Command and control (C2)

Once a foot is in the door, C2 is used to maintain persistence within the target environment, communicate with infected or compromised devices inside the network, and potentially exfiltrate sensitive data.

C2 frameworks are post-exploitation frameworks that allow red teamers to collaborate and control compromised machines. C2 is considered one of the most important tools for red teamers during offensive cyber operations. C2 frameworks provide fast and straightforward approaches to:

  • Generate various malicious payloads

  • Enumerate the compromised machine/networks

  • Perform privilege escalation and pivoting

  • Perform lateral movement

This page looks at Cobalt Strike, PowerShell Empire and Metasploit. Most of these frameworks aim to provide a convenient environment for red team operators to share access and communicate once initial access to a system has been gained.

Cobalt Strike

Cobalt Strike is a commercial framework that focuses on adversary simulations and red team operations. It is a combination of remote access tools, post-exploitation capabilities, and a reporting system. It provides an agent with advanced techniques to establish covert communications and perform various operations, including key-logging, file upload and download, VPN deployment, privilege escalation techniques, mimikatz, port scanning, and advanced lateral movement. Even an operator without much knowledge can do a lot with it (which is what makes it dangerous), and it is extremely expensive.

PowerShell Empire

PowerShell Empire is an open-source framework that helps red team operators and pen testers collaborate across multiple servers using keys and shared passwords. It is an exploitation framework based on PowerShell and Python agents. PowerShell Empire focuses on client-side exploitation and post-exploitation of Windows and Active Directory environments. Starkiller is a GUI for PowerShell Empire.

Installation on a Kali VM

Make a snapshot of the VM so you can roll back if something goes wrong.

sudo su
apt update && apt -y full-upgrade

Make another snapshot, then install PowerShell Empire and Starkiller:

sudo apt install -y powershell-empire starkiller

The default credentials are empireadmin:password123. Change them as soon as possible.

Launch

Start the server:

sudo powershell-empire server

Start the client:

sudo powershell-empire client

Start the GUI (optional; we do without it):

starkiller --no-sandbox
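
The page tells you to change the default credentials between the install and the "Start the server" step. As an added example (not from the page or the Empire project), the following shell pre-flight refuses to start the server while the seed credentials in the server config are still the stock pair. It assumes the config is a YAML file with a defaults: block holding username: and password: keys, as Empire's config.yaml does, that the credentials are changed there before the first start, and that the EMPIRE_CONFIG path is a placeholder to override for your install.

```shell
#!/bin/sh
# Added example, not from the page or the Empire project: refuse to start the
# Empire server while the seed credentials in its config are still the stock
# empireadmin:password123 pair. Assumes a YAML config with a "defaults:" block
# holding "username:" and "password:" keys, as Empire's config.yaml does;
# EMPIRE_CONFIG is a placeholder path, override it for your install.
EMPIRE_CONFIG="${EMPIRE_CONFIG:-/path/to/empire/server/config.yaml}"
STOCK_USER="empireadmin"
STOCK_PASS="password123"

# Print the value of key $2 inside the first "defaults:" block of file $1.
# Comments and blank lines are skipped; the block ends when indentation
# drops back to the level of the "defaults:" line.
yaml_default_value() {
    awk -v key="$2" '
        function indent(s) { match(s, /^[[:space:]]*/); return RLENGTH }
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        !in_def && /^[[:space:]]*defaults:[[:space:]]*$/ { in_def = 1; depth = indent($0); next }
        in_def && indent($0) <= depth { exit }
        in_def {
            line = $0; sub(/^[[:space:]]+/, "", line)
            if (index(line, key ":") == 1) {
                val = substr(line, length(key) + 2)
                gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
                gsub(/^["'\'']|["'\'']$/, "", val)   # drop surrounding quotes
                print val; exit
            }
        }' "$1"
}

# Exit 0 (true) when both stock values are still configured in file $1.
stock_creds_present() {
    [ "$(yaml_default_value "$1" username)" = "$STOCK_USER" ] &&
    [ "$(yaml_default_value "$1" password)" = "$STOCK_PASS" ]
}

# Wrapper for the page's "sudo powershell-empire server" step: returns 2
# and starts nothing while the stock pair is present in config file $1.
launch_empire_server() {
    if stock_creds_present "$1"; then
        echo "refusing to start: $1 still holds $STOCK_USER:$STOCK_PASS" >&2
        return 2
    fi
    sudo powershell-empire server
}

# Usage: EMPIRE_CONFIG=/your/config.yaml sh preflight.sh --launch
if [ "${1:-}" = "--launch" ]; then launch_empire_server "$EMPIRE_CONFIG"; fi
```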

Metasploit

Metasploit is a widely used exploitation framework that offers a broad set of techniques and tools that make exploitation straightforward. It is an open-source framework and is considered one of the primary tools for pentesting and red team operations. Metasploit is one of the tools we use a lot.