A Hillbilly's First C2

all right welcome everybody out thank you for stopping by after lunch like this I know it's hard for some people to stick around I appreciate it though very much thank you and if you've seen me before thank you for coming back uh thinking I'm decent enough to hear second time around but uh for this is going to be a new presentation for me uh you're the guinea pigs uh first people get to see it so please be bear with me it hopefully it all goes well we'll find out as we're going along um I'm calling this uh I submitted the title of a Hillbilly's first C2 but internally in my head I always called it baby's first C2 so I

put both of them on the slide and in the code I actually refer to it as baby C2 so deal with it sorry about that uh so okay first of all let me just introduce myself who am I those of you who' met me before you already know all this but my name is Adam Compton I currently work for trusted SEC uh up out of Cleveland up there wonderful team uh but outside of that I've been in infos SEC one form or another for 25 26ish years somewhere in there now worked for Private Industry federal government I've done presentations across the world all that kind of fun stuff I've done programming I've done research development

um yeah I've touched pretty much every aspect of infos SEC at this point one way or another much of it I am I'm not it's not my forte so I keep coming back to pentesting but no worries about that uh I say hillbilly born in Eastern Kentucky back in Pike County Kentucky so I qualify I'm promise I actually have Hatfield and McCoy both on my family tree so don't worry about that uh I am an old school Unix Linux user from actually that was my first OS once I got out of Windows 311 jumped over to a Unix OS have no idea what uh Unix OS it was at this time I first one I remember was

Square Linux that I actually remember a name for I think there was like an AT&T Linux or Unix in there somewhere I don't remember but still been doing this for a long time and with all of this new technologies come around new things show up and I find interest in it I tend to be a little late to the game sometimes because I get stuck in my ways working just pin testing doing all that and I end up using tools without understanding the full understanding the full comprehension of them and that's where the talk sort of came about which brings us to why this talk c2s if you're doing pin testing red teaming infos General you may have come across c2s

most likely you have uh there's lots of them out there it can be as simple as just you can script something up easily enough in uh python or in bash or not neing bash but like with netcat stuff like that there's different ways you can do it you can almost set one up with just SSA AG very rudimentary but you've used them in one way or another fundamentally they're just like client server applications at the very abstract base level but they can be fun they can give you lots of functionality and all that I wanted a new project I like programming I'm I am a pentester but all my degrees are in programming so I like

going back doing some coding every once in a while the fact that I use c2s without understanding the fundamentals of them so sometimes was bothering me so I'm like hey I want to learn about them I want to build one up from the ground up or at least build up the comprehension and the steps and the understanding of them so that goes into I wanted to understand the aspects of it and as working on it I'm like H this sounds like this might actually work out as a presentation topic we'll find out we'll hope see how well it turns out here this evening so first and foremost let's get out of the way some of the basics of

what is a C2 as I said before it is really just a client server application that allows you to interface between a server and one or more remote systems in the case of pentesting red teaming all that usually a compromis system that allows you to have remote control or remote access to that box to perform commands and issue other com uh servic requests via it oh excuse me what is the purpose of a C2 um primarily so you have the ability to manage one or more other systems out there without having to jump onto them every single time maintain it helps maintain the connectivity provides the functionality and if you want to boil down what is a C2 to its bare components

as I said before you have a client in a server or in this case a client in an agent client in an implant a agent implant um client all use interchangeably by a lot of different people depending on who your qu C2 you're talking about in this talk I'm going to just be using agent fundamentally for the part that runs on the compromise system or the client system and finally there's usually a front end some way in there that front end might be a gooey application that allows you to uh visualize the connections uh think like um Cobalt strike there nice visual interface you can see the connections uh you can issue commands drop down menus all that fun

stuff it's very gooey based um application you might also have uh TCH based a lot of the smaller developed ones whether it's I think Metasploit Metasploit can very much metlo is a C2 it very much is Tech spaced unless you pay for their paid version and then you can get a gooey version for that but fundamentally it is a text based one so you can interface that way I've seen some that interface with a phone so you might have a phone app that allows you to interface a little bit there's all kind of different things a web app maybe but all of them all these user interfaces all they are really doing is providing you

