
I've been playing around with some of the C2's available at GitHub that I've found at https://www.thec2matrix.com/matrix

It's cool to play around with tons of Linux machines I own, send them commands and retrieve stats from them with custom scripts, with the ease of uploading them as a "payload", like "execute this on all these machines". However, there are a few projects that I actually debug, and I usually just plug and play those open source projects.

I don't know if there's a risk in this. I usually host and test all this stuff on GCP instances, and so far I've had no issues nor detected malicious activity besides "mine", just that BYOB project that installs a cryptominer, but it's easy to deactivate it in the source, and the README tells you about this.

So here's the question.

What are the dangers of using this kind of open source project as my C2 for my machines?

I've even considered using this in a company as a private "TeamViewer" or an alternative for remote assistance for helpdesk and whatever.

Is it a possible breach? Does that make my instances vulnerable?

I can only think of a "single point of failure" that would end up in a DISASTER, as it would compromise everything easily, lol, but what other risks would this involve?

Napal

1 Answer


You are correct about the single point of failure, but that's not too different from having all your SSH keys on the same box which is also common.

Like any software, your C2 software can have vulnerabilities or misconfigurations that introduce vulnerabilities. Even TeamViewer has run into issues in the past.

My worry would be that the tool is not designed with security in mind. Depending on the tool, it may have just been developed for a one-off engagement and was made to be quick and dirty. Compare it to a remote administration tool such as Ansible, which simply uses SSH, which comes with many benefits such as secure and vetted authentication and encryption out of the box. While there is probably some sort of authentication in your tool, it may not be properly implemented, or may not be enforced at all. The tool should also properly use encryption, which may not always be the case.

Besides authentication, there could be other vulnerabilities that exist within the software. However, it is impossible to know without performing a security audit on the tool. Without knowing for sure, you may be fine, or you may be exposing all of your systems to remote attackers.

multithr3at3d
    Wow, Ansible is such a good reference; actually that was what I was looking for, no need to use open source malware. Thanks a lot for that – Napal Jun 22 '20 at 17:16
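The answer's point is that an SSH-based tool such as Ansible gives you vetted authentication and transport encryption for free, whereas a quick-and-dirty C2 may enforce neither. The script below is an added example, not code from the question, the answer, or any of the C2 projects on the matrix: it does the same "run a command on every box I own and collect the output" job the asker describes, over plain SSH with key-only authentication and strict host-key checking. The host names, the `ops` account, and the key path are assumptions for illustration, and the inventory file it writes is constructed sample data (which also happens to be a valid Ansible INI inventory, so the same file can be fed to `ansible`).

```shell
#!/usr/bin/env bash
# Added example, not code from the question, the answer, or any of the C2
# projects discussed: a fleet "send a command, collect the output" tool built
# on plain SSH, the same transport Ansible uses. Host names, the ops user and
# the key path are assumptions for illustration.
set -euo pipefail

# Constructed sample inventory (hypothetical hosts). One host per line,
# '#' comments allowed; this is also a valid Ansible INI inventory.
INVENTORY="$(mktemp)"
trap 'rm -f "$INVENTORY"' EXIT
cat > "$INVENTORY" <<'EOF'
# constructed sample inventory
web1.example.internal
web2.example.internal
# db1.example.internal   (commented out, so skipped)
EOF

SSH_USER="${SSH_USER:-ops}"                       # assumption: unprivileged fleet account
SSH_KEY="${SSH_KEY:-$HOME/.ssh/fleet_ed25519}"    # assumption: dedicated key for fleet ops

# Options that give the vetted properties the answer credits to Ansible/SSH:
# key-only auth (no password prompts for an attacker to target), strict host
# key checking (a spoofed host cannot capture commands or feed back fake
# results), a single identity offered, and a bounded connect time.
ssh_opts() {
  printf '%s' "-o BatchMode=yes -o PasswordAuthentication=no -o IdentitiesOnly=yes -o StrictHostKeyChecking=yes -o ConnectTimeout=5 -i $SSH_KEY"
}

# Parse the inventory: drop blank lines, comment lines and trailing comments.
list_hosts() {
  grep -Ev '^[[:space:]]*(#|$)' "$1" | sed 's/[[:space:]]*#.*$//; s/[[:space:]]*$//'
}

# Run one command on one host; each output line is prefixed "host<TAB>".
run_on() {
  local host="$1" cmd="$2"
  # shellcheck disable=SC2046   (ssh_opts is deliberately word-split)
  ssh $(ssh_opts) "${SSH_USER}@${host}" "$cmd" | awk -v h="$host" '{ print h "\t" $0 }'
}

# Fan the same command out to every host in the inventory. A host that is
# down or rejects the key is reported, not silently skipped.
fleet_run() {
  local cmd="$1" host
  while IFS= read -r host; do
    run_on "$host" "$cmd" || printf '%s\tUNREACHABLE_OR_FAILED\n' "$host"
  done < <(list_hosts "$INVENTORY")
}

# Equivalent Ansible ad-hoc call against the same inventory file:
#   ansible all -i "$INVENTORY" -u "$SSH_USER" --private-key "$SSH_KEY" -m command -a 'uptime'
# The SSH fan-out only runs when explicitly requested, so sourcing this file is safe:
if [ "${FLEET_RUN:-0}" = 1 ]; then
  fleet_run "${FLEET_CMD:-uptime; df -h /}"
fi
```

Invoke it as `FLEET_RUN=1 FLEET_CMD='uptime' ./fleet.sh` once the `ops` key is deployed to each host's `authorized_keys`. The design choice worth noting is that every security property the asker would otherwise inherit from an unaudited C2 (who may connect, whether the channel is encrypted, whether the remote end is who it claims to be) is here delegated to `sshd` and the options in `ssh_opts`, and the host list lives in a plain file you can put under version control rather than in a C2 database.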