Configuring & Starting PoshC2¶
Once you have installed PoshC2 the first step is to edit the configuration file.
All of PoshC2’s configuration is stored in the Config.py in the PoshC2 directory, by default located at /opt/PoshC2.
You can edit this configuration file at any time by issuing the following command:
This will open the configuration file in your local $EDITOR of choice. If this variable is not set, then the default is vim. A --nano option exists for users who prefer nano.
If the command is not found, check that you have run the install.sh install script, as these script handles the installation of the posh-* commands. If you have installed PoshC2 to a location other than /opt/PoshC2, you can control where the posh-* commands look for Posh by setting the POSHC2_DIR environment variable.
Every line above the do not change section is modifiable, however some common options include:
- PayloadCommsHost - This is the URL that you want to use for all C2 communications that the payloads will beacon out to.
- DomainFrontHeader - If Domain Fronting is being used, this will be the value of the HTTP Host header.
- KillDate - This is the date that all persistence and implants will stop beaconing.
- Jitter - The beacon period jitter value as a decimal (e.g. 0.2 = 20% = between 4 and 6s if the beacon is 5s.).
- DefaultSleep - The default beacon period for new implants.
- EnableNotifications - Enable notifications for when a new implant connections (requires ClockworkSMS or Pushover to be set up).
- NotificationsProjectName - A prefix for notifications to identify this server.
- DefaultMigrationProcess - For generated payloads that migrate into a new process, this is the process that is spawned and migrated into.
- UserAgent - the UserAgent to use for HTTP(S) communications.
By default, PoshC2 will configure the implant to use HTTPS, however it can be used over plain text HTTP if required by changing the PayloadCommsHost protocol to http://. Even over HTTP, all communications are encrypted in order to keep communications secure. The added benefit of HTTPS is that unless the organisation is performing SSL Inspection the communications cannot be checked, and encrypted HTTP traffic could be deemed suspicious. Furthermore, HTTPS traffic encrypts all HTTP headers, allowing the use of Domain Fronting without the Host header being readable, again unless SSL Inspection is being performed.
Once PoshC2 has been configured, launch the C2 server by running the following:
Depending on the port used, this may require elevated permissions to bind to that port. The first time the C2 server is run per project, it will create the project folder structure and database and build all the out-of-the-box payloads for your configuration, in addition to printing some quickstart commands to the server log, such as a PowerShell one liner for quick testing.
Once the log reports that the webserver is running, PoshC2 is ready to receive implants.
If a second user wants to view the C2 Server log they cannot run posh-server again as this will attempt to bind to the same port. Instead, the log can be viewed with:
The Implant-Handler is used to interact with the C2 Server and any Implants. It can be started by issuing this command:
This will prompt the user for a username. This is only used for logging purposes. You can set the user from the command line through the -u option:
posh -u crashoverride
Multiple Implant-Handler processes can be run to allow different users or sessions to control the C2 Server.
Each project creates a unique folder to store all data and downloads specific to that engagement, including unique encryption keys. This means if you have shellcode pre-configured for one project, this will not connect to another project as the encryption keys will not match. This is an in-built safety measure to ensure that only expected payloads connect to expected servers.
Running as a Service¶
When running on a server, PoshC2 can be setup to run as a service instead of a foreground process.
This means that if the user’s session quits then the process will not die, and similarly if the host is rebooted the service will resume automatically.
The C2 server can be installed and started as a service by issuing the following command:
This will install and launch the service and view the log, however now if the user ctrl-c’s the log the C2 service will continue to run in the background. If posh-service is re-run it will restart the service.
A user can resume viewing the log by entering:
The service can be stopped by running: