Proxy Aware PowerShell C2 Framework: PoshC2

ID N0WHERE:172204
Type n0where
Reporter N0where
Modified 2017-08-25T16:57:39


PoshC2 is a proxy-aware C2 framework written entirely in PowerShell to aid penetration testers with red teaming, post-exploitation and lateral movement. The tools and modules were developed off the back of our successful PowerShell sessions and payload types for the Metasploit Framework. PowerShell was chosen as the base language because it provides all of the functionality and rich features required without introducing multiple languages into the framework.

PoshC2 is very simple to install, whichever method you choose. There are two install methods: a single no-fuss installer, and a slightly more involved method that is best suited to users who want to do development on PoshC2.

Simple Install Method

This method is as simple as running the installer we have created:

powershell -exec bypass -c "IEX (New-Object System.Net.WebClient).DownloadString('')"

Copy the command string above and paste it into a PowerShell terminal. The installer is probably the best way to get started with PoshC2, and it also doubles as the updater: re-running the same command detects that PoshC2 is already installed, removes it, and then downloads and installs the latest version. Note that the one-liner runs with the execution policy bypassed and executes whatever the remote server returns directly in memory via IEX, so run it only on a host you control and review the script before relying on it.
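The one-liner above fetches and executes the installer in a single step. The following PowerShell function is an added example, not part of the PoshC2 project or this page, that separates the two steps: it downloads the installer to disk through the system proxy, records its SHA-256, optionally checks that hash against a value obtained out of band, and flags the lines worth reading before you execute it. The installer URL is not reproduced on this page, so it is passed in by the operator; the output path, the expected-hash parameter and the grep patterns are assumptions of this example. Get-FileHash requires PowerShell 4.0 or later.

```powershell
# Added example (not from the PoshC2 project): fetch the installer to disk first,
# record its SHA-256, and only run it once you have reviewed it. The installer URL
# is not reproduced on this page, so it is supplied by the operator.
function Get-InstallerForReview {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Url,              # installer URL (assumption: taken from the project page)
        [string] $OutFile = "$env:TEMP\C2-Installer.ps1",  # where the script is saved for inspection (assumed path)
        [string] $ExpectedSha256                           # optional hash you obtained out of band
    )

    $wc = New-Object System.Net.WebClient
    # Honour the system proxy and its credentials, since the framework itself is proxy aware.
    $wc.Proxy = [System.Net.WebRequest]::DefaultWebProxy
    $wc.Proxy.Credentials = [System.Net.CredentialCache]::DefaultCredentials
    $wc.DownloadFile($Url, $OutFile)

    $hash = (Get-FileHash -Path $OutFile -Algorithm SHA256).Hash
    if ($ExpectedSha256 -and $hash -ne $ExpectedSha256.ToUpper()) {
        Remove-Item -Path $OutFile -Force
        throw "Installer hash $hash does not match expected $ExpectedSha256; not executing."
    }

    # Surface the parts that deserve a look before execution: further remote fetches,
    # and anything that touches the registry or scheduled tasks (patterns are an assumption).
    Select-String -Path $OutFile -Pattern 'DownloadString|DownloadFile|Invoke-WebRequest|Set-ItemProperty|schtasks' |
        ForEach-Object { '{0}: {1}' -f $_.LineNumber, $_.Line.Trim() }

    [pscustomobject]@{ Path = $OutFile; Sha256 = $hash }
}

# Usage: review the saved script, then run it with the same policy bypass the one-liner uses.
# $info = Get-InstallerForReview -Url '<installer URL>' -ExpectedSha256 '<hash from the project>'
# powershell -exec bypass -File $info.Path
```

Because the same command is also the updater, keeping the downloaded script and its hash per engagement gives you a record of exactly which installer version built a given server.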

There is an optional requirement for PoshC2 which enables it to create a custom Java-based payload. This requires the Java Development Kit (JDK) to be installed; it can be downloaded from the Oracle website, and the download link at the time this document was written is below:

Java Development Kit

Download and install the JDK as per the directions from Oracle.

PoshC2 consists of two separate PowerShell terminals, one called 'PoshC2 Server' and the other 'Implant-Handler'. This may sound odd, but it becomes seamless and intuitive once you start using the application. Starting the application is as simple as double-clicking a shortcut. Look in the PoshC2 folder within the c:\temp directory; there are two shortcuts, one to start PoshC2 and one to update it. Copy these two icons to your desktop for convenience.

Double-clicking the 'Start-C2-Server' icon first checks whether the user has administrative rights and, if required, elevates so that the server runs as an administrative-level user. The PoshC2 server PowerShell window then opens and the user is asked a series of questions:

  • If multiple Ethernet adaptors are detected, PoshC2 asks which IP address/adaptor to use for its listener;
  • The user is asked whether to set the engagement folder name; by default this is a time-stamped folder name;
  • The user may set a different implant beacon interval;
  • The user may set a kill time for the implant;
  • The option to set the port for the listener, e.g. 443, although port 80 is preferred.

PoshC2 has many built-in preset commands, shown by issuing the 'help' command in the 'Implant-Handler'. Some of the preset commands make use of established PowerShell 'hacking tools' such as PowerSploit, PowerView and PowerUp. There are also some bespoke modules written by us for use with PoshC2; to see these, take a look in the 'Modules' folder in the PoshC2 directory. One of the nice features of PoshC2 is that the user can copy any PowerShell module, written by them or anyone else, into the 'Modules' folder and use it directly within PoshC2: the ListModules command shows what is available and LoadModule loads a new module into the current implant.

For example, we may want to use a module from PowerSploit that is not included, say 'Invoke-NinjaCopy.ps1'. The user simply copies the Invoke-NinjaCopy.ps1 file into the Modules folder and then runs LoadModule Invoke-NinjaCopy.ps1 in the Implant-Handler to add the new module to the implant.
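The drop-in mechanism works with any script that defines a function, in the same way the PowerSploit modules do. The module below is an added example written for this page, not a PoshC2 module; it reports the proxy configuration the implant will inherit on a host, which is the first thing to check when a proxy-aware beacon fails to call back. The Modules folder path (C:\temp\PoshC2\Modules, derived from the page's c:\temp location), the file name and the Implant-Handler command sequence in the comments are assumptions of this example; the registry values, environment variables and .NET proxy calls it reads are the standard Windows ones.

```powershell
# Added example (not part of PoshC2): a minimal drop-in module. Save it as
# C:\temp\PoshC2\Modules\Get-ProxyConfig.ps1 (assumption: the Modules folder the page refers to),
# then in the Implant-Handler run:
#   ListModules
#   LoadModule Get-ProxyConfig.ps1
#   Get-ProxyConfig
function Get-ProxyConfig {
<#
.SYNOPSIS
    Reports the current user's WinINET proxy settings, environment overrides and the
    proxy .NET would actually select, which is what a WebClient-based implant inherits.
#>
    [CmdletBinding()]
    param()

    # Per-user WinINET settings, which Internet Explorer, WebClient and most Windows tooling honour.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $s = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

    $result = [ordered]@{
        ProxyEnabled  = [bool]$s.ProxyEnable
        ProxyServer   = $s.ProxyServer      # e.g. host:port, or a protocol-specific list
        BypassList    = $s.ProxyOverride    # hosts that go direct, '<local>' included
        AutoConfigUrl = $s.AutoConfigURL    # PAC file URL, if one is pushed by policy
    }

    # Environment overrides, which some tooling consults ahead of the registry.
    foreach ($v in 'HTTP_PROXY', 'HTTPS_PROXY', 'NO_PROXY') {
        $result["Env_$v"] = [Environment]::GetEnvironmentVariable($v)
    }

    # What the .NET proxy resolver would use for an HTTPS target. The probe URL is a
    # constructed value used only for the local lookup; nothing is contacted.
    $sysProxy = [System.Net.WebRequest]::GetSystemWebProxy()
    $probe = [Uri]'https://example.com/'
    $result['DotNetProxyForHttps'] = if ($sysProxy.IsBypassed($probe)) {
        'direct'
    } else {
        $sysProxy.GetProxy($probe).ToString()
    }

    [pscustomobject]$result
}
```

A PAC file reported in AutoConfigUrl with no static ProxyServer is the common case where a manually configured proxy address fails but the system resolver succeeds, so the DotNetProxyForHttps line is the one to compare against the listener address the implant was built with.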
