C2 Framework Alternatives for Red Teamers/Pentesters

Hi everyone, I’m back. In this post, I want to introduce some c2 frameworks and I will explain how to use tor services for our c2 server. Let’s start with frameworks!..

C2 Frameworks which I want to introduce:

  • Covenant
  • Cobalt Strike
  • PoshC2
  • Armitage
  • Empire Web
  • Starkiller

1) Covenant

This framework uses .NET Technology. You can use user management system for your team, you can create your own grunts, listeners, etc.

General Capabilities:

  • User Management
  • Task Creation
  • Looting
  • Encrypted C2 Server
  • Listener Profiles
  • API
  • Multi-Platform (.NET Core and Docker support), etc.

For more information: https://github.com/cobbr/Covenant

2) Cobalt Strike

This framework generally using for advanced security testing phases. This may be called improved Armitage and have more capabilities. You can create client side attacks, malicious documents. You may use this for pivoting, malware creation, exploitation, reporting, recon phase (for target profile), etc.

For Advanced Capabilities: https://attack.mitre.org/software/S0154/ , https://www.cobaltstrike.com/

Example APT Groups which used Cobalt Strike: APT19, FIN6, APT41, etc.

3) PoshC2

The APT33 Group uses this C2. You can use this for adversary simulations or red teaming scenarios.

Some Features:

  • Fully encrypted C2 server
  • Client/Server Modal
  • Open source socks proxy
  • Notifications
  • User management
  • Configurable payloads

For Advanced Features: https://attack.mitre.org/software/S0378/ , https://github.com/nettitude/PoshC2 , https://labs.nettitude.com/blog/poshc2-new-features/ , https://poshc2.readthedocs.io/en/latest/

4) Armitage

I was called Metasploit GUI for this app. You can use this for scanning, enumeration, exploitation, post exploitation, pivoting, etc like cobalt strike but this version of that is free and have less capabilities.

Some Features:

  • Graphical Usage
  • Looting (credentials, hashes, etc.)
  • Enumeration with Nmap
  • Logging
  • Uses Metasploit Background
  • Client-side attacks

For extra features: http://www.fastandeasyhacking.com

5) Empire Web

This framework uses for Powershell Empire, you can use the Empire tool graphically with this. You can create listeners, payloads, etc. You can write your own modules, create reports, and more than more.

Some Features:

  • API Support
  • Fully Empire Integration and Easy to use Empire C2

Powershell Empire: https://attack.mitre.org/software/S0363/ , https://www.powershellempire.com/

Empire Web: https://github.com/interference-security/empire-web

Example APT Groups: FIN10, APT33, APT19, WIRTE, etc.

6) Starkiller

Starkiller similar to Empire Web, you can use PS Empire with this tool easily.

For more information about Starkiller: https://github.com/BC-SECURITY/Starkiller , https://www.bc-security.org/post/an-introduction-to-starkiller/

Another C2 Alternative List

  • Slackor
  • SQLC2
  • TrevorC2
  • Prismatica, etc.

Tor Usage For C2 Servers

Firstly we should change the torrc configuration file.

In this configuration our ssh will use port 1222, C2 Listener port 9090, we will use port 443 on the internet but our local machine will use port 4443 for connections.

Created service dictionary:

Later that configs and creation of dictionary, use:

/etc/init.d/tor restart

Then, tor will create a hostname file and private_key file. You can use your hostname with onion router.

For usage: You can use SOCKS Proxy on 9050 (you can change -> torsocks.conf file) port or easiest way to do this simple tor executable 🙂

And now, you can use your c2 server with the onion router, congrats 🙂 Extra İnfo: https://wiki.archlinux.org/index.php/tor , https://www.torproject.org/docs/tor-manual.html.en

Thanks for your time and your interest.

Berk KIRAS – Cyber Security Consultant

4 thoughts on “C2 Framework Alternatives for Red Teamers/Pentesters

  1. off white shoes says:

    I wanted to write a simple comment to appreciate you for all the marvelous tips and tricks you are sharing here. My time consuming internet look up has finally been recognized with awesome know-how to write about with my friends and classmates. I ‘d declare that most of us site visitors are extremely lucky to exist in a fantastic website with many lovely people with very helpful points. I feel truly happy to have used the web page and look forward to so many more enjoyable minutes reading here. Thanks once more for everything.

  2. goyard bag says:

    I just wanted to develop a word in order to say thanks to you for some of the wonderful recommendations you are posting on this website. My extensive internet search has at the end of the day been recognized with useful knowledge to write about with my classmates and friends. I ‘d state that that many of us website visitors are quite lucky to be in a useful network with very many wonderful people with great suggestions. I feel extremely blessed to have encountered your entire weblog and look forward to so many more amazing times reading here. Thank you again for everything.

Comments are closed.