Command and Control
Command and Control: Ingress Tool Transfer
To maintain control and update the malware, the attacker uses ingress tool transfer techniques through secure and commonly allowed protocols such as HTTPS or FTP. Here’s how to do this using the command line:
Using PowerShell to Download Tools Over HTTPS:
PowerShell can be used to securely download tools and payloads via HTTPS.
Example command to download a file using
Invoke-WebRequest
:To ensure the download is secure and avoid detection, you can use PowerShell to download and execute the tool immediately:
Using FTP to Transfer Tools:
If FTP is allowed, use the built-in
ftp
command to transfer tools.
Example commands:
This script connects to the FTP server, logs in with credentials, and downloads the
tool.exe
file.
Using cURL to Download Tools Over HTTPS:
cURL
is a versatile command-line tool for transferring data using various protocols.
Example command to download a file using cURL:
Command and Control: Web Protocols
Setting Up the C2 Server: First, you need to set up a C2 server that will act as the control point for your backdoor. This server can be a regular web server configured to accept HTTPS connections. You can use a web server software like Apache or Nginx. Ensure that the server has a valid SSL/TLS certificate for HTTPS communication.
Creating the Backdoor: Write a backdoor script that communicates with the C2 server over HTTPS. The backdoor should send HTTP POST requests to the server and handle responses accordingly. Below is an example in Python:
Ensuring Encrypted Communications: By using HTTPS, the communications are encrypted using SSL/TLS. This ensures that data transferred between the victim's machine and the C2 server is not easily intercepted or deciphered.
Employing Domain Fronting: Domain fronting involves routing your traffic through legitimate domains to disguise it. This is usually done by manipulating the HTTP headers. You can use a service like Cloudflare to achieve this. Here’s an example using the
requests
library to implement domain fronting:In this script,
C2_FRONT_DOMAIN
is a legitimate domain that proxies the traffic to your actual C2 server. This helps in evading detection as the traffic appears to be going to a legitimate service.
Command and Control: Encrypted Channel: Symmetric Cryptography
Setting Up the C2 Server
Install Necessary Software: Set up a web server and install necessary cryptographic libraries.
Create the C2 Server Script: Write a Flask application to handle encrypted communications.
Start the C2 Server: Ensure the Flask application runs over HTTPS for encrypted transport.
Creating the Backdoor
Install Necessary Libraries: Ensure the target machine has the required libraries.
Write the Backdoor Script: Create a Python script that communicates with the C2 server, using AES encryption for data.
Command and Control: Data Encoding: Standard Encoding
Step 1: Data Encoding with Base64
Base64 encoding is a common technique to encode binary data into ASCII text, which makes it easier to transmit over text-based protocols. Here’s how you can encode data using base64 on the command line:
Encode a File Using Base64:
You can use the
base64
command to encode a file. For example, to encode a file nameddata.txt
, you would use:This command reads the contents of
data.txt
, encodes it in base64, and writes the encoded data toencoded_data.txt
.
Decode a Base64 Encoded File:
To decode a base64 encoded file back to its original form, use the
-d
flag:
Step 2: Sending Encoded Data over the Network
Once the data is encoded, you can send it over the network to your C2 server. Here is a basic example using curl
to POST the encoded data:
This command posts the contents of encoded_data.txt
to the specified URL.
Step 3: Hiding Encoded Data with Steganography
To further conceal the encoded data, you can use steganography to hide it within an innocuous file, such as an image. One common tool for this is steghide
.
Install Steghide:
You can install
steghide
using the package manager for your system. For instance, on Debian-based systems:
Embed Encoded Data in an Image:
To hide the
encoded_data.txt
within an image fileimage.jpg
, use:This command embeds the contents of
encoded_data.txt
intoimage.jpg
, creating a new image fileoutput.jpg
that contains the hidden data.
Extract Data from an Image:
To retrieve the hidden data from the image, use:
This extracts the hidden data from
output.jpg
and saves it toextracted_data.txt
.
Command and Control: Non-Application Layer Protocol
Step 1: Understanding ICMP Tunneling
ICMP tunneling involves encapsulating data within ICMP packets, which are typically used for diagnostic or control purposes. Tools such as icmpsh
, Ptunnel
, or custom scripts can be used to establish an ICMP tunnel. In this guide, we'll use icmpsh
as an example tool for ICMP tunneling.
Step 2: Setting Up the Environment
Install Required Tools:
Ensure you have the necessary tools installed on both the client (attacker) and the server (C2 server). You can download
icmpsh
from its repository.
Step 3: Running ICMP Tunneling
On the C2 Server
Start the ICMP Listener:
Run the ICMP listener on the server. This will listen for ICMP echo requests from the client and respond accordingly.
Replace
<Server_IP>
with the IP address of the C2 server and<Client_IP>
with the IP address of the attacking client.
On the Attacking Client
Start the ICMP Shell:
On the client machine, start the ICMP shell to communicate with the server.
Replace
<Server_IP>
with the IP address of the C2 server.
