created: 2021-10-26T23:36:02 (UTC +08:00)
tags: []
source: https://pentestit.com/list-of-open-source-c2-post-exploitation-frameworks/
author:

List of Open Source C2 Post-Exploitation Frameworks | PenTestIT

Excerpt

This post is an attempt at creating a list of open source C2 Post-Exploitation Frameworks targetting multiple operating systems.

You are here: Home / Offensive Security / List of Open Source C2 Post-Exploitation Frameworks

This post has been lying in my drafts for more than a year with edits all over. But two days ago, it was announced that Powershell Empire would no longer be supported by it’s authors. Hence just like I curated a list of adversary emulation tools, I finalized this list of open source C2 post-exploitation frameworks and thought of publishing this today. This is my attempt at introducing you all with other options that are available to help you “elevate your post-exploitation experience” on multiple operating systems. This post includes Powershell C2 frameworks, Python C2 frameworks, Go C2 frameworks and others in an alphabetical order.

1. APfell: APfell is a cross-platform, OPSEC aware, red teaming, post-exploitation C2 framework built with python3, docker, docker-compose, and a web browser UI. It is designed to provide a collaborative and user friendly interface for operators, managers, and reporting on Mac OS and Linux based operating systems. It includes support for multiple C2 profiles, multiple payload types, JavaScript for Automation (JXA) exclusive to Mac OS, and an interesting Chrome extension payload. APfell maps to my favourite MITRE ATT&CK framework as well. Interestingly, the C2 framework finds inspiration from well known malware families such as PlugX, Flame, etc. Check out APfell version 1.2.
   2. Covenant: Covenant is a .NET command and control framework that aims to highlight the attack surface of .NET, make the use of offensive

.NET tradecraft easier, and serve as a collaborative command and control platform for red-teamers. What sets this apart from other C2 Post-Exploitation Frameworks is that it supports .NET Core – which is multi-platform. Hence, Covenant can run natively on Linux, MacOS, and Windows platforms! Additionally, Covenant has docker support, allowing it to run within a container on any system that has docker installed. It consists of three components – Covenant (server-side component), Elite (client-side component) and Grunt (implant). Check out Covenant v0.3.
3. Dali: This is a new proof-of-concept C2 server, which uses Imgur to host images and task agents! It follows the bring your own implant (BYOI) concept though the author has included the code of a sample agent. It makes use of an interesting custom stenographic method and has a MySQL backend. Check it out here.
Updated 03/07/2020:
4. Callidus: Callidus is an open source C2 framework, that leverages Outlook, OneNote, Microsoft Teams for command & control. It has been coded in .net core framework in C# and allows operators to leverage O365 services for establishing C2 communication channel. It uses the Microsoft Graph APIs for communicating with the O365 services. Check this project out here.
5. DaaC2: This open source C2 framework makes use of Discord as a C2 channel and supports Microsoft Windows, Linux and MacOS operating systems. It can execute commands and execute shellcodes on non-Windows systems as well! Check it out here.
6. EmpireProject: Sadly as mentioned earlier, this was recently discontinued. Empire/Empyre is a pure PowerShell post-exploitation agent built on cryptologically-secure communications and a flexible architecture. Empire implements the ability to run PowerShell agents without needing Powershell, rapidly deployable post-exploitation modules ranging from key loggers to Mimikatz, and adaptable communications to evade network detection, all wrapped up in a usability-focused framework. Get the last version – Empire 2.5 Release.
7. FactionC2: The FactionC2 framework focuses on operational security,

flexibility & teamwork. Its API focused design provides the foundation for secure communications across any transport method via well documented REST and Socket.IO APIs, to any agent that can speak its language. Currently Faction supports only .NET payloads and modules. Marauder is an example .NET agent for the FactionC2 Framework. However you can easily create your own agent as well. Faction was designed with redirects in mind in the form of Transport Servers. These sit between Faction and your agent and handle masking your communications. This C2 post-exploitation framework has a role based access control system and data can be queried using SQL queries! Check out FactionC2 and Marauder.
Updated 10/16/2019:
8. FudgeC2: FudgeC2 is a campaign orientated Powershell C2 implant built on Python3/Flask. It is designed to facilitate purple teaming activities, team collaboration, client interaction, campaign timelining, and usage visibility. The FudgeC2 implant also supports varying levels and types of obfuscation to allow for varying levels of noise to be made during the engagement to help a SoC benchmark their detection skills. Check it out here.
Updated 8/9/2019:
9. goDoH: goDoH is a proof of concept Command and Control framework, written in Golang, that uses DNS-over-HTTPS as a transport medium. Currently supported providers include Google, Cloudflare but also contains the ability to use traditional DNS. Since goDoH is written in Golang, a single executable for most platforms can be built that contains both the server-side and client-side code needed. Get goDoH 1.5 (5b0db27).
10. iBombshell: iBombShell is a dynamic, open source tool that allows post-exploitation functionalities via a shell or a prompt on systems that support Powershell. Supported features are loaded dynamically in-memory avoiding any hard drive writes, whenever they are needed from a repository. I blogged about this C2 post-exploitation framework here. Get the latest iBombshell version here.
11. Koadic: Koadic is an open source, post-exploitation rat aka remote access trojan that uses the Windows Script Host; via the COM interface, for most of it’s operations. Since it uses VBScript/JScript you can expect it to work on all Microsoft Windows operating systems from Windows 2000 onwards as it has inbuilt support. I covered it in a blog titled – Koadic: An Advanced Windows JScript/VBScript RAT. Give Koadic a run here.
12. Merlin: Merlin is a cross-platform post-exploitation HTTP/2 C2 server