the user ability to connect with the server and then use its functionality on or against the various agents that are out there it's just that interface for the human many times you will find that the user interface and the server are not separable but they are logically separate but they're sometimes packaged together sometimes it's going to be a separate application that's fine you might have the server running then you have the guy application that connects to it but either way you do have those three primary components some form of agent a server and then some form of a user interface I've mentioned a few already but what are some of the more popular c2s that I've encountered uh this is a

little bit bias list it's the list that I personally have used one or all of these of and there's lots of them out there you have your main ones up there like metas sprit that most of us are probably more familiar with Cobalt strike and then beyond that you have the smaller or more Boutique versions I guess out there if you want to call it that sliver Merlin I don't think Russell was in the audience today but shout out to him um Mythic and then U shout out to one of my co-workers for Bad Rats out there all of these are functional they're have their own bells and whistles their own take on how to

implement a C2 there's a website out there on how to the uh the C2 matrix.com it's relatively up toate there's other websites out there that can give you a more complete list or an alternate list of various C twos but I just wanted to throw this up there for people to take a look at as we're going through this I've already talked about this a little bit but let's uh cover the terms one last time to make sure we're all on the same page the server is just a central controller it sits there it fires up most times what referred to as a listener a listener is just a typically referred to more precisely as a protocol

listener you might have a listener for straight socket communication or you might have a protocol listener for like HTTP traffic depending on what the protocol is that you're wanting to communicate over you have to have a listener that's listening for those internal incoming connections and then providing you the ability to set up a session and communicate out over that the server is the part that facilitates all that you have agents agents can be as simple or complex as you want but they are the part that run on that remote system on that compromised system system they might be just as trivial as a simple socket client that just allows you to have like a neet cat almost to

have a shell on that box it might be very complex where it's a several megabyte in size uh binary that has run over there that gives all kinds of bells and whistles throws the kitchen sink in there it varies in size but it is still that part that runs on the A on the remote system and of course the front end as we've discussed already is just part that allows you to interface with the server and through it to the

agent most of what I'm going over right here is just so that we cover the basics so we're all on the same be ground I'll be getting through this relatively soon here oh excuse me I ate too much for lunch and I got a little drowsy I guess but yeah so what kind of agents are there not only is there small agents large agents agents written in C written in Python written in C what have you but the way that they want to connect back uh the scenarios that you generally encounter are where you have one compromised system and the server it's just one to one ratio it's as simple as think SSH you have you're connecting in

done or you might have multiple agents connecting back in this is typical with like a think a web server lots of clients connecting into the web server to either do a push or a post or a gift get to the web server that's a Min to one relationship uh that's another scenario probably the most common one then finally honestly I had to just pull this one out of the thin air just calling them chain agents I don't know a proper term for it if somebody does please let me know it's a scenario where you're having to chain multiple agents together uh typically used in scenarios where you're doing pivoting things of that nature might have uh compromised system

in network one which has access to network to and it then connects back to agent uh you have an agent there as well and it connects back and then it connects all the way back so you're pivoting you're using sort of a jump jump box mentality so those are the kind of the scenarios these can be a oneoff they can be a mixture of these every how you want to facilitate or view it uh outside of my words just a little graphical version you're sitting out there with yourself as the attacker you the internet in front of you through some mechanism you get an implant uh agent on some remote system behind a firewall and Turnal to a company ideally

a company you have a contract to work with because otherwise uh you might be getting nasty little knocks on your door but still it gets on there it might be through social engineering it might be whatever the scenario um somehow you got an implant on there and it calls back out because it has the ability to call out calls out to to you and Via that connection you have established a bidirectional communication between you and that internal server that is a one agent uh scenario that we were talking about before from there maybe your fishing activity is if that's what you were doing established a second connection great now you have two internal multiple to one of your server

and somehow in there somebody copied over whatever let's say it was a binary they had to download and run they thought something was suspicious about it they connected it over to another internal system on another Network and it connects back whatever the scenario I'm just trying to make stuff up here at this point just to give an explanation for this but it's the different visual representations for what I was describing a little bit earlier there and this is probably the way that most people will see a C2 uh implemented or visualized but there is one last scenario here and this is the one with redirectors I'm not going to be going into too much detail in this talk

