BounceBack is a powerful, highly customizable and configurable reverse proxy with WAF functionality for hiding your C2/phishing/etc infrastructure from blue teams, sandboxes, scanners, etc. It uses real-time traffic analysis through various filters and their combinations to hide your tools from illegitimate visitors.
The tool is distributed with preconfigured lists of blocked words, blocked and allowed IP addresses.
For more information on tool usage, you may visit project's wiki.
BounceBack currently supports the following filters:
Custom rules may be easily added, just register your RuleBaseCreator or RuleWrapperCreator. See already created RuleBaseCreators and RuleWrapperCreators
Rules configuration page may be found here.
At the moment, BounceBack supports the following protocols:
Custom protocols may be easily added, just register your new type in manager. Example proxy realizations may be found here.
Proxies configuration page may be found here.
Just download latest release from release page, unzip it, edit config file and go on.
If you want to build it from source, install goreleaser and run:
goreleaser release --clean --snapshot
Cobalt Strike Beacon Object File (BOF) that uses WinStationConnect API to perform local/remote RDP session hijacking. With a valid access token / kerberos ticket (e.g., golden ticket) of the session owner, you will be able to hijack the session remotely without dropping any beacon/tool on the target server.
To enumerate sessions locally/remotely, you could use Quser-BOF.
Usage: bof-rdphijack [your console session id] [target session id to hijack] [password|server] [argument]
Command Description
-------- -----------
password Specifies the password of the user who owns the session to which you want to connect.
server Specifies the remote server that you want to perform RDP hijacking.
Sample usage
--------
Redirect session 2 to session 1 (require SYSTEM privilege):
bof-rdphijack 1 2
Redirect session 2 to session 1 with password of the user who owns the session 2 (require high integrity beacon):
bof-rdphijack 1 2 password P@ssw0rd123
Redirect session 2 to session 1 for a remote server (require token/ticket of the user who owns the session 2):
bof-rdphijack 1 2 server SQL01.lab.internal
make
tscon.exe