
Command and Control – Website


Hiding arbitrary commands inside legitimate-looking traffic is a must for every red team engagement. The majority of command and control tools implement a stealthy technique that allows red teams to hide their activities, since data exfiltration is part of the goals.

David Kennedy developed a command and control tool called TrevorC2 that can be used to execute commands via legitimate HTTP traffic. The URL attribute in trevorc2_server.py needs to be modified to a website of choice.

[Figure: TrevorC2 – Server Configuration]

The implant (trevorc2_client.py or trevorc2_client.ps1) has a SITE_URL attribute. This needs to be changed to the IP address of the command and control server. When the command and control server file is run, it will start cloning the website.

[Figure: TrevorC2 – Server]

There are two implants to choose from, one written in Python and one in PowerShell. From the moment the implant is executed, a connection is established with the command and control server.

[Figure: TrevorC2 – PowerShell Implant]

Commands can be sent from the server to the clients:

[Figure: TrevorC2 – Commands]

The commands are sent encrypted over HTTP/S. TrevorC2 uses AES encryption with the following cipher. Encrypted commands are inserted into the fake website inside the oldcss parameter:

[Figure: TrevorC2 – Encryption Key and Data Location]

The fake website is hosted on the same system as the command and control server and looks exactly like the original.

[Figure: TrevorC2 – Cloned Website]

However, examining the page source reveals that the oldcss parameter contains the encrypted command.

[Figure: TrevorC2 – Encrypted Command]

Traffic inspection shows that the executed commands are hidden inside what looks like legitimate HTTP traffic: a client fetching a web page and receiving HTML in return.

[Figure: TrevorC2 – Wireshark Traffic]
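The oldcss parameter is the one observable artefact the post identifies in both the page source and the captured traffic, so it is the natural hook for detection. The script below is an added defender-side example written for this page; it is not code from TrevorC2 or from the original post. It assumes the hidden data appears in the served HTML as an "oldcss=<value>" token (the post only shows the parameter name, so the exact surrounding markup is an assumption), and it uses a constructed sample page and a constructed raw HTTP response as input. The base64-charset check, the minimum length of 32 and the Shannon-entropy threshold of 4.5 bits per character are chosen values: a real stylesheet name is short and low-entropy, whereas an AES ciphertext encoded as base64 is long and close to the 6-bit maximum.

```python
import math
import re
from dataclasses import dataclass
from typing import List

# An "oldcss=" token followed by its value, which runs up to whitespace, a quote
# or an angle bracket. The embedding form is an assumption, not TrevorC2's
# documented format.
OLDCSS_RE = re.compile(r"oldcss=([^\s\"'<>]+)")
# Plain base64 alphabet with optional padding.
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

MIN_LENGTH = 32          # chosen value: shorter strings are treated as ordinary file names
ENTROPY_THRESHOLD = 4.5  # chosen value, in bits per character; base64 ciphertext sits near 6.0


@dataclass
class Finding:
    source: str    # file name or connection label the page came from
    value: str     # the suspicious oldcss value
    entropy: float # Shannon entropy of that value in bits per character


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's byte-frequency distribution."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_html(source: str, html: str) -> List[Finding]:
    """Return every oldcss value that is long, base64-shaped and high-entropy."""
    findings = []
    for match in OLDCSS_RE.finditer(html):
        value = match.group(1)
        if len(value) < MIN_LENGTH or not BASE64_RE.match(value):
            continue  # short names and non-base64 strings look like real CSS references
        ent = shannon_entropy(value)
        if ent >= ENTROPY_THRESHOLD:
            findings.append(Finding(source, value, ent))
    return findings


def scan_http_response(source: str, raw: bytes) -> List[Finding]:
    """Split a captured HTTP response into headers and body, scan HTML bodies only."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return []
    headers = head.decode("latin-1").lower()
    if "content-type:" in headers and "text/html" not in headers:
        return []  # images, scripts and other non-HTML bodies are out of scope here
    return scan_html(source, body.decode("utf-8", errors="replace"))


# Constructed samples. The suspicious value is the full base64 alphabet once, which
# gives exactly 6.0 bits per character; a real ciphertext would be close to that.
SUSPICIOUS_VALUE = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
CLEAN_PAGE = (
    "<html><head><link rel='stylesheet' href='/style.css'></head>"
    "<body><p>Welcome</p><!-- oldcss=legacy-theme.css --></body></html>"
)
LOW_ENTROPY_PAGE = "<html><body><!-- oldcss=" + "A" * 40 + " --></body></html>"
SUSPICIOUS_PAGE = (
    "<html><head><title>Cloned</title></head><body><p>Welcome</p>"
    "<!-- oldcss=" + SUSPICIOUS_VALUE + " --></body></html>"
)
SUSPICIOUS_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n\r\n"
    + SUSPICIOUS_PAGE.encode()
)


def demo() -> int:
    """Scan the constructed samples and return the number of findings."""
    total = 0
    for name, page in [("clean.html", CLEAN_PAGE),
                       ("low-entropy.html", LOW_ENTROPY_PAGE),
                       ("suspicious.html", SUSPICIOUS_PAGE)]:
        for f in scan_html(name, page):
            print(f"{f.source}: oldcss value of {len(f.value)} chars, entropy {f.entropy:.2f}")
            total += 1
    for f in scan_http_response("10.0.0.5:443", SUSPICIOUS_RESPONSE):
        print(f"{f.source}: HTML body carries high-entropy oldcss value")
        total += 1
    return total


if __name__ == "__main__":
    demo()
```

Run it against saved page sources or bodies exported from a packet capture; only the suspicious sample produces a finding, because the real stylesheet name fails the length and charset checks and the repeated-character value fails the entropy check. The parameter name is, of course, a single configurable string, so this check is a starting point for a rule rather than a complete signature: the durable signal is a long high-entropy blob inside an HTML comment or attribute where a file name belongs.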

References

https://www.trustedsec.com/2017/10/trevorc2-legitimate-covert-c2-browser-emulation/

https://github.com/trustedsec/trevorc2
