The cyber-pirate's guide to C2 development - Gerhard Botha | BSides Cape Town 2023

BSides Cape Town, 49:45, 892 views, published 2023-12, on YouTube
About this talk
A beginner-friendly and somewhat technical talk about C2 development. It will go over the basics of what a C2 is, why, and where you might want to use it. Then we'll dive into the madness behind developing one! The breakdown of the talk:

Overview of a C2. This section will cover the fundamentals of what a C2 is and why/where it's used.
Difference between a server and a framework. Dissecting the difference between a server and a framework, then the usages, pros, and cons of each will be discussed.
Framework architecture overview – client, server, beacon. The different pieces that need to fit together to make up a framework, along with the considerations one needs to make before getting started: usability vs performance, GUI vs CLI, purple teaming vs stealth ops, languages to use, etc.
Designing your framework – how I designed mine. This will cover some practical examples and design choices that went into mine, the project layout, and how I designed my beacon.
Dev to beyond and considerations. What you will need to keep in mind before releasing your project, and some opsec tips so you don't burn your malware before you get to use it in live environments.
Lessons learned and experienced. Some lessons and advice that will hopefully carry you through this project.
Project examples to check out. Projects I use as "motivation" when designing and coding my project. And hopefully you can use them too!
Cool courses to get you started. More information for when you want to get started but want a guiding hand to help you out with the concepts and get you familiar with a programming language.

Filmed at BSides Cape Town 2023. AV sponsored by BITM Cyber Security.
Transcript [en]

Thanks to everybody for joining. This is about the expected ratio of people who are in infosec versus people who are in infosec and actually like C2 dev, so thank you so much for taking the time to come and join. I see Chris is also here, it's probably just because he's a volunteer. Okay, so, me. Wait for you? Okay, I'm just going to go. So my name is Gerhard, also known as Kabot by absolutely nobody. I am a security engineer at BITM. I do pen testing during the day, or I try to, and then after hours I do mainly offensive security research and tooling, and then also f around with some automation. What that basically just tells you is that I start a new project on Friday afternoon and then on Sunday night I get so pissed off that I just leave it and never touch it again. So you don't have to take photos of the QR code, cuz I think it is done. I didn't know I was speaking last, so yeah.

Okay, so the agenda is we're just going to cover what a C2 is, the difference between a server and a framework, the architecture, how to design your own if you're interested, some considerations, lessons learned, which is basically just me being stupid, and then some examples and cool courses.

The C2 overview. So before we start with what a C2 is, or how to make one, we kind of need to know what it is, right? So a C2 is basically just an attacker-controlled computer that has access to a bunch of other victim computers and can remotely execute stuff. It does make the post-exploitation life a lot easier if you are ever doing an Active Directory pen test or a red team or something: having tools available and ready to use makes your life a lot easier than going back to all your GitHub bookmarks and downloading the tools and so on. Various capabilities depending on the goal, so some C2s exist merely for exfiltrating data, whereas others are for lateral movement, whereas others are for initial access, and they come in a host of different shapes and sizes, paid, open source. Back when we were at 0xCON earlier in the year, Leon made a joke and said we don't need more C2s, we don't need more paid C2s, but we can always use more open source C2s. And then it is the threat actors' most beloved tool, so almost all of the modern day attacks have a C2 in some shape, way or form. If you look at all the breaches and you read how many times Cobalt Strike was deployed in an operation that breached the company and then ended up in ransomware or data exfiltration.