& agent written in Golang. It helps you to evade network detection during a penetration test/red team exercise by using a protocol that existing tools aren’t equipped to understand or inspect. Both the Merlin Server and Agent can easily be compiled to run on a multitude of operating systems to include Windows, Linux, Mac OS, Solaris, FreeBSD, ARM, MIPS, or Android. Latest versions of Merlin support features such as Shellcode execution and Shellcode Reflective DLL Injection (sRDI). Get Merlin v0.7.0.
Updated 2/23/2020:
13. Meteor: Meteor is a cross-platform dockerized C2 with modules for TCP and web. It is a Flask/Postgresql DB(SQL Alchemy) back-end and the modules/bots are written in Golang. Each module exposes port(s) to the host, so all callbacks can be directed at the same place. The actual containers and their private network are not exposed directly to the outside world. The database stores all information related to hosts/groups/bots/actions/results. Meteor has modules, that are Golang binaries that communicate with the core via web requests. Get the Meteor v0.1 Alpha Release.
Updated 8/8/2019:
14. Nuages: Nuages is a modular C2 framework, where back end components are open source, while implants and handlers must be developed by the end users according to the functionality needed. Nuages is available through REST or socket.io and can be controlled via command line or a browser via NuagesCli or Nuages_WebCli clients. An example C# implant is included as well. Get Nuages C2.
Updated 12/05/2019:
15. Octopus C2: Octopus is an open source, pre-operation C2 server based on python which can control an Octopus PowerShell agent through HTTP/S. You can use Octopus first to gain information about the target before you start your actual red team operations via a feature called as the “_Endpoint Situational Awareness“. Get Octopus C2 V1.0 BETA here.
16. PoshC2: PoshC2 is a proxy aware C2 framework that utilizes Powershell and/or equivalent (System.Management.Automation.dll) to aid penetration testers with red teaming, post-exploitation and lateral movement. Powershell was chosen as the base implant language as it provides all of the functionality and rich features without needing to introduce multiple third party libraries to the framework. In addition to the Powershell implant, PoshC2 also has a basic dropper written purely in Python that can be used for command and control over Unix based systems such as Mac OS or Ubuntu. Get PoshC2 v4.8.
Updated 2/23/2020:
17. PRISMatica: Prismatica is a responsive, modular C2 Interface hooked into the Diagon Command and Control Toolkit. There are multiple tools and components it the Prismatica Marketplace such as Diagon & Emergence – the C2 toolkit, Acheron – a RESTful vulnerability assessment and management framework and Tiberium – C2 scanning tool. There are others tools as well, which have not been released yet. The main objective is to provide a convenient platform with modular transports, backends, and implants to enable rapid retooling opportunities and enhance Red Team operations. Give PRISMatica a try here.
18. Silver: This is one of the more recent C2 post-exploitation frameworks. Sliver is a cross-platform implant framework that supports C2 over Mutual-TLS, HTTP(S), and DNS. Implants are dynamically compiled with unique X.509 certificates signed by a per-instance certificate authority generated when you first run the binary. Implants support features such as dynamic code generation, compile-time obfuscation, process injection, anti-forensics, Windows process migration and Windows user token manipulation. Get Silver v0.0.6-alpha.
19. SILENTTRINITY: It is an asynchronous post-exploitation agent powered by Python, IronPython, C# and .NET’s DLR. SILENTTRINITY introduces a somewhat new Red Team approach called as BYOI (Bring Your Own Interpreter). Currently the implant only supports C2 over HTTP 1.1. Get SILENTTRINITY.
20. Slackor: Slackor is an open source Golang implant that uses Slack as a command and control server. In this C2 framework, command output and downloaded files are AES encrypted in addition to Slack’s TLS transport encryption and supports functions such as bypassuac, Windows Defender defanger, samdump, minidump among other features. Check Slackor out at this location.
21. SQLC2: SQLC2 is a open source PowerShell script that helps you deploy and manage a C&C that uses SQL Server as both the control server and the agent. It combines a PowerShell script, a TSQL script, and a few tables in an SQL Server instance to tracks agents, commands, and results. What interests me is the fact that SQLC2 can be hosted remotely or in Azure via a database.windows.net address! Get SQLC2 1.0.
22. TrevorC2: TrevorC2 is a client/server model for masking command and control through a normally browsable website. Detection becomes much harder as time intervals are different and does not use POST requests for data exfiltration and it supports Windows, MacOS, and Linux. Get TrevorC2 1.0.

These are the C2 post-exploitation frameworks I know of. As always, I will keep updating this post.