We covered an introduction to C2 servers. We explained C2 agents, payloads and their types (staged vs stageless), Droppers, beacons in addition to C2 agents obfuscation methods. We also covered some of the popular C2 servers including but not limited to Metasploit, Powershell Empire, Armitage and Cobalt Strike. This was part of the TryHackMe red team pathway.
While trying to digest the various components of a C2 framework, it may be intimidating. However, they don’t have to be. In order to better understand what a C2 framework is at its most basic level, think of a Netcat listener (the C2 server) that is capable of handling many reverse shells calling back at once (C2 Agents). It’s a server but for reverse shells. Unlike Netcat, almost all C2 frameworks require a special payload generator. This is usually a feature that is built into the framework itself. For example, Metasploit is a C2 Framework that has its own payload generator, MSFVenom.
So what exactly makes C2 frameworks better than a normal Netcat listener? It seems like all someone needs to do is implement session management into Netcat, and you have the same thing? While this is true, C2 frameworks shine in their “Post Exploitation” features.
What is the beaconing option that introduces a random delay value to the sleep timer?
What is the term for the first portion of a Staged payload?
What is the name of the communication method that can potentially allow access to a restricted network segment that communicates via TCP ports 139 and 445?
Which listener should you choose if you’re accessing a restricted network segment?
Which listener should you choose if you are dealing with a Firewall that does protocol inspection?