HackPath
BBoooottccaammppNEWCCoouurrsseessRRooaaddmmaappPPrraaccttiicceePPrriicciinngg
>_
HACKPATH

COURSE.EXE

C2 & Post-Exploitation

0%
UNDERSTANDING C2
01What is a C2?
40m
02Listener / Agent / Teamserver Architecture
45m
ADVANCED METASPLOIT
03Advanced Meterpreter
50m
04Metasploit Post-Exploitation Modules
48m
05Pivoting with Metasploit
55m
COBALT STRIKE CONCEPTS
06Beacon and Listeners — C2 Concepts
45m
07Malleable C2 Profiles
52m
PERSISTENCE
08Windows Persistence
58m
09Linux Persistence
52m
PIVOTING & TUNNELING
10SSH Port Forwarding
44m
11Proxychains and SOCKS
48m
12Chisel and ligolo-ng
60m
Lesson 01·1 / 12·40 min

What is a C2?

Define what a C2 is, why it exists, and how it differs from a simple shell.

C2 & Post-Exploitation/What is a C2?

What is a C2?

A Command & Control (C2 or C&C) is the infrastructure an attacker uses to control their agents deployed on compromised systems. It is the brain of the offensive operation: without a C2, an attacker cannot maintain access, run commands, or exfiltrate data.

◆
A C2 is an infrastructure: operator → teamserver → listener(s) ↔ agent (check-ins + task queue).

The attacker / agent / C2 model

In any offensive operation, three elements coexist:

ElementRoleExamples
Attacker (operator)Sends orders, receives resultsRed teamer, pentester
C2 server (teamserver)Receives agent connections, relays ordersMetasploit, Cobalt Strike, Sliver
Agent (beacon / implant)Runs on the compromised target, executes commandsMeterpreter, Beacon, custom implant
C2 agent teamserver operator
◆

Why a C2 and not just a reverse shell?

A basic reverse shell (bash -i >& /dev/tcp/...) is fragile:

  • It dies on the slightest network interruption
  • It does not support multiple operators simultaneously
  • It does not encrypt communications
  • It is trivial to detect (raw TCP connection)

A professional C2 provides:

FeatureWhat it provides
Encrypted communications (TLS, HTTPS)Evades IDS/IPS that inspect traffic
Sleep / jitterThe agent wakes up randomly → less detectable
Multi-sessionsManage dozens of agents from a single interface
Built-in pivotingHop into internal networks that are not exposed
Post-exploitation modulesKeylogger, screenshot, dump credentials, privilege escalation
PersistenceSurvives reboots via registry, services, scheduled tasks
encryption sleep/jitter multi-sessions persistence
◆

The most well-known C2s

C2LicenseAgentUsed by
Metasploit FrameworkOpen sourceMeterpreterPentesters, CTF
Cobalt StrikeCommercial (5,000$/year)BeaconRed teams, APTs (cracked versions)
SliverOpen source (BishopFox)Go implantModern red teams
HavocOpen sourceDemonAdvanced red teams
Brute Ratel C4CommercialBadgerRed teams, APT groups
Metasploit Cobalt Strike Sliver Havoc
◆

C2 communication protocols

An agent must communicate with its server without getting detected. Modern C2s support multiple protocols to mimic legitimate traffic:

ProtocolAdvantageDrawback
HTTPSWorks almost everywhere, natively encryptedInspected by corporate proxies
DNSRarely filtered, traverses firewallsVery low bandwidth
SMB (named pipe)Internal lateral movement, no external trafficLimited to internal networks
HTTP via CDNTraffic looks legitimate (Cloudflare, AWS)More complex configuration
HTTPS DNS SMB CDN
◆

C2 in the attack cycle (Kill Chain)

C2 happens after the initial compromise:


Reconnaissance → Weaponization → Delivery → Exploitation
→ Installation (agent deployed) → C2 (communication) → Actions on Objectives

C2 phases include:

  • Lateral movement: reach other machines from the agent
  • Privilege escalation: move from user to SYSTEM/root
  • Exfiltration: extract sensitive data
  • Persistence: survive reboots
kill chain lateral movement exfiltration
◆

Flashcards

FLASHCARDS · 1/4
CARD #0001
_□×
UNSEEN

What is the difference between a reverse shell and a C2 agent?

◆
Open Questions

Question 1 — What are the trade-offs between responsiveness and stealth (sleep/jitter) in a C2?

◆

Next Lesson

You now understand C2 fundamentals. The next lesson covers C2 architecture in detail: listeners, agents, and how a teamserver coordinates command and control.

Next: C2 Architecture — Listener, Agent, Teamserver

Hands-on challenge

Practice what you learned — run it on your machine.

Do the challenge →

You're on a free lesson

Ready to go further?

Unlock all courses, exercises, real-world scenarios and flashcards — everything to build real skills.

Unlock full access →

No commitment · Cancel anytime

Sign in to track your progress.

Sign in to validate →

11 lessons locked in this course · 800+ students enrolled

$99/year — save 31% vs monthly

Unlock full access →