default profile
Last updated
Last updated
The "default" C2 profile is the Apfell server itself. All other C2 profiles will translate between their own special sauce back to this profile. This profile has a docker container as well that you can start that uses a simple JSON configuration to redirect traffic on another port (with potentially different SSL configurations) to the main apfell server.
This container code simply starts a small Sanic webserver that accepts messages on the specified port going to the default URL endpoint (/agent_message
) and proxies traffic to your Apfell instance. This allows you to host the Apfell instance on port 8443 for example and expose the default profile on port 443 or 80.
Clicking the "Configure" button gives a few options for how to edit and interact with the profile.
This sections allows you to edit some basic information about the C2 profile as well as upload additional files to Apfell and to the associated docker container.
The name of a c2 profile cannot be changed once it's created, but everything else can change. The Supported Payloads
shows which payload types can speak the language of this C2 profile. For each payload type selected, there will be an associated upload button to upload the code for that payload type. If the payload type is external, it should still be selected if it can speak the language of this C2 profile, you just won't need to upload any code for it. This allows apfell to properly track information when creating payloads and linking data.
There is an upload button to specifically upload files for the server side as well as for each agent. The difference here is that the payload type specific code is what will be used to create an agent whereas the server/container code is used to facilitate communications between the C2 profile and the main Apfell server. Think of it like a pipeline: agent -> C2 profile docker container -> main apfell server.
Clicking the Download / Delete Listener Files
button gives information about the files that already exist for each payload type and for the server itself.
The files are broken out by payload type and server files. Notice that you can have multiple files for each payload type. That bottom section is where a rabbitmq message gets sent to the docker container asking for a list of files and the information gets returned. While rabbitmq and the docker container are processing this request, a spinning icon will appear near there.
This dialog displays the current parameters associated with the C2 profile. These are the values you must supply when using the C2 profile to create an agent.
There are a few things to note here:
Name
- This is just a human readable name that will be shown to the user when creating a payload for this c2 profile. It can be as descriptive as you want.
Key
- When creating the actual payload, this key
keyword is replaced with the value that the user supplies when creating a payload. For example, the keyword callback_host
will be replaced with what the use types all throughout the associated payload type's c2 profile specific code.
Hint
- This is what's auto-populated as a hint for the user when creating a payload so that they have an idea of default values or what they should supply.
randomize
- This specifies if you want to randomize the value that's auto-populated for the user.
format_string
- This is where you can specify how to generate the string in the hint when creating a payload. For example, setting randomize
to true
and a format_string
of \d{10}
will generate a random 10 digit integer.
This can be seen with the same test
parameter in the above screenshot.
Every time you view the parameters, select to save an instance of the parameters, or go to create a new payload, another random instance from this format_string will be auto-populated into that c2 profile parameter's hint field.
The key AESPSK
is a special keyword in Apfell. For each operation, Apfell creates a static 32byte AES key that will be auto displayed (like above) if the key
says AESPSK
. This is simply for ease of use. If you want to use AES256 with a different value, the use can swap that out when creating a payload. If you don't use that exact key name, then a value won't be auto populated.