Command and Control (C2) frameworks are essential in the Red Teamers and Attackers playbooks. They help hackers of all types to take over networks or turn regular computers into bots, creating a network of remotely controlled computers that can send spam or launch DDoS attacks. In the early days of the internet, a Command and Control attack would allow hackers to have full control of a physical server, now most of the targets are servers on the cloud. We can easily imagine the catastrophic effects if an attacker gained access to public services servers, being able to shut down power supplies entirely, gaining control of computers that are responsible for handling robot-assisted surgeries at hospitals, and so on. But how does a computer get infected? There are numerous ways of infecting a computer and starting a C2 framework, and they are usually done through well-known ways. Malvertising Vulnerable web browser plugins Phishing Direct installation of malware (usually done through physical access) Exploiting a vulnerable system (usually due to unpatched OSs and servers) After the infection is done, the attacker can launch a reverse shell in order to execute commands, start a ransomware attack, exfiltrate data, launch a DDoS attack or just sit there and wait for the appropriate moment to do their devilish things. The Command and Control structure As of now, everything might look overwhelming, but at the end of the day, a C2 server is pretty much a listener (C2 server) that can handle many reverse shells at once (C2 agents) plus the post-exploitation features that only the frameworks have. A reverse shell or remote shell takes advantage of a vulnerability to instantiate a shell session and access the victim’s computer, in order to redirect inputs and outputs from the user’s computer to the attacker’s machine. : Serves as a hub for the agents to call back to, agents will periodically call back to the server and wait for the operator’s commands. C2 Server : The agent is generated by the framework and is responsible for calling back to the server. It has special functionalities that cannot be found on simple reverse shells. Agents/Payloads : As the name suggests, it’s an application that runs on the C2 servers and waits for a callback on a specific port or protocol. Listeners : This is the process of the Agent calling back to the server. Beacons Most common C2 frameworks There are free and paid frameworks, they have some differences, but probably the biggest one is that the premiums are less likely to be detected by antivirus software. That does not mean that the free ones are bad, but since they are open-source, signatures can easily be developed. : is one of the most popular frameworks, it’s developed and maintained by , it is publicly available, can be downloaded for free, and comes bundled in the most popular penetration testing distributions. Metasploit rapid7 : This is an extension of the framework, it has a fully-fledged GUI written in Java that looks similar to , this is because they are both created by Raphael Mudge. Armitage Metasploit Cobalt Strike : This is arguably the most popular C2 framework next to , has its GUI written in Java to increase flexibility, and is maintained by . Cobalt Strike Metasploit HelpSystems : Marketed as a “Customizable Command and Control Center” or “C4” framework that provides a true adversary simulation-like experience and was created by Chetan Nayak or Paranoid Ninja. Brute Ratel : This is not a framework, but a comprehensive list of all C2 frameworks available, it is currently being maintained by and and I highly recommend you to check it out. C2 Matrix Jorge Orchilles Bryson Bort This was a small glimpse of Command and Control attacks and frameworks, there are plenty more to cover, like how to set up a C2 server and how to start an attack, but that is out of the scope of this story. Keep an eye out on the wild interwebs for the next stories.

LastPass Confirms Hackers Stole Encrypted Password Vaults... Four Months Ago

Learn History in a Fun Way

Command and Control Frameworks in a Nutshell

About Author

Comments

TOPICS

THIS ARTICLE WAS FEATURED IN

Related Stories

How to Use an Uncensored AI Model and Train It With Your Data

108 Stories To Learn About Cybersecurity Tips

10 Cybersecurity Books Every Business Owner Should Read

10 Best Practices for Securing Your API

122 Stories To Learn About Cybercrime

3 Cybersecurity Priorities for 2021: Threat Fatigue; Remote Work; Budget

How to Use an Uncensored AI Model and Train It With Your Data

108 Stories To Learn About Cybersecurity Tips

10 Cybersecurity Books Every Business Owner Should Read

10 Best Practices for Securing Your API

122 Stories To Learn About Cybercrime

3 Cybersecurity Priorities for 2021: Threat Fatigue; Remote Work; Budget

Light-Mode

Classic

Newspaper

Minty

Dark-Mode

Neon Noir

Minty

HN StartUps