What is a C2 Framework? (+Installation Guide)

In this guide, you'll learn what a C2 server and a C2 framework are, why you might want to use one, and the key benefits they can provide to you and your team.

You'll discover some of the most popular C2 frameworks available today and get hands-on experience using the popular Havoc open source C2 framework.


What is a C2 framework?

If you've ever done pentests before, you'll know about malware and shells.

You run a piece of malware on a target machine, which creates a terminal session or shell that either connects back to you (reverse shell) or listens for you to connect to it (bind shell). You can then remotely control the target machine.

Every hacker wants to get a shell on a target system to perform post-exploitation tasks like harvesting credentials, exfiltrating data, or moving to new targets using techniques like Kerberoasting.

A C2 framework takes the concept of shells to the next level. It provides a centralized platform to control hundreds of compromised systems on a target network, and C2 frameworks are used in almost every real cyber attack.

In addition, C2 frameworks have advanced automation capabilities and integrate various leading tools with little effort. This helps with lateral movement, post-exploitation enumeration, privilege escalation, persistence, and more.

Typically, C2 frameworks have three parts: a C2 server, a C2 client, and a C2 agent.

  • C2 server: The central point for managing compromised systems, C2 communication and collected data.
  • C2 client: Software installed on a C2 operator's machine that allows them to connect to the C2 server and interact with compromised machines.
  • C2 agent: Malware installed on an infected target machine, which connects to a C2 server and allows an operator to control the infected machine remotely. This is also known as a C2 implant or bot, depending on which C2 framework you are using.

You run the C2 agent on a target machine and the agent connects to the public C2 server.

An operator connects to the C2 server and interacts with the compromised machine through the server.

The operator can interact with the C2 server and compromised systems using a command line or a graphical user interface (GUI). Many advanced C2 frameworks include both, so the operator can visualize the systems they are attacking.

But why do you need a C2 framework? Why not just use a reverse shell? Let's find out.

What is the purpose of a C2 framework?

C2 frameworks are platforms designed to give you the ability to perform post-exploitation tasks, maintain access to systems, and collaborate with others to achieve your goals.

The C2 infrastructure is designed to use a client-server model, where multiple C2 clients can connect to a central C2 server through an intuitive user interface, from which they can attack systems.

This allows multiple operators to work simultaneously, provides a central point for data flow, and requires only one public IP/domain, making the creation of new C2 infrastructure easier.

The architectural design of C2 frameworks also makes them significantly more stable than reverse or bind shells. The public C2 server means you don't need your own system in a DMZ to receive callbacks – that's the server's job.

This, combined with a well-designed C2 agent, means there is less chance of being interrupted or disconnected when hacking. You could shut down your client machine and reconnect to the server later without losing any shells.

If you're still not convinced, another powerful feature of C2 frameworks is their support for external post-exploitation tools and for hiding the execution of those tools in memory: tools like Mimikatz, BloodHound, and Nmap.

This feature means you can customize a framework to your needs using tools you're comfortable with. You can even use different C2 agents or frameworks together. For example, connecting a Metasploit agent to a Cobalt Strike C2 server.

These qualities make C2 frameworks ideal for red teaming or purple teaming exercises, where security professionals must simulate real attacks to test their defensive capabilities.

What are the benefits of a C2 framework?

Now you know what C2 frameworks are and why attackers use them, so let's explore some of the key advantages of these platforms.

  • Stealth: They can incorporate various evasion techniques, including using SSL certificates, to encrypt data and hide malicious activities, masquerading as legitimate network traffic, and hiding an attacker's IP addresses through C2 redirectors.
  • Flexibility: Several frameworks allow you to customize C2 agents, change C2 server responses and configuration settings, and implement new attack techniques. This allows you to tailor your C2 infrastructure to specific target systems or targets and avoid defensive measures.
  • Scalability: C2 frameworks are designed for scaling. Multiple operators (clients) can interact with a single C2 server controlling hundreds of compromised machines – leveraging cloud technology to deploy your infrastructure on demand.
  • Centralized management: They allow you to manage and control compromised systems from a single, centralized interface. This allows operators to coordinate and orchestrate their activities, manage compromised systems, and execute commands on multiple hosts simultaneously.
  • Persistence: Many C2 frameworks have built-in persistence mechanisms that you can deploy on compromised systems to maintain access even after reboots or the implementation of strong security features and measures.
  • Data exfiltration: C2 frameworks allow you to easily exfiltrate large amounts of sensitive data from compromised systems, hide it through encryption or obfuscation, and make it available to anyone on your team by hosting it on a central C2 server.
  • Reliability: C2 frameworks are intended to provide a reliable mechanism for interacting with compromised computers. This includes having a trusted C2 agent connected to the C2 server, the ability to create backup servers or split the stages of the attack across different C2 servers, and the ability to use C2 redirectors to redirect traffic in the event that the C2 server's IP address or domain name is blocked.

What are the most popular C2 frameworks?

So now you want to get your hands dirty and start using a C2 framework. Great! But which one should you use? Let's look at some of the most popular C2 frameworks to help you decide.

Cobalt Strike

Cobalt Strike is a commercial adversary simulation and red team operations platform widely used in the security industry by penetration testers. It is one of the industry's leading C2 frameworks, but its benefits come at a high price.

PowerShell Empire

PowerShell Empire is an open source post-exploitation framework that makes extensive use of the PowerShell scripting language, which is typically found on Windows systems.

Sliver

Sliver is an open source, cross-platform adversary emulation and red team framework designed for security testing on Windows, macOS, and Linux machines.

Havoc

Havoc is free, open source and easy to set up. It provides a client interface for interacting with the C2 server in real-time via API calls, similar in look and feel to Cobalt Strike.

Brute Ratel C4

Brute Ratel C4 is a commercial red team and adversary simulation platform that can automate the execution of adversary tactics, techniques and procedures (TTPs), map attacks to the MITRE ATT&CK matrix for reporting, and support multiple command and control channels.

Setting up a C2 framework with Havoc

This demo will show you how to set up and use the Havoc C2 framework. Havoc is a great choice for those starting out with C2 frameworks. It is open source, easy to configure and provides an intuitive GUI for interacting with your C2 agents.

Havoc Lab installation

Once you have installed a Kali Linux and Windows 10 virtual machine, you can install Havoc.

Install Havoc

To install Havoc, clone the GitHub repository with the command git clone https://github.com/HavocFramework/Havoc.git.


Next, move to this cloned directory and install the required dependencies by running the following two commands:

cd Havoc
sudo apt install -y git build-essential apt-utils cmake libfontconfig1 libglu1-mesa-dev libgtest-dev libspdlog-dev libboost-all-dev libncurses5-dev libgdbm-dev libssl-dev libreadline-dev libffi-dev libsqlite3-dev libbz2-dev mesa-common-dev qtbase5-dev qtchooser qt5-qmake qtbase5-dev-tools libqt5websockets5 libqt5websockets5-dev qtdeclarative5-dev golang-go qtbase5-dev libqt5websockets5-dev python3-dev libboost-all-dev mingw-w64 nasm

Now build the Havoc C2 server by running the following commands:

cd teamserver
go mod download golang.org/x/sys
go mod download github.com/ugorji/go
cd ..
make ts-build

Then build the Havoc C2 client with the make client-build command.


Then edit the ./profiles/havoc.yaotl file to match the following configuration.


You can change the user and Password variables to whatever you want. It is important that the Teamserver is running locally on the same Kali Linux machine that you are running the client on. To run the server locally, you need to change the Host variable to 127.0.0.1.

Start the Havoc C2 server using the default profile by running the command ./havoc server --profile ./profiles/havoc.yaotl.
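As an added example (not the screenshot from the original article), here is a minimal ./profiles/havoc.yaotl that follows the instructions above: Host is set to 127.0.0.1 for a local teamserver, and the operator name and password are placeholders you must change. The compiler paths are assumed to be where the mingw-w64 and nasm packages installed earlier put them on Kali.

```hcl
# Example Havoc teamserver profile (added here, not from the article).
# Operator name and password are placeholders; replace them before use.
Teamserver {
    Host = "127.0.0.1"   # local only, as the article instructs
    Port = 40056         # default teamserver port the client connects to

    Build {
        # Cross compilers and assembler used to build agent payloads.
        # Paths assume the Kali mingw-w64 and nasm packages installed above.
        Compiler64 = "/usr/bin/x86_64-w64-mingw32-gcc"
        Compiler86 = "/usr/bin/i686-w64-mingw32-gcc"
        Nasm       = "/usr/bin/nasm"
    }
}

Operators {
    # These are the credentials entered in the client's New Profile dialog.
    user "operator1" {
        Password = "CHANGE-ME-to-a-long-random-password"
    }
}
```

The operator password is the only thing protecting the teamserver; keep the lab-only 127.0.0.1 binding unless you also put the server behind proper access controls.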

Connect to the C2 server by launching the Havoc C2 client with the command ./havoc client.

Use the credentials you created in the ./profiles/havoc.yaotl file to connect to the C2 server. Click the New Profile button, enter your local IP address, and then add the username and password you set.

Finally, press Connect to connect to the Havoc server.


You will be presented with Havoc's default dashboard.


With the C2 server and client running, you can proceed to install agents on compromised systems.

Using the Havoc C2 framework

Now that you have everything installed, let's start using our first C2 framework.

Deploying an agent with Havoc

There are three steps to perform when deploying a C2 agent on a compromised machine using Havoc.

Step 1: Create a Listener

First, you need to create a listener on the Havoc interface to listen for incoming connections from Havoc agents. To do this, select the Listeners option from the View drop-down menu.


This will bring up the Listeners tab. Click the Add button to display the Create Listener pop-up wizard.


Fill in the listener name, leave the payload as Https, make sure the host is set to the IP address of the Kali Linux machine, and then click Save.


Clicking Save will create your listener on the Havoc Teamserver.


You can now create a payload that runs the Havoc C2 agent and connects to this listener.


Step 2: Create a payload

To create a payload in Havoc, select the payload option from the Attack dropdown.


This will bring up the Payload wizard, which you can use to customize your options.

Choose the listener you want the payload to bind to, the architecture you're targeting, and the format you want the payload to be in.

For modern Windows operating systems, this will be x64 and Windows Exe. You can leave the rest of the configuration options at their default values and select Generate to build your payload.

Once created, Havoc will ask you where you want to save your payload. Remember this location. You will need to use your payload later.

Step 3: Transferring and executing the payload

The next step is to transfer the Havoc payload to your target computer.

First, navigate to the directory where you saved the Havoc Payload, then create a Python HTTP server with the python3 -m http.server command.


Now, on the target Windows 10 machine, open a web browser and navigate to the IP address of the Kali Linux machine. Make sure you've turned off protections in Windows Security, such as Virus & Threat Protection and Application and Browser Control. This will ensure that the Payload runs and is not blocked by Windows Defender.


Select the executable file. Once downloaded, click the Open File link and select the Run option.


Finally, go back to the Kali Linux machine and confirm that the payload has run, that the C2 agent has deployed, and that you have a connection from your target machine to the Havoc C2 server.

Once you run a C2 agent on the target machine, you can start executing commands and interacting with the compromised computer.

Run Havoc C2 commands

To run remote commands on a compromised machine, you must first connect to the C2 agent through which you want to run commands. To do this, right-click the agent and select Interact from the pop-up menu.


This will bring up the C2 agent tab at the bottom of the Havoc GUI. You can issue commands in the lower command line and see the results displayed in the output tab.


To find out what commands you can run, run the help command.


Scrolling through the help menu will reveal many commands you can run. The most popular include:

  • whoami to get information about the current user and their privileges.
  • powershell to run Windows PowerShell commands.
  • upload and download to put files on the machine or retrieve them.
  • shell to enter a command shell.
  • token for manipulating and impersonating Windows tokens.
  • screenshot to take a screenshot of the current user's desktop.
  • And more.

You can even create a graphical map of infected hosts and their connections back to the Havoc C2 server by selecting View > Session View > Graph.


This is very useful when you have penetrated deep into an organization's network and need to see the path that traffic takes on its way out.


Conclusion

C2 frameworks are awesome tools. They allow you to evade detection, remain stealthy, and take penetration testing to new levels with centralized management and powerful mechanisms for interacting with compromised systems.

Many C2s even include advanced customization options that allow you to tailor your C2 infrastructure to a specific goal or objective.

This article discussed the purpose of C2 frameworks, the benefits they offer, and some popular commercial and open source frameworks you can use. You even got some hands-on experience using the Havoc C2 framework!

iGuRu.gr - The Best Technology Site in Greece
Written by Anastasis Vasileiadis