├── CHAOS-setup
│   └── Dockerfile
├── DeimosC2-setup
│   └── Dockerfile
├── Empire-setup
│   └── placeholder
├── EvilOSX-setup
│   └── Dockerfile
├── LICENSE
├── MacC2-setup
│   └── placeholder
├── MacShellSwift-setup
│   └── Dockerfile
├── Mythic-setup
│   └── placeholder
├── README.md
├── Sliver-setup
│   └── Dockerfile
├── install_docker_linux.sh
├── pic1.png
├── pic10.png
├── pic2.png
├── pic3.png
├── pic4.png
├── pic5.png
├── pic6.png
├── pic7.png
├── pic8.png
├── pic9.png
└── run.sh

/CHAOS-setup/Dockerfile:
--------------------------------------------------------------------------------
FROM golang:1.15

RUN mkdir -p /chaosc2

RUN cd /chaosc2 && echo "this is my test file" >> /chaosc2/metest.txt

# The build context is CHAOS-setup/, which run.sh populates with a clone of the CHAOS repo
ADD . /chaosc2/

# Build the CHAOS server binary from source
RUN cd /chaosc2/CHAOS/cmd/chaos/ && go build

CMD ["/chaosc2/CHAOS/cmd/chaos/chaos"]

--------------------------------------------------------------------------------
/DeimosC2-setup/Dockerfile:
--------------------------------------------------------------------------------
FROM golang:1.15

RUN mkdir -p /deimosapp

WORKDIR /deimosapp

# The build context holds the unzipped DeimosC2 release binary (see run.sh)
ADD . /deimosapp

CMD ["/deimosapp/DeimosC2"]

--------------------------------------------------------------------------------
/Empire-setup/placeholder:
--------------------------------------------------------------------------------
# github placeholder for initially empty dir

--------------------------------------------------------------------------------
/EvilOSX-setup/Dockerfile:
--------------------------------------------------------------------------------
FROM python:2

RUN mkdir -p /EvilOSX && cd /EvilOSX

ADD . /EvilOSX/

WORKDIR /EvilOSX

# Install the dependencies listed in the EvilOSX repo
RUN pip install -r requirements.txt

# Start the server in CLI mode on port 80
CMD ["python", "start.py", "--cli", "--port", "80"]

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
BSD 3-Clause License

Copyright (c) 2020, Cedric Owens
All rights reserved.

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this
   list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice,
   this list of conditions and the following disclaimer in the documentation
   and/or other materials provided with the distribution.

3. Neither the name of the copyright holder nor the names of its
   contributors may be used to endorse or promote products derived from
   this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

--------------------------------------------------------------------------------
/MacC2-setup/placeholder:
--------------------------------------------------------------------------------
# placeholder for initially empty github directory

--------------------------------------------------------------------------------
/MacShellSwift-setup/Dockerfile:
--------------------------------------------------------------------------------
FROM python:3

RUN mkdir -p /mss

ADD . /mss/

WORKDIR /mss

# Generate a key (ca.key) and a self-signed certificate (ca.pem) valid for 365 days
RUN openssl req -new -newkey rsa:2048 -nodes -out ca.csr -keyout ca.key -subj "/C=US/ST=CA/L=Redwood City/O=Mac Experts LLC" && openssl x509 -trustout -signkey ca.key -days 365 -req -in ca.csr -out ca.pem

CMD ["python3", "swiftshell-server.py"]

--------------------------------------------------------------------------------
/Mythic-setup/placeholder:
--------------------------------------------------------------------------------
# placeholder for initially empty github directory

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# C2 Cradle
The C2 Cradle is a tool to easily download, install, and start command & control servers (I added C2s that have macOS compatible C2 payloads/clients) as docker containers. The operator is presented with a list of options to choose from and the C2 Cradle will take it from there and download, install, and start the C2 server in a container.

**Why?**
1. This can be useful to blue teamers who want to quickly stand up commonly used cross platform C2 frameworks for building detections. This will allow blue teamers to easily accomplish this without having to worry about manually installing dependencies.

2. This may also be helpful for red teams looking to automate C2 setup. This can be coupled with additional automation (ex: Ansible or Terraform) for near push button C2 deployments.

---------------

## Prerequisites

I built this primarily on Ubuntu, so I recommend running on Ubuntu.

Docker must be installed and running. I have included a docker install script that works with most Linux flavors here if you need to install docker:

> sudo ./install_docker_linux.sh

I did most of my testing on Ubuntu host machines. Curl must also be installed (weird, but some versions of Ubuntu do not include curl so you may have to install it).

---------------

## To Run

> chmod +x run.sh

> sudo ./run.sh

---------------

## Available C2 servers:

![Image](pic1.png)

### 1. Mythic C2:

**link: https://github.com/its-a-feature/Mythic**

Since Mythic already has a docker image included, I simply run that image. No additional changes were made.

I did not create a shared volume between the Mythic container and the host machine since Mythic includes a web server through which to interact with the container and access files on the container (ex: payloads, C2 artifacts, etc.)

Once the setup is done, by default Mythic will set up the Mythic admin server at https://127.0.0.1:7443. The C2 Cradle script gives you the option to pause during the setup and edit the conf file if you want to change any of this before proceeding with installation and setup:

![Image](pic2.png)

=============================================

### 2. MacC2:

**link: https://github.com/cedowens/MacC2**

Since I already included a docker image for my MacC2 project, I simply run that image. No additional changes were made.

MacC2 creates a shared volume between the host and the MacC2 container located at:
> /var/lib/docker/volumes/macc2

You can use this shared directory to access things such as the macro.txt file, MacC2_client.py, and other C2 artifacts (ex: screenshots, files downloaded, etc).

Once the setup is done, by default the MacC2 https server will listen on 0.0.0.0 port 443.

![Image](pic3.png)

The IP/hostname provided during setup will be used to configure the client (MacC2_client.py) as well as the macro generated and dropped at macro.txt. Both of those files can be accessed from inside the MacC2 container at:

> /var/lib/docker/volumes/macc2

=============================================

### 3. Deimos C2:

**link: https://github.com/DeimosC2/DeimosC2**

I built my own docker image for Deimos C2. Here is how the installation and setup works:

- Since the Deimos C2 repo recommends pulling the latest compiled binary as opposed to building from source, I follow that guidance and pull the latest compiled go binary as of the time of this repo (which is https://github.com/DeimosC2/DeimosC2/releases/download/1.1.0/DeimosC2_linux.zip). **Note: this does take a few mins, since a compiled go binary is being pulled down.**

- The binary is unzipped and loaded into Docker, where the dependencies are loaded and the DeimosC2 Linux binary is executed to start the Deimos C2 server.

- The Deimos C2 server will start once done and allow you to log in on port 8443 and create a Deimos login account. **Note: You will want to ensure that your Deimos C2 server listening on port 8443 is not publicly exposed**

![Image](pic4.png)

![Image](pic5.png)

I created a shared volume between the host and the Deimos C2 container located at:
> /var/lib/docker/volumes/deimosc2

However, since Deimos includes a web GUI through which to access and manage your C2, you likely won't need the shared volume since you can generate payloads, download payloads, view host artifacts, etc. all through the GUI.

=============================================

### 4. EvilOSX C2:

**link: https://github.com/Marten4n6/EvilOSX**

I built my own docker image since I had issues with the included one. Here is how the installation and setup works:

- The EvilOSX repo is cloned and my docker image is copied into the repo

- The docker image is built and executed, which will install the dependencies in docker and start the server in cli mode on port 80

![Image](pic6.png)

- You can then clone EvilOSX on your host machine (or another host) and generate the EvilOSX payload to connect to the server by running:

> python start.py --builder

and entering your C2 IP and port information

I created a shared volume between the host and the EvilOSX container (for accessing files within the EvilOSX container), located at:

> /var/lib/docker/volumes/evilosx

=============================================

### 5. MacShellSwift C2:

**link: https://github.com/cedowens/MacShellSwift**

Since I already included a docker image for MacShellSwift, I simply run that image. No additional changes were made.

The MacShellSwift C2 server by default will listen on 0.0.0.0 on the port entered during the setup:

![Image](pic7.png)

I created a shared volume between the host and the MacShellSwift C2 container located at:
> /var/lib/docker/volumes/MacShellSwift

Here you can access C2 artifacts (ex: screenshots, files downloaded, etc.).

After the MacShellSwift C2 server is set up, you can then clone the MacShellSwift repo on a macOS host with Xcode installed, modify the client payload IP address to connect to the MacShellSwift C2 server you set up, build it, and copy it over to the target host.

=============================================

### 6. Sliver C2:

**link: https://github.com/BishopFox/sliver**

Sliver C2 does have its own docker image, but I used my own for simplicity. Here is how the installation and setup works:

- The Sliver C2 compiled go binary is downloaded (the latest version during the time of this repo was v1.2.0 and I used the sliver-server_linux.zip file)

- The binary is unzipped and added to the docker image where it is executed

- You will then be brought to the Sliver main menu to select options (start your listener, generate payloads, etc.):

![Image](pic8.png)

I created a shared volume between the host and the Sliver C2 container at:

> /var/lib/docker/volumes/sliverc2

**When generating Sliver implants, add "--save /sliverc2" to your command to drop the payload in the shared volume above for you to access outside of the container:**

example:
> generate --os mac --mtls localhost --save /sliverc2

=============================================

### 7. CHAOS C2:

**link: https://github.com/tiagorlampert/CHAOS**

CHAOS C2 does not include a docker image so I built one. Here is how the installation and setup works:

- The CHAOS repo is cloned to the host machine

- My dockerfile is copied over to the repo and added in docker, where the go binary is built and started:

![Image](pic9.png)

- After the server is stood up as a docker container, take the following steps:

i. Start a listener on the server:
> listen address=[IP of server] port=[port]

ii. You will need to locally (outside of the container) download CHAOS C2 and generate the payload:

> git clone https://github.com/tiagorlampert/CHAOS && cd CHAOS/cmd/chaos && go build

> cd ../..

> cp cmd/chaos/chaos .

> ./chaos

> generate address=[IP of C2 server] port=[C2 server port] --[platform]

The CHAOS binary will be dropped in the build directory with a random name. Execute the binary on the target host and the C2 server will show a C2 connection.

iii. Docker maps the chaosc2 directory (where the server is running) to the following directory on the host:

> /var/lib/docker/volumes/chaosc2/_data

=============================================

### 8. Empire C2:

**link: https://github.com/BC-SECURITY**

Since Empire contains its own docker image, I simply pull that image and run it. No additional changes were made.

Once started, the server also opens port 5000 (default admin API) as well as 1337 (default REST API), so you will need to restrict access to those services appropriately.

![Image](pic10.png)

--------------------------------------------------------------------------------
/Sliver-setup/Dockerfile:
--------------------------------------------------------------------------------
FROM golang:1.15

RUN mkdir -p /sliverc2

WORKDIR /sliverc2

# The build context is artifacts/linux from the unzipped Sliver release (see run.sh)
ADD . /sliverc2/

RUN chmod +x sliver-server

CMD ["/sliverc2/sliver-server"]

--------------------------------------------------------------------------------
/install_docker_linux.sh:
--------------------------------------------------------------------------------
#! /bin/bash
# Installs Docker and docker-compose 1.27.4 via apt; must be run as root.
if [ "$EUID" -ne 0 ]
  then echo "[-] Please run as root"
  exit 1
fi

sudo apt update
sudo apt install -y docker.io
sudo systemctl enable docker --now
sudo wget "https://github.com/docker/compose/releases/download/1.27.4/docker-compose-$(uname -s)-$(uname -m)" -O /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose

--------------------------------------------------------------------------------
/pic1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cedowens/C2_Cradle/09b6ce2a814ebec033a1166e057e5c8599116286/pic1.png

--------------------------------------------------------------------------------
/pic10.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cedowens/C2_Cradle/09b6ce2a814ebec033a1166e057e5c8599116286/pic10.png

--------------------------------------------------------------------------------
/pic2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cedowens/C2_Cradle/09b6ce2a814ebec033a1166e057e5c8599116286/pic2.png

--------------------------------------------------------------------------------
/pic3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cedowens/C2_Cradle/09b6ce2a814ebec033a1166e057e5c8599116286/pic3.png

--------------------------------------------------------------------------------
/pic4.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cedowens/C2_Cradle/09b6ce2a814ebec033a1166e057e5c8599116286/pic4.png

--------------------------------------------------------------------------------
/pic5.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cedowens/C2_Cradle/09b6ce2a814ebec033a1166e057e5c8599116286/pic5.png

--------------------------------------------------------------------------------
/pic6.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cedowens/C2_Cradle/09b6ce2a814ebec033a1166e057e5c8599116286/pic6.png

--------------------------------------------------------------------------------
/pic7.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cedowens/C2_Cradle/09b6ce2a814ebec033a1166e057e5c8599116286/pic7.png

--------------------------------------------------------------------------------
/pic8.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cedowens/C2_Cradle/09b6ce2a814ebec033a1166e057e5c8599116286/pic8.png

--------------------------------------------------------------------------------
/pic9.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cedowens/C2_Cradle/09b6ce2a814ebec033a1166e057e5c8599116286/pic9.png

--------------------------------------------------------------------------------
/run.sh:
--------------------------------------------------------------------------------
#!/bin/bash

echo "*************************************************"
echo "          Welcome to the C2 Cradle!              "
echo "*************************************************"
echo ""
echo "======>Which C2 would you like to stand up?"
echo "1 => Mythic"
echo "2 => MacC2"
echo "3 => DeimosC2"
echo "4 => EvilOSX"
echo "5 => MacShellSwift"
echo "6 => Sliver"
echo "7 => CHAOS"
echo "8 => Empire"

read -r response

# Every container below is started with --network="host", so each server
# listens directly on the host's network interfaces.
if [[ "$response" == "1" ]];then
    echo "[+] Mythic C2 selected. Running setup now..."
    cd Mythic-setup && git clone https://github.com/its-a-feature/Mythic && cd Mythic
    read -r -p "----> Do you need to make any changes to the Mythic default config (Y/N)? " answer
    if [[ ("$answer" == "Y") || ("$answer" == "y") ]];then
        echo "****The Mythic config file is located at Mythic-setup/Mythic/mythic-docker/config.json****"
        read -r -p "==>The script will pause here until you have made the necessary config edits. Once done press any key to continue..." pause
        ./start_mythic.sh
    else
        ./start_mythic.sh
    fi

elif [[ "$response" == "2" ]]; then
    echo "[+] MacC2 selected. Running setup now..."
    cd MacC2-setup && git clone https://github.com/cedowens/MacC2 && cd MacC2
    chmod +x setup.sh && ./setup.sh

elif [[ "$response" == "3" ]]; then
    echo "[+] Deimos C2 selected. Running setup now..."
    # Pull the compiled release binary, then build and run the image around it
    cd DeimosC2-setup && curl -LO https://github.com/DeimosC2/DeimosC2/releases/download/1.1.0/DeimosC2_linux.zip && unzip DeimosC2_linux.zip
    docker build --no-cache -t deimosc2-docker .
    docker volume create deimosc2
    sudo docker run --rm --network="host" -v deimosc2:/deimosapp -ti deimosc2-docker

elif [[ "$response" == "4" ]]; then
    echo "[+] EvilOSX C2 selected. Running setup now..."
    cd EvilOSX-setup && git clone https://github.com/Marten4n6/EvilOSX && cp Dockerfile EvilOSX/Dockerfile && cd EvilOSX/
    docker build --no-cache -t evilosx-docker .
    docker volume create evilosx
    sudo docker run --rm --network="host" -v evilosx:/EvilOSX -ti evilosx-docker

elif [[ "$response" == "5" ]]; then
    echo "[+] MacShellSwift C2 selected. Running setup now..."
    cd MacShellSwift-setup && git clone https://github.com/cedowens/MacShellSwift && cd MacShellSwift/MacShellSwift
    chmod +x run.sh && ./run.sh

elif [[ "$response" == "6" ]]; then
    echo "[+] Sliver C2 selected. Running setup now..."
    # Pull the compiled release binary and build the image from artifacts/linux
    cd Sliver-setup && curl -LO https://github.com/BishopFox/sliver/releases/download/v1.2.0/sliver-server_linux.zip && unzip sliver-server_linux.zip && cp Dockerfile artifacts/linux/Dockerfile && cd artifacts/linux
    docker build --no-cache -t sliver-docker .
    docker volume create sliverc2
    sudo docker run --rm --network="host" -v sliverc2:/sliverc2 -ti sliver-docker
    # Clean up the downloaded release once the container exits
    cd ../.. && rm -rf artifacts/ sliver-server_linux.zip

elif [[ "$response" == "7" ]]; then
    echo "[+] CHAOS C2 selected. Running setup now..."
    cd CHAOS-setup && git clone https://github.com/tiagorlampert/CHAOS && cp Dockerfile CHAOS/Dockerfile
    docker build --no-cache -t chaosc2-docker .
    docker volume create chaosc2
    sudo docker run --rm --network="host" -v chaosc2:/chaosc2:ro -ti chaosc2-docker

elif [[ "$response" == "8" ]]; then
    echo "[+] Empire C2 selected. Running setup now..."
    docker pull bcsecurity/empire:latest
    sudo docker run --rm --network="host" -ti bcsecurity/empire:latest

fi

--------------------------------------------------------------------------------
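
The README asks that Deimos C2's port 8443 and Empire's ports 5000 and 1337 not be publicly exposed, while run.sh starts every container with --network="host", so each server binds directly on the host's interfaces. As an added example (not part of the C2 Cradle repo), the script below filters `ss -ltnH` output for those management ports, plus Mythic's admin port 7443, when they are bound to a non-loopback address; the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the C2 Cradle repo.
# Management ports named in the README: Mythic 7443, Deimos 8443,
# Empire 5000 (admin API) and 1337 (REST API).
ADMIN_PORTS="7443 8443 5000 1337"

# Reads `ss -ltnH` output on stdin and prints "port address" for every
# management port that is listening on something other than loopback.
exposed_admin_ports() {
    awk -v ports="$ADMIN_PORTS" '
        BEGIN {
            n = split(ports, p, " ")
            for (i = 1; i <= n; i++) admin[p[i]] = 1
        }
        $1 == "LISTEN" {
            addr = $4; port = $4
            sub(/.*:/, "", port)        # keep what follows the last colon
            sub(/:[0-9]+$/, "", addr)   # drop the trailing :port
            if (!(port in admin)) next
            # 127.0.0.0/8, ::1 and IPv4-mapped loopback stay on the host
            if (addr ~ /^127\./ || addr == "[::1]" || addr ~ /^\[::ffff:127\./) next
            print port, addr
        }'
}

# Constructed sample of `ss -ltnH` output (not captured from a real host).
sample_ss_output() {
    cat <<'EOF'
LISTEN 0      4096         0.0.0.0:8443      0.0.0.0:*
LISTEN 0      128        127.0.0.1:7443      0.0.0.0:*
LISTEN 0      4096            [::]:5000         [::]:*
LISTEN 0      128                *:1337            *:*
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
LISTEN 0      128    127.0.0.53%lo:53        0.0.0.0:*
EOF
}

# Demo on the constructed sample; on a live host use:
#   ss -ltnH | exposed_admin_ports
findings=$(sample_ss_output | exposed_admin_ports)
if [ -n "$findings" ]; then
    printf '[-] management ports bound beyond loopback:\n%s\n' "$findings"
fi
```

Any port this reports should be restricted with a host firewall rule or by binding the service to 127.0.0.1 before the lab host is attached to a shared network.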