Scribd
Upload
42 views

Command and Control - Website

This document discusses the TrevorC2 tool, which can be used for command and control via legitimate HTTP traffic. It hides command and control activities by cloning a website and inserting encrypted commands. The implant connects to the server, and commands can be sent from the server to clients in an encrypted format within the fake website. TrevorC2 uses AES encryption with a specified cipher.

Uploaded by

Lemari Exploit
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
42 views

Command and Control - Website

This document discusses the TrevorC2 tool, which can be used for command and control via legitimate HTTP traffic. It hides command and control activities by cloning a website and inserting encrypted commands. The implant connects to the server, and commands can be sent from the server to clients in an encrypted format within the fake website. TrevorC2 uses AES encryption with a specified cipher.

Uploaded by

Lemari Exploit
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 8

Penetration Testing Lab

Articles from the Pentesting Field

Home Pentesting Distros Resources Submissions Toolkit Contact the Lab

Hijack Digital Signatures – PowerShell Script Search the Lab


Search...
Command and Control – WMI

Author
November Command and Control – Website
14, 2017
netbiosX Red Team C2, Command and Control, Red Team, Trevor Leave a
comment
netbiosX

Covering arbitrary commands through legitimate traffic is a must for every red team
engagement. The majority of the command and control tools are implementing a stealthy Follow PenTest Lab
technique that it will allow red teams to hide their activities as data exfiltration is part of the
goals. Enter your email address to follow this blog and
receive notifications of new posts by email.
David Kennedy developed a command and control tool called TrevorC2 that can be used
to execute commands via legitimate HTTP traffic. The URL attribute on the Join 1,667 other followers
trevorc2_server.py needs to be modified to a website of choice.
Enter your email address

Follow

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
Recent Posts
Command and Control – Browser
SPN Discovery
Situational Awareness
Lateral Movement – WinRM
AppLocker Bypass – CMSTP
TrevorC2 – Server Configuration

The implant (trevorc2_client.py or trevorc2_client.ps1) has a SITE_URL attribute. This Categories


needs to be changed with the IP address of the command and control server. When the
command and control server file will run it will start to clone the website. Coding (10)
Defense Evasion (20)
Exploitation Techniques (19)
External Submissions (3)
General Lab Notes (21)
Information Gathering (12)
Infrastructure (2)
Maintaining Access (4)
Mobile Pentesting (7)
Network Mapping (1)
TrevorC2 – Server
Post Exploitation (12)
Privilege Escalation (14)
There are two implants to be used one based in python and one in PowerShell. From the
moment that the implant will be executed a connection will be established with the Red Team (27)
command and control server. Social Engineering (11)
Tools (7)
VoIP (4)
Web Application (14)
Wireless (2)

TrevorC2 – PowerShell Implant


Archives

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
Commands can be sent from the server to the clients: June 2018
May 2018
April 2018
January 2018
December 2017
November 2017
October 2017

TrevorC2 – Commands September 2017


August 2017
The commands will be sent encrypted via HTTP/S protocol. TrevorC2 is using AES July 2017
encryption with the following cipher. Encrypted commands will be inserted into the fake June 2017
website inside the oldcss parameter: May 2017
April 2017
March 2017
February 2017
January 2017
November 2016
September 2016
February 2015
TrevorC2 – Encryption Key and Data Location January 2015
July 2014
The fake website will be hosted into the same system as the command and control server
April 2014
and it will look exactly as the original.
June 2013
May 2013
April 2013
March 2013
February 2013
January 2013
December 2012
November 2012
October 2012

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
September 2012
August 2012
July 2012
June 2012
April 2012
March 2012
February 2012

@ Twitter
#BSidesLDN2018 was great so far! Many thanks to
@dradisfw for the ticket #dradis #greatproduct
6 hours ago
Great talk by @john_shier about Dark Web!
#BSidesLDN2018 https://t.co/1yC8lVKn3X
7 hours ago
TrevorC2 – Cloned Website RT @myexploit2600: I be talking at 14:00 in track 2
@BSidesLondon #BsidesLDN2018 7 hours ago
However examining the source code the oldcss parameter will contain the encrypted Finally a social engineering talk #BSidesLDN2018
command. https://t.co/jMMk4lvbcH 7 hours ago
[New Post] Command and Control - Browser
pentestlab.blog/2018/06/06/com… #pentestlab
#Redteam 9 hours ago

Follow @netbiosX

Pen Test Lab Stats


TrevorC2 – Encrypted Command
3,030,594 hits

By doing traffic inspection it is visible that the executed commands are covered through
legitimate HTTP traffic. Blogroll

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
Packetstorm Exploits,Advisories,Tools,Whitepapers
0
Metasploit Latest news about Metasploit Framework
and tutorials 0
0x191unauthorized Tutorials 0
The home of WeBaCoo Information about the
WeBaCoo and other tutorials 0
Command Line Kung Fu Command Line Tips and
Tricks 0

Exploit Databases
Exploit Database Exploits,PoC,Shellcodes,Papers
0
Metasploit Database Exploit & Auxiliary Modules 0
Inj3ct0r Database Remote,Local,Web
TrevorC2 – Wireshark Traffic Apps,Shellcode,PoC 0

References Pentest Blogs


https://www.trustedsec.com/2017/10/trevorc2-legitimate-covert-c2-browser-emulation/
Carnal0wnage Ethical Hacking Tutorials 0
https://github.com/trustedsec/trevorc2 Coresec Pentest tutorials,Code,Tools 0
Notsosecure From Pentesters To Pentesters 0
Pentestmonkey Cheatsheets,Tools and SQL
Injection 0
Pentester Web Application Testing,Tips,Testing
Tools 0
Packetstorm Exploit Files 0
room362 Blatherings of a Security Addict 0
darkoperator Shell is only the Beginning 0
Irongeek Hacking Videos,Infosec Articles,Scripts 0

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
Advertisements Professional
The Official Social Engineering Portal Information
about the Social Engineering Framework,Podcasts
and Resources 0

Next Conference

Security B-Sides London


April 29th, 2014

The big day is here.

Facebook Page

Penetrati…
9.9K likes

Like Page

Be the first of your friends to


like this

Rate this:

1 Vote

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
Advertisements
Share this:

 Twitter  Facebook 95  LinkedIn  Pinterest

 Reddit  Tumblr  Google

Like
Be the first to like this.

Related

Command and Control - Command and Control - Command and Control -


Browser Gmail DNS
In "Red Team" In "Red Team" In "Red Team"

Leave a Reply

Enter your comment here...

Hijack Digital Signatures – PowerShell Script

Command and Control – WMI

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
Create a free website or blog at WordPress.com.

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD

You might also like