DocsRelease Notes

c2_and_http_server

Suggest Edits

The c2_and_http_server playbook can be used to set up the components needed to test a network security stack's ability to prevent/detect a myriad of different command and control tunnels, reconnaissance techniques and data exfiltration. The playbook creates a cloud based PowerShell Empire container task and an HTTP Server container task. Once the tasks are ready, the playbook sets up a C2 listener on the PowerShell Empire container task and then generates a stager as a launcher file and uploads it to the HTTP Server container task. After all of the tasks are completed, the playbook pauses and waits for an agent connection. The launcher file can be downloaded from the HTTP Server and executed on any system that supports the generated launcher type. Once an agent connects, the playbook prints the C2 task name and agent name, which can be used to configure the recon and lateral movement playbooks.

Sample playbook output:

An agent is connected. 
C2 task name: <c2_server_mm-dd-YYYY-HH-MM>
C2 IP address: <c2_server_ip_address>
C2 URL: https://<c2-hostname>.<domain>:443
C2 listener name: http_malleable
Agent name: <unique_agent_id>
Agent hostname: <agent_hostname>
Agent internal IP: <agent_internal_ip>
Agent external IP: <agent_external_ip>
Agent OS details: <agent_os_details>
Agent system architecture: <agent_system_architecture>
Agent username: <agent_username>
Agent is high integrity (0=no, 1=yes): <0|1>

Playbook will halt until prompted to proceed with clean up.

Press Ctrl+C to proceed with clean up.

The latest version of PowerShell Empire has support for an http_malleable listener type, which can be specified in the configurable parameters of this playbook. By default, the playbook will initialize an http_malleable listener type that uses the "sofacy" profile. You can find more information about the http_malleable listener type here and the full list of supported profiles is available here.

This playbook supports provisioning the C2 server and HTTP server with a custom domain. If a domain is provided and TLS is enabled (both settings that are applied in the playbook configuration), a Let's Encrypt certificate will automatically be requested and used by the corresponding listeners. If a domain is not specified and TLS is enabled for the listeners, a self-signed certificate will automatically be generated with the details from the cert_subj parameter detailed below.

The Let's Encrypt certificates are associated with randomized hostnames and they have a short expiration window so there isn't any need to do any sort of certificate revocation after the playbook is finished. However, as a word of caution, Let's Encrypt enforces a limit of 50 certificates per week per domain (revoking certificates has no effect on this limit) and this playbook generates two certificates per execution. If both certificates are associated with the same domain, that means that you are limited to 25 executions of this playbook per week for a given domain. Therefore, if you are performing test runs of the playbook, set the test_certificate parameter to True, which will allow the playbook to generate Let's Encrypt certificates from the Let's Encrypt sandbox (the Let's Encrypt sandbox does not enforce any limits). The sandbox certificates are not signed by the Let's Encrypt trusted CA but they will at least allow you to verify that the Let's Encrypt certificate request process is working. The resulting certificate assigned to the listeners will be valid but untrusted by most browsers.

To use a custom domain with this playbook, the domain must be registered with your ./HAVOC campaign beforehand. See the Domains section of the Administration Through CLI Console page for more details.

Requirements

This playbook does not require any pre-existing ./HAVOC components however, you will need a standalone system that will download and run the C2 agent.

Note that the public IP address this system will use to connect to the C2 listener must be specified in the client_ip parameter when configuring the playbook.

Architecture

The architecture and workflow of this playbook looks as follows:

1299

Configuration

To configure this playbook, use the ./havoc -c CLI option, select the number associated with the c2_and_http_server playbook and provide the requested details.

Required parameters:
[c2_listener]
listener_type - the communication method to be used between the C2 agent and C2 server. This can be any one of dbx, http, http_com, http_foreign, http_hop, http_malleable, http_mapi, meterpreter, onedrive, redirector.
listener_profile - if http_malleable is selected as the listener_type, this parameter is used to indicate which malleable C2 profile the http_malleable listener should use.
listener_port - the port number that the listener will bind to.
listener_tls - indicates whether or not the listener will use TLS encrypted communications (True|False).
test_certificate - use a test (Let's Encrypt sandbox) certificate (True|False).
domain_name - specify a domain name for the C2 server.
cert_subj - an OpenSSL compatible certificate subject to be used when generating a self-signed certificate.