So why make your own? First of all, minimal IOCs, IOC standing for indicator of compromise. If you create something custom, or if you create something that hasn't been seen yet or isn't well known, you tend to fly under the radar a little bit easier. Custom solution, so for my one we needed something to actually automate some commands for a purple team assessment, and Caldera is good, but we also just needed something that fits our solution. It helps you understand attacks a lot better. I'm one of the people that if I create something I know how it works, and a lot of the people, especially in this community, it's let me make it, or let me break it, then let me make it, then I know how it works. So that's kind of like another reason why you want to make your own. Field contribution, there is the C2 Matrix, I don't have the link on me, but there's something like 150 if not more, ranging between open source and paid, but most of them are open source. So if you create something, or if you help somebody with a popular open source C2, you put yourself and your name on it, it just helps improve the field overall, cuz better attacker tools eventually lead to better defensive tools. Improving your skills, I think that's a very obvious one, cuz you'll probably start not knowing anything unless you're a genius, otherwise you'll start like me not knowing A to Z on the keyboard and then actually having something that's pretty decent. And then finally career development. A lot of people, especially in interviews, if you can create something and you can talk about it and you can show why it's important, or you can show how much you learned through the whole process, it's a lot better than explaining what a SQL injection is or something like that. It just shows your expertise within a certain field, and also you learn a lot: you learn how to set up a web server, how to create your own web server, cuz a C2 server is kind of like a web server that you can communicate through. So if you have that firsthand practical knowledge. Practical knowledge is the best knowledge.

So we'll go into a server versus a framework. It kind of is the same, like same same but not same. So a server, from what is mostly known, is more designed for specific techniques, it's smaller, normally single-operator focused, shorter term usage, and low IOCs, depending on the operation. What I mean by specific techniques is, if you look at some of these servers here, one is literally just made to communicate over DNS, the other one is a C2 over Google Calendar, the one is a C2 over Discord. It's all very specific, made for blending-in type of operations. Then you have your framework. Your framework is the more batteries-included type of application. Think of Cobalt Strike, think of Havoc, PowerShell Empire, which I'm pretty sure a lot of you have used, and, okay, well, I didn't put it in here, but Meterpreter as well, or Metasploit as well. It has a lot of functionality that's built in that you can use and that you can play around with whenever you gain that initial shell: you can load extra modules, you can do extra exploits, it has all that, whereas a basic server does not have that. And then the rest of the points, multiple protocols and longer term operations, and stability, that's an important one. So with your, like, I'm going to use a goo, which one of the guys from SensePost made, and that is literally designed to communicate only over DNS, mainly for exfiltration purposes.

So this is the basic architecture. You have your little hacker guys on the, it's too late in the day to say if it's your right or my right, but it's my left, so yeah, you guys can work that out. You have your gentleman sitting there and they communicate with the server in the middle. The server does some kind of read/write operation to a persistent method like a database. It can be a database, it doesn't have to be a database, I'll show you how I did mine. And then you can communicate with multiple infected computers. The communication process is basically: you just log into your console, log into the server, you send instructions to the server, the server holds on to it, the beacon or the implant calls back to the server and says do you have anything for me, the server gives it an instruction, it executes the instruction and sends the results back to the server, and the server then sends the results back to the operator. That in a nutshell is C2 communication.

So I'll go over the important design factors that you need to keep in mind when making it. The first one, which I also didn't list here mainly because I was lazy, is you need to get a cool name and a cool logo for it, that is, yeah. So when you look at a project chart, the first 90% of the project is coming up with the naming of everything. And then you kind of need to decide if you're going to make it a command line, a GUI, or a web app. Obviously there's a bunch of different pros and cons of both. CLI: is it going to work in the Windows terminal, is it going to work in the Linux terminal, is it going to work in both? GUI: you need to think what kind of framework am I going to use, is it going to be Qt, is it going to be Electron, for whatever reason you want to do that. Or do you want to make it in the web? What kind of technologies are you going to use? You kind of need to run it on the Chromium browser, not the Chrome browser, or any browser that doesn't do any safety checks, because you are going to upload and download malware, and the last thing you want to do is run it in Chrome and you go and download the results and it's like a dump file or whatever and Google Chrome just stops you. So, Chromium. And then the frontend framework for it, is it going to be React, is it going to be, you get the gist of it. UX/UI, just as important as the malware techniques. So obviously you don't want to click 10,000 times just to create an implant. You kind of need to think how you're going to do it, what is the best way to do it, what is the fastest way to do it. Obviously the actions that are most important you put top on your list, and then you need to create it in a way that, if you need to do reporting or whatever, stuff it in there somewhere, but don't let it distract the operator from the goal. I like to store, this isn't always, but I like to store the payload and the modules on the operator side of it. It's my machine, let me keep my stuff. If you send it to the server, or if you store all your payloads and your modules on the server, the more you use it over time, the more disk space it uses, and if you're running it on a small device, or you're running it on something that needs to be shut down quickly or opened, or decommissioned or commissioned quickly because your operation got burned or whatever, if you store it there then all your payloads and your modules get burned, or go along with it. So you use this to interact with the beacons through the server. So little hacker man over there, he is logging into his console, communicating with the server, and then you can also use it to manage multiple servers. So through just authentication you can log out, you can use your console, you can log out and just log back into another server with a different IP address and different credentials.

