Connect and Control (C2) is a multifunctional webapp designed for Pentesters to use on engagements.
There are three core pieces of functionality: View Interactions, Manage Payloads, and Manage Endpoints.

If you send GET or POST requests to the URL specified in the app, it'll log them. This can be used in XSS payloads to exfiltrate data.
You can configure payloads within this functionality, which are then served by your various endpoints. Interactions also get logged below.
New in the latest update, you can now manage your endpoints - meaning multiple endpoints can be active, all serving different payloads! For maximum havoc.
You can interrogate your currently active endpoints:

...and modify them as you wish:

Clone this repository:
git clone https://github.com/Gr4y-r0se/C2.git

Then install the requirements:
pip3 install -r requirements.txt

python3 app.py

docker build -t c2-app .
docker run -p 443:443 c2-app

docker-compose up --build

Then browse to https://localhost/ to get cracking!
Pull requests are welcome - especially if you want to redesign the UI (it's pretty ugly). If you're not yet able to write the update you want to see, that's okay - just open an issue!
Please, for major changes, open an issue first to discuss what you would like to change.
This is released under the MIT license.
- Support templating for JS (so you can dynamically load files)
- Support serving files through JS objects
- Add JS obfuscation so scripts are randomised every time they are served
- Make the UI better (please open a pull request if you're good at this). (Special thanks to BDragisic for this one.)
- Migrate scripts to their own folder, and dynamically inject them into each user account.
- Add other content types (XML etc) for serving

