{
	"id": "66eb7696-edf5-47c5-a31e-504630aeea72",
	"created_at": "2026-04-06T00:21:18.601563Z",
	"updated_at": "2026-04-10T03:19:55.760466Z",
	"deleted_at": null,
	"sha1_hash": "50b39d5213b27114b58bfd6479805508a8c3cace",
	"title": "How to Bypass Web-Proxy Filtering - Black Hills Information Security, Inc.",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3417330,
	"plain_text": "How to Bypass Web-Proxy Filtering - Black Hills Information\r\nSecurity, Inc.\r\nBy BHIS\r\nPublished: 2017-04-13 · Archived: 2026-04-05 19:57:45 UTC\r\nBrian Fehrman //\r\nSomeone recently posed a question to BHIS about creating C2 channels in environments where heavily restrictive\r\negress filtering is being utilized. Testers at BHIS, and in the industry as a whole, routinely run into this type of\r\nscenario. BHIS strongly encourages the use of egress filtering. As with many other security approaches, however,\r\nit is important to realize that this is just one piece of the overall security puzzle.\r\nThere are multiple ways to get around heavy egress-filtering (thanks to Beau for the links and insights in this\r\nsection). In some cases, tools such as ICMPSploit [1] can be used to create C2 channels using the ICMP protocol.\r\nDNScat is a well-known tool that utilizes DNS requests and responses for C2 traffic. For this blog, we are going to\r\nfocus solely on environments that are only allowing web-based traffic in and out of the environment. We will\r\nplace an additional restriction on this scenario and assume that the environment also uses web-proxy filtering. It’s\r\nbecoming more common to see companies not only block known bad sites but also block access to sites that have\r\nnot received a categorization (e.g., Shopping, Financial, Sports, etc.) Even in this type of environment, there are\r\nnumerous ways to establish C2 channels. Some of the methods include leveraging Gmail [2] and Outlook [3].\r\nDomain-fronting via CDN services is also becoming increasingly popular [4].\r\nhttps://www.blackhillsinfosec.com/bypass-web-proxy-filtering/\r\nPage 1 of 9\n\nI would like to focus on a web-proxy filtering bypass method that is known as domain-categorization take-over\r\n(thanks to harmj0y for the idea). I will walk you through the process of getting your own categorized domain and\r\ntalk about some of the ways you can utilize it.\r\nThe first step is to find a recently expired domain that received a “good” categorization before it expired. The idea\r\nis that if you re-register a domain shortly after its previous owner failed to renew it, the categorization that was\r\ngiven to that domain will remain intact. How do we go about doing that? Easy!! Head on over to the site located at\r\nhttps://www.expireddomains.net. Now, you can use this service without signing up for anything. I suggest taking\r\njust a few minutes to sign up for a free account. With a registered account, you are afforded access to a lot more\r\ncontent than you do if you just browse anonymously. After logging in, you should see something similar to the\r\nscreenshot below. I’ve highlighted the main area of interest. Click on one of the domain suffixes (e.g., “Deleted\r\n.info Domains”). The .com sites will likely be the most expensive to register. I typically go for .info, which can\r\nusually be bought for about $1/year.\r\nAfter clicking a Deleted Domain suffix, you will be taken to a page that shows recently expired domains with that\r\nsuffix and a lot of information to go along with it. What does all of it mean? Well, I will talk about what I feel are\r\nthe most important statistics. First, click on the “Show Filter” option.\r\nThe first thing that I like to do is to check the “no Adult Names” box. We don’t pass judgment here, but web-proxy\r\nfilters sure do! Next, I check the “only available Domains” box to ensure that domains that are currently registered\r\nhttps://www.blackhillsinfosec.com/bypass-web-proxy-filtering/\r\nPage 2 of 9\n\ndo not appear in the list. The last change that I make is to select the “SimilarWeb Top Country” to be the country\r\nin which my target resides. This can help to reduce the suspicion of web-proxy filters. Once you’re satisfied with\r\nthe filter options, click the “Apply Filter” button towards the bottom of the page.\r\nNext, click on the “SimilarWeb” heading to sort the expired domains by their SimilarWeb ranking. Essentially, the\r\nlower the number the more “reputable” the site. Once I’ve applied the sorting, I start clicking through the\r\nSimilarWeb rating for the domains until I find one that has been assigned a category. In this case, clicking the\r\nSimilarWeb link for gtavdata.info shows that this site was categorized as “Reference-\u003eMaps” site. Seems\r\ninnocuous enough for our needs!\r\nhttps://www.blackhillsinfosec.com/bypass-web-proxy-filtering/\r\nPage 3 of 9\n\nNow that we’ve found a suitable categorized-domain, we need to register it. I suggest using\r\nhttps://www.namesilo.com since it has a nice interface, seems to keep the domain categorization intact, and\r\nprovides free WHOIS privacy. We don’t need hosting or anything fancy, just something to register the domain and\r\nset the A record for the domain. NameSilo also makes it easy to set up Office 365 Mail with your domain but that\r\nis a discussion for another blog post. Just type in the name of the domain that you found in the previous step and\r\nregister away. Make sure to pick the correct domain extension (e.g., .info, .com, .net, etc.) or else the trick likely\r\nwon’t work.