# Traffic Redirection

Traffic Redirection
- Overview
- Table of URLs and IPs used by Redirectors

# Overview

Multiple redirectors are used to distribute the traffic across subnets and IP address ranges.

Traffic redirection is performed using iptables NAT masquerading, with traffic sent to specific destination IP address and port combinations being redirected to a specific IP address and port. Scripts in the ansible/playbooks/files/redirectors folder provide the following functionality:

enable-traffic-forwarding-rules-redirect.sh.j2
- A template script that is populated and run to configure multiple network forwarding rules on a server.
disable-traffic-forwarding-rules.sh
- Running the script on a server will disable and clear any network forwarding rules in place.
print-traffic-forwarding-rules.sh
- Running the script will print to standard output the network forwarding rules currently configured.

# Table of URLs and IPs used by Redirectors

Scenario Purpose	Redirection Domain	Redirection Source IP	Redirector	Redirection Source Port(s)	Destination Host	Destination Port(s)
Scattered Spider: Simple File Server	`kingslanding-rmm.com`	86.234.15.38	`stormlands`	80	`kali`	80
Scattered Spider: Simple File Server (Preflights)	`evals-preflights.org`	86.234.54.133	`stormlands`	80	`kali`	80
Scattered Spider: Spearphish to Adversary AITM	`sso-kingslanding.net`	86.234.158.146	`stormlands`	80	`kali`	8888
Scattered Spider: SFTP	`ramsgate.com`	86.234.99.108	`stormlands`	22	`kali`	22
Mustang Panda: Orpheus FTP Exfil	`karhold.com`	49.67.12.21	`stark`	20 21 40000 40001 40002 40003	`kali`	20 21 40000 40001 40002 40003
Mustang Panda: Orpheus SFS	`pentos-analysis.org`	191.44.44.44	`bolton`	80	`kali`	80
Mustang Panda: Orpheus C2 Handler	`karstarkland.net`	191.44.44.199	`bolton`	443	`kali`	8443
Mustang Panda: Perseus C2 Handler	`ValarMorghulis.org`	78.31.97.203	`greyjoy`	443	`kali`	9443
Mustang Panda: Perseus HTML file	`mailstreamnet.com`	49.67.12.59	`stark`	443	`kali`	8443
Mustang Panda: Toneshell VSCode Tunnel	`edupronewscd.com`	49.67.12.94	`stark`	80	`kali`	8888
Protections 1: Simple File Server	`pasteme.io`	86.234.232.55	`stormlands`	80	`kali`	80
Protections 1: Attacker Proxy 1	`ironborn.io`	78.31.97.65	`greyjoy`	443	`authentik`	443
Protections 3: C2 Redirector	`livesso.com`	49.67.12.54	`stark`	80	`rustdesk`	80
Protections 3: Attacker Proxy 2	`shadowbinders.net`	78.31.97.72	`greyjoy`	443	`authentik`	443
Protections 4: Orpheus C2 Handler	`casterlystone.com`	191.44.44.224	`bolton`	443	`kali`	8443
Protections 5: Perseus C2 Handler	`MaesterJam2025.com`	78.31.97.251	`greyjoy`	443	`kali`	9443
Protections 5: SFS for MSC file	`faithoftheseven.com`	191.44.44.96	`bolton`	80	`kali`	80
Protections 5: SFS for MSI file	`essos-news.com`	191.44.44.169	`bolton`	80	`kali`	80
Protections 7: Attacker Proxy 3	`goldcloaks.org`	78.31.97.151	`greyjoy`	443	`authentik`	443