C2 frameworks, crucial for post-exploitation operations, offer open-source alternatives to Cobalt Strike. They streamline the management of compromised systems, enable efficient collaboration, and evade detection by providing customizable behaviors.
It is a toolset attackers use to control and manage compromised systems remotely. It comprises agents, team servers, and clients and features features like evasion, data exfiltration, and task management.
Agents connect to team servers, which handle communication and provide services like agent generation and data storage.
Open-source C2 frameworks are diverse and often limited by component coupling.
Golang and C# dominate modern frameworks, while Python and PowerShell are legacy choices. Popular frameworks include Mythic, Sliver, and Havoc.
Free Webinar on How to Protect Small Businesses Against Advanced Cyberthreats -> Free Registration
C2 frameworks face threats from compromised agents and team servers and unauthenticated third-party attacks, which can lead to data exfiltration, privilege escalation, and denial of service.
Sliver, a Golang-based C2 framework, offers powerful and reliable agents, versatile execution methods, and a vast extension library.
Its high-quality agent architecture and code ensure secure communication and reliable operations.
The vulnerability allowed authenticated Sliver operators to execute arbitrary code on the team server by overwriting a bundled binary with a Metasploit stager, which was fixed by removing the generate msf-stager command and instructing operators to develop their stagers locally.
Havoc, a C2 framework with a Qt GUI, offers process injection and .NET inline assembly for remote shellcode execution.
Despite its less mature codebase, Havoc’s impressive UI and active development make it a promising alternative to Sliver.
Its team server has an authenticated RCE vulnerability due to unsanitized “Service Name” input in an exec.Command() call.
An attacker can inject arbitrary commands into the compilation process by crafting a specific payload in the field, leading to remote code execution.
The researcher discovered an authentication bypass in Havoc’s Service API, where incorrect credentials would not result in a failed authentication, which allowed malicious services to connect to the team server and send unauthorized messages.
Authenticated RCEs in two C2 frameworks were found, but we couldn’t exploit them without authentication.
After investigating Ninja C2, a stealthy C2 framework, they found features similar to Sliver and Havoc with a focus on stealth.
The Ninja web server is vulnerable to unauthenticated arbitrary file downloads due to path traversal, leading to remote code execution.
A malicious agent can register with the team server and upload a malicious file to an arbitrary location, exploiting the vulnerability.
SHAD0W, a modular C2 framework, is vulnerable to unauthenticated RCE due to untrusted beacon-provided values being injected into commands run on the team server, which, used in module compilation, can be exploited by malicious actors to execute arbitrary commands on the team server.
The Covenant framework, previously popular for red team operations, is vulnerable to a privilege escalation attack, where a user can exploit a flaw in the user interface to obtain administrator privileges and then create custom HTTP profiles to execute arbitrary C# code on the server, potentially leading to remote code execution.
According to Include Security, the complexity of C2 frameworks and the need to handle untrusted input makes them vulnerable to RCE attacks.
While most frameworks implement validation measures, oversights can lead to exploitation.
Analyse AnySuspicious Links Using ANY.RUN's New Safe Browsing Tool: Try It for Free