[c2_stager]
StagerName - the name of the stager type to generate for the listener (use the get_stagers command as documented in PowerShell Empire Container Task's available commands section to get a list of all available stagers).
Language - the programming language that the stager should use (python|powershell).
StagerRetries - the number of times the stager will try to connect to the listener before giving up.
OutFile - the file name to use for the resulting stager file.
Obfuscate - obfuscate the stager code (True|False). For powershell only.
ObfuscateCommand - the obfuscation command used to obfuscate stager code if obfuscation is enabled. For powershell only.
Base64 - encode the stager code with base64 encoding (True|False).
SafeChecks - checks for LittleSnitch or a sandbox, exit the staging process if found.
UserAgent - user-agent string to use for the staging request (default|none|other).
Proxy - proxy to use for the request (default|none|other).
ProxyCreds - proxy credentials to use for the request (default|none|other).
Bypasses - bypasses as a space separated list to be prepended to the stager.

[http_service]
http_port - the port number that the listener will bind to.
tls - indicates whether or not the listener will use TLS encrypted communications (True|False).
test_certificate - use a test (Let's Encrypt sandbox) certificate (True|False).
domain_name - specify a domain name for the http server.
cert_subj - an OpenSSL compatible certificate subject to be used when generating a self-signed certificate.

[c2_client]
client_ip - Your PAT or NAT address range that the C2 agent will use to reach the Internet. This can be a comma separated list of IP addresses but they must be in CIDR notation, e.g. 192.168.1.50/32,192.168.2.0/24.

$ ./havoc -c
1) activity_report	 3) pse_host_recon	  5) pse_network_recon
2) c2_and_http_server	 4) pse_lateral_movement  6) simple_exfil
Select a playbook to configure: 2
Configuring playbook c2_and_http_server.

If you have previously configured this playbook, configuring it again will delete the existing configuration.
Are you sure you want to continue? [Y/N]: y

Creating a customized c2_and_http_server.ini file.
Provide a value for each parameter.
Press enter without providing a value to accept the default.

[c2_listener]
listener_type [http_malleable]: <listener_type>
listener_profile [sofacy]: <listener_profile>
listener_port [443]: <listener_port>
listener_tls [True]: <True|False>
test_certificate [False]: <True|False>
domain_name [None]: <domain_name|None>
cert_subj [/C=US/ST=Utah/L=Lehi/O=Your Company, Inc./OU=IT/CN=$HOST]: <cert_subj>

[c2_stager]
StagerName [multi/launcher]: <stager_type>
Language [powershell]: <powershell|python>
StagerRetries [0]: <number_of_retries>
OutFile [launcher.ps1]: <output_file_name>
Obfuscate [False]: <True|False>
ObfuscateCommand [Token\All\1]: <obfuscation_command>
Base64 [False]: <True|False>
SafeChecks [False]: <True|False>
UserAgent [default]: <default|none|other>
Proxy [default]: <default|none|other>
ProxyCreds [default]: <default|none|other>
Bypasses [mattifestation etw]: <bypass_technique>

[http_service]
http_port [443]: <http_port>
tls [True]: <True|False>
test_certificate [False]: <True|False>
domain_name [None]: <domain_name|None>
cert_subj [/C=US/ST=Utah/L=Lehi/O=Your Company, Inc./OU=IT/CN=$HOST]: <cert_subj>

[c2_client]
client_ip [192.168.1.100/32]: <client_ip_address>

<snip - installing required Python modules>

Playbook c2_and_http_server configured.
$

Execution

To execute this playbook, run the following ./HAVOC CLI command (where <profile> is replaced with the ./HAVOC config profile name that you would like to authenticate to the ./HAVOC API with):

$ ./havoc -e c2_and_http_server <profile>

Clean up

Error handling
If the playbook encounters errors during execution, it should automatically switch to a clean_up function and delete any resources that it created. If the playbook is hung on a specific task, you can press Ctrl+C to terminate the playbook and initiate the clean_up function.

Successful execution
After the playbook executes all operations successfully it will pause itself and leave all corresponding resources in place so that you can utilize its components with other playbooks such as the windows_recon playbook. When you're finished running the desired activities with the components from this playbook, pressing the "enter" key at the paused prompt will initiate the playbook's clean_up function.

Associated resources
This playbook creates and destroys the following resources:

  • A PowerShell Empire cloud container task.
    • A PowerShell Empire Listener.
    • A PowerShell Empire Stager file that gets saved to the local directory where ./HAVOC CLI was executed from.
      • The file name will reflect the OutFile parameter set when configuring the playbook.
  • A portgroup that restricts inbound access to the PowerShell Empire's Listener port to just the client_ip set when configuring the playbook.
  • A shared Workspace file that is a copy of the PowerShell Empire Stager file.
    • The file name will reflect the OutFile parameter set when configuring the playbook.
  • An HTTP Server cloud container task.
  • A portgroup that restricts inbound access to the HTTP Server's http_port to just the client_ip set when configuring the playbook.

If you're uncertain whether the clean_up function completed successfully, the following ./HAVOC CLI console commands can be used to check which resources are still present:
list_tasks
list_portgroups
list_files

Updated 7 months ago