Added Cloudflare modules

README.md

@@ -1,9 +1,8 @@
+# Red Baron
 Latest version of this project is now being maintained here: 
 
 https://github.com/byt3bl33d3r/Red-Baron
 
-# Red Baron
-
 <p align="center">
   <img src="https://orig00.deviantart.net/5aae/f/2016/085/0/5/bloody_baron_by_synestesi_art-d9wjp94.jpg" width="400" height="600" alt="baron"/>
 </p>

examples/deploy-cf-infra.tf

@@ -0,0 +1,106 @@
+// Minimum required TF version is 0.11.0
+/*
+===================================================================================================
+EXAMPLE RED BARON CLOUDFLARE MODULE USAGE
+
+cloudflare/zone_creation : Creates a DNS zone and proxied CNAME records to benign downstream domain
+cloudflare/cf-http-dropper : Creates OpSec filters and a worker script to serve a payload download
+                             using a base-64 encoded string of the file contents.
+cloudflare/cf-http-redirector : Creates OpSec filters and a worker script to redirect traffic to a
+                                C2 server (must be name not IP).
+                                Note: Ensure the C2 server only allows inbound traffic from CloudFlare IPs
+cloudflare/cf-http-stager : Proof-of-concept module serving a multi-response JSON payload. Implant will need
+                            to make initial and subsequent requests to combine and execute the payload.
+===================================================================================================
+
+INFORMATION FOR BLOCKING ALL IPs EXCEPT CLOUDFLARE SOURCES TO C2 NODES:
+
+Cloudflare IPs for inbound .htaccess
+grabbed from https://www.cloudflare.com/ips-v4 <- should pull this dynamically
+then create a aws-security group for allowed inbound on http-c2 (or http-rdir)
+173.245.48.0/20
+103.21.244.0/22
+103.22.200.0/22
+103.31.4.0/22
+141.101.64.0/18
+108.162.192.0/18
+190.93.240.0/20
+188.114.96.0/20
+197.234.240.0/22
+198.41.128.0/17
+162.158.0.0/15
+104.16.0.0/12
+172.64.0.0/13
+131.0.72.0/22
+
+https://www.linode.com/docs/web-servers/apache/how-to-set-up-htaccess-on-apache/#allow-ips
+Create or edit the .htaccess file located in the web directory where you want this setting to be applied.
+
+Add the following lines to deny all IPs except for the specific IP and pool of IPs mentioned in the command:
+
+/var/www/html/example.com/public_html
+order deny,allow
+# Denies all IP's
+Deny from all
+# This will allow the IP 192.0.2.9
+allow from 192.0.2.9
+# This will allow all IP's from 192.0.2.0 through 192.0.2.255
+allow from 192.0.2
+===================================================================================================
+*/
+
+terraform {
+  required_version = ">= 0.11.0"
+}
+
+module "zone" {
+  source = "./modules/cloudflare/zone_creation"
+  my_domain_name = "DOMAINNAME"            //our frontend domain
+  benign_domain = "google.com"                   //the benign domain where non-agents, targets, should be redirected
+  //you'll need this: ${module.zone.zone_id}
+}
+
+//If you're using C2 then you'll need to make an entry - CloudFlare worker scripts don't work with IPs.
+module "record" {
+  source = "./modules/cloudflare/record_creation"
+  zone_id = "${module.zone.zone_id}"
+
+  hostname = "images"
+  type = "A"
+  server = "1.1.1.1"
+}
+
+module "http-redirector" {
+  source = "./modules/cloudflare/cf-http-redirector"
+  zone_id = "${module.zone.zone_id}"
+
+  my_domain_name = "DOMAINNAME"            //our frontend domain
+  c2_server = "DESTINATION"                //the backend C2 server
+  uri_pattern = "/agentcallback/*"         //the URI that should be redirected to C2
+  filter_selection = "country"            //filter setting (none, country, user_agent, referer, all)
+  country = "US"                          //override default filter details
+}
+
+module "http-dropper" {
+  source = "./modules/cloudflare/cf-http-dropper"
+  zone_id = "${module.zone.zone_id}"
+
+  my_domain_name = "DOMAINNAME"             //our frontend domain
+  uri_pattern = "/downloads/*"              //the URI that should be redirected to a payload
+  filter_selection = "country"              //filter map setting
+  filename = "test.bat"                     //filename to present to user
+  file_content = "aGVsbG8gd29ybGQ="         //Base64 encoded payload (hello world)
+}
+
+
+module "http-stager" {
+  source = "./modules/cloudflare/cf-http-stager"
+  zone_id = "${module.zone.zone_id}"
+  my_domain_name = "DOMAINNAME" //our frontend domain
+
+  first_stage_uri_pattern = "/stage1/*"       //the URI that should be redirected to first payload
+  second_stage_uri_pattern = "/stage2/*"      //the URI that should be redirected to the second payload
+  filter_selection = "country"                //filter map setting
+  first_stage_json = "{\"data\":\"blah\"}"    //json payload
+  second_stage_json = "{\"data\":\"blah\"}"   //json payload
+}

