Creating an HTTP C2

The issue with brazenly presenting your commands in URLs is that even a half-asleep log analyst will spot it. There are multiple methods of hiding requests, but when you don't know what the response text is going to look like, you need to provide a solid method of disguising the output and returning it to your server.

We will create a script that masks command and control activities as HTTP traffic, takes commands from comments on a web page, and returns the output into a guestbook.

Getting Started

For this, you will need a functioning web server with two pages, one to host your comments and one to host your retrieval page.

Your comment page should just have standard content. For this, I'm using the Nginx default home page and ...

Get Python Web Penetration Testing Cookbook now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial

Python Web Penetration Testing Cookbook by Cameron Buchanan, Terry Ip, Andrew Mabbitt, Benjamin May, Dave Mound

Creating an HTTP C2

Getting Started

Don’t leave empty-handed

It’s yours, free.

Check it out now on O’Reilly