be deleted example: Keep-Alive,Transfer-Encoding
+DelHeader     = *
 
 [SampleFinger]
 # HTTP Request Header Field

config/version.go

@@ -21,11 +21,11 @@ Github:%s
 
 RedGuard is a C2 front flow control tool,Can avoid Blue Teams,AVs,EDRs check.
 `
-	VERSION   = "23.05.13 Alpha"
+	VERSION   = "23.08.21 Alpha"
 	TITLE     = "RedGuard"
 	LICENSE   = "GPL-2.0"
 	URL       = "https://github.com/wikiZ/RedGuard"
 	AUTHOR    = "风起"
-	TEAM      = "0/00"
+	TEAM      = "Independent Security Researcher"
 	COPYRIGHT = "Copyright (C) 2022 风起. All Rights Reserved"
 )

core/ProxyHandler.go

@@ -34,21 +34,28 @@ var (
 
 type baseHandle struct{}
 
-func NewProxy(proxyURL string, dropType bool) (*httputil.ReverseProxy, error) {
+func NewProxy(proxyURL string, dropType bool, delHeader string) (*httputil.ReverseProxy, error) {
 	destinationURL, err := url.Parse(proxyURL)
 	if err != nil {
 		return nil, err
 	}
 	proxy := httputil.NewSingleHostReverseProxy(destinationURL)
 	// dropType Check whether the response to the request is changed
-	proxy.ModifyResponse = modifyResponse(dropType) // Modifies the response to the request
+	proxy.ModifyResponse = modifyResponse(dropType, delHeader) // Modifies the response to the request
 	return proxy, nil
 }
 
-func modifyResponse(drop bool) func(*http.Response) error {
+func modifyResponse(drop bool, delHeader string) func(*http.Response) error {
 	return func(resp *http.Response) error {
 		defer func(Body io.ReadCloser) {
 			logger.Warningf("[RESPONSE] HTTP %s, length: %d", resp.Status, resp.ContentLength)
+			delHeaderList := strings.Split(delHeader, ",")
+			if delHeader != "*" && delHeaderList != nil {
+				// Delete the header field specified in the RG response type
+				for _, header := range delHeaderList {
+					resp.Header.Del(header)
+				}
+			}
 			if drop {
 				// DROP Request
 				logger.Alertf("[DROP] Source IP: %s", resp.Request.RemoteAddr)
@@ -77,6 +84,8 @@ func (h *baseHandle) ServeHTTP(write http.ResponseWriter, req *http.Request) {
 		edgeHost = lib.ReadConfig("proxy", "EdgeHost", cfg)
 		// Read the Edge Host Proxy Target
 		edgeTarget = lib.ReadConfig("proxy", "EdgeTarget", cfg)
+		// Customize the header to be deleted
+		delHeader = lib.ReadConfig("proxy", "DelHeader", cfg)
 	)
 	var isDrop bool
 	var proxy *httputil.ReverseProxy
@@ -98,6 +107,7 @@ func (h *baseHandle) ServeHTTP(write http.ResponseWriter, req *http.Request) {
 	// Check whether the host is verified
 	if IPHash := lib.EncodeMD5(req.JA3); arrays.ContainsString(_addressArray, req.JA3) == -1 {
 		logger.Noticef("JA3 FingerPrint: %s", IPHash)
+		logger.Noticef("[REQUEST] Host:%s", req.Host)
 		logger.Noticef("[REQUEST] %s %s", req.Method, req.RequestURI)
 		logger.Noticef("[REQUEST] %s - %s", req.RemoteAddr, req.UserAgent())
 		// Request filtering method
@@ -114,7 +124,7 @@ func (h *baseHandle) ServeHTTP(write http.ResponseWriter, req *http.Request) {
 
 	// Check whether the domain name is in the whitelist
 	if target, ok := hostTarget[*host]; ok {
-		proxy, err := NewProxy(target, false)
+		proxy, err := NewProxy(target, false, delHeader)
 		if err != nil {
 			logger.Error("Proxy Exception")
 		}
@@ -144,7 +154,7 @@ LOOK:
 		break
 	}
 	// Determine whether to redirect or intercept intercepted traffic
-	proxy, _ = NewProxy(redirectURL, isDrop)
+	proxy, _ = NewProxy(redirectURL, isDrop, delHeader)
 	// Unauthorized access is redirected to the specified URL
 	proxy.ServeHTTP(write, req)
 REDIRECT:

core/arguments.go

@@ -38,5 +38,6 @@ func CmdParse(parse *parameter.Parses, cert *parameter.Cert, finger *parameter.S
 	flag.StringVar(&proxy.EdgeTarget, "EdgeTarget", "*", "Set Edge Host Proxy Target")
 	flag.StringVar(&finger.FieldName, "FieldName", "", "Set the name of the HTTP Header identification field")
 	flag.StringVar(&finger.FieldFinger, "FieldFinger", "", "Set HTTP Header identification field Info")
+	flag.StringVar(&finger.FieldFinger, "DelHeader", "", "Customize the header to be deleted")
 	flag.Parse()
 }

core/parameter/options.go

@@ -37,6 +37,7 @@ type Proxy struct {
 	MalleableFile string
 	EdgeHost      string
 	EdgeTarget    string
+	DelHeader     string
 }
 
