Simple C2 Server and Injecting Commands to Pixels (Bmp Files) for Communication between C2 Server & Client
In this article I will talk about "Picture 1". Some people asked me about this technique and this picture, and I also want to show how you can use this simple method to hide your C2 commands in image files, with simple examples from my own C2 server.
Picture 1:
In "Picture 1" you can see a simple "dir" command injected into a BMP file: the bytes of the command text become the pixels of the BMP. If you want to know how to do something like this, read this older article: https://www.dhirubhai.net/pulse/transferring-backdoor-payloads-bmp-image-pixels-damon-mohammadbagher/
So in this article I will not cover the background of the technique (the step-by-step method and code); you can read the older article to see that background with examples and code.
Here I want to show you, with simple pictures, what I have done with my C2 code on the client side and the server side.
Before anything else, you should know the goal of this article: "how you can use BMP pixels as code or as C2 payload for communication between a C2 server and client, something like tunneling in network traffic through image files, to bypass some monitoring/blue-team tools."
In "Picture 2" you can see my C# code for the C2 server; this part of the code is the server side.
Picture 2:
In "Picture 2" you can see our C2 command, in this case "Seatbelt Antivirus". After it runs, it is saved into the file "Test.bmp" on the server side, and all the information about the C2 command is stored as pixel values in the BMP file, very simply. In this case the command details are: antivirus$1$1$192.168.56.1$0$9904. This means the command should run on the target client with this IPv4 address and this PID, and the command type is 0, meaning a Seatbelt command (not a Windows native command), and so on.
So after this command runs, my code creates the BMP file and saves it to disk on the server side; the bytes of the BMP are then sent to the client over port 443. In this case my simple code has no encryption for the BMP payload, but you can add it if you want real tunneling through image files in network traffic ;D
Picture 3:
C2 commands in network traffic and BMP bytes in packets
As you can see, the network packets carry exactly the bytes of the BMP file, so as a defender, when you dump these packets you only see "Test.bmp", as in "Picture 3". But remember that my payload in the BMP file is not encrypted, so you CAN see the C2 commands in the bytes of the BMP file; for this demo of my payload and my code I did not use encryption for the BMP files ;). If an attacker uses encryption, then you CAN NOT see this information so simply, and I think they can bypass your monitoring tools with this simple method very easily. You only see a simple BMP file in mspaint ;D
Picture 4:
In "Picture 4" you can see the bytes of the C2 command that was injected into the BMP file, in the network traffic and also in the hex dump of the BMP file.
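As an added example (not the author's code), here is the kind of check a defender could run over a BMP carved from captured traffic: it parses the file header and BITMAPINFOHEADER, extracts the pixel array, and flags a file whose "pixels" are mostly printable ASCII or contain strings-style runs, which is exactly what an unencrypted command-as-pixels file looks like. `build_bmp` only constructs a sample input in the article's layout, and the 0.5 ratio threshold is an assumption to tune against benign traffic.

```python
import struct

# Plain ASCII printable range; pixel bytes of a natural image land here only by chance.
PRINTABLE = frozenset(range(0x20, 0x7F))

def build_bmp(payload: bytes, width: int = 16) -> bytes:
    """Constructed sample: a 24-bit BMP whose pixel array is `payload`, laid out
    contiguously and zero-padded, mirroring the article's 'commands as pixels'."""
    stride = (width * 3 + 3) & ~3            # BMP rows are padded to 4 bytes
    rows = -(-len(payload) // stride)        # ceiling division
    pixels = payload.ljust(stride * rows, b"\x00")
    dib = struct.pack("<IiiHHIIiiII", 40, width, rows, 1, 24, 0,
                      len(pixels), 2835, 2835, 0, 0)
    offset = 14 + 40                          # file header + BITMAPINFOHEADER
    header = struct.pack("<2sIHHI", b"BM", offset + len(pixels), 0, 0, offset)
    return header + dib + pixels

def pixel_data(bmp: bytes) -> bytes:
    """Parse the file header and BITMAPINFOHEADER, return the raw pixel array."""
    if bmp[:2] != b"BM":
        raise ValueError("not a BMP file")
    (offset,) = struct.unpack_from("<I", bmp, 10)       # bfOffBits
    width, height = struct.unpack_from("<ii", bmp, 18)  # biWidth, biHeight
    (bpp,) = struct.unpack_from("<H", bmp, 28)          # biBitCount
    stride = (width * bpp // 8 + 3) & ~3
    return bmp[offset:offset + stride * abs(height)]    # height < 0 = top-down

def printable_runs(data: bytes, min_len: int = 8) -> list:
    """Strings-style extraction of ASCII runs from the pixel bytes."""
    runs, cur = [], bytearray()
    for b in data + b"\x00":                 # sentinel flushes the last run
        if b in PRINTABLE:
            cur.append(b)
            continue
        if len(cur) >= min_len:
            runs.append(cur.decode("ascii"))
        cur = bytearray()
    return runs

def inspect_bmp(bmp: bytes, threshold: float = 0.5) -> dict:
    """Flag a BMP whose pixel array looks like text rather than image data.
    The 0.5 threshold is a heuristic (assumption); tune it on benign samples."""
    px = pixel_data(bmp)
    ratio = sum(b in PRINTABLE for b in px) / len(px) if px else 0.0
    runs = printable_runs(px)
    return {"printable_ratio": ratio, "strings": runs,
            "suspicious": ratio >= threshold or bool(runs)}
```

Run against the command string from "Picture 2" the file is flagged with the command recovered verbatim, while a sample whose bytes stay outside the ASCII range passes clean.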
Note: in my code the C2 commands are sent to the client in a BMP file, but the client responds to the server with encryption over port 443. That means the Seatbelt command is executed by the client, its output is encrypted by the client and sent to the server over port 443, so in the network traffic you cannot see the command output, because it is encrypted with a client key that the server shares in order to decrypt the output payloads.
Picture 5:
In "Picture 5" you can see the client side: the BMP file downloaded from the server with the same bytes, so now the client knows which command it should run in memory. The command output is encrypted by the client-side code and sent to the server after a 5-second delay (once).
Picture 6:
In "Picture 6" you can see the client-side code for encryption: _Data, which contains the command output, is encrypted and sent to the server, very simply.
So my C2 communication looks something like this:
Video:
As you can see, with this simple method you can hide your payload and probably bypass network monitoring by defenders too, but you can test this technique with your own C2. ;)