Python Server for PoshC2
Languages: PowerShell, Python, C#, JavaScript, Shell, C
Branch: master
Latest commit 9a05c4a Aug 16, 2019
Name Latest commit message Commit time
Files Fix get-screenshotmulti Aug 16, 2019
Images Initial Commit Jul 23, 2018
Modules Fix get-screenshotmulti Aug 16, 2019
SharpSocks Updated new SharpSocks Jun 21, 2019
.gitignore Added ability to load and execute LinuxPrivChecker in memory on *nix … Jan 13, 2019
Alias.py Start code style cleanup Jun 18, 2019
AutoLoads.py Added DCOM lateral movement to Sharp Aug 4, 2019
C2Server.py Store creds in the DB, add ability to add creds/have them automatical… Jul 10, 2019
Cert.py Start code style cleanup Jun 18, 2019
Colours.py Start code style cleanup Jun 18, 2019
Config.py Start code style cleanup Jun 18, 2019
CookieDecrypter.py Start code style cleanup Jun 18, 2019
Core.py Add -credid option to other runas/smbexec/wmi/dcom commands Jul 14, 2019
DB.py Updated Notification Status from DB not Config Aug 4, 2019
HTML.py Update HTML.py Jul 11, 2019
Help.py Added DCOM lateral movement to Sharp Aug 4, 2019
Implant.py Updated Notification Status from DB not Config Aug 4, 2019
ImplantHandler.py Now compiles the Sharp_Powershell_Runner with Mono Jul 14, 2019
Install-ArchLinux.sh Add vim and nano to the install requirements and use the EDITOR varia… Jul 8, 2019
Install.ps1 Add aliases for common sharp commands May 6, 2019
Install.sh Update the fpc command to pretty print and be more reliable Aug 14, 2019
LICENSE Initial Commit Jul 23, 2018
OfflineReportGenerator.py Start code style cleanup Jun 18, 2019
Opsec.py Start code style cleanup Jun 18, 2019
PSHandler.py Fixed typo on invoke-runas Jul 16, 2019
Payloads.py Updated to hide payload - same as inject-shellcode payloads Jul 15, 2019
PyHandler.py Fixed Python3 bug for Py implants Jul 15, 2019
README.md Add section to the readme detailing how to checkout old versions Jul 15, 2019
SharpHandler.py Added get-computerinfo and get-dodgyprocesses to core Jul 30, 2019
TabComplete.py Start code style cleanup Jun 18, 2019
Tasks.py Fixed upload-file in Sharp Implant Aug 4, 2019
Testing.md Updated to include opsec as test command Feb 12, 2019
Update.sh Removed Socks Install file Jun 11, 2019
UrlConfig.py Start code style cleanup Jun 18, 2019
Utils.py Store creds in the DB, add ability to add creds/have them automatical… Jul 10, 2019
changelog.txt Update changelog Aug 14, 2019
oldurls.txt Updated new SharpSocks Jun 21, 2019
poshc2.service Fixed issue with systemd complaining about a missing "optional" Insta… Jul 4, 2019
requirements.txt Use pyreadline for Windows compatibility and when injecting shellcode… Apr 24, 2019
wordlist.txt Adding files to enable custom URL generation. Dec 14, 2018

README.md

PoshC2

PoshC2 is a proxy-aware C2 framework that utilises PowerShell and/or its equivalent (System.Management.Automation.dll) to aid penetration testers with red teaming, post-exploitation and lateral movement. PowerShell was chosen as the base implant language because it provides all of the required functionality and rich features without introducing multiple third-party libraries into the framework.

In addition to the PowerShell implant, PoshC2 also has a basic dropper written purely in Python that can be used for command and control over Unix-based systems such as macOS or Ubuntu.

The server-side component is written in Python for cross-platform portability and speed. A PowerShell server component still exists and can be installed using the 'Windows Install' shown below, but it will not be maintained in future updates and releases.

Linux Install Python3

Automatic install for Python3 using curl & bash

curl -sSL https://raw.githubusercontent.com/nettitude/PoshC2_Python/master/Install.sh | bash

Manual install Python3 (downloads the installer first so it can be reviewed before it runs)

wget https://raw.githubusercontent.com/nettitude/PoshC2_Python/master/Install.sh
chmod +x ./Install.sh
./Install.sh

Linux Install Python2 - stable but unmaintained

Automatic install for Python2 using curl & bash

curl -sSL https://raw.githubusercontent.com/nettitude/PoshC2_Python/python2/Install.sh | bash

Manual install Python2 (downloads the installer first so it can be reviewed before it runs)

wget https://raw.githubusercontent.com/nettitude/PoshC2_Python/python2/Install.sh
chmod +x ./Install.sh
./Install.sh

Windows Install

Install Git and Python (and ensure Python is in the PATH), then run:

powershell -exec bypass -c "IEX (New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/nettitude/PoshC2_Python/master/Install.ps1')"

Using older versions

You can use an older version of PoshC2 by referencing the appropriate tag. You can list the tags for the repository by issuing:

git tag --list

or viewing them online.

Then you can use the install one-liner but replace the branch name with the tag:

curl -sSL https://raw.githubusercontent.com/nettitude/PoshC2_Python/<tag name>/Install.sh | bash

For example:

curl -sSL https://raw.githubusercontent.com/nettitude/PoshC2_Python/v4.8/Install.sh | bash

Offline

If you have a local clone of PoshC2 you can change the version that is in use by just checking out the version you want to use:

git reset --hard <tag name>

For example:

git reset --hard v4.8

Note, however, that this overwrites any local changes to tracked files such as Config.py, so copy them aside first. You may also have to re-run the install script for that version or otherwise set up the environment appropriately.
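The Config.py pitfall described above, handled in code. This is an added example and not part of the PoshC2 project: it checks that the tag exists before touching anything, copies Config.py to Config.py.<tag>.bak (a naming convention of this script, not of PoshC2), hard-resets the clone, and then prints the differences between the tag's Config.py and the saved copy so the local settings can be merged back by hand. The run parameter defaults to subprocess.run and exists only so the git calls can be substituted when running the script offline.

```python
"""Switch a local PoshC2 clone to a tagged version without losing Config.py.

Added example; this is not code from the PoshC2 project. `git reset --hard <tag>`
throws away uncommitted edits, so the script verifies the tag, copies Config.py
aside, resets, and then shows what the tag's Config.py changed relative to the
saved copy. `Config.py.<tag>.bak` is this script's own naming convention.
"""
import difflib
import os
import shutil
import subprocess
import sys
from typing import Callable, List

# Command runner; subprocess.run by default, replaceable so git can be faked offline.
Runner = Callable[..., subprocess.CompletedProcess]


def tag_exists(repo: str, tag: str, run: Runner = subprocess.run) -> bool:
    """True when refs/tags/<tag> resolves in the clone (no network needed)."""
    result = run(["git", "-C", repo, "rev-parse", "--verify", "--quiet", "refs/tags/" + tag],
                 capture_output=True, text=True)
    return result.returncode == 0


def switch_version(repo: str, tag: str, run: Runner = subprocess.run) -> str:
    """Back up Config.py, hard-reset the clone to `tag`, return the backup path.

    Nothing in the working tree is touched until the tag has been verified, so a
    typo in the tag name cannot leave the clone half-switched.
    """
    config = os.path.join(repo, "Config.py")
    if not os.path.isfile(config):
        raise FileNotFoundError("%s not found; is %s a PoshC2 clone?" % (config, repo))
    if not tag_exists(repo, tag, run):
        raise ValueError("no such tag: %s (try `git tag --list`)" % tag)
    backup = os.path.join(repo, "Config.py.%s.bak" % tag)
    shutil.copy2(config, backup)          # keeps mode and mtime of the edited file
    run(["git", "-C", repo, "reset", "--hard", tag], check=True, capture_output=True, text=True)
    return backup


def config_diff(repo: str, backup: str) -> List[str]:
    """Unified diff from the tag's Config.py to the saved local copy."""
    with open(os.path.join(repo, "Config.py")) as f:
        tagged = f.readlines()
    with open(backup) as f:
        saved = f.readlines()
    return list(difflib.unified_diff(tagged, saved, fromfile="Config.py (tag)",
                                     tofile=os.path.basename(backup)))


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: %s <clone dir> <tag>" % sys.argv[0])
    saved_copy = switch_version(sys.argv[1], sys.argv[2])
    print("local config saved as", saved_copy)
    sys.stdout.writelines(config_diff(sys.argv[1], saved_copy))
```

Run it from outside the clone as python switch_version.py /opt/PoshC2_Python v4.8; lines prefixed with + in the output are your local settings that the tag's Config.py does not contain.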

Running PoshC2

  1. Edit the config file by running posh-config to open it in $EDITOR. If this variable is not set then it defaults to vim, or you can use --nano to open it in nano.
  2. Run the server using posh-server or python3 -u C2Server.py | tee -a /var/log/poshc2_server.log
  3. Others can view the log using posh-log or tail -n 5000 -f /var/log/poshc2_server.log
  4. Interact with the implants using the handler, run by using posh or python3 ImplantHandler.py

Installing as a service

Installing as a service provides multiple benefits such as being able to log to service logs, viewing with journalctl and automatically starting on reboot.

  1. Add the unit file to systemd (this is done automatically by the install script):
cp poshc2.service /lib/systemd/system/poshc2.service
  2. Start the service:
posh-service
  3. View the log:
posh-log
  4. Or alternatively use journalctl (note that this can be rate limited):
journalctl -n 20000 -u poshc2.service -f --output cat

Note that re-running posh-service restarts the service. posh-service automatically starts displaying the log, but Ctrl-C only quits the log view and does not stop the service; posh-log can be used to view the log again at any point. posh-stop-service stops the service.

Issues / FAQs

If you are experiencing any issues during the installation or use of PoshC2, please check the known issues below and the open issues page on GitHub. If neither has what you're looking for, please open a new issue and we will try to resolve it as soon as possible.

If you are looking for tips and tricks on PoshC2 usage and optimisation, you are welcome to join the slack channel below.

License / Terms of Use

This software should only be used for authorised testing activity and not for malicious use.

By downloading this software you are accepting the terms of use and the licensing agreement.

Documentation

We maintain PoshC2 documentation over at https://poshc2.readthedocs.io/en/latest/

Find us on #Slack - poshc2.slack.com (to request an invite send an email to labs@nettitude.com)

Known issues

Error encrypting value: object type

If you get this error after installing PoshC2 it is due to dependency clashes: the pip packages already installed on the system do not match the versions pinned in requirements.txt.

Try creating a Python virtualenv and reinstalling the requirements into it so that the exact versions specified are in use for PoshC2. Deactivate the virtualenv when you have finished.

For example:

pip install virtualenv
virtualenv /opt/PoshC2_Python/
source /opt/PoshC2_Python/bin/activate
pip install -r requirements.txt
python C2Server.py

Note that any time you run PoshC2 you have to reactivate the virtual environment and run it there.

The posh- scripts on *nix handle the virtual environment for you.
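To see the clash behind this error before building the virtualenv (or to confirm the virtualenv is clean afterwards), the following added example compares the versions pinned in a requirements file with the output of pip freeze. It is not part of PoshC2. It understands name==1.2, name>=1.2, name<=1.2, name~=1.2 and name!=1.2 lines and rejects anything else rather than silently skipping it; the requirement and pip freeze text embedded at the bottom is constructed sample data, not the project's real requirements.txt.

```python
"""Compare installed package versions with the pins in a requirements file.

Added example; not part of PoshC2. Shows which pins in requirements.txt the
current interpreter's packages violate, which is the cause of the
"Error encrypting value" failure described above. The SAMPLE_* strings are
constructed data, not the real requirements.txt or a real system.
"""
import re
import subprocess
import sys
from typing import Dict, List, Tuple

# name, comparator, version, optional trailing comment
_REQ_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*(==|>=|<=|~=|!=)\s*([0-9][0-9A-Za-z.]*)\s*(?:#.*)?$")


def normalise(name: str) -> str:
    """pip treats names case-insensitively and '-', '_' and '.' as equivalent."""
    return re.sub(r"[-_.]+", "-", name).lower()


def version_tuple(version: str) -> Tuple[int, ...]:
    """Numeric dotted version for ordering.

    Pre-release suffixes are ignored ('1.0b1' -> (1,)) and trailing zeros are
    dropped so that 5.1 and 5.1.0 compare equal, as pip treats them.
    """
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def satisfies(installed: str, op: str, required: str) -> bool:
    have, want = version_tuple(installed), version_tuple(required)
    if op == "==":
        return have == want
    if op == "!=":
        return have != want
    if op == ">=":
        return have >= want
    if op == "<=":
        return have <= want
    if op == "~=":
        # compatible release: at least `required`, with the same leading components
        prefix = len(required.split(".")) - 1
        return have >= want and have[:prefix] == want[:prefix]
    raise ValueError("unsupported operator " + op)


def parse_requirements(text: str) -> Dict[str, Tuple[str, str]]:
    reqs = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _REQ_RE.match(line)
        if not m:
            raise ValueError("unsupported requirement line: %r" % line)
        name, op, version = m.groups()
        reqs[normalise(name)] = (op, version)
    return reqs


def parse_freeze(text: str) -> Dict[str, str]:
    """Map package -> version from `pip freeze`; non '==' lines (VCS/URL installs) are skipped."""
    installed = {}
    for line in text.splitlines():
        if "==" in line:
            name, version = line.strip().split("==", 1)
            installed[normalise(name)] = version
    return installed


def find_mismatches(requirements_text: str, freeze_text: str) -> List[Tuple[str, str, str]]:
    """(package, requirement, installed version or 'missing') for every pin not met."""
    installed = parse_freeze(freeze_text)
    problems = []
    for name, (op, version) in sorted(parse_requirements(requirements_text).items()):
        have = installed.get(name)
        if have is None:
            problems.append((name, op + version, "missing"))
        elif not satisfies(have, op, version):
            problems.append((name, op + version, have))
    return problems


# Constructed sample data: neither the real requirements.txt nor a real system.
SAMPLE_REQUIREMENTS = """\
# pins for the C2 server
cryptolib==3.8.2
yamlparser==5.1
httpclient>=2.21.0
readlinecompat==2.1  # Windows only
"""
SAMPLE_FREEZE = """\
cryptolib==3.9.0
httpclient==2.22.0
yamlparser==5.1.0
"""

if __name__ == "__main__":
    if len(sys.argv) == 2:   # real check: python check_pins.py requirements.txt
        with open(sys.argv[1]) as f:
            req_text = f.read()
        freeze_text = subprocess.run([sys.executable, "-m", "pip", "freeze"],
                                     capture_output=True, text=True, check=True).stdout
    else:                    # no file given: run against the sample data
        req_text, freeze_text = SAMPLE_REQUIREMENTS, SAMPLE_FREEZE
    for name, wanted, got in find_mismatches(req_text, freeze_text):
        print("%-20s wanted %-12s got %s" % (name, wanted, got))
```

Run it with the interpreter you intend to start C2Server.py with (inside the virtualenv after source .../bin/activate) so that pip freeze reports that environment's packages; an empty result means every pin is satisfied.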
