C2 Framework Alternatives for Red Teamers/Pentesters

Hi everyone, I'm back. In this post I want to introduce some C2 frameworks, and I will explain how to use Tor services for our C2 server. Let's start with the frameworks!

C2 Frameworks which I want to introduce:

  • Covenant
  • Cobalt Strike
  • PoshC2
  • Armitage
  • Empire Web
  • Starkiller

1) Covenant

This framework uses .NET technology. It has a user management system for your team, and you can create your own grunts, listeners, etc.

General Capabilities:

  • User Management
  • Task Creation
  • Looting
  • Encrypted C2 Server
  • Listener Profiles
  • API
  • Multi-Platform (.NET Core and Docker support), etc.

For more information: https://github.com/cobbr/Covenant

2) Cobalt Strike

This framework is generally used for advanced security testing phases. It can be thought of as an improved Armitage with more capabilities. You can create client-side attacks and malicious documents, and you can use it for pivoting, malware creation, exploitation, reporting, the recon phase (for target profiling), etc.

For advanced capabilities: https://attack.mitre.org/software/S0154/, https://www.cobaltstrike.com/

Example APT Groups which used Cobalt Strike: APT19, FIN6, APT41, etc.

3) PoshC2

The APT33 Group uses this C2. You can use this for adversary simulations or red teaming scenarios.

Some Features:

  • Fully encrypted C2 server
  • Client/Server Model
  • Open source socks proxy
  • Notifications
  • User management
  • Configurable payloads

For advanced features: https://attack.mitre.org/software/S0378/, https://github.com/nettitude/PoshC2, https://labs.nettitude.com/blog/poshc2-new-features/, https://poshc2.readthedocs.io/en/latest/

4) Armitage

I would call this app the Metasploit GUI. You can use it for scanning, enumeration, exploitation, post-exploitation, pivoting, etc. like Cobalt Strike, but this version is free and has fewer capabilities.

Some Features:

  • Graphical Usage
  • Looting (credentials, hashes, etc.)
  • Enumeration with Nmap
  • Logging
  • Uses Metasploit as its backend
  • Client-side attacks

For extra features: http://www.fastandeasyhacking.com

5) Empire Web

This is a web frontend for PowerShell Empire; you can use the Empire tool graphically with it. You can create listeners, payloads, etc., write your own modules, create reports, and much more.

Some Features:

  • API Support
  • Full Empire integration; an easy way to use Empire C2

PowerShell Empire: https://attack.mitre.org/software/S0363/, https://www.powershellempire.com/

Empire Web: https://github.com/interference-security/empire-web

Example APT Groups: FIN10, APT33, APT19, WIRTE, etc.

6) Starkiller

Starkiller is similar to Empire Web; you can use PowerShell Empire easily with this tool.

For more information about Starkiller: https://github.com/BC-SECURITY/Starkiller, https://www.bc-security.org/post/an-introduction-to-starkiller/

Another C2 Alternative List

  • SILENTTRINITY
  • Slackor
  • SQLC2
  • TrevorC2
  • Prismatica, etc.

Tor Usage For C2 Servers

First, we should edit the torrc configuration file.

In this configuration our SSH will use port 1222 and the C2 listener port 9090; we will expose port 443 on the Internet, but our local machine will use port 4443 for those connections.
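The onion service block described above, written out as an added example (not the author's original screenshot); the HiddenServiceDir path is an assumed location, the ports are the ones given in the post:

```text
# Added example: onion service block for torrc. The directory path below is
# an assumption; Tor writes the hostname and key files into it on restart.
HiddenServiceDir /var/lib/tor/c2_service/

# HiddenServicePort <virtual port on the .onion> <local target>
# SSH: reachable on the .onion at 1222, forwarded to the local SSH daemon.
HiddenServicePort 1222 127.0.0.1:1222
# C2 listener on 9090.
HiddenServicePort 9090 127.0.0.1:9090
# Public 443 on the .onion maps to the local listener on 4443.
HiddenServicePort 443 127.0.0.1:4443
```

Keep the local targets bound to 127.0.0.1 so the services are reachable only through Tor and not directly on the server's public interface.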

Created service directory:

After applying that config and creating the directory, run:

/etc/init.d/tor restart

Then Tor will create a hostname file and a private_key file. You can use that hostname over the onion router.

For usage: you can use the SOCKS proxy on port 9050 (you can change it in the torsocks.conf file), or the easiest way is to do this with the simple tor executable 🙂

And now you can use your C2 server with the onion router, congrats 🙂 Extra info: https://wiki.archlinux.org/index.php/tor, https://www.torproject.org/docs/tor-manual.html.en

Thanks for your time and your interest.

Berk KIRAS – Cyber Security Consultant