talking about redirectors but that is uh some scenario where none of the agents directly know about the server itself it knows about a redirector out there on the internet it can be done through uh Cloud Froning it could be done through any number of things where those agents will connect back to that and then that redirects our traffic back to some other system you've designated being your uh server at this point so that if something gets compromised or what have you that box goes down you can fire up another one using that same DNS name or what have you and lo and behold it's still going or you can switch something out you can have multiple redirectors so

that if the first one is compromised it will try a secondary one things of that nature it all depends on how complex you want those agents to be and that is something that needs to be incorporated both on the server and on the agent side but as I said I'm not going to be talking about that for the remainder of this talk unless somebody brings it up and I'd be happy to but it's not planned at this point

all right so what are those of you who have used c2s or implement c2s or have designed c2s what are your communication Protocols of choice uh some of the more common ones I've seen are things going over https things going over DNS not so much more but at one point in time there was a big push I saw in c2s and malware and things of that nature of trying to communicate out over DNS why DNS tends to be not blocked by any Organization for the most part it can go out how does DNS work well well DNS itself Works in its own way but as far as a communication protocol it would typically do something like it would

make a request out for a particular DNS record for a domain that you control or what have you and if that record is obviously not going to be an valid record but it's going to be a triggered to some internal event on the server meaning it needs its new uh tasking or it's giving an output or something like that if it's asking for a new um task or new action to run the response that would come back would be the command that needs to be run or something of that nature so it's really slow communication back and forth but it does work uh I've seen some written in SSH I've seen some examples that people have said

learning how to write uh C2 and SSH I don't know if anybody's actually implemented one using SSH as the protocol for communication but if they have great but I've throw it in there because I see a lot of articles about people trying SSH for it but I don't know if any of the primary ones out there actually make use of that and going back to like Metasploit and some of the older ones straight TCP sockets whether that's a reverse bind or um an encrypted reverse bind what have you it is still just doing a straight TCP socket connection and then whatever you send over that it's up to you whether or not you encrypt it or what have you then

honestly there's a been a growing number as well I've noticed of people using third party software chat programs out there whether it's Discord it's slack it's whatever as a tunnel as a communication they send commands up and they'll either have a bot sitting out there or they'll have a dedicated uh channel that they're listening for and they'll interact back and forth using that as the uh mechanism to send and receive data to their agents it's all handy it's um prevalent out there a lot of organizations already allow outbound to chat or to slack and Discord things of that nature so uh it's already going to be going through their filters as it is so good on that is

there any other out there that people have made use of themselves just curious no did you say IRC I would almost throw that one under Discord and slack but yeah I I agree with you on that one I don't know too many people offand that use IRC a lot but yeah I can say I throw like a uset and stuff like that in there as well if you want to go back a little further but yeah anything like that would be good uh but yeah there's going to be other things out there I've seen people use uh SMB shares or SMB pipes to do communication too depending on connectivity of how the Ser how separated the server and the agents are

from each other if you're internal and doing that maybe if you're out of if you're across a firewall or something like that you could still do A N A UNCC path something like that possibly for uploading and downloading it all depends on what you're going after there so if we're wanting to actually build a C2 what are some of the things that we need to really decide on before we get started uh this is going to be branching into the realm unfortunately for a lot of people of barely putting your toe into software design what goes into software engineering software design you have to think about the base of the problem get that uh written down get

that decided and then build off of that while keeping the end in mind but yeah I've seen a lot of times people like o I want this Bell I want this whistle well let's get the framework in place so we can add those bells and whistles later on first thing I would say is probably that middle one there the server language what language are you comfortable in that you want to write this server in it doesn't really matter to me it doesn't really matter to the server long as you're familiar with the language enough to write socket or web server implementation within that personally I'm going to go with python it's the one I'm most uh comfortable in

at the moment it's the one that I actually wrote what I wrote in in Python U but I've seen virgins written in Go written in PHP and Ruby and C in any number of languages ultimately it goes down to what you feel most comfortable in writing it in just because someone like me says I wrote it in Python does not mean you need to write yours in Python I'm showing an example in Python but that is just it need to decide on what kind of a well at some point you need to worry about your user interface do you want text graphical web depending on your inclination and what language you're using one is going to be easier than the

