
Relay Agent Reverse TCP listener

The relay listener takes a different approach to network communication from traditional listeners, which open a listening socket or receiver directly in the Command and Control (C2) server. It works as follows:

  1. No Direct Listening Socket in C2: Unlike typical listeners, the relay listener does not open any listening socket or receiver within the C2 infrastructure. This design suits scenarios where a direct connection to C2 would be detectable or impractical.

  2. Utilization of an Existing Agent Connection: The relay listener operates over the connection of an agent that is already checked in. It reuses that agent's established channel to C2, which the model relies on for operational security and stealth.

  3. Listener Configuration and Agent Selection: Configuring a relay listener means choosing a specific existing agent and a port number. The selected agent is then instructed to listen for connections on that port.

  4. Creation and Connection of a New Agent: When a new agent is generated for this listener and executed, it connects to the selected agent using the configured hostnames or IP addresses. This connection establishes the relay path.

  5. Establishing the New Agent in C2: A successful connection results in a new agent appearing in C2. Communication with this new agent, however, does not go directly through C2.

  6. Indirect Communication via the Selected Agent: All traffic to and from the new agent is routed through the agent selected during configuration, which acts as a relay between C2 and the new agent.

This relay listener model is most useful in complex networks where minimizing the number of direct connections to C2 is critical. Routing through an existing agent adds a layer of indirection