PoshC2 is a proxy aware C2 framework used to aid penetration testers with red teaming, post-exploitation and lateral movement.
PoshC2 is primarily written in Python3 and follows a modular format to enable users to add their own modules and tools, allowing an extendible and flexible C2 framework. Out-of-the-box PoshC2 comes PowerShell/C# and Python3 implants with payloads written in PowerShell v2 and v4, C++ and C# source code, a variety of executables, DLLs and raw shellcode in addition to a Python3 payload. These enable C2 functionality on a wide range of devices and operating systems, including Windows, *nix and OSX.
Other notable features of PoshC2 include:
- Highly configurable payloads, including default beacon times, jitter, kill dates, user agents and more.
- A large number of payloads generated out-of-the-box which are frequently updated and maintained to bypass common Anti-Virus products.
- Auto-generated Apache Rewrite rules for use in a C2 proxy, protecting your C2 infrastructure and maintaining good operational security.
- A modular format allowing users to create or edit C#, PowerShell or Python3 modules which can be run in-memory by the Implants.
- Notifications on receiving a successful Implant, such as via text message or Pushover.
- A comprehensive and maintained contextual help and an intelligent prompt with contextual auto-completion, history and suggestions.
- Fully encrypted communications, protecting the confidentiality and integrity of the C2 traffic even when communicating over HTTP.
- Client/Server format allowing multiple team members to utilise a single C2 server.
- Extensive logging. Every action and response is timestamped and stored in a database with all relevant information such as user, host, implant number etc. In addition to this the C2 server output is directly logged to a separate file.
- Support for Docker, allowing reliable and cross-platform execution
PoshC2 is fully open source and available on GitHub here: https://github.com/nettitude/PoshC2/
PoshC2 can be installed on any system with Python3 installed, however it is only commonly tested on Debian based Linux distribution, such as Ubuntu and Kali Linux. These operating systems are also free and open source and for the most reliable experience it is recommended that PoshC2 in this way, from a VPS or Virtual Machine if required. It has, however, also been tested on Arch Linux and Windows 10.
It is recommended to add an exclusions folder for any host-based Anti-Virus for the PoshC2 install directory and project directory.
To install PoshC2 on a Debian based Linux distribution run the following from a Terminal:
curl -sSL https://raw.githubusercontent.com/nettitude/PoshC2/master/Install.sh | sudo bash
Once the install script has finished, edit the PoshC2 configuration by issuing the below command:
This will open up the PoshC2 configuration file in your $EDITOR of choice, or vim if one is not set.
The only requirement is to set the PayloadCommsHost field to the URL that the target will be connecting to. Payloads will be generated using this URL.
Once this is done open two terminal windows and in one run:
to launch the C2 server.
In the second window run the Implant-Handler:
posh -u <username>
On launch the C2 server will generate various payloads and log their use and locations in the output. Once an Implant has been created, commands can then be issued from the Implant-Handler, and their response will be displayed in the C2 server output.
Keep In Touch¶
For all the latest news and features, or for the latest documentation and support check out the PoshC2 GitHub page or find us below:
Find us on Twitter - @Nettitude_Labs.
Find us on Slack - poshc2.slack.com (Send an email to labs below to be added to slack channel).
Find us on Email - email@example.com.
We actively encourage the industry to contribute and would want nothing less for PoshC2, be it pull requests, reporting bugs or new ideas. There is no such thing as a stupid question or bad idea.
The best place to do this is on GitHub or chat in the PoshC2 slack channel.