other I just went with text it's easiest for me because it's just a command line interface or it's you there's any number of python uh libraries out there that will give you menus and what have you so I went with that route uh finally what communication protocols do you want to use do you want to use SSH uh there was a couple like I said a couple uh howtos out there on doing that so I decided why not try that one HTP or htps why why not I see a lot of uh ones out there making use of that as well because SS or htps has already allowed outbound on a lot of servers or a lot of

networks not all but a lot uh and then straight TCP sockets just because well we I like to go School sometimes with like keep my memory open of uh Metasploit and whatnot and just straight reverse shells but these are the kind of things the base level that you need to try to decide on as you're going through this um to help you decide on the communication protocols a little bit there's just a few things you might want to keep in mind I do have some little sample cod in there you don't have to worry about that too much right now but uh like if you wanted to go with straight TCP sockets any programming book you find that talks about socket

community communication is going to give you sample code for a server and client using TPC TCP sockets if you're old school Unix uh with C programming the old Stevens books the network programming book has like a whole chapter just on that um you can easily find code to handle this and uh it's easy it's Direct Control but it does require opening additional ports on the server or on the client and it's probably going to raise some bells on raise some flags at some point in there easily detected htps commonly used Blends in with web traffic uh generally allowed through firewalls it can be used with web proxies because it the web proxy itself doesn't really modify the

data um there's some issues in there with like sending files and whatnot but uh it should still be able to work fine depending on how it breaks up and intercepts and inspects it if it's not a manipulation proxy it should be fine disadvantages can be noisy um might again trigger anomaly systems especially if they see a lot of traffic from multiple systems going out to a new server that the uh wasn't identified in the past just anomalous detection in there but it's likely going to be sufficient to get you through whichever scenario you're working with at the moment SSH again similar to the before it's encrypted um it's hard to intercept things of that nature but uh it too is going to trigger

a bunch of alerts potentially but and you do have to configure a SSH server somewhere depending on the way you want to implement this in order to get because from my own experience with SSH I'll talk about this again in a minute but in order to get this working you need to a straight SSH command is not going to work uh the way you expect unless the agent itself contains the SSH server that's not the path I went with I went with the uh server containing the H the SSH server then I wrote a modified SSH client for the agent that basically establishes a reverse connection so it connects and then it's just listening for reverse communication it works but a

standard SSH client is not going to SSH command is not going to work for you in this scenario the way I have it implemented and the way I've seen most people try to implement it and finally DNS as I was saying before so let's go ahead and get started on some of this coding I'll go through a few slides of some of the things I tried some of the way I have it working then I'll show you some of the code I actually have the way it works it's I'll will forewarn you it is not exciting watching the code run because it's really I start the server I run the client and it works I can show you the

code I would show you a more elaborate version of it that Ed my uh Windows Server I my windows uh VM and all that but it crashed and got corrupted this morning late last night this morning and it's not working so I'll have to ask your forgiveness on that but I will update it and put out a um modified uh recorded video of that to my website later on but as of right now let's go ahead so I was just going to start with just a straight PCP socket connection first off on um as I said this is in Python what I'm going to be looking for there is I need to set up just a standard listener or socket if

you will um it's just going to sit there and listen it's listening binding to a particular host and port in this case host I'm just doing uh 1271 or 000000 for it to listen on all um ports or all IPS Port pick something that is high level or if you're running with administrative privileges you can go on the low order ports there I tend to pick something like 8443 or something like that that is sort of common but not Al but not likely to be in use somewhere on your system at least and then you just sit there and listen that section between lines 21 and 24 is the part I would typically put out into a separate

thread so it can handle multiple Connections in this scenario I'm just doing well a scenario where it's one client to the server and that uh line 21 to 24 there is commonly where I would as I said there would be a loop around there it would constantly be listening for a new inter new connection once it received a new connection a new bind actually line 22 there it would listen for a new uh connection once it grabbed one it would accept it and it would take some identifier that and store it as an array into an array saying that this is a new a new session and then there would be a way for me to interact specify

which one I want to interact with and I would jump into that but right now I'm going straight through assuming just one client coming in and then once I if I go back there the last thing that did on line 24 is it just callused the command loop on that particular socket what the command Loop does is just Loops over saying okay uh prompt give me a command it takes in the command and it sends the sends it off to the agent agent does something with it and then it sends data back I capture the return if it actually looks like there was something there I Rec reconstruct it and print it out this is

me wanting to run a command on the remote system and just get the output back this is the dirt simplest version of a remote a remote access that you can pretty much code in here in Python you can do simpler ones in some other languages that have tailored things for this but this is the fundamental of what you would be looking for there what would work with this as an agent you could use netcat as an agent for this one because there's so little going on in there in this one you could do something like just net cat uh connect back with bin bash or CMD or uh po shell things of that nature and it would work

fine there's actually a great website if you want to go out to htps www revell.com in there that's a great we site that you can go to that would let you have um you can specify what your listener is what kind of system you're on what kind of shell you want and it will give you the command that you can actually use to establish that connection back for things such as this would be fine um let's say that we wanted instead of using netcat we wanted it to use agents um it's a little more complicated in there first thing it does there on line four five is it actually tries to connect out or creates a socket

goes to line S tries to connect to the server assuming it can then it just set goes into a loop from line 8 to 13 and all it does there is says hey is there something you want to send me yes you sent me something I'm assuming that's a command I'm going to run it take the output and send it back to you that is boiling neck boiling nck cat down to its fundamental uh Essence here for this scenario really straightforward really simple some other things you might want to look at as I said this was you could implement this with neck cat but you can also just do TCP dump and capture everything that netcat is saying too or

this agent is saying so we need to implement some kind of encryption most likely um encryption is important you makes it harder to intercept makes it harder to do whatever with it to modify it two of the most common types of encryption I see being used on c2s it looks like is a and RSA AES is typically used in my experience for all uh communication back and forth with the exception of possibly the initial handshake the initial check-in registration things of that nature which is a lot of times being done with RSA and that does it connects and tries to establish a shared key between the two a unique shared key for that individual session and then our

further communication is using that unique key for as encryption back and forth so that if one agent actually gets compromised somehow and they intercept that key or whatever that is not going to allow them to decrypt any other agent communication it separates out all of that and that's fine if I wanted to implement that in the super simple version that we wrote here I would write out two little methods here encrypt and decrypt you receive in the p in data you do something with that and you return the encrypted data or vice versa you can incorporate in there the AES encryption you can incorporate in there exor you can put in there whatever you want long as it's

abstracted this way your agent and your server don't care what it is it just cares that there are those two functions that work for my particular SC oh well I'll come to that here in a second I was going to say for my particular scenario I use basic4 encoding it it works it's not good but for demo purposes say it worked and going back how would that change your server um for the server whenever I type in a command now I just encrypt that command and I send that encrypted portion doesn't really change the code very much at all just adds one extra line in there and then when I go to receive data I receive data I assume

it's encrypted I decrypt it and then I parse the decrypted portion it really just changes two lines in that code to facilitate that same thing for the agent um just in reverse order not a big deal there and then as I said there's some simple encryption I just use Bas 64 I will come back to this assuming I have any bit of time at the end I can come back and show you the code that I'm using but as of right now I've got code I've uploaded it to GitHub I'll uh share that here in a moment or I'll send it down a tweet in a second or what have you it's called babyc 2dev out on GitHub

under my name tianis it allows for multiple connections back and forth it allows for uh multiple protocols currently it's https uh TCP encrypted straight TCP I think I have ssh in there and there might be another one on the way there and it allows you to issue commands upload download things like that for the most part not sure which version has been uploaded but I will upload the latest version here in a bit it doesn't do some of these other things which I would consider more advanced topics for a c2s because what I have talked about will give you a functional interface to remote systems at the if you boil a C2 down to the Bare

