Clutching Pearls C2
I’m building a command and control (C2) program suite to learn C2 software design and implementation at a fine-grained level (using MITRE ATT&CK C2 Techniques and existing C2 software as references).
Why Are You Coding Yet Another C2?!
I want to be proficient in coding offensive malware targeting multiple platforms written in C and assembly. Additionally, malware is a cool place where much innovation is happening. I want to join in the fun!
I realize I’m doing everything in hard mode… and I’m OK with it. This is a learning and research project for me to get better at C and assembly, but also writing malware for everything from a custom DNS server to code making syscalls in assembly from scratch.
So, in summary: all the work done and choices made in this project are only for me.
If this project helps you, that’s awesome, too; let me know! Note that I don’t want pull requests because I want to be the only author.
Source Code (Vaporware)
The source code is available on Github, and the project is essentially vaporware right now (not functional).
Core Goals (For Now)
- Small binary size.
- Small as possible for static binary.
- Lean on resources.
- Handle a large number of active agents and operators.
- Unsure what number metric it is, but several thousand is realistic.
- Write portable C as much as possible/appropriate.
- Target GNU/Linux, NetBSD, OpenBSD, FreeBSD, Windows, and macOS.
- I’d like to have native packages for each platform.
- Publish all source code and documentation as open source.
- Giving back to the community while also exploring it personally.
- Competitive with other well-known C2 software out there.
- Implement most of the features in the C2 Matrix spreadsheet.
Core Features (Subject To Change)
- Support many server services: HTTPS, DNS over UDP, DNS over HTTPS, FTP, SMB, ICMP, SMTP, IMAP, raw TCP, and raw UDP, and I’m sure many more (shooting for more than anyone else).
- Multi-user server and agents: multiple users can use the same server and communicate with the same agents simultaneously.
- Plugin support: Unsure of the best way to implement this yet, but it would be nice if Python plugins were possible at the very least.
- relaying: relay communications to the server via other agents and to agents via other agents (return path doesn’t have to be the same).
- time/day schedules: only operate on certain days and times, such as work hours.
- queues: queue multiple commands/requests.
- multiple server service communications: optionally communicate over multiple server services (such as multiple DNS queries and then SMTP) within the same session.
- communication playbooks: predefined communication ordering to emulate normal traffic.
- Asymmetric and symmetric encryption: rotating keys, using existing industry standards of AES and DSA, for example.
- Decoupled transmission, data chunking, and data modification: allowing for independence at each level, one-to-many relationships, and independent plugin support.
- Server API: frontends can use the remote server API, allowing for a decoupled experience where user interfaces can be remote and in whatever format is needed.
Product Features Plan (Will Change)
I’m not a project manager, but this is my rough plan. After version 0.2, I’ll have an excellent foundation to launch other features. It would be nice to have dates tied to these for an actual roadmap, but that’s not something I can reasonably do, nor do I want to be chained to arbitrary dates for a fun project.
Next Version: 0.2 (Carmilla) – MVP of Base Functionality
- Server: Add database initializer (SQLite, MySQL, PostgreSQL)
- Server: Add a TCP listener
- Server: Add a TCP+TLS listener
- Server: Add an HTTPS listener
- Server: Add encryption – RSA
- Server: Add encryption – AES
- Server: Add session management for agents
- Server: Add data chunker
- Server: Add envelope data encapsulation (think SOAP envelopes without SOAP overhead)
- Server: Add documentation
Unsorted Backlog for the MVP 1.0 (Elvira) Release
- Server: Add session management for users
- Server: Add remote API (via HTTPS and Unix socket)
- Server: Add plugin support
- Server: Add agent schedule support
- Server: Add an FTP listener
- Agent: Add agent relaying (server <-> relaying agent <-> agent)
- Agent: Add an SMB listener
- Server: Add an ICMP listener
- Server: Add an SMTP listener
- Server: Add user management
- Server: Add a DNS (UDP) listener
- Server: Generate agents (in C, C++, or Rust??)
- Server: Add tests
- Agent: Add tests
- Server: add Docker support to run the server in a docker container
- Server: Add a web client (depends on the server’s remote API)
- Server: Add a CLI client (depends on the server’s remote API)
- Efforts were made to make traffic look more normal.
- Open up Wireshark and make typical web traffic requests. Watch what happens when an email is sent, when visiting a standard website, etc.
- Add support for cloud services for file storage (Box, Sharepoint O365, Dropbox, Google Drive, S3, etc.) that can be publicly available for download and then deleted.
- Check what is installed and if there is a service running.
- Redirector builder.
- Custom-built redirectors to evade signature-based detection by having something unique each time.
- Full focus on agents, dropper, and malware payloads to download and evade detection.