Here is the server. So it needs to have multiplayer mode. Multiplayer mode basically just means multiple operators can log into it at the same time, so not like free Metasploit but more like a Cobalt Strike or Havoc or something like that. Then, support multiple protocols. So you have your beaconing protocols, which are normally HTTP, HTTPS and DNS, and then you have your peer-to-peer, which you use internally, like if you need to pivot from one machine to another machine, which is normally SMB, or it could also be TCP or UDP or anything, as long as it works. Normally it can support multiple protocols, not always, depending on what your goals and objectives are. Authenticated communication, this is super important. You don't want a blue teamer to hack you back, that's going to be very bad for the operation. I think their CISO will be impressed, but yours not as much. So, needs to be stable, error handling. You don't want one simple error crashing your whole server, so you need to put the exceptions in, you need to think about the edge cases: how am I going to do this, what can go wrong, and then what can go wrong that I haven't thought about but I still need to handle. I designed mine in an API form. There's been a lot of, I don't know who's been in the API classes and that, with the whole API design of everything, but because it's in the API, your server can be coded in whatever language, your operator console can be coded in whatever language, and your implant can be coded in whatever language, as long as it communicates through the API endpoints you are good to go. So that makes it awesome. If I write something in Golang, which I do, because I love Golang, but somebody else writes something in Rust or C or C# or whatever, you can write it in whatever as long as it hits the endpoints. Then, scriptable. So depending on, again, your design, with mine I have a JSON file, it writes everything to a JSON file because I don't like SQL, and you can basically just drop that JSON file in, or you can script it so that when the server starts up it fetches that JSON file and it already sets up your listeners and your implants and all that.

And then the actual fun part, the making of the malware, which I think some might find fun, others might find a bit daunting. This needs to be kind of a modular design. So how I designed mine was basically you can take and remove different parts of the program, and as long as the base is there it will work. So modular design: you can move it around, you can load extra modules onto it, you can do whatever you need, it's just flexible. Specific stages. So stage zero, is it more of a loader, does it do host checks before calling on, like, a more, is it a light piece of malware that just does a bunch of light checks: is it running in a VM, is the hostname correct, is the domain name correct, am I targeting the right company, the right guy, did he download it on his own computer or did he download it on a company computer? You need to do these kind of things to be responsible, so that you don't run your malware on the wrong device. So that's more of a stage zero, and if all those checks pass then you go and fetch your actual malware. Format as executable output, so you kind of need to make it as a compiled binary. If you do something like just a .py file or a .js file or whatever, you don't know what version of Python the client is running, or if they're running Python at all, so you can't just run a .py file and expect it to always work. I scratched this out because, at 0xCON, I said if all the Python lovers don't like it, meet me outside. One of them did meet me outside, to my surprise, and they just said oh, you can use this and this and this to compile it, so to satisfy them, they're not even here, but to satisfy them I did a strikethrough. Yeah, petty, I know. The size of the beacon, so do you want it to be small, running in a certain type of environment, or, cuz sometimes you kind of want to make your malware basically expand. Some antiviruses, I don't know if they still do it, but they would only read the first 25 megabits, or 25 megabytes, of a file and then after that they would just say okay, the file's too big, go through. So yeah, you get what you pay for, I guess. And then you kind of need to take that into consideration, also the language that you code it in: something that's made in Golang isn't going to be very small, something that's made in C or C++ is going to be a bit smaller. And then multiplatform. So this is another choice that you need to make: are you targeting Windows specifically, are you targeting Macs, are you targeting Linux, are you targeting everything, how are you going to do it, are you going to make three different implants in three different languages, are you going to use something like Rust or Go that you can just cross compile and go mad? That's another design decision that you need to make. And then the built-in sleep function. So would you have like a semi-cheap loader inside of your beacon, and how's it going to handle the sleep? So are you going to encrypt all your bad bits up until the loader or the beacon wakes up, calls back to the server, unencrypts those bits in memory, runs the bad stuff, after that sends the result back, encrypts it again and goes back to sleep? So that is, yeah. So just here you can see, with the whole sleep function, it sleeps, it goes and fetches the instruction from the server, it unloads and unencrypts it, processes the bad stuff, it sends the results and it goes back to sleep again, and that's the whole beaconing overview.

Okay, then, if you don't want to do all that and you just want to make the cool stuff, like the malware, you can use and misuse existing frameworks to actually just make your malware. You don't have to create a whole custom C2 server, there are a lot of current C2 frameworks out there that allow you to expand and basically piggyback off of their hard work, and you only get to focus on the fun part. Stuff like execute-assembly, which is basically just running .NET code in memory, which is pretty cool because you can literally just pass any C# file through and it will run it in memory. You don't have to create your own beacon for that, you can just create a little module that does that. And then the same with the COFF loaders, where instead of it being .NET it's more of just an object file that gets run in memory, which is probably the best way of doing things right now. And then obviously you want to test everything for stability, you want to test it for IOCs, and then you want to test it for functionality and that, and make sure that all your edge cases are handled.

So here are three good projects. The one, Mythic, actually just got a recent release. The design of that thing is out of this world. HardHat is kind of like the new kid on the block that has a whole blog post about how you can make your own implant, or how you can extend it if you want to, so you don't have to focus on coding the server and the client and all that. And then one of the people I'm in a group with made Revenant, which is that demon skull type of thing, the other demon skull type of thing, on the thing, and it's written in like an old type of C, which, all C is old type, but yeah, it can run on anything.

Okay, so this is how I designed mine. You have the operator and the server. Your operator has all the meat to it: your modules, your evasions, beacon, all your configs and your console and stuff like that, and your server is literally just there to handle the listener and handle the communication, that's it. And this is basically what it looks like. I have the CLI sort of ready, which I'll show you some screenshots of, and then the beacon is in Go. I've played around with Rust to have it working to some extent, and C# I haven't touched, but yeah, the slide just looked empty so I threw it in there. And then also with the GUI, I also haven't touched that, cuz I decided to just make it in CLI, because CLI can also look pretty, but I'll show you now. And this is the beacon building process. So you have your modules, the operator then chooses which modules he wants to put into his implant, and then also what the listener info is. It gets sent to two different JSON files, and then it gets run. The source builder project then basically goes and fetches those files, builds it out as a piece of source code, and then it compiles it into, you'll see the demo.*, that is the actual source code, and then the last one is the compilation of it. So is it over complicated? Maybe. Do I care? No. So this is just basically the module selection where you can choose it. I shamelessly ripped the examples out of Bubble Tea's GitHub repository, which is an awesome framework for making a terminal user interface. I didn't want it to just look basic, because just because we hack stuff and attack stuff doesn't mean we're animals, we also deserve pretty things. So yeah, and this also kind of eliminates human error. I mean there's no way for you to type something in here, well, I say that now, but I haven't really tried it, but yeah, there's no way for you to type something in, so you can't type in the wrong module name or anything like that. You just press up and down and you press the space button and you select what you want. This is basically the module example. So every module gets its own file and it's stored in the modules folder. This is a super basic example, so what it will do is it will read the MITRE TTP, it will read the description, and then it has the public function which it will then pull into the final source code. This is the module config folder. So when you load the server up and when you load your operator console up, what it will do is there's a script that runs that goes and fetches all of the modules and it displays it like this. I will show you now why. So when you choose the help, this is where it goes in, and you can basically, again, Bubble Tea's table, which you can search from. They're in the lower, my right, corner, and you can just vi-style slash, go and search for what modules you want instead of scrolling through a list. So I made it this way just in case there are like 100 modules and you don't always know what you want, but if you know you want scan then you can search for scan. This is the listener config. Yeah, there's not much to it, it's basically just the same as with the other things. You can fill this in pre starting up your server, and then when you load it in you can just drop that into your configuration file and just click run listeners and then it will start everything up for you. The profile at the bottom is just to make it more malleable, so if you need to emulate a specific adversary or something like that you can just fill it in there without it being too much of a pain. Again, this is the listener creation. So again, ripped out of Bubble Tea's GitHub repo, probably saved me like years because I have no idea how to start this. So instead of having a label, it basically just has dark text, and then as soon as you hover over it or you start typing then it will start filling in, and then after that you click submit and then this will be filled in. And this is the implant config. So again, it's going to be something similar to this and then just mixed up with the checkboxes, and I'm going to show you how I did mine, but yeah, this is a warning: it is honest work, but it ain't much.

