HTTP Forwarders / Relays

Concealing attacking hosts through with redirectors/traffic forwarders using iptables or socat


Re-directors or traffic forwarders are essentially proxies between the red teaming server (say the one for sending phishing emails or a C2) and the victim - victim <> re-director <> team server

The purpose of the re-director host is as usual:

  • Obscure the red teaming server by concealing its IP address. In other words - the victim will see traffic coming from the re-director host rather than the team server.

  • If incident responders detect suspicious activity originating from the redirector, it can be "easily" decommissioned and replaced with another one, which is "easier" than rebuilding the team server.

HTTP Forwarding with iptables

I will explore simple HTTP forwarders which are just that - they simply listen on a given interface and port and forward all the traffic they receive on that port, to a listener port on the team server.

My environment in this lab:

  • Team server and a listening port:

  • Re-director host and a listening port:

  • Victim host:

An easy way to create an HTTP re-director is to use a Linux box and its iptables capability.

Below shows how to turn a Linux box into an HTTP re-director. In this case, all the HTTP traffic to (redirector) will be forwarded to (team server) :

iptables -I INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination
iptables -t nat -A POSTROUTING -j MASQUERADE
iptables -I FORWARD -j ACCEPT
sysctl net.ipv4.ip_forward=1

Checking that the iptables rules were created successfully:

Testing iptables

Let's simulate a simplified reverse shell from the victim system to the attacking system using our redirector system as a proxy and inspect the traffic crossing over the wire - if the redirector was setup correctly, we should see that systems and will not be communicating directly - all the traffic will be flowing through the box at and (attacking system) will not be visible to the victim

Having a closer look at the traffic/conversations between the endpoints, we can clearly see that at no point the victim system communicated directly with the attacking system - all communications were flowing through the redirector host as described earlier:

HTTP Forwarding with SOCAT

SOCAT is another tool that can be used to do the "dumb pipe" traffic forwarding. The environment in this exercise remains the same as in the previous scenario.

Setting up an HTTP redirector with socat:

socat TCP4-LISTEN:80,fork TCP4: