In the world of cybersecurity and red teaming, creating stealthy communication channels between attackers and compromised systems is an art. Traditional C2 infrastructures often get flagged, blocked, or sinkholed by defenders. To stay a step ahead, I decided to build a Command and Control (C2) server that operates entirely over the Tor network.
This post documents the design, development, and challenges I faced while creating a fully operational Tor-based C2 server.
Leveraging Tor’s hidden services would help keep the server location concealed, while providing encrypted communication between infected clients and the server.
1. The Core Idea
My goal was to create a fully functional C2 framework that:
- Connects clients (bots/agents) to the server through Tor.
- Supports encrypted command execution, file transfers, screenshots, and keylogging.
- Offers session management, multi-target control, and stealth operations.
I structured the project into four main modules:
- `c2.py`: The Command and Control server.
- `bot.py`: The session manager for connected bots.
- `agent.py`: The client-side agent connecting through Tor.
- `tor_network.py`: Handles starting the Tor process and creating SOCKS5 connections.
2. Tor Integration: Achieving Anonymity
Problem: Direct connections can be traced.
Solution: Route all communications through Tor.
In tor_network.py, I embedded a Tor expert bundle and created a Tor class that:
- Starts the Tor process (`tor.exe`) dynamically when the agent launches.
- Sets a SOCKS5 proxy using `PySocks` so all network traffic is routed through Tor.
- Reads the `.onion` address and port for connecting back to the C2 server.
```python
import socket
import socks  # PySocks

# Make every socket created after this point go through Tor's local SOCKS5 port
socks.set_default_proxy(socks.SOCKS5, '127.0.0.1', 9050)
socket.socket = socks.socksocket
```
On the C2 side, I exposed a hidden service via Tor to receive incoming connections anonymously.
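From the defender's side, the behaviour described in this section (a dropped `tor.exe` started by a non-browser parent, and a non-browser process talking to the local SOCKS port 9050) is what endpoint telemetry can key on. The following is an added example, not code from the post or the Stealth-Ruler project: it runs three such rules over a constructed set of simplified process-create and network-connect events; the event schema, `KNOWN_TOR_PARENTS` and the path markers are assumptions.

```python
# Constructed sample telemetry (not from the post): simplified process and
# network events in the shape an EDR/Sysmon pipeline might emit.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 412,
     "image": r"C:\Program Files\Tor Browser\Browser\TorBrowser\Tor\tor.exe",
     "parent_image": r"C:\Program Files\Tor Browser\Browser\firefox.exe"},
    {"type": "process", "pid": 988,
     "image": r"C:\Users\alice\AppData\Local\Temp\tor_bundle\tor.exe",
     "parent_image": r"C:\Users\alice\Downloads\agent.exe"},
    {"type": "netconn", "pid": 990, "image": r"C:\Users\alice\Downloads\agent.exe",
     "dst_ip": "127.0.0.1", "dst_port": 9050},
    {"type": "netconn", "pid": 412, "image": r"C:\Program Files\Tor Browser\Browser\firefox.exe",
     "dst_ip": "127.0.0.1", "dst_port": 9050},
]

# Assumption: Tor Browser is the only sanctioned Tor client in this environment.
KNOWN_TOR_PARENTS = {"firefox.exe"}
# 9050 is the port the post uses; 9150 is Tor Browser's default SOCKS port.
SOCKS_PORTS = {9050, 9150}
# Assumed markers for user-writable locations where an embedded tor.exe would land.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\")


def basename(path):
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def analyze(events):
    """Return a list of (rule, pid, detail) findings for the given events."""
    findings = []
    for ev in events:
        if ev["type"] == "process" and basename(ev["image"]) == "tor.exe":
            parent = basename(ev["parent_image"])
            # Rule 1: tor.exe spawned by something other than the Tor Browser.
            if parent not in KNOWN_TOR_PARENTS:
                findings.append(("tor_unusual_parent", ev["pid"], parent))
            # Rule 2: tor.exe running from a user-writable location (an embedded bundle).
            if any(m in ev["image"].lower() for m in USER_WRITABLE_MARKERS):
                findings.append(("tor_user_writable_path", ev["pid"], ev["image"]))
        elif ev["type"] == "netconn" and ev["dst_ip"] == "127.0.0.1" \
                and ev["dst_port"] in SOCKS_PORTS:
            # Rule 3: a non-browser process using the local Tor SOCKS port.
            if basename(ev["image"]) not in KNOWN_TOR_PARENTS:
                findings.append(("local_socks_client", ev["pid"], basename(ev["image"])))
    return findings
```

Only the agent-launched Tor (pid 988) and the agent's SOCKS connection (pid 990) produce findings; the Tor Browser events are ignored because their parent and client image are on the allow list.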
3. C2 Server Architecture
The server (c2.py) performs several critical tasks:
- Socket Binding: Listens on `127.0.0.1:5555` (Tor forwards connections to this port).
- Session Handling: Each incoming connection creates a new `Bot` object (`bot.py`).
- Command Dispatcher: Allows selecting a bot session to interact with, backgrounding sessions, and sending mass commands.
It supports commands like:
- `targets`: List active bots.
- `session <id>`: Open a shell to interact with a bot.
- `kill <id>`: Terminate a session.
- `sendall <command>`: Broadcast a command to all bots.
All these operations are threaded to handle multiple sessions simultaneously.
4. Bot Management: Flexible and Interactive
Each Bot object (in bot.py) is a wrapper around a session, allowing:
- Reliable JSON-based communication (with error handling).
- File upload/download with progress tracking.
- Screenshot capture.
- Webcam image capture.
- Keylogging control.
- Privilege escalation checks.
Example of reliable communication:
```python
import json

def reliable_send(self, data):
    # Serialise the message as JSON and send it over the bot's socket
    jsondata = json.dumps(data)
    self.target.send(jsondata.encode('utf-8'))
```
This design ensures the bots are resilient to broken connections and can perform a wide range of post-exploitation tasks.
5. Agent Development: The Foot Soldier
The agent (agent.py) runs on the compromised machine. It:
- Boots up and starts a hidden Tor connection.
- Connects back to the server’s
.onionaddress via SOCKS5. - Enters a loop waiting for commands from the C2 server.
- Executes system commands, file transfers, screenshots, keylogging, WiFi dumps, and privilege escalation attempts.
Each feature (like file uploads, screenshots) is modularized and robust against connection interruptions.
Example — File Upload Handling:
```python
if command_data['command'] == 'upload':
    filename = command_data['filename']
    size = command_data['size']
    # Receive file in chunks
```
If a connection drops, the agent sleeps and tries reconnecting automatically.
6. Challenges and Solutions
| Challenge | Solution |
|---|---|
| Handling unstable Tor connections | Implemented retries and timeout handling. |
| Reliable JSON messaging | Added length-prefixed JSON messaging for larger payloads. |
| Scaling sessions | Used multi-threaded session management. |
| File transfer reliability | Chunked file sending with progress bars. |
| Avoiding detection | All traffic routed through Tor and optional pluggable transports possible for future versions. |
7. Future Enhancements
- OpSec Improvements: Randomized beaconing intervals to avoid traffic patterns.
- Encryption Over Tor: End-to-end encryption on top of Tor for double security.
- Multi-Channel C2: Adding I2P, WebSocket fallback.
- GUI Dashboard: For more intuitive control.
Final Thoughts
Building a C2 server over the Tor network was a deeply educational project. It gave me firsthand experience in:
- Secure networking
- Socket programming
- Multi-threaded systems
- Tor integration and traffic obfuscation
- Real-world attack techniques (for defense understanding)
Important Note:
This project is strictly for educational purposes, ethical red teaming, and to better understand how attackers operate — with the goal of improving defenses.
By understanding the attacker’s toolbox, defenders can better predict, prevent, and mitigate real-world threats.
The source code is available here: https://github.com/Suryah07/Stealth-Ruler