So this is the, oops, go back, okay, so this is the final demo.* block, which is basically the source code. And I made it, it's not a bug, it's a feature, right guys? So I made it so that you can surgically modify everything before compiling, because the compiler will go and fetch it from a predetermined file location. And basically the builder function on my right is just a simplified version of what it does. Basically when you run it, it goes and fetches all the imports, which in Golang it's just fmt.Print, and then it's like a thousand lines of strings of a thousand imports, and when you compile it, it will only take the imports it needs. Again, fun. And then with the hostname it will go and fetch it from the implant config file and place it in here. Well, it will read from the implant config file, then it will go and fetch that specific section in the modules folder and throw it in here. The server, from the listener config file. The requests, this is if it's HTTP, HTTPS, SMB, DNS, oh, not SMB, DNS, HTTP, HTTPS, it will go and, like I said, if it's HTTP put this in, if it's HTTPS put that in. And then the modules, which will basically just go and fetch it from the top there and throw it in here. Why I didn't make the handle function and the handle modules function one function, I can't tell you, not because I don't want to tell you, just because I thought of this design and I was probably like three beers deep and I was just like, yeah, this works, I'm going to do it this way. One cool thing about it is you can actually just go in and change the case. So if there is any alerting or if there is any monitoring on certain endpoints, like get hostname or kill or reg persist, you can change that into whatever you want. So if there are any detections on specific endpoints or specific functions being called, then that will help you with evading the detection, cuz we do all know how brittle antiviruses are.

Okay, OPSEC basics, which is basically me being stupid. So, turn off sample submission. When you make something and you test it, especially on Windows, Windows Defender will always go and grab that sample, submit it to the cloud, and then come back and say if it's malicious or if it's not, and if it's not malicious, or it's suspicious or whatever, it will go and fetch it and store it in the cloud and go and analyze it further. That leads into keeping it offline. So if you can make your own local area network that doesn't reach out to the internet, that way Defender can't get it out but you can still test for antivirus detection or evasion, that would be great. So one thing I do is I have a local GitLab server at home which I run all the CI/CD stuff on, on the local server, without reaching out to the cloud, and I'd like to think that it helps with detection, or at least evading detection or leaking of samples. So far it's worked, but yeah, I think it works because I like to think it works. And then know your enemy. So if you're going to be testing against antivirus or defenses, like, defenses are your enemy, you're going to want to evade. What's the point of making malware if it gets detected by everything and anything under the sun? Beware the share. So if you share your malware with your friends or your colleagues over Teams, over Google or whatever, and you're like hey, check this, I made this, look how good I am, it's going to get burnt, because they're going to run it, they're not going to take all these steps and considerations that you did. So yeah. At the previous company we had a malware group and I had this ransomware that was made in there and it was beautiful and it worked and Defender didn't pick up anything, all the files were encrypted and Defender just said your device is safe. I shared it on the group and yeah, true as Bob, the next day, a whole weekend gone. Stay away from your host, so this is kind of obvious. Again, with that malware, I made it in a VM, and I'm glad I did, because I tested it out and I got lazy with the file path, and instead of saying C:\ this, this, this, to the specific folder that I wanted to test, I just said C:\ and it locked up my entire VM, and I am happy that I made it in a VM. Like I said, these OPSEC basics are basically like don't be a dumbass. And then be a little paranoid when shooting, oh, troubleshooting, not shooting. So if you make something, or you're going to hit a roadblock eventually, don't throw it in OpenAI. Like, why would you do that? Don't just say hey, listen, why is my ransomware not working, or what's wrong with this code or whatever. This is for the new kids. For the older lot, I'm very thankful that there are not a lot of you in this room because we will outnumber you, it's don't throw it into Stack Overflow and say hey, why is this not working, cuz you're basically burning your malware if you just throw it into a public forum or you submit it to any online thing or whatever. You don't know what data they collect, you don't know what they're taking away from your... And then also, I think this goes without saying, don't publish it on GitHub unless you're ready for it to be burned, even when it's private. I don't trust Microsoft enough to not burn my stuff, to feed that monster that they call ChatGPT. Okay, and yeah, this is basically just visualized keep it offline, cuz this is what happened to me: my malware got burned because I sent it to the cloud. A visual representation of me.

