Command and Control (C2) is one of the most essential parts of red team engagements. There are a lot of tools out there designed specifically for efficient command and control, such as:
In this article we will specifically talk about how to create C2 over HTTP(S). The code can be modified to support multi-operator command and control, as well as to mimic different web servers, frameworks, etc.
Command and Control over HTTP(S) has become one of the most common methods for red team operations. The main reasons for that are the advantages listed below.
Asynchronous C2:
C2 over HTTP is asynchronous, as opposed to C2 over TCP. Because it does not require a persistent connection, it also lets you build long/medium/short-haul C2 that calls back every week, day or hour to ask for a task to run. This reduces the noise generated between the team server and the compromised host.
Hiding in Plain Sight:
The payload can be crafted so that traffic only reaches the C2 infrastructure when a compromised host calls back; anything else is stopped before it gets there. This is achieved by setting up redirectors in front of the team server. Cobalt Strike Malleable C2 profiles and Empire HTTP profiles combined with redirectors are great examples of this.
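The two advantages above are also what a defender looks for: an asynchronous implant produces requests to one destination (the redirector, not the team server) at a near-constant interval, which stands out against normal browsing. The following script is an added example, not code from the original article, that scores each client/destination pair in a web-proxy log by the regularity of its request gaps. The log format and the sample lines are constructed for the example, and the thresholds (at least 5 requests, coefficient of variation of the gaps at most 0.2) are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime
from statistics import pstdev

# Constructed sample web-proxy log (not real data). Assumed format:
# "<ISO timestamp> <client IP> <destination host> <request path>"
# 10.0.0.5 calls c2-redirector.test roughly every 60 s with a few seconds
# of jitter; 10.0.0.7 browses news.test at irregular, human-looking times.
SAMPLE_LOG = """\
2020-01-01T10:00:00 10.0.0.5 c2-redirector.test /api/status
2020-01-01T10:00:05 10.0.0.7 news.test /
2020-01-01T10:00:07 10.0.0.7 news.test /css/site.css
2020-01-01T10:00:30 10.0.0.7 news.test /article/1
2020-01-01T10:01:02 10.0.0.5 c2-redirector.test /api/status
2020-01-01T10:01:59 10.0.0.5 c2-redirector.test /api/status
2020-01-01T10:02:10 10.0.0.5 news.test /
2020-01-01T10:03:01 10.0.0.5 c2-redirector.test /api/status
2020-01-01T10:04:00 10.0.0.5 c2-redirector.test /api/status
2020-01-01T10:04:58 10.0.0.5 c2-redirector.test /api/status
2020-01-01T10:05:12 10.0.0.7 news.test /article/2
2020-01-01T10:05:13 10.0.0.7 news.test /img/logo.png
2020-01-01T10:06:01 10.0.0.5 c2-redirector.test /api/status
2020-01-01T10:07:00 10.0.0.5 c2-redirector.test /api/status
2020-01-01T10:09:30 10.0.0.5 news.test /article/3
2020-01-01T10:18:40 10.0.0.7 news.test /article/4
"""


def parse_log(text):
    """Return (timestamp, client, host) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        records.append((datetime.fromisoformat(parts[0]), parts[1], parts[2]))
    return records


def find_beacons(records, min_requests=5, max_cv=0.2):
    """Flag client/host pairs whose request gaps are unusually regular.

    The coefficient of variation (stdev / mean of the gaps) is near 0 for a
    fixed-interval callback and stays small under modest jitter, while
    interactive browsing produces gaps that vary by orders of magnitude.
    """
    by_pair = defaultdict(list)
    for ts, client, host in records:
        by_pair[(client, host)].append(ts)

    hits = {}
    for pair, times in by_pair.items():
        if len(times) < min_requests:
            continue  # too few requests to say anything about periodicity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = sum(gaps) / len(gaps)
        if avg <= 0:
            continue  # all requests in the same second: a burst, not a beacon
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits[pair] = {"count": len(times),
                          "mean_interval": avg,
                          "cv": round(cv, 3)}
    return hits


if __name__ == "__main__":
    for (client, host), info in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{client} -> {host}: {info['count']} requests, "
              f"~{info['mean_interval']:.0f}s apart, cv={info['cv']}")
```

Only the 10.0.0.5 to c2-redirector.test pair is reported (8 requests, about 60 s apart). Because the destination in the log is whatever host the client actually talked to, the analysis works the same whether that host is the team server or a redirector in front of it; what it cannot see is the second hop behind the redirector.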
So without further ado, let's dive into how to create a custom HTTP(S) C2.
- Install python3 and generate a (self-signed) certificate
$ apt-get install python3
$ openssl req -subj '/CN=Temporary Cert/O=Temporary Cert/C=US' -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -keyout server.key -out server.cert
- Download the HTTP C2 server and payload from the GitHub link below. Make sure the HTTP server points at the correct certificate path, or sits in the same folder as the certificates. Also, in the payload file, change the callback IP address to your C2 server's IP (c2_connection).
- Start the C2 server (tested on Debian) and run the payload on the victim machine (tested on Ubuntu 16.04, 18.04 and macOS Mojave). The C2 communication is going to look as shown in the image below.
$ python3 http_c2_server.py
$ python3 http_c2_payload.py
This is sample code that can be modified or built upon as the operation requires, to mimic different web servers, blog frameworks, e-commerce sites, etc. You can also add further checks to verify whether a connection is coming from a compromised host or not. An example of a C2 built upon this can be found below.