FW RULES

C2 AGENT RULE

root@oco:~$ BROWSER > AZURE/AWS > Settings > Networking > Add inbound port rule
 #this creates an inbound rule so that only the Red Team operators can access the C2 server
 #the red team operators connect from 49.36.41.230 while the C2 is at 20.66.23.137 (note: the SSH rule below lists 49.36.41.242 as its source — confirm which operator address is current)
 Rule: SSH                //SSH to the nginx VM is reachable only from 49.36.41.242 (attacker)
  Priority: 300
  Port: 22
  Protocol: TCP
  Source: 49.36.41.242
  Destination: Any
  Action: Allow

 Rule: AllowHTTPInbound
  Priority: 310
  Port: 80
  Protocol: TCP
  Source: 49.36.41.182
  Destination: Any
  Action: Allow
  
 Rule: AllowHTTPSInbound
  Priority: 320
  Port: 443                 //port 443 is reachable from any source
  Protocol: TCP
  Source: Any
  Destination: Any
  Action: Allow
  
 #port 5555 is reachable only from 20.66.87.234 (the victim)
 #ensure that the payload server's hidden directory "cwl" cannot easily be brute-forced by anyone, including the blue team
 #it is highly recommended to use a long directory name that cannot easily be guessed or brute-forced
 #https://{nuclear.cyberwarfare.live}/cwl or arbitraryLongNamedDirectory
 Rule: AllowMyIpAddressCustom5555Inbound         //payload server port
  Priority: 330
  Port: 5555
  Protocol: Any
  Source: 20.66.87.234
  Destination: Any
  Action: Allow
   
 Rule: AllowVnetInbound
  Priority: 65000
  Port: Any
  Protocol: Any
  Source: VirtualNetwork
  Destination: VirtualNetwork
  Action: Allow
  
 Rule: AllowAzureLoadBalancerInbound
  Priority: 65001
  Port: Any
  Protocol: Any
  Source: AzureLoadBalancer
  Destination: Any
  Action: Allow
  
 Rule: DenyAllInbound
  Priority: 65500
  Port: Any
  Protocol: Any
  Source: Any
  Destination: Any
  Action: Deny

SAMPLE 2

PAYLOAD SERVER FW RULES

root@oco:~$ BROWSER > AZURE/AWS > Settings > Networking > Add inbound port rule
 #this creates an inbound rule so that only the Red Team operators can access the C2 server (this section lists the payload server rules; the comment appears to be carried over from the C2 rule set)
 #the red team operators connect from 49.36.41.230 while the C2 is at 20.66.23.137
 Rule: SSH                //SSH to the nginx VM is reachable only from 49.36.41.242 (attacker); the Source field below lists 49.36.43.68 — confirm which address is current
  Priority: 300
  Port: 22
  Protocol: TCP
  Source: 49.36.43.68    //this is the attacker OWKS
  Destination: Any
  Action: Allow
  
 #this rule is specific to the victim/target - use to serve any payloads to the specific targets
 #only the agents/malware on the specified target are allowed to download from this payload server - this payload server is not viewable or accessible by anyone else on the public internet
 Rule: AllowVictimInbound
  Priority: 310
  Port: 443
  Protocol: TCP
  Source: 74.235.35.184    //this is the target's IP space
  Destination: Any
  Action: Allow

 #this rule enables the attacker to view the contents of the payload server via HTTPS
 #https://nuclear.cyberwarfare.live
 #this is served via either PWNDROP or a SIMPLEHTTP SERVER
 Rule: AllowMyIPAddressCustom443Inbound
  Priority: 320
  Port: 443
  Protocol: Any
  Source: 49.36.43.68    //this is the attacker OWKS
  Destination: Any
  Action: Allow
   
 Rule: AllowVnetInbound
  Priority: 65000
  Port: Any
  Protocol: Any
  Source: VirtualNetwork
  Destination: VirtualNetwork
  Action: Allow
  
 Rule: AllowAzureLoadBalancerInbound
  Priority: 65001
  Port: Any
  Protocol: Any
  Source: AzureLoadBalancer
  Destination: Any
  Action: Allow
  
 Rule: DenyAllInbound
  Priority: 65500
  Port: Any
  Protocol: Any
  Source: Any
  Destination: Any
  Action: Deny