\r\nAfter registering the domain name, sign in to namesilo.com and head to the DNS settings for that domain. The\r\nsequence of images below shows the general steps to get there.\r\nhttps://www.blackhillsinfosec.com/bypass-web-proxy-filtering/\r\nPage 4 of 9\n\nOnce you’ve found the DNS settings, click the edit button next to the first A record in the list. Change the IP\r\naddress of that A record to be the IP address of your C2/testing server and then click submit button.\r\nNext, delete the other three default DNS records that NameSilo created for you so that you are left with only the A\r\nrecord that you just edited in the previous step.\r\nhttps://www.blackhillsinfosec.com/bypass-web-proxy-filtering/\r\nPage 5 of 9\n\nNow, we patiently wait for the A record changes to propagate to the public. Namesilo.com seems to propagate the\r\nchanges within fifteen minutes in most cases. Keep checking for the update by using your favorite DNS resolution\r\ntool against your new domain. In the image below, you can see that I’ve used dig to verify that gtavdata.info now\r\npoints to my C2 server.\r\nThe next step that I usually take is to generate a valid, signed SSL-certificate for the new domain. Having a trusted\r\ncertificate to use for encrypting your traffic will add to the ability to bypass traffic-filtering mechanisms, help\r\nprotect any sensitive data that might be transferred, and it can also evade some anti-virus tools that would\r\notherwise see the unencrypted payload coming across the network. I suggest logging into your C2 server and then\r\nchecking out Carrie’s awesome blog post on how to do this quickly and for free! [5]\r\nAfter generating your shiny-new SSL certificate, you’re ready to use your categorized domain-name for testing!\r\nContinue reading Carrie’s post to see how to use your domain with PowerShell Empire.\r\nYou can also use your certificate and categorized domain with meterpreter and metasploit. Below is an example of\r\nusing msfvenom to generate an HTA payload for my domain.\r\nBefore starting a listener for meterpreter, you might want to host your payload so that you can transfer it into your\r\ntesting environment. You might also have other tools that you’d like to have on your testing system for the\r\nassessment. Apache is one easy way to do this that takes advantage of your certificate and domain. One suggestion\r\nis to create a folder in the /var/www/html directory on your system. For this example, let’s call it serverfolder.\r\nmkdir /var/www/html/serverfolder\r\nhttps://www.blackhillsinfosec.com/bypass-web-proxy-filtering/\r\nPage 6 of 9\n\nCopy your payload file and other tools to the directory that you just created. After copying the files, make sure\r\nthat the Apache service is running. In the image below, I’ve copied the met_pay.hta payload file and the\r\nPowerLine toolset (teaser:upcoming webcast!) to my serverfolder directory.\r\nYou can now reach your files by opening a web browser and typing https://yourdomainname.net/serverfolder.\r\nThe next task we will do is to create a listener for our meterpreter payload. After downloading the files to your\r\ntesting system, kill the Apache service on your server and start-up msfconsole.\r\nIssue the commands shown in the screenshot below. Make sure to replace the handlersslcert value with the path to\r\nyour certificate file.\r\nhttps://www.blackhillsinfosec.com/bypass-web-proxy-filtering/\r\nPage 7 of 9\n\nHead back to the testing system on which you downloaded the payload and run it. Head back over to your server\r\nand enjoy the new session that was created using your categorized domain and signed SSL-certificate.\r\nFollow Brian on the Twitters: @fullmetalcache\r\nShout-outs: Carrie Roberts, Sally Vandeven, Derek Banks, Beau Bullock, harmj0y (and APT team), and others\r\nthat I’m probably forgetting…\r\n[1] http://www.labofapenetrationtester.com/2015/05/week-of-powershell-shells-day-5.html\r\n[2] https://github.com/byt3bl33d3r/gcat\r\n[3] https://github.com/colemination/PowerOutlook\r\n[4] https://blog.cobaltstrike.com/2017/02/06/high-reputation-redirectors-and-domain-fronting/\r\n[5] http://www.blackhillsinfosec.com/?p=5447\r\nReady to learn more?\r\nLevel up your skills with affordable classes from Antisyphon!\r\nPay-Forward-What-You-Can Training\r\nAvailable live/virtual and on-demand\r\nhttps://www.blackhillsinfosec.com/bypass-web-proxy-filtering/\r\nPage 8 of 9\n\nSource: https://www.blackhillsinfosec.com/bypass-web-proxy-filtering/\r\nhttps://www.blackhillsinfosec.com/bypass-web-proxy-filtering/\r\nPage 9 of 9",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.blackhillsinfosec.com/bypass-web-proxy-filtering/"
	],
	"report_names": [
		"bypass-web-proxy-filtering"
	],
	"threat_actors": [],
	"ts_created_at": 1775434878,
	"ts_updated_at": 1775791195,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/50b39d5213b27114b58bfd6479805508a8c3cace.pdf",
		"text": "https://archive.orkl.eu/50b39d5213b27114b58bfd6479805508a8c3cace.txt",
		"img": "https://archive.orkl.eu/50b39d5213b27114b58bfd6479805508a8c3cace.jpg"
	}
}