Step 4: Sending Commands and Receiving Responses
Interact with the C2 Server:
Once the ICMP tunnel is established, you can send commands from the client to the server. The server will execute the commands and send back the responses encapsulated in ICMP packets.
For example, on the client, you might see a prompt where you can type commands:
Receive Responses:
The server processes these commands and sends the results back to the client within ICMP echo replies.
Step 5: Stealth Considerations
Stealth Measures:
To enhance stealth, consider varying the timing and size of ICMP packets, encrypting the payload, and ensuring that the ICMP traffic blends in with normal network behavior.
Command and Control: Asymmetric Cryptography
Step 1: Generate Public and Private Keys
Install OpenSSL: Ensure OpenSSL is installed on both the attacker's machine and the compromised systems.
Generate a Private Key: On the attacker's machine, generate a private key. This key will be used to decrypt the data sent from the compromised systems.
This command generates a 2048-bit RSA private key and saves it to
private_key.pem
, encrypting it with AES-256 for added security.Generate a Public Key: Extract the corresponding public key from the private key. This key will be distributed to the compromised systems.
This command reads the private key from
private_key.pem
and writes the public key topublic_key.pem
.
Step 2: Encrypt Data on the Compromised System
On each compromised system, use the public key to encrypt outbound communication. The following steps assume you have a file data.txt
containing the data you wish to send.
Encrypt Data: Use the public key to encrypt the data file.
This command encrypts
data.txt
usingpublic_key.pem
and writes the encrypted data toencrypted_data.bin
.
Step 3: Transmit Encrypted Data
Send the encrypted data (encrypted_data.bin
) to the C2 server. This can be done using any network communication tool such as curl
or nc
(netcat).
Using curl:
Using nc (netcat):
Step 4: Decrypt Data on the C2 Server
On the attacker's C2 server, use the private key to decrypt the received data.
Decrypt Data: After receiving the
encrypted_data.bin
, decrypt it using the private key.This command reads
encrypted_data.bin
, decrypts it usingprivate_key.pem
, and writes the original data todecrypted_data.txt
.
Command and Control: Application Layer Protocol: DNS
Step 1: Set Up a DNS Server
First, the attacker needs to set up a DNS server to handle the encoded data. You can use bind9
or another DNS server software for this purpose.
Install
bind9
:Configure the DNS Server:
Edit the
named.conf.local
file to set up the DNS zones. Here’s an example configuration:Create the zone file
/etc/bind/db.maliciousdomain.com
:Replace
<DNS_Server_IP>
with the IP address of your DNS server.
Step 2: Encode Commands and Data into DNS Queries
On the compromised machine, encode the commands or data into DNS queries. For example, to encode the command ls
:
Base64 Encode the Command:
This might output something like
bHM=
.Create a DNS Query:
Use
dig
to send the encoded data as part of a subdomain to the malicious DNS server:Replace
<DNS_Server_IP>
with the IP address of your DNS server.
Step 3: Decode and Execute Commands on the DNS Server
On the DNS server, you need a mechanism to decode the received data and execute it. This can be done using a script or custom DNS server software that intercepts the queries.
Script to Decode and Execute:
Create a script to intercept DNS queries and handle the encoded commands:
This script uses
tshark
to monitor DNS queries, extracts the base64-encoded command, decodes it, executes it, and saves the result to a file.
Step 4: Return Results via DNS Responses
To send the results back, you can encode the output in DNS responses:
Encode the Result:
Respond with the Encoded Data:
Use
nsupdate
or custom DNS server code to craft a DNS response containing the encoded result.
Command and Control: Web Service: Bidirectional Communication
Step 1: Set Up the C2 Server
Install Necessary Software: Ensure you have a web server installed on your C2 server. Apache or Nginx can be used. For this example, we'll use Apache.
Enable SSL/TLS: Configure HTTPS to encrypt communications. You can use
Let's Encrypt
to obtain a free SSL certificate.Follow the prompts to obtain and install the certificate.
Create a Web Application for C2: Set up a simple web application to handle bidirectional communication. Create a directory for your C2 scripts.
Create a PHP script
c2.php
to handle incoming requests:Save this script in
/var/www/html/c2/c2.php
.
Step 2: Compromised System Communication
On the compromised system, use a script to communicate with the C2 server. The script will send system information, execute received commands, and upload data.
Install
curl
:Create a Communication Script:
Create a script
c2_client.sh
:Make the script executable:
Step 3: Execute the Client Script
Run the c2_client.sh
script on the compromised system:
Step 4: Issuing Commands from the C2 Server
Create a text file commands.txt
on the C2 server to issue commands to compromised systems:
When the compromised system polls the C2 server, it will receive the command, execute it, and send back the output.
Step 5: Secure Communication
To ensure that the communication remains secure and blends in with normal web traffic, ensure the following:
Use HTTPS: Encrypt all communications between the compromised system and the C2 server.
Mimic Legitimate Traffic: Ensure the HTTP requests and responses appear similar to normal web traffic. For example, use standard headers and user-agents in the
curl
requests.
Last updated