Intro to C2
TryHackMe Room - Red Team Learning Path Update: 2022
What is a C2 framework?
Command and Control (C2) frameworks are used extensively during Red Team engagements, so being familiar with them is a must. Red Teamers use them to send commands to compromised hosts living in the target network over well-known protocols such as SMB, DNS, HTTPS, etc.
Some C2 frameworks are free and others are paid. Paid C2 frameworks have more options and are sometimes more difficult for EDR to detect. The C2 Matrix project gives a great overview of the most common frameworks and their capabilities.
Vocabulary
A specific vocabulary is tied to C2 frameworks.
Words | Definitions |
---|---|
Agents | Payloads that connect back to a listener on the C2 server. Comparable to a reverse shell, but with extensive capabilities and commandlets. Agents/payloads can be staged or stageless. Staged payloads are more difficult for antivirus and EDR to detect: the payload is split into multiple parts that are transferred to the compromised host in two steps. |
Listeners | Live on the C2 server and wait for agent callbacks. |
C2 server | Server that receives callbacks from Agents and sends commands to them. |
Beacons | Agents "beacon" the C2 server to connect to listeners. Algorithms can be implemented so the Agents call back the C2 server at a specific rate (Sleep Timer). To make the pattern harder for the Blue Team to identify, a random lapse of time is added to the Sleep Timer (Jitter), so the Agents appear to beacon the C2 server at an unpredictable rate. |
Modules | Modules make post-exploitation and network pivoting easier for Red Teamers. They are the features that distinguish C2 Agents from simple reverse shells. Example: using the SMB Beacon technique, a compromised host can be used as a proxy to reach a restricted part of the network. |
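As an added defender-side example (not part of the room), the following script models the Sleep Timer and Jitter behaviour from the Beacons entry and shows how a Blue Team could spot it in proxy logs: it simulates an agent's callback times, then flags source/destination pairs whose inter-request intervals are unusually regular. The log line format, hosts, IPs and the thresholds `max_cv` / `min_hits` are constructed for the example.

```python
import random
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

LOG_FORMAT = "%Y-%m-%dT%H:%M:%S"  # constructed: "<ts> <src_ip> <dst_host> <ua>"
START = datetime(2022, 1, 1, 9, 0, 0)


def beacon_schedule(start, sleep_s, jitter, count, seed=0):
    """Callback times of an agent with Sleep Timer sleep_s and Jitter.
    jitter is a fraction: 0.2 means each wait is sleep_s .. 1.2 * sleep_s."""
    rng = random.Random(seed)
    t, times = start, []
    for _ in range(count):
        t += timedelta(seconds=sleep_s * (1 + rng.random() * jitter))
        times.append(t)
    return times


def regularity(timestamps):
    """Coefficient of variation of inter-arrival times; lower = more periodic."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 3:
        return None
    mean = statistics.mean(gaps)
    return statistics.pstdev(gaps) / mean if mean else None


def find_beacons(lines, max_cv=0.3, min_hits=5):
    """Group requests per (src, dst) and flag pairs whose timing is too regular.
    Thresholds are assumed starting points, not values from the room."""
    by_pair = defaultdict(list)
    for line in lines:
        stamp, src, dst, _ua = line.split(" ", 3)
        by_pair[(src, dst)].append(datetime.strptime(stamp, LOG_FORMAT))
    hits = []
    for (src, dst), ts in by_pair.items():
        cv = regularity(ts)
        if cv is not None and len(ts) >= min_hits and cv <= max_cv:
            hits.append((src, dst, round(cv, 3)))
    return hits


def build_sample_log():
    """Constructed sample: a 60 s / 20 % jitter beacon plus a human browsing."""
    lines = [f"{t.strftime(LOG_FORMAT)} 10.0.0.5 cdn.example.net NotaMeterpreter"
             for t in beacon_schedule(START, 60, 0.2, 10, seed=1)]
    t = START
    for gap in (5, 40, 600, 12, 300, 20, 1800, 8, 90):  # irregular human gaps
        t += timedelta(seconds=gap)
        lines.append(f"{t.strftime(LOG_FORMAT)} 10.0.0.7 news.example.org Mozilla/5.0")
    return lines
```

Even with 20 % jitter the beaconing pair keeps a coefficient of variation near 0.05, while ordinary browsing is an order of magnitude noisier; the jitter only widens the band, it does not remove the periodicity.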
Domain Fronting & C2 Profiles
The C2 server needs to be reachable by the Red Teamers while staying as hidden as possible from the Blue Team. Domain fronting and the creation of C2 profiles help accomplish this goal. Both techniques require registering a domain for the C2 server.
The domain fronting technique uses a reverse proxy (such as Cloudflare) to hide the C2 server behind a trusted proxy server. By forcing the traffic through a well-known, trusted proxy, the objective is to ensure as far as possible that the outbound traffic does not look suspicious.
A reverse proxy can also be used to create "profiles" (C2 profiling). By controlling the requests and their parameters, the Red Teamers can craft requests so that, depending on their origin, a request is redirected either to the C2 server or to a simple web page.
The two schemas below summarise these techniques.
Armitage
Armitage is the Metasploit C2 GUI. It is not a very popular framework for real-world engagements.
Installation
Both the Teamserver and Armitage files are located in the armitage/release/ directory.
Installation issues with MSF6 and Postgresql v14.
The C2 interface should never be public facing. Use port forwarding to expose a port that lets Red Team Operators access the interface.
Listeners
Different types of listeners suitable for various contexts can be used with Armitage.
Listeners | Contexts |
---|---|
Meterpreter | Use with the Metasploit framework |
HTTP/HTTPS | When dealing with a firewall that does protocol inspection |
SMB | Restricted network environments |
DNS | When internet access is difficult |
Redirectors
This room introduced learners to the importance of redirectors. In a Red Team engagement, we do not want our C2 server to communicate directly with the victim. An intermediary between the two prevents our infrastructure from being flagged by the Blue Team and taken down.
We can create a redirector using Apache2 and Metasploit with specific rules based on User-Agent, URI, Host header, etc. We can also use well-known technologies such as AWS EC2, Digital Ocean, Azure app functions, etc. It is preferable to use technologies that are already integrated within the target environment.
The following command creates an HTTP payload with the User-Agent set to NotaMeterpreter.
By capturing the traffic, we can observe that the User-Agent is set to 'NotaMeterpreter'.
Apache2 can be used as a proxy to redirect traffic based on specific rules through the Rewrite Engine and ProxyPass features. We can either modify /etc/apache2/sites-available/000-default.conf directly or set up a .htaccess file.
In the file below, the RewriteCond can be read as: if the User-Agent is 'NotaMeterpreter', proxy the traffic to http://localhost:8080. We also need to make sure that the AllowOverride directive is set to All.
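An added example of the rule just described, written out as a .htaccess fragment; this is not the room's own file. It assumes the vhost sets AllowOverride All for the document root and that the rewrite, proxy and proxy_http modules are enabled, and it uses the listener port from the text.

```apache
# Added example, not the room's own .htaccess.
RewriteEngine On
# Only requests carrying the exact User-Agent the payload was generated with
# are forwarded; every other visitor just gets the ordinary web page.
RewriteCond %{HTTP_USER_AGENT} ^NotaMeterpreter$
# [P] proxies the request server-side (mod_proxy) instead of sending the
# client a redirect, so the C2 address is never exposed to the browser.
# The listener is assumed to be on localhost:8080, as in the text above.
RewriteRule ^(.*)$ http://localhost:8080/$1 [P,L]
```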
Example of a .htaccess file located at the root of the Apache2 web server.
The .htaccess file can be read as follows:
Apache2 modules that need to be enabled to set up a redirector.
We also need to restart the Apache2 server: