Cloudy with a chance of redirectors
Leveraging a powerful Operator plugin to provision red team tools in the cloud
This post has been updated with the release of Operator version 1.3
Operator is a command-and-control (C2) platform built around the concept of plugins. As a core system, Operator can manage agents, adversaries and attacks. But plugins can extend this to do pretty much anything. In this post, we’re going to deep-dive into the Connect plugin, which is one of the most important plugins when it comes to running a realistic red team exercise.
First off, how do you get the Connect plugin? After opening Operator, click on the Connect icon on the left sidebar (it should be automatically installed as soon as you start). You should be welcomed with this view:
So what can you do with this plugin?
Connect to your teammates!
Provision pre-compromised Windows or Linux servers
Let’s explore each.
#1: Provision redirectors
Why use redirectors? Safely accept connections over the internet.
A redirector is simply a Linux server that can accept network connections from the internet and proxy (redirect) them to a different computer. Redirectors are essential for a few reasons:
You can deploy an agent anywhere in the world and have it connect to your redirector instead of your desktop directly. Adjusting your firewall rules to accept agent beacons locally could create a dangerous security hole.
When you use a redirector, agents don't know your IP address. If the defense finds your agent and notices it is contacting IP address 220.127.116.11, they may start blocking traffic to that location. If 18.104.22.168 represents your redirector, you can simply deploy a new redirector to get around the defense. If this were your Operator IP address, you would have to configure a much different approach to work around the blocking (such as moving your physical location or using a dynamic VPN).
Operator redirectors work like this:
From the Connect plugin, provision a redirector in either Amazon Web Services (AWS) or Google Cloud Provider (GCP) account by selecting “Provision a New Redirector” from the dropdown menu on your left hand side. This will create the Linux server in your own account and establish a connection between it and your Operator app.
Once provisioned (it usually takes 2 minutes) you can turn it on (look for “Available connections” above the dropdown you used to provision it) by clicking the host name. When a redirector is on, all agent ports (check the Network Settings sidebar) will be connected to your redirector. This means, if you deploy an agent pointed at your redirector, the connection will now be directed to your desktop app.
Once your redirector is on, you can deploy a Pneuma agent to test it:
./pneuma -address ec2-3-93-152-59.compute-1.amazonaws.com:2323
You should see an agent beacon into a new range called “cloud”.
How this works: behind the scenes
When you deploy a redirector a headless (no UI) version of Operator is immediately installed on it. Headless is in charge of accepting the agent beacons and transporting them back down to your Operator instance over bi-directional gRPC channels.
After provisioning a new redirector, it’ll appear in the top left of the screen. It’ll remain orange when it is provisioning. When it turns grey, you can click to enable it. This flips the icon to green and establishes the gRPC channels between you and your new headless redirector. From this point forward, any agent connecting to the redirector address will show up in your Operator, which you can validate back in the Operate section.
What did people do before this? Red teamers would typically install a network load-balancer, like HAProxy or a connection handling program, like SOCAT, and manually manage the connections via terminal.
#2: Connect to your teammates!
Why connect to your team? If you’re running a multi-person red team operation, you can share duties - regardless of your physical location - in order to work more efficiently. No more letting one person control the entire operation. You can now delegate.
If you have an Enterprise license, you can share your redirector hostname/password (see above) with a teammate within your organization. They can use these credentials to connect to it at which point, all agents connecting to the redirector will mirror across both of your Operator instances.
Each of you can send instructions to the agents, update agent configurations, lock agents or open reverse shells to them. The only thing you can’t do is delete remotely connected agents. This is intentional: only the “owner” can delete an agent, which is the redirector in this case.
Here’s a tip while working in a connected state: use the CTL+L keyboard shortcut to open your “activity stream”, which shows a timeline of all the system and agent updates occurring in your app.
#3: Provision pre-compromised servers
Why provision test servers? You may work on a MacOS and not have access to a Windows computer to test an attack on. Provisioning a real test machine allows you to quickly test your TTPs.
While redirectors are the main duty of the Connect plugin, it’s not the only thing it can do. A second big feature of this plugin is the ability to quickly provision pre-compromised servers in your AWS environment.
Heading back to the Connect plugin, you can select either a Linux or Windows server to deploy by selecting the “Provision a Virtual Machine” option from the dropdown on the left hand side:
You simply select:
The platform you want to launch your new virtual machine on
A redirector to point the agent toward
Which tools you want to install on the new server. A tool is an independent piece of software you want to provision with the server, such as a splunk or sysmon agent (above example). Different operating systems will offer different tools.
After deploying a server - and ensuring your chosen redirector is turned on - you should receive a beacon within 5-6 minutes.
The Editor section contains a handy utility for quickly testing TTPs against any connected agent. Just simply click the DEPLOY button when viewing any TTP to bring up the following modal window:
What did people do before this? Red teamers would typically use VMWare (expensive) or Virtual Box (not very user friendly) to deploy agents on different operating systems and test TTPs. Both of these options take significant resources (RAM/CPU) to run.
Hopefully this post helps you navigate through one of Operator’s most useful plugins. The Connect plugin is a simple to use provisioning tool which manages the complexities of redirector connection handling and test range deployments.
Get your redirectors online. Test TTPs against real machines. Do all of this - quickly - with the Connect plugin.