 // ProxyConf Reverse proxy configuration structure

doc/README_CN.md

@@ -51,11 +51,11 @@ chmod +x ./RedGuard&&./RedGuard
 
 如下图，首先对RedGuard赋予可执行权限并进行初始化操作，第一次运行会在当前用户目录下生成配置文件，以实现灵活的功能配置，**配置文件名：.RedGuard_CobaltStrike.ini**。
 
-![1653117707(1).png](https://raw.githubusercontent.com/wikiZ/RedGuardImage/main/1656308555577.jpg)
+![1653117707(1).png](https://raw.githubusercontent.com/wikiZ/RedGuardImage/main/1692550594507.png)
 
 **配置文件内容：**
 
-![1653117707(1).png](https://github.com/wikiZ/RedGuardImage/raw/main/1656310498272.png)
+![1653117707(1).png](https://github.com/wikiZ/RedGuardImage/raw/main/1692550409350.png)
 
 cert的配置选项主要是针对样本与C2前置设施的HTTPS流量交互证书的配置信息，proxy主要用于配置反向代理流量中的控制选项，具体使用会在下面进行详细讲解。
 
@@ -83,13 +83,19 @@ HasCert      = false
 ```bash
 root@VM-4-13-ubuntu:~# ./RedGuard -h
 
-Usage of ./RedGuard.exe:
+Usage of ./RedGuard:
+  -DelHeader string
+        Customize the header to be deleted
   -DropAction string
         RedGuard interception action (default "redirect")
   -EdgeHost string
         Set Edge Host Communication Domain (default "*")
   -EdgeTarget string
         Set Edge Host Proxy Target (default "*")
+  -FieldFinger string
+        Set HTTP Header identification field Info
+  -FieldName string
+        Set the name of the HTTP Header identification field
   -HasCert string
         Whether to use the certificate you have applied for (default "true")
   -allowIP string
@@ -291,6 +297,17 @@ MalleableFile = /root/cobaltstrike/Malleable.profile
 
 > https://github.com/wikiZ/CobaltStrike-Malleable-Profile
 
+## 自定义删除响应字段
+
+在 Cobalt Strike 4.7+ 中，Teamserver 会在没有任何通知的情况下自动删除 Content-Encoding 标头，从而可能导致违反可延展http-(get|post).server。例如CS Server响应包中没有Content-type，但经过了RedGuard转发后，在响应包Header添加了Content-Type，然后导致cf对这个页面进行了缓存，造成了干扰。
+
+在RedGuard 23.08.21版本后增加了自定义响应包Header头的功能，用户可以通过修改配置文件的方式进行自定义删除的响应包中的Header信息，以解决错误解析的问题。
+
+```bash
+# Customize the header to be deleted example: Keep-Alive,Transfer-Encoding
+DelHeader     = Keep-Alive,Transfer-Encoding
+```
+
 ## Sample FingerPrint
 
 RedGuard 23.05.13已更新木马样本指纹识别功能，该功能基于对Malleable Profile自定义设置HTTP Header字段作为该指纹“**样本Salt值**”，为相同**C2监听器/**Header Host提供唯一辨识。此外，结合其他相关请求字段生成的木马样本指纹，可用于检测自定义样本存活性。根据攻击方任务要求，木马样本指纹识别功能可针对希望失效的样本进行**“下线操作”**，更好地规避恶意研判流量的样本通联性关联及分阶段样本PAYLOAD攻击载荷获取分析，给予攻击方更加个性化的隐匿措施。

lib/handle_config.go

@@ -83,7 +83,7 @@ func UpdateConfig(cert *parameter.Cert, proxy *parameter.Proxy, finger *paramete
 			"Port_HTTP": proxy.HTTPort, "Port_HTTPS": proxy.HTTPSPort, "Redirect": proxy.Redirect,
 			"AllowIP": proxy.AllowIP, "AllowTime": proxy.AllowTime, "AllowLocation": proxy.AllowLocation,
 			"drop_action": proxy.DropAction, "HostTarget": proxy.HostTarget, "MalleableFile": proxy.MalleableFile,
-			"EdgeHost": proxy.EdgeHost, "EdgeTarget": proxy.EdgeTarget,
+			"EdgeHost": proxy.EdgeHost, "EdgeTarget": proxy.EdgeTarget, "DelHeader": proxy.DelHeader,
 		}
 		_sampleFinger = map[string]string{
 			"FieldName": finger.FieldName, "FieldFinger": finger.FieldFinger,