And then these are more for testing. Like, you need to think, if you're going to use this in the field, do you want to use it as a pentest, as a red team, as a purple team? But then you also need to test on the different domain controllers, the clients: can it work on Windows 2008, can it work on 2003, 2012, 2016, how does it work, how does it function? Same with the endpoints: Windows 10, Windows 11, Windows 7, Windows 8, is it 32-bit, is it 64-bit? These are all the kind of things you need to think of when you make something like this. So with Golang, I think Golang before 1.12 could still work on Windows 2003, after that they just stopped official support, but yeah, so if anything breaks then yeah. And then it also goes for stability. You need to, again, think of the edge cases and that: what happens if the internet cuts out, or if you're busy downloading a file, you're busy exfiltrating data and the internet cuts out, do you have a function that actually saves it as a temp file and then reads it, and then when the internet cuts out the thing pauses, and then when it comes back on it continues downloading, or does it just fail, and when you eventually get a callback again, can you restart the download? That's also with the different scenarios and that. And then different capabilities. Like, don't, well, you can if you want, I'm not going to stop you, but don't try and just make this super advanced thing from the start. Kind of think like, okay, let's just get a basic shell. Now you kind of need to think what happens, can I upload and download stuff, that's the next step. The next step is doing checks like, you know, is it a VM, if it's a VM can I handle this? So you kind of take that gradually: as you increase with your skills and confidence, so does your malware, and so does the functionality and the capabilities. Final hurdles, the things that absolutely nobody wants to talk about, and that is fine, I don't want to talk about it either, but I have a set time so I need to fill that time. So, documentation. It's easier to just start writing it when you get started, like your ideas in it, and then later, as soon

as you complete something or something works write how it works why it works and that and then when you actually do book out like a documentation day AKA for me it's like a Saturday night um then you know you read through all these not and you're like oh okay I see um I just want to stress that I by no means a developer so I don't know what you guys go through um yeah this is just my this is just my weekend project or um when I'm done with work my boss is sitting here so I can't say that I'm doing it during the day um but uh yeah wink wink uh installation so are you going to

distribute it like you want people to use it when you actually do get ready to uh submit it and um or like get people to share it are you going to send it as like a binary are you going to send it as like a Docker file uh because we all love Docker um are you going to have like the full setup steps the full support what happens if this goes wrong did you try and install it on different devices how how well does it work on auntu versus Cali because there is a difference uh does it work on Windows you know like does it work on Mac like all these type of things and then uh

with tests so I'm not going to get too in too much of it because I can talk your ear off about tests but uh yeah you kind of like need to have those like automated checks in place to make sure that everything runs as needed um just the lessons before we finish up uh start small B big comes back to what I was saying like start with something that's just basically a reverse shell and you log into like the server it's not even like a console or anything you basically just log into the server and you can communicate with a beacon on another computer like just start there don't try and think like we're going to like do this now or at

least that's a I started I know like developers that can probably do this in like a like a Friday night but for me it took like 6 months um you know back up your work so you know with the gitlab um don't use to GitHub um you know don't be afraid to start over so the current one that I made with all like the design sign considerations and that was probably my like my 10th like uh like my 10th iteration of it uh each time I would make it I'd get frustrated I'd just say you know rm- R and just rip that uh directory out of my computer like it's yeah um get it working so

that's probably the most um that's probably the most important thing is like get it working first before trying to optimize it if you're going to sit and you're going to like what is the best way to do this what is the best way to do this what is the best way to do this and you kind of like start overthinking and you kind of like start you get panicked because now it's this like whole complicated thing and you started with the simple idea and it's now like built into this like thought monster um and now you're just like okay now I'm going to get discouraged and I'm going to get back to that like when I

can um choose the language that you're comfortable in you can make it in literally anything there's like stuff written in I know people joke about PHP but there's stuff written in PHP there stuff written in only in JavaScript and node a lot of stuff written in goang uh python um there's even one guy that was brave enough to like write it in like pure C like client server implant like everything just see like a like a madman but it was pretty impressive uh take breaks um and then uh GitHub is full of references so I know I said like sharing on GitHub isad bad but if you read on GitHub maybe it's not that bad um or at

least while you're developing something like you know then you don't want to get it like prematurely like burned but GitHub is full of references if you're comfortable with a language um GitHub becomes like the world's biggest library you can read code left right and center you can understand it and it's just like yeah um these are some cool projects that I uh borrowed code from um AKA just like thanks I'll take that you know uh but to be fair they also took it from somebody else so you know is it stealing if you're like stealing from somebody who stole is that moral dilemma it's just code so yeah it's probably not that bad so a lot of them you'll see um

so npl and Empire are the only two that is not written in go um that probably gives you idea that I love go um so yeah these are some pretty cool ones I will be sharing it on the uh hack South group uh the slides and everything so if you guys want to like click links or whatever I promise it's I'm not going to Rick Roll you I didn't have time to do it um but yeah like if you guys do want to like click links or whatever we will be sharing this on the uh Discord group uh here's some cool courses to get you started uh it's probably important to that I say it that one course isn't

going to make you like bul the C2 of your dreams um but this these are some pretty good like um some pretty good like examples on how to get your feet where two of them are in um kind of like cop in Python I don't know why I put it on yet these are the only that I could find on the market but I don't do it in but in any of them um but yeah so but the techniques that they teach you especially the one from razom m is pretty good um and then the uh middle one uh Joe hell it is I think it's like $10 or $5 and it's made entirely of

python so if you want to like make something like that that's yeah these are some cool YouTube videos again I'll share it and then the malwe Mal Academy which I get my inspiration from like I see what they make I see the C source code and and then I just rewrite it and go because uh yeah I'm cool like that and yeah thank you for your

time I know it's been a long day and I hope none of you have questions but if you do I'd be uh happy to happy to answer Yeah question how would you manage mention the first couple of slides contribution then also say so there's a lot of C2 projects out there that you can contribute to um so Havoc is a great example um that guy when he wrote it he was probably like 17 18 years old which it's incredible if you look at like the quality and like the craftsmanship craftsmanship of the software um he regularly releases like bug fixes in that um and that is just from people people complaining that there is a bug

and then somebody just picking it up um or Bing something for it so with Havoc you can also um let me just um so with Revenant the the demon thing they in the light that is literally just a extension that was built only for the Havoc framework so if you wanted to like only make like an implant or if you use this every day even with like Metasploit if you use this every day and there's a new exploit out there and you know how to write like a exploit module for that code uh or for that specific thing and it can also integrate into Metasploit I mean yeah that's that's gold like in terms of like

field contribution cuz they will just say look at this guy he's awesome he wrote a he wrote a exploit that now fits into met exploit okay uh if that's yeah um thanks for the for the talk um I was just curious there's there's a part where it seems like the the person the operator is doing quite a lot of manual work to it like constructions and stuff yeah uh if you thought about something around generating for example where you can get some input from some Vons or otherwise you know you at least know the land a it and you get some AI to do some kind of fin interesting things that that are Guided by what you want to do um let me

see a uh good Rob there at the back is uh pushing me on so uh let me talk with you while we while we go out there yeah um there is actually a super cool project that's uh that's with that yeah 6:00 we to W upor yeah it's good so many good questions thanks Rob i' like you I like you be