modules/cloudflare/README.md

@@ -0,0 +1,7 @@
+# CloudFlare Modules
+
+These modules were built to quickly create CloudFlare zones, filters, and worker scripts to serve as red team HTTP redirectors and payload delivery options.
+
+See blog post on Medium for background and capability walkthrough. Readme in subdirectories detail each module syntax. Example TerraForm config file can be found in examples folder.
+
+https://medium.com/@wheelsvt/redcloud-learning-from-astaroth-98ea7abd2a2c

modules/cloudflare/cf-http-dropper/README.md

@@ -0,0 +1,36 @@
+# cf-http-dropper
+
+Creates a HTTP payload dropper all in CloudFlare using Worker scripts.
+
+# Example
+
+```hcl
+module "http-dropper" {
+  source = "./modules/cloudflare/cf-http-dropper"
+  zone_id = "${module.zone.zone_id}"
+
+  my_domain_name = "DOMAINNAME"             //our frontend domain
+  uri_pattern = "/downloads/*"              //the URI that should be redirected to a payload
+  filter_selection = "country"              //filter map setting
+  filename = "test.bat"                     //filename to present to user
+  file_content = "aGVsbG8gd29ybGQ="         //Base64 encoded payload (hello world)
+}
+```
+
+# Arguments
+
+| Name                      | Required | Value Type | Description
+|---------------------------| -------- | ---------- | -----------
+|`zone_id`                  | Yes      | String     | Reference to the Zone to host the redirector
+|`my_domain_name`           | Yes      | String     | Domain name to use
+|`uri_pattern`              | Yes      | String     | URI pattern that will redirect to the payload
+|`filter_selection`         | Yes      | String     | OpSec filter selection (all, country, user_agent, referer)
+|`filename`                 | Yes      | String     | Filename to send the client
+|`file_content`             | Yes      | String     | Base64 encoded file contents
+|`user_agent`               | No       | String     | Override user agent filter (if used)
+|`country`                  | No       | String     | Override country filter (if used)
+|`referer`                  | No       | String     | Override referer filter (if used)
+|`description`              | No       | String     | Override Firewall rule
+|`visit_action`             | No       | String     | Override Firewall action (block or captcha)
+|`worker_name`              | No       | String     | Override Worker name prefix (cf-http-redirector)
+|`worker_script_content`    | No       | String     | Override Worker content (heart of the redirection)

modules/cloudflare/cf-http-dropper/main.tf

@@ -0,0 +1,33 @@
+terraform {
+  required_version = ">= 0.11.0"
+}
+
+
+
+//Need Filter --> Firewall Rule
+module "http-filter" {
+  source = "../filter"
+  zone_id = "${var.zone_id}"
+  URI = "${var.uri_pattern}"
+  UA = "${var.user_agent}"
+  referer = "${var.referer}"
+  filter_selection = "${var.filter_selection}"
+}
+
+module "http-firewall" {
+  source = "../firewall_rule"
+  zone_id = "${var.zone_id}"
+  description = "${var.description}"
+  f_id = "${module.http-filter.filter_id}"
+  action = "${var.visit_action}"
+}
+
+//Then worker route and finally a script to do the redirection
+//make sure we name the script the same in deploy.
+module "worker" {
+  source = "../worker_creation"
+  matching_uri = "${format("%s%s",var.my_domain_name, var.uri_pattern)}"
+  worker_script_content = "${replace(replace(var.worker_script_content,"BASE64FILECONTENT",var.file_content),"FILENAME",var.filename)}"
+  worker_name = "${var.worker_name}"
+  zid = "${var.zone_id}"
+}

modules/cloudflare/cf-http-dropper/variables.tf

@@ -0,0 +1,71 @@
+
+variable "uri_pattern" {
+
+}
+
+variable "filter_selection" {
+}
+
+variable "worker_name" {
+    default = "cf-http-dropper"//won't need to change unless more than one dropper
+}
+
+variable "zone_id" {
+}
+
+variable "my_domain_name" {
+
+}
+
+variable "file_content" {
+}
+variable "filename" {
+}
+
+//our default C2 script - just pass request on to target domain
+variable "worker_script_content" {
+    default = <<-EOF
+payload = "BASE64FILECONTENT"
+function base64Encode (buf) {
+let string = '';
+(new Uint8Array(buf)).forEach(
+(byte) => { string += String.fromCharCode(byte) }
+)
+return btoa(string)
+}
+function base64Decode (string) {
+string = atob(string);
+const
+length = string.length,
+buf = new ArrayBuffer(length),
+bufView = new Uint8Array(buf);
+for (var i = 0; i < length; i++) { bufView[i] = string.charCodeAt(i) }
+return buf
+}
+async function handleRequest(request) {
+let response = new Response(base64Decode(payload), {
+headers: { 'Content-Disposition': 'attachment; filename="FILENAME"' }
+})
+return response}addEventListener('fetch', event => {  event.respondWith(handleRequest(event.request))})
+EOF
+}
+
+variable "user_agent" {
+    default = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36"
+}
+
+variable "visit_action" {
+    default = "block"
+}
+variable "description" {
+    default = "Dropper-Filter"
+}
+
+variable "referer" {
+    default = "NONE"
+}
+
+variable "country" {
+    default = "US"
+}
+

modules/cloudflare/cf-http-redirector/README.md

@@ -0,0 +1,38 @@
+# cf-http-rdir
+
+Creates a HTTP payload dropper all in CloudFlare using Worker scripts.
+Note: the 
+
+# Example
+
+```hcl
+module "http-redirector" {
+  source = "./modules/cloudflare/cf-http-redirector"
+  zone_id = "${module.zone.zone_id}"
+
+  my_domain_name = "DOMAINNAME"            //our frontend domain
+  c2_server = "DESTINATION"                //our backend domain
+  uri_pattern = "/agentcallback/*"         //the URI that should be redirected to C2
+  filter_selection = "country"            //filter setting (none, country, user_agent, referer, all)
+  country = "US"                          //override default filter details
+}
+```
+
+# Arguments
+
+| Name                      | Required | Value Type | Description
+|---------------------------| -------- | ---------- | -----------
+|`zone_id`                  | Yes      | String     | Reference to the Zone to host the redirector
+|`my_domain_name`           | Yes      | String     | Domain name to use
+|`c2_server`                | Yes      | String     | FQDN of our C2 server (CloudFlare refuses IPs)
+|`uri_pattern`              | Yes      | String     | URI pattern that will redirect to C2 server
+|`filter_selection`         | Yes      | String     | OpSec filter selection (all, country, user_agent, referer)
+|`filename`                 | Yes      | String     | Filename to send the client
+|`file_content`             | Yes      | String     | Base64 encoded file contents
+|`user_agent`               | No       | String     | Override user agent filter (if used)
+|`country`                  | No       | String     | Override country filter (if used)
+|`referer`                  | No       | String     | Override referer filter (if used)
+|`description`              | No       | String     | Override Firewall rule
+|`worker_name`              | No       | String     | Override Worker name prefix (cf-http-redirector)
+|`worker_script_content`    | No       | String     | Override Worker content (heart of the redirection)
+

modules/cloudflare/cf-http-redirector/main.tf

@@ -0,0 +1,33 @@
+terraform {
+  required_version = ">= 0.11.0"
+}
+
+
+
+//Need Filter --> Firewall Rule
+module "http-filter" {
+  source = "../filter"
+  zone_id = "${var.zone_id}"
+  URI = "${var.uri_pattern}"
+  UA = "${var.user_agent}"
+  referer = "${var.referer}"
+  filter_selection = "${var.filter_selection}"
+}
+
+module "http-firewall" {
+  source = "../firewall_rule"
+  zone_id = "${var.zone_id}"
+  description = "${var.description}"
+  f_id = "${module.http-filter.filter_id}"
+  action = "block"
+}
+
+//Then worker route and finally a script to do the redirection
+//make sure we name the script the same in deploy.
+module "worker-route" {
+  source = "../worker_creation"
+  matching_uri = "${format("%s%s",var.my_domain_name, var.uri_pattern)}"
+  worker_name = "${var.worker_name}"
+  worker_script_content = "${replace(var.worker_script_content,"C2DOMAIN",var.c2_server)}"
+  zid = "${var.zone_id}"
+}