Basics that's what you would have now by no means is that going to be a C2 you'd want to use on any environment but it gives you the concepts behind that uh things I would like to see added in there as Bare Basics uh probably halfway down there evade AV evade endpoint protection that's going to be a arms race with a vendors on that one but that's going to be critical as it is it's going to be caught signature based right off the bat you wanted to evade that you want to bypass that so your agents will run um better encryption b64 is not good it's kind of garbage honestly but it does illustrate the point you'd want to

replace it with RSA to establish and then maybe an AES for communication traffic that's fine sleep Jitter and pain uh depending on the way you want to view those those are going to be more of right now communication is straight open um I send a command I get results back not a problem but if you're watching traffic that's going to be happening all the time okay let's say we want to be a little more stealthy about it I want to set up a whole list of commands that run okay I type those up send them in and it's going to run them right away well if I add in a sleep mechanism in there the agents only going to say every x

amount of minutes like every five minutes every hour every in some cases I all like days in between it says give me the next command it runs the command sends back the data what a Jitter does in there is that it randomizes that a little bit it's going to be like every hour plus or minus 20 minutes it's going to shift in there a little bit to make it not as predictable make it help evade a little bit some of the other things you want to add in there that are probably more common on some of the bigger um c2s bof and cough loading that's where I can push [Music] uh it's effectively you're pushing up

binaries to the Sur very abstractly pushing up binaries to get them to run on a remote system while injecting them in such a way that it helps evade a little bit it helps that's a horrible expl explation sorry about that strike that um bof and cough loading my brain completely fried on a better explanation for that I'll come back to it but um loading in Parell scripts from your local system to run them on the remot system that's fine um loading and compiling and executing C assemblies from your own system onto the remote system basically ways to get this extra functionality up there what we've I quickly talked about earlier was basically setting up the base framework

from there you can expand it out into all these other things that are somewhat common on a lot of the other uh c2s out there one that a lot of people I've talked to definitely say is required more or less required socks proxies it's not as common as I'd like it to see on c2s out there but it is one where if it's there it definitely gets used and it makes it very handy there's different ways you can implement the sock proxy but uh either way every house uh implemented you once it's established you can use things like proxy chains or things like that to run remotes run run commands from your system on the remote

systems as if it was being run from there so you can run like in map or you can run any number of other commands that way uh been tow it that's about it so sorry I had to rush through that I will adjust for the next time I present so uh if anybody wants to talk to me afterwards I do have have uh other code I can show you or I can sit down with you talk to you more about it or I will uh if you follow me on Twitter or anything I will post out the link to the uh repo for what I have written up it's broken out into individual sections on how I would wrote it for each

individual section you can follow along with that sorry about that uh thank you all for sitting in here with me I know this one probably wasn't as Lively as some of my other talks but thank you nonetheless for sitting in here thank

you we have some questions questions comments concerns thought I heard someone nope let him percolate a little bit and absorb it yep I guess so

yeah I know I know I never like going right before lunch or right after lunch generally because everybody's ready to go to lunch and then everybody's all tired afterwards so no worries about that hey Adam do you have any uh tips for uh AV Bypass or Evasion for the currently available uh c2s that are out there uh deploying them to a you know a client device or a remote host things like that if I heard I sorry about that that um I didn't pick all of that up but if I can summarize what I think you said is is there any mechanism out there currently that's being used for avoiding AV or going bypass um build into various

c2s there are mechanisms for that in some of them um beyond that there are General techniques that is used to bypass amsi to uh do a randomization to recom recompilation using um C assembly uh recompilation on side there's other techniques that can be used out there but as I said that is an arms race because that's where your inpoint protection vendors are actively working to detect everything that comes out and you in that field so it's always a back and forth with there uh General techniques yeah there's some out there but for the most part whatever new technique comes out probably is going to have a relatively short shelf life of a few months maybe before it starts

getting detected in Mass out there so it's just a matter of if you're on a targeting an older Network you're probably uh lucky if you're targeting a relatively mature lock down Network um most techniques are going to be caught relatively quickly so it's all a matter of um how advanc or how many layers of encryption or layers of aisc and all that you want to throw in there so no worries

no that's my son he'll just be making fun of me anyone else if not thank you very much I'll be around here for the next uh hour or two whatever run me down talk to me and um I will you have my contact information there and I will also be posting out on uh Twitter there probably later tonight uh where the or maybe he in a little bit where the GitHub repo is for it if you want to go look at it as I said before this is not something you should actually be using it's something to use as a learning resource because it is very fundament very fundamentally flawed in some ways but it is also um getting

at the base of how this uh kind of product can be written and what you need to Stepping Stones to work your way through it so is that it all right thank you Adam thank you