First Time Use PoshC2_Python

PoshC2’s Python server ships as a self-contained folder with the relevant components and subsequent shortcuts to start the server and implant-handler. The C2 server is the Powershell web server component, whereas the implant-handler is where you can interact with your implants.

Run the installer from a Terminal run the following:

curl -sSL https://raw.githubusercontent.com/nettitude/PoshC2_Python/master/Install.sh | bash

Installation Folder

/opt/PoshC2_Python/

Config File

Open the Config.py file and start editing your C2 configuration, every line above the do not change section is modifiable, however to get started quickly the following items are considered most important:

  • HostnameIP - This is the URL that you want to use for all C2 comms (Multiple URL support coming in later release)
  • KillDate - This is the date that all persistence and implants will stop beaconing
../_images/config.png

C2 Server

To start the C2 Server run the command below, this will require root level permissions as it opens a port on 443 when the server starts. The C2 Server is seen to the left of this terminator window below.

screen -S C2Server
python /opt/PoshC2_Python/C2Server.py
../_images/pyshserver.png

By default, PoshC2_Python will configure the implant to use HTTPS but it can be used over plain text HTTP if required. All communications are encrypted within the HTTP content therefore comms are still secure even over HTTP. There is an added benefit to HTTPS, because unless the organisation is perform SSL inspection the communications cannot be checked.

Optional configurations:

Domain Fronting

PoshC2_Python can now use domain fronting for comms. There is a caveat to this; the host must have .NET v4.0.30319 installed and usable to the PowerShell instance. However, if the host does not have this version of the CLR installed it will default back to the underlying CDN hostname, for example cloudfront.net or azureedge.net. The way we perform domain fronting in PoshC2_Python is by adding the Host header to the web requests.

This is a much stealthier option for comms as you can utilise hostnames with better reputation without needing to buy new domains and obtain reputation yourself. If you want to use domain fronting, then select Yes here and the next question appears.

Customize the beacon URLs

If you want to customize the beacon URLs in PoshC2_Python you can do so here, this will auto generate your Apache Rewrite configuration as well. To do this type “Yes” and enter the URLs. These can be pasted in too, to finish the URL entry just enter a blank line and this will tell PoshC2_Python you have finished entering URLs. An example of URLs can be shown below:

v1/site/html/images.html
printer/navigate/n/2/2018/8/
cgi-bin/conf.pl

Customize the beacon URLs from the Socks Proxy (SharpSocks)

If you want to customize the SharpSocks URLs in PoshC2_Python you can do so here, this will auto generate your Apache Rewrite configuration as well. To do this type “Yes” and enter the URLs. These can be pasted in too, to finish the URL entry just enter a blank line and this will tell PoshC2_Python you have finished entering URLs. An example of URLs can be shown below:

v2/site/html/images.html
sharp/navigate/n/2/2018/8/
p1/cgi-bin/conf.pl

Default UserAgent

PoshC2_Python will use the following UserAgent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko.

Referer header

By default the referrer header is blank, however, if you prefer to have a referrer header in the comms type.

Default beacon time of the Posh C2 Server

By default this is set to 5s, however this can be changes to whatever.

Kill Date of the implants in this format dd/MM/yyyy [28/02/2018]:

The Kill Date option is a safety net for both consultants performing Red Teaming and organisations being targeted. If persistence cannot be removed or the payloads are still active in emails or documents, the payload/dropper will not execute if the time has elapsed. The default is two weeks passed the start date but can be changed as long as the format is correct.

Enable sound

This option will enable sound, when a new implant arrives it will tell you.

Do you want to use Clockwork SMS for new payloads

ClockworkSMS is a SMS service provider that can be used for sending texts. PoshC2_Python integrates this service to send a text message when a new implant arrives. This is an optional configuration, however, if you want to integrate this, then all you need to do is sign up and add an API key and Phone number to the initial setup.

This will then send you a text message when an implant arrives.

Implant Handler

The implant-handler also needs starting when running the C2 server, you can run multiple of these if more than one user is controlling the C2 server. The implant handler is seen to the right of this terminator window.

../_images/pyshserver.png

C2Viewer

The C2Viewer window is for when you are using a central server to host the C2 Server and would like more than one user to connect to the database and interact with clients. Usually the best way to achieve this is to map the project folder to a share and then pass this to the Team Viewer window when first opened.

screen -S C2Server
python /opt/PoshC2_Python/C2Viewer.py

Project Folder

Each project creates a unique folder to store all data and downloads specific to that engagement, including unique encryption keys. This means if you have shellcode pre-configured for one project, this will not connect to another project as the encryption keys will not match, so something to be aware of. This is an in-built safety measure to ensure someone else cannot just accept your connections from any PoshC2_Python dropper if they were able to replicate the backend for any reason.

Clockwork SMS

ClockworkSMS is a SMS service provider that can be used for sending texts. PoshC2_Python integrates this service to send a text message when a new implant arrives. This is an optional configuration, however, if you want to integrate this then all you need to do is sign up and add an API key and Phone number to the initial setup.

This will then send you a text message when an implant arrives.

From: PoshC2_Python
Message: NewImplant: Domain \ Username