
Mastering Modern Red Teaming Infrastructure — Part 2: Building Stealthy C2 Infrastructure with Sliver and Redirector

In modern red teaming, setting up a secure and stealthy Command-and-Control (C2) infrastructure is essential for success. After acquiring and reclassifying a domain in Part 1, the next step is to build an effective system that stays under the radar and preserves operational security.
In this post, I’ll share how I created a layered C2 setup using Sliver and NGINX Proxy Manager, with an extra layer of protection and anonymity provided by Cloudflare. Additionally, I obfuscated and hardened Sliver’s network traffic to bypass NDR, IDS/IPS, and other network monitoring tools. To complete the setup, I developed a custom C++ dropper that downloads and executes payloads directly in heap memory through the proxy chain.
This setup supports secure and stealthy operations while maintaining anonymity and bypassing advanced network defenses.

Table of Contents

  1. Infrastructure Design
  2. Leveraging Cloudflare to Proxy Traffic
  3. Configuring NGINX as a Redirector
  4. Deploying Sliver and Obfuscating its Network Traffic Patterns
  5. Configuring Firewall Rules to Secure Sliver Server Access
  6. Building a Custom C++ Dropper to Download and Execute Payloads
  7. Additional OPSEC: Static Content (legitimate website on sliver’s listener)
  8. Final Thoughts

Infrastructure Design

The foundation of this project is a stealthy, multi-layered command-and-control (C2) infrastructure. The setup consists of:

Design Overview: Traffic for the decoy domain “online-notifications.net”, hosted on Cloudflare, is proxied to the Alpha VPS, where NGINX Proxy Manager routes it to the Sliver C2 server.

Traffic flow: Custom C++ Dropper → Cloudflare Proxy → NGINX Proxy Manager → Sliver C2 Server.

Leveraging Cloudflare to Proxy Traffic

In Part 1, we purchased the domain online-notifications.net through Cloudflare. Now, we’ll configure Cloudflare as an intermediate proxy to anonymize traffic. Follow these steps:

  1. Add A records in Cloudflare for online-notifications.net and www.online-notifications.net.
  2. Point the records to the NGINX proxy server IP (130.185.249.223).
  3. Enable the Proxy (orange cloud) option in Cloudflare so that your server’s real IP address is masked and traffic is routed through Cloudflare.
Add DNS A Record

Now, resolving online-notifications.net and www.online-notifications.net returns Cloudflare’s IP addresses, not our NGINX IP. This improves operational security (OPSEC) by using Cloudflare as a trusted intermediary, masking the real IP address of our NGINX proxy server and adding a further layer of anonymity.

Nslookup returns a Cloudflare IP rather than the NGINX IP, and WHOIS confirms the IP belongs to Cloudflare

Additionally, Cloudflare hides sensitive WHOIS information such as your email address, organization name, and other personal details. This provides greater privacy and anonymity, further improving OPSEC while using the decoy domain.

Confirm WHOIS information Hidden

An additional OPSEC measure, as an extra exercise, is to restrict access to your C2 and campaign domains through Cloudflare, allowing connections only from the country where your client is located. This helps prevent threat intelligence teams and external incident response (IR) teams from reaching your domains.

Configuring NGINX as a Redirector

The redirector acts as the intermediary, forwarding traffic from Cloudflare to the actual C2 server. You can purchase a VPS from Alpha using the link below. Prices start from $3.50, which is sufficient, since a redirector needs only minimal resources; a lower-cost plan meets the requirements. After purchasing the VPS, we will install NGINX Proxy Manager as a Docker container.

https://alphavps.com/cheap-vps.html#plansTbl

  1. Install Docker and Docker Compose on the Alpha VPS
sudo apt update
sudo apt install -y docker.io
sudo systemctl enable docker
sudo systemctl start docker
# Standalone Docker Compose v2 binary (invoked as docker-compose)
sudo curl -L "https://github.com/docker/compose/releases/download/v2.29.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose

  2. Create a Docker Compose file for NGINX Proxy Manager named docker-compose.yml

version: '3.8'
services:
  app:
    image: 'jc21/nginx-proxy-manager:latest'
    restart: unless-stopped
    ports:
      # These ports are in format <host-port>:<container-port>
      - '80:80'   # Public HTTP Port
      - '443:443' # Public HTTPS Port
      - '81:81'   # Admin Web Port
    volumes:
      - ./data:/data
      - ./letsencrypt:/etc/letsencrypt

  3. Install NGINX Proxy Manager by running docker compose up -d in the directory where you saved the .yml file (with the standalone binary installed above, the command is docker-compose up -d; the docker compose form requires the Compose plugin). Then use docker ps to verify that the container is running.

Install NGINX Proxy Manager using Docker Compose and verify

  4. Log in to the NGINX Proxy Manager GUI and configure redirection rules

After installation, open the VPS IP on port 81 and log in with the default administrator account (Email: admin@example.com, Password: changeme). Immediately after logging in with this default user you will be asked to update your details and change the password.

Login to NGINX GUI

After accessing the NGINX Proxy Manager GUI, we will add a proxy host as below:

Add Proxy Host

Add the following: when a connection is received for the domain online-notifications.net, route the traffic to the Sliver VPS at IP 157.173.198.175 on port 443.

Route online-notifications.net to the Sliver C2 on port 443

Then click on the Custom Locations tab and add the following: if a request is made for online-notifications.net/microsofta-updates, route it to the same Sliver VPS at IP 157.173.198.175 but on port 80, where an Apache server hosts the beacon payload. This payload is downloaded by the dropper to establish a reverse shell.

Deploying Sliver C2 and Obfuscating its Network Traffic Patterns

We will deploy Sliver on a Contabo VPS. You can purchase the VPS from the link below, with plans starting at $4.50.

  1. Sliver: introduction

I consider Sliver one of the best open-source C2 frameworks; I have used it in many real red teaming engagements, and it was very effective. I have also used Havoc, but I found Sliver to be a more robust, mature, and versatile framework, one that can replace tools like Cobalt Strike and supports cross-platform engagements. It is suitable for larger operations and for red teamers who need stability, encryption, and advanced post-exploitation. Sliver is a Bishop Fox project, which they describe as an “open-source cross-platform adversary emulation/red team framework”. Written in Go, it targets Windows, Linux and macOS, and possibly every other Go compiler target, although the maintainers don’t guarantee that.

Sliver supports multi-user operation and includes multiple C2 channels, all with encryption built in, as well as pivoting, BOFs and more. The interface is text-based. Note: if you are looking for a commercial and more mature C2 and tool set for red teams, my recommendation is Outflank Security Tooling (OST) from Fortra, with which you will bypass AV/EDR easily.

  2. Installing the Sliver Server

# Download the server binary into /opt/sliver, make it executable and start it
sudo mkdir -p /opt/sliver
sudo wget https://github.com/BishopFox/sliver/releases/download/v1.5.42/sliver-server_linux -O /opt/sliver/sliver-server_linux
sudo chmod +x /opt/sliver/sliver-server_linux
sudo /opt/sliver/sliver-server_linux
Install Sliver at /opt/sliver

In a more realistic scenario, a team will share the server and you will need to enable multiplayer mode. As the only person using this server, I can operate from the server console directly.

  3. Obfuscate the Sliver C2 Network Traffic Pattern

After installing Sliver, all logs and configuration files are located in the $HOME/.sliver directory. To begin, we will obfuscate Sliver’s network communication patterns to bypass NDR (Network Detection and Response).

View part of the default pattern file: cat ~/.sliver/configs/http-c2.json

Default Sliver Pattern File

Then back up the original configuration file:

cp ~/.sliver/configs/http-c2.json ~/.sliver/configs/http-c2.json.backup

Now open the file and obfuscate the network pattern by changing the directory names and filenames and adding extra web server headers so the traffic blends in with legitimate traffic:

vim ~/.sliver/configs/http-c2.json

The updated, obfuscated communication file is on my GitHub: Sliver/Obfuscate-Sliver-Network-http-c2.json at main · 0xFFF-cmd/Sliver

After obfuscating the network traffic, restart the Sliver server.

Then start the HTTPS listener.

Confirm the listener is open:

jobs and netstat commands

Generate the raw shellcode Sliver beacon:

Sliver C2 Shellcode Beacon

Install the Apache2 server:

sudo apt update && sudo apt install apache2

Then copy the beacon to the Apache web root to host the beacon payload, and set the file ownership so it can be served:

# Copy the generated beacon shellcode to the web root under the decoy filename
cp /opt/sliver/WOODEN_ENGINEER.bin /var/www/html/microsofta-updates
# Give the served file to the Apache user (the original had a stray space in the path)
sudo chown www-data:www-data /var/www/html/microsofta-updates

Configuring Firewall Rules to Secure Sliver Server Access

After generating the beacon, hosting it, and opening the listener, we configure firewall rules on the Sliver server to allow traffic only from a specific IP, the NGINX proxy.

# 1. Allow traffic from the NGINX proxy IP on ports 80 and 443
sudo iptables -A INPUT -p tcp -s 130.185.249.223 --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp -s 130.185.249.223 --dport 443 -j ACCEPT

# 2. Before dropping packets, log every drop to see who is trying to reach the machine
sudo iptables -A INPUT -p tcp --dport 80 -j LOG --log-prefix "IPTABLES-DROP-PORT80: " --log-level 4
sudo iptables -A INPUT -p tcp --dport 443 -j LOG --log-prefix "IPTABLES-DROP-PORT443: " --log-level 4

# 3. Drop traffic from all other IPs on ports 80 and 443
sudo iptables -A INPUT -p tcp --dport 80 -j DROP
sudo iptables -A INPUT -p tcp --dport 443 -j DROP

List the rules to ensure they are applied in the correct order (the ACCEPT rules must come before the LOG and DROP rules): sudo iptables -L -n -v. Note that these rules do not survive a reboot unless you persist them (for example with iptables-save or the iptables-persistent package).

Test the firewall rules by sending traffic from a different IP to ports 80 and 443 using curl or a web browser:

curl http://157.173.198.175:80
curl https://157.173.198.175:443
Direct Access Traffic Blocked

View the firewall logs: the LOG target writes to the system log, which can be viewed with sudo tail -f /var/log/syslog (or sudo journalctl -k -f on systems without rsyslog).

Firewall Drop My Connection (My IP: 176.44.54.82)

To filter the logs for dropped packets on port 80 or 443:

sudo grep "IPTABLES-DROP-PORT80" /var/log/syslog 
sudo grep "IPTABLES-DROP-PORT443" /var/log/syslog
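Beyond grepping, it is useful to summarise the kernel LOG lines per source IP and destination port, and to check that the allowed proxy IP never appears in the drop log (if it does, the ACCEPT rules are misordered). The following is an added example, not part of the original post; the syslog lines are constructed samples using documentation IP addresses and the log prefixes from the rules above.

```python
import re
from collections import Counter, defaultdict

# Constructed sample syslog lines in the format written by the iptables LOG target.
SAMPLE_SYSLOG = """\
Jan 10 12:00:01 sliver kernel: [1001.1] IPTABLES-DROP-PORT80: IN=eth0 OUT= MAC=00:11 SRC=203.0.113.5 DST=198.51.100.10 LEN=60 PROTO=TCP SPT=51234 DPT=80 SYN URGP=0
Jan 10 12:00:02 sliver kernel: [1002.2] IPTABLES-DROP-PORT443: IN=eth0 OUT= MAC=00:11 SRC=203.0.113.5 DST=198.51.100.10 LEN=60 PROTO=TCP SPT=51235 DPT=443 SYN URGP=0
Jan 10 12:00:03 sliver kernel: [1003.3] IPTABLES-DROP-PORT443: IN=eth0 OUT= MAC=00:11 SRC=203.0.113.77 DST=198.51.100.10 LEN=60 PROTO=TCP SPT=40000 DPT=443 SYN URGP=0
Jan 10 12:00:04 sliver sshd[812]: Accepted publickey for ops from 203.0.113.9 port 50000 ssh2
Jan 10 12:00:05 sliver kernel: [1005.5] IPTABLES-DROP-PORT80: IN=eth0 OUT= MAC=00:11 SRC=203.0.113.5 DST=198.51.100.10 LEN=60 PROTO=TCP SPT=51236 DPT=80 SYN URGP=0
"""

# Matches the prefix set by --log-prefix plus the SRC= and DPT= fields the kernel appends.
DROP_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?"
    r"(?P<prefix>IPTABLES-DROP-PORT\d+): .*?SRC=(?P<src>[\d.]+) .*?DPT=(?P<dpt>\d+)"
)


def parse_drops(text):
    """Return one dict per dropped-packet log line; non-firewall lines are ignored."""
    events = []
    for line in text.splitlines():
        m = DROP_RE.search(line)
        if m:
            events.append({"ts": m["ts"], "prefix": m["prefix"],
                           "src": m["src"], "dpt": int(m["dpt"])})
    return events


def summarize(events):
    """Map each source IP to a Counter of destination ports it was dropped on."""
    per_src = defaultdict(Counter)
    for e in events:
        per_src[e["src"]][e["dpt"]] += 1
    return dict(per_src)


def allowed_seen_in_drops(events, allowed):
    """Sources that are in the allowlist but still got dropped: a sign of misordered rules."""
    return sorted({e["src"] for e in events if e["src"] in set(allowed)})


if __name__ == "__main__":
    drops = parse_drops(SAMPLE_SYSLOG)
    for src, ports in summarize(drops).items():
        print(src, dict(ports))
    # 130.185.249.223 is the proxy IP allowed by the ACCEPT rules above.
    print("misordered:", allowed_seen_in_drops(drops, ["130.185.249.223"]))
```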

If you need to remove all the rules for testing, flush all chains (INPUT, OUTPUT, FORWARD) with: sudo iptables -F

Building a Custom C++ Dropper to Download and Execute Payloads

We will use the custom dropper hosted on my GitHub to download the Sliver beacon and inject it into memory.

Dropper Link: https://github.com/0xFFF-cmd/Sliver/blob/main/Dropper.cpp

Note: this dropper is written in C++ and must be compiled before use. For now we are using it only for testing. In future parts, I will show how to develop a more advanced dropper designed to bypass AV and EDR solutions. Currently, for this dropper to work, you need to disable your antivirus or whitelist the folder. The dropper simply downloads the beacon shellcode, copies it into heap memory, changes the memory’s permissions to make it executable, and then executes it.

Create a new project in Visual Studio and choose the Console App (C++) template.

C++ Console App

Set the build configuration to Release, compile the dropper (Build > Build Solution or Ctrl+Shift+B), and run it.

Build and Run Dropper Code

After executing the dropper, check the Apache and Sliver logs to observe the dropper’s actions:

Apache logs: tail -f /var/log/apache2/access.log
Sliver logs: tail -f ~/.sliver/logs/sliver.log
Beacon Reverse Shell

Additional OPSEC: Static Content (legitimate website on Sliver’s listener)

Legitimate website served on Sliver’s listener

Final Thoughts

By using NGINX as a proxy and adding techniques such as traffic obfuscation and memory injection, we kept the infrastructure under the radar while maintaining effectiveness. We also implemented firewall rules to restrict access, adding an extra layer of security. This setup is a solid foundation for modern red teaming, offering both reliability and stealth. In future posts, we’ll dive deeper into more advanced techniques to further improve the security and stealth of red team operations.

Part 3: Securing Mail Services with DNS Records and OPSEC for Bypassing Mail Security Gateways

Certifications:
OSEC3, CRTL, CRTO, OSCP, OSEP, OSWE, OSED, eMAPT … Others

Follow me on LinkedIn & Twitter(X) to stay updated and to know new things.

Bye Bye, Take Care.
