What Are C2 Frameworks? (+Free 2024 Setup Guide)

Have you ever wondered “what is a C2 framework” or “C2 server”?

If you’ve been in the hacking game for long enough, you’ve likely come across these terms, heard advanced penetration testers or red teamers talk about them, and may even know that C2 stands for Command and Control.

Now is the time to unmask C2 frameworks and learn everything about them.

In this guide, you’ll learn what is a C2 server and framework, why you’d want to use one, and the key benefits they can provide you and your team.

You’ll discover some of the most popular C2 frameworks available today and get hands-on experience using the popular open-source C2 framework Havoc.

Let’s dive in and explore the fascinating world of C2 frameworks!

What Is a C2 Framework?

If you’ve ever performed hacking or penetration testing before, you’ll know about malware and shells.

You execute a piece of malware on a target machine, which creates a terminal session, or shell, that either connects back to you (a reverse shell) or waits for you to connect to it (a bind shell). You can then remotely control the target machine.

Every hacker wants to get a shell on a target system to perform post-exploitation tasks like gathering credentials, exfiltrating data, or pivoting to new targets using techniques like kerberoasting.

A C2 framework takes the idea of a shell to the next level. It provides a centralized platform for controlling hundreds of compromised systems within a target network, and such platforms are used in nearly every real-world cyber attack.

Moreover, C2 frameworks offer advanced automation and integrate many top-tier tools and assets, which aids lateral movement, post-exploitation enumeration, privilege escalation, persistence, and more.

Usually, C2 frameworks have three parts: a C2 server, a C2 client, and a C2 agent.

  • C2 Server: The central command center for managing compromised systems, C2 communication, and data.
  • C2 Client: Software installed on a C2 operator’s machine that allows them to connect to the C2 server and interact with compromised machines.
  • C2 Agent: Malware installed on a compromised target machine that connects back to a C2 server and allows an operator to control the infected machine remotely. This is also known as a C2 implant or bot, depending on the C2 framework you are using.
C2 Framework Diagram

You execute the C2 agent on a target machine, and the agent connects back to your public-facing C2 server.

An operator logs into the C2 server to interact with the compromised machine through the server.

The operator can interact with the C2 server and compromised systems using a command-line interface (CLI) or a graphical user interface (GUI). Many advanced C2 frameworks include both so an operator can visualize the systems they are attacking.

C2 framework graphical interface (Source)

But why do you need a C2 framework? Why not just use a reverse shell? Let’s learn more.

What Is the Purpose of a C2 Framework?

C2 frameworks are platforms designed to provide you with the capabilities to perform post-exploitation tasks, maintain access to systems, and work collaboratively with others to achieve your objectives.

C2 infrastructure is designed to use a client-server model where multiple C2 clients can connect to a centralized C2 server through an intuitive user interface, from which they can attack systems.

This allows multiple operators to work simultaneously, provides a central point for data exfiltration, and only takes a single public-facing IP/domain, making setting up new C2 infrastructure easier.

Typically, C2 infrastructure is built using C2 redirectors (machines that forward C2 traffic to the C2 server). If one of these machines’ IPs or domains gets blocked, you can simply spin up another C2 redirector to take its place and point it at the C2 server.

The architectural design of C2 frameworks also makes them considerably more stable than reverse or bind shells. The public-facing C2 server means you don’t need your own system in a DMZ to get callbacks—that’s the server’s job.

This, along with a well-engineered C2 agent, means there’s less chance of interruption or disconnection when you’re hacking. You could shut down your client machine and connect back to the server at a later time without losing any shells.

If you’re still not convinced, another powerful feature of C2 frameworks is their support for external post-exploitation tools such as Mimikatz, BloodHound, and Nmap, and their ability to run these tools in memory to hide their execution.

This capability means you can tailor a framework to your needs using tools you’re comfortable with. You can even use different C2 agents or frameworks together, for instance connecting a Metasploit agent to a Cobalt Strike C2 server.

To explore more hacking tools that C2 frameworks can work with, try reading Top 20 Network Penetration Testing Tools.

These qualities make C2 frameworks ideal for red teaming or purple teaming exercises where security professionals need to mimic real-world attacks to test their defensive capabilities.

What Are the Benefits of a C2 Framework?

Now you know what frameworks are and why attackers use them, so let’s explore some of the key benefits of these platforms.

Benefits of C2 Frameworks

Stealth: They can incorporate various evasion techniques, including using SSL certificates to encrypt data and hide malicious activity, masquerading as legitimate network traffic, and hiding the attacker’s IP address behind C2 redirectors.
Flexibility: Many frameworks allow you to customize C2 agents, change your C2 server’s responses and configuration settings, and implement new attack techniques. This allows you to tailor your C2 infrastructure to specific target systems or objectives and evade defensive measures.
Scalability: C2 frameworks are designed to scale. Multiple operators (clients) can interact with a single C2 server that controls hundreds of compromised machines—leveraging cloud technology to grow your infrastructure on demand.
Centralized Management: They allow you to manage and control compromised systems from a single, centralized interface. This allows operators to coordinate and orchestrate their activities, manage compromised systems, and run commands on multiple hosts simultaneously.
Persistence: Many C2 frameworks have built-in persistence mechanisms that you can deploy on compromised systems to maintain access even after reboots or after additional security measures are applied.
Data Exfiltration: C2 frameworks allow you to easily exfiltrate vast amounts of sensitive data from compromised systems, hide it through encryption or obfuscation, and make it available to anyone on your team by hosting it on a central C2 server.
Reliability: C2 frameworks aim to provide a reliable mechanism for interacting with compromised hosts. This includes having a reliable C2 agent that connects back to the C2 server, having the ability to create fallback servers or compartmentalize the attack stages to different C2 servers, and the capability of using C2 redirectors to redirect traffic if the IP or domain name of your C2 server gets blocked.
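The callback pattern described above, an agent on the compromised host repeatedly checking in with a public-facing C2 server, is also what a defender hunts for in outbound traffic. The following is an added example, not code from the original article or from any C2 project: it scores connection timing regularity over constructed proxy-style log lines (the field layout, hosts and timestamps are all made up for the example) and flags pairs whose intervals are too even to be human browsing.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log (hypothetical layout: timestamp, src, dst:port, bytes).
# 10.0.0.5 checks in almost exactly every 60 s; 10.0.0.7 browses normally.
SAMPLE_LOG = """\
2024-03-01T09:00:00 10.0.0.5 203.0.113.10:443 512
2024-03-01T09:01:00 10.0.0.5 203.0.113.10:443 498
2024-03-01T09:02:01 10.0.0.5 203.0.113.10:443 530
2024-03-01T09:03:00 10.0.0.5 203.0.113.10:443 501
2024-03-01T09:04:00 10.0.0.5 203.0.113.10:443 515
2024-03-01T09:05:01 10.0.0.5 203.0.113.10:443 509
2024-03-01T09:00:12 10.0.0.7 198.51.100.20:443 8120
2024-03-01T09:00:13 10.0.0.7 198.51.100.20:443 44031
2024-03-01T09:03:45 10.0.0.7 198.51.100.20:443 1200
2024-03-01T09:09:02 10.0.0.7 198.51.100.20:443 39011
2024-03-01T09:21:30 10.0.0.7 198.51.100.20:443 700
2024-03-01T09:22:00 10.0.0.7 198.51.100.20:443 20001
"""


def parse_log(text):
    """Group connection timestamps by (source host, destination) pair."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _size = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows


def beacon_score(timestamps):
    """Return (mean interval in seconds, coefficient of variation).

    An agent sleeping a fixed time between callbacks yields a CV near 0;
    bursty human traffic yields a CV well above 1. Agents that add jitter
    land in between, which is why the threshold below is a parameter."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return 0.0, float("inf")  # too few connections to judge regularity
    mean = statistics.mean(gaps)
    cv = statistics.pstdev(gaps) / mean if mean else float("inf")
    return mean, cv


def find_beacons(text, min_events=5, max_cv=0.2):
    """Flag (src, dst) pairs whose connection timing looks like a beacon."""
    hits = []
    for (src, dst), stamps in parse_log(text).items():
        if len(stamps) < min_events:
            continue
        mean, cv = beacon_score(stamps)
        if cv <= max_cv:
            hits.append((src, dst, round(mean, 1), round(cv, 3)))
    return hits
```

Raising max_cv catches agents configured with sleep jitter at the cost of more false positives; pairing the timing score with request-size uniformity is the usual next refinement.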

What Are Some Popular C2 Frameworks?

So now you want to get your hands dirty and start using a C2 framework. Great! But which one should you use? Let’s look at some of the most popular C2 frameworks to help you decide.

Cobalt Strike

Cobalt Strike is a commercial adversary simulation and red team operations platform widely used across the security industry in penetration tests, red team operations, and purple team exercises. It is one of the industry-leading C2 frameworks, but its advantages come with a premium price tag.

Use case: A powerful and versatile C2 framework suitable for advanced security testing. It is ideal for commercial red team operations.

PowerShell Empire

PowerShell Empire is an open-source post-exploitation framework that extensively uses the PowerShell scripting language, typically found on Windows systems. You can learn more about PowerShell Empire in this comprehensive guide.

Use case: Perfect for Windows environments that use PowerShell scripts, C#, or Python.

Sliver

Sliver is an open-source, cross-platform adversary emulation and red team framework designed for security testing on Windows, macOS, and Linux machines.

Use case: Ideal for encrypted communications and advanced evasion techniques. It is a C2 framework at the cutting edge of adversary emulation.

Havoc

Havoc is free, open-source, and easy to set up. It provides a client interface for interacting with the C2 server in real time through API calls, similar in look and feel to Cobalt Strike.

Use case: Great alternative to Cobalt Strike.

Brute Ratel C4

Brute Ratel C4 is a commercial red team and adversary simulation platform that can automate the execution of adversary tactics, techniques, and procedures (TTPs), maps attacks to the MITRE ATT&CK matrix for reporting, and supports multiple command and control channels.

Use case: Focuses heavily on evading modern EDR solutions and bypassing defenses.

Setting Up a C2 Framework With Havoc

This demonstration will show you how to set up and use the Havoc C2 framework. Havoc is an excellent choice for those starting with C2 frameworks. It’s open-source, easy to set up, and provides an intuitive GUI for interacting with your C2 agents.

Havoc Lab Setup

This demonstration consists of a Kali Linux machine where you will install Havoc and a Windows 10 workstation, which will be the target machine for your attacks. To learn how to install Kali Linux as a virtual machine and create your own hacking lab, read the following guides:

Once you have a Kali Linux and Windows 10 virtual machine setup, you can install Havoc.

Havoc Installation

To install Havoc, clone the GitHub repository with the command git clone https://github.com/HavocFramework/Havoc.git.

Cloning Havoc GitHub Repository

Next, move into this cloned directory and install the required dependencies by executing the following two commands:

cd Havoc
sudo apt install -y git build-essential apt-utils cmake libfontconfig1 libglu1-mesa-dev libgtest-dev libspdlog-dev libboost-all-dev libncurses5-dev libgdbm-dev libssl-dev libreadline-dev libffi-dev libsqlite3-dev libbz2-dev mesa-common-dev qtbase5-dev qtchooser qt5-qmake qtbase5-dev-tools libqt5websockets5 libqt5websockets5-dev qtdeclarative5-dev golang-go python3-dev mingw-w64 nasm

Installing Havoc Dependencies

Now build the Havoc C2 server (called “Teamserver” in the documentation) by running the following commands:

cd teamserver
go mod download golang.org/x/sys
go mod download github.com/ugorji/go
cd ..
make ts-build

Building Havoc Teamserver

Then, build the Havoc C2 client with the make client-build command.

Building Havoc Client

Next, edit the ./profiles/havoc.yaotl file to match the following configuration.

Editing Default Havoc Configuration Profile File

You can change the user and Password variables to whatever you like (1).

Importantly, the Teamserver is being run locally on the same Kali Linux machine on which you run the client. To run the server locally, you must change the Host variable to 127.0.0.1 (2).

Note that in a real-world environment, the server would not be run locally on your machine. Instead, it would be on a different public-facing machine to which multiple clients could connect. This would likely be hosted on the cloud or somewhere that is unlikely to face downtime.

Start the Havoc C2 server using the default profile by executing the command ./havoc server --profile ./profiles/havoc.yaotl.

Running the Havoc Teamserver

Connect to the C2 server by starting the Havoc C2 client with the command ./havoc client (1).

Use the details you created in the ./profiles/havoc.yaotl file to connect to the C2 server. Click the New Profile button (2), insert the local IP address (3), and then add the username and password you set (4).

Finally, press Connect to connect to the Havoc server (5).

Running the Havoc Client and Connecting to Teamserver

You will be greeted by the default Havoc dashboard.

Default Havoc Homepage

With the C2 server and client running, you can move on to deploying agents on compromised systems.

Using the C2 Framework Havoc

Now that you’ve installed everything, let’s start using our first C2 framework.

Deploying an Agent With Havoc

There are three steps to perform when deploying a C2 agent on a compromised machine using Havoc.

Step 1: Create a Listener

First, you must create a Listener in the Havoc interface to listen for incoming connections from Havoc agents. To do this, select the Listeners option from the View dropdown menu.

Havoc Listeners Button

This will bring up the Listeners tab. Click the Add button to bring up the Create Listener popup wizard.

Havoc Add Listeners Button

Fill out the Name of the listener (1), leave the payload as Https (2), make sure the Host is set to the IP address of your Kali Linux machine (3), and then click Save (4).

Creating a Listener in Havoc

Clicking Save will create your listener on the Havoc Teamserver.

Listener Created in Havoc

You can now create a payload that executes the Havoc C2 agent and connects back to this listener.

Step 2: Create a Payload

To create a payload in Havoc, select the Payload option from the Attack dropdown menu.

Payload Button in Havoc

This will bring up the Payload wizard, which you can use to customize your options.

Select the Listener you want the payload to connect to (1), the Architecture you are targeting (2), and the Format you want the payload in (3).

For modern Windows operating systems, this will be x64 and Windows Exe. You can leave the rest of the configuration options as their default values and select Generate to create your payload (4).

Havoc Payload Creation Wizard

Once generated, Havoc will ask you where you want to save your payload. Remember this location. You’ll need to use your payload later.

Payload Created in Havoc

Step 3: Transfer and Execute the Payload

The next step is transferring your Havoc payload onto your target machine.

In the real world, uploading and executing a payload on a target machine is typically done through a phishing email.

For the purpose of our demo, you’ll simply transfer the file to the target machine and execute it manually.

First, navigate to the directory where you saved your Havoc payload, then create a Python HTTP server with the command python3 -m http.server.

Starting Python Web Server

Now, on your Windows 10 target machine, open a web browser and navigate to the IP address of your Kali Linux machine. Make sure you disable protections in the Windows Security application, such as Virus & Threat Protection and App & Browser Control. This will ensure the payload executes and is not blocked by Windows Defender.

In the real world, you’d use obfuscation techniques to hide the malicious nature of your payload. This would be done to avoid detection from any system protections and trick the victim into executing it.

Navigating to Kali Linux IP Address in Web Browser on Target Machine

Select the executable file. Once downloaded, click the Open file link and select the Run option.

Executing the Payload on the Target Machine

Finally, jump back on your Kali Linux machine and confirm the payload ran, the C2 agent was deployed, and you have a connection from your target machine to the Havoc C2 server.

Confirming Connection in Havoc GUI

Once you have a C2 agent running on your target machine, you can start running commands and interacting with the compromised host.

Running Havoc C2 Commands

To execute remote commands on a compromised machine, you first need to connect to the C2 agent you want to run commands through. To do this, right-click on the agent and select Interact from the popup menu.

Havoc C2 Agent Interact Button

This will bring up the C2 agent’s tab at the bottom of the Havoc GUI. You can issue commands at the bottom command bar (1) and see the results populate in the output tab (2).

C2 Agent Output Tab

To discover what commands you can execute, run the help command.

Running the Havoc Help Command

Scrolling through the help menu will reveal a lot of commands you can run. Popular ones include:

  • whoami to get information about the current user and their privileges.
  • powershell to run Windows PowerShell commands.
  • upload and download to put files onto the machine or take them off.
  • shell to drop into a command shell.
  • token to manipulate and impersonate Windows tokens.
  • screenshot to take a screenshot of the current user’s desktop.
  • And many more!

You can even generate a graphical map of the hosts you have infected and their connections back to your Havoc C2 server by selecting View > Session View > Graph.

Selecting the Graph View

This is very useful when you have pivoted deep inside an organization’s network and need to see the path traffic is taking on its way out.

Havoc C2 Graph View

Legal and Ethical Considerations When Using C2 Frameworks

Congratulations, you now know how to set up and work with a C2 framework!

However, with great power comes great responsibility, and for C2 frameworks this means weighing the legal and ethical considerations before using these powerful tools.

To help you quickly get up to speed on the legality and ethics of using C2 frameworks, here are some key things to consider before performing any hacking activity:

  • Obtain written permission. The most important thing in any penetration test or red team engagement is having legal permission to perform the testing activity. Make sure you and the client sign a legal contract that stipulates what testing you will be performing and that you have permission to do it. There can be serious consequences if you fail to get legal consent.
  • Clearly communicate with the client and set expectations. The client needs to know what type of testing you’ll perform and a high-level overview of how it’ll be done. They may not need to know specific tactics and techniques, but they need to be able to differentiate your testing from a real-world attack. You should have a point-of-contact (POC) on your team that the client can contact to confirm if testing activity is ongoing when they start seeing alerts.

You can learn more about the legal and ethical considerations of penetration testing, red teaming, and hacking in Is Hacking Illegal? The Law and Ethical Perspectives.

Conclusion

C2 frameworks are awesome tools. They allow you to evade detection, remain stealthy, and scale your penetration testing or red team operations to new levels with centralized management and robust mechanisms for interacting with compromised systems.

Many C2s even include advanced customization options that allow you to tailor your C2 infrastructure to a specific target or objective.

This article detailed the purpose of C2 frameworks, the benefits they offer, and some popular commercial and open-source ones you can use. You even got some hands-on experience using the Havoc C2 framework!

If you want to learn more about C2 frameworks and other advanced hacking techniques, check out one of the courses available with a StationX Membership.

Our membership provides access to thousands of courses and labs, career mentorship, study and mastermind groups, an active community of students and professionals, certification roadmaps, and much more to ensure you succeed in your cyber security career goals.

About the author: Adam Goss

Adam is a seasoned cyber security professional with extensive experience in cyber threat intelligence and threat hunting. He enjoys learning new tools and technologies, and holds numerous industry qualifications on both the red and blue sides. Adam aims to share the unique insights he has gained from his experiences through his blog articles. You can find Adam on LinkedIn or check out his other projects on LinkTree.
