Red Team Use Case with Cloudflare’s Argo Tunnel Service

Learn how penetration testers can use and abuse Cloudflare’s Argo Tunnel service for hybrid web shells or other C2 channels, and how to detect and prevent it.

Dennis Chow
Published in Lotus Fruit
4 min read · Mar 19, 2020


Disclaimer: The content in this post in no way reflects the opinions or statements of my employer. It is my own personal tinkering and is meant for educational purposes only in red and blue team security operations. Any abuse or unauthorized use of the knowledge and tools listed below is on you.

Cloudflare recently released a trial edition of its Argo Tunnel service that requires no account, announced in a blog post. To keep it simple, Argo Tunnel puts a reverse call-back agent (the cloudflared binary) on your local web server and tunnels that service out to Cloudflare’s edge. The intended use case is that you no longer have to expose a self-hosted service ‘directly’ to the Internet through a typical reverse proxy or forward port translation (PAT): the agent makes an outbound connection, and Cloudflare forwards inbound requests back down it. The trial lets people without an account test services using dynamically generated DNS records that are created automatically and pushed across the CDN, pointing at any service port hosted locally. The kicker is that not only is this available almost instantly; it also wraps your original content in a proper TLS session with a valid certificate, so there are no certificate errors for the visitor.
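The mechanism above, and the detection the subtitle promises, as an added example that is not part of the original post. The tunnel side is just the public cloudflared invocation (`cloudflared tunnel --url http://localhost:8080`), shown only in a comment; the script itself does not launch anything. The detection side scans constructed sample telemetry (a process-creation feed and a DNS query feed, in a hypothetical `host|user|cmdline` and `host|qname` layout) for the agent and for its call-back hostnames; `argotunnel.com` (cloudflared’s control plane) and `trycloudflare.com` (the account-less trial’s generated hostnames) are real Cloudflare domains, while the log format and the hostnames inside the samples are made up for the example.

```shell
#!/bin/sh
# Added example, not from the original post.
#
# Red team side (for reference only, NOT executed here): on a compromised host
# with a service on 127.0.0.1:8080, the public cloudflared syntax is
#   cloudflared tunnel --url http://localhost:8080
# The agent dials out to Cloudflare, and a generated *.trycloudflare.com name
# with a valid TLS certificate starts forwarding to the local port.
#
# Blue team side: look for the agent and for its call-back names.

# Constructed sample process-creation events: "host|user|cmdline"
SAMPLE_PROCS='ws01|alice|/usr/bin/python3 app.py --port 8080
ws01|alice|/tmp/.cache/cloudflared tunnel --url http://localhost:8080
ws02|bob|/usr/bin/curl https://example.org/'

# Constructed sample DNS query log: "host|qname"
SAMPLE_DNS='ws01|region1.argotunnel.com
ws01|made-up-words-here.trycloudflare.com
ws02|example.org'

# Print process events whose command line launches the tunnel agent.
# Match on "cloudflared ... tunnel" rather than the path, since an attacker
# will rename the directory far more often than the binary's subcommand.
find_tunnel_procs() {
  printf '%s\n' "$1" | awk -F'|' '$3 ~ /cloudflared[^|]*tunnel/ { print }'
}

# Print DNS queries for the Argo Tunnel control plane or TryCloudflare names.
# Anchored so that e.g. "argotunnel.com.evil.example" is not matched.
find_tunnel_dns() {
  printf '%s\n' "$1" | awk -F'|' 'tolower($2) ~ /(^|\.)(argotunnel|trycloudflare)\.com$/ { print }'
}

# Return 0 when either feed contains an indicator; usable from a cron job or EDR hook.
tunnel_indicator_present() {
  [ -n "$(find_tunnel_procs "$1")" ] || [ -n "$(find_tunnel_dns "$2")" ]
}

# Live checks for an actual Linux host (not run by the samples above):
# a running agent, and an established session to cloudflared's port 7844.
live_checks() {
  pgrep -fa 'cloudflared[^|]*tunnel' 2>/dev/null || true
  ss -tnp state established '( dport = :7844 )' 2>/dev/null || true
}

echo "Tunnel agent launches:"
find_tunnel_procs "$SAMPLE_PROCS"
echo "Tunnel call-back DNS queries:"
find_tunnel_dns "$SAMPLE_DNS"
```

Prevention follows from the same indicators: egress filtering that denies outbound 7844 and sinkholes `argotunnel.com` and `trycloudflare.com` on hosts that have no business reaching them, plus application control that blocks the cloudflared binary by hash or signer where it is not a sanctioned tool.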

Why is this a perfect use or test case for red teams? In a post-compromise scenario on an endpoint, we can now…

Security Practitioner and Veteran | GSE #288, GXPN, GREM *Opinions are my own. Looking for code only? https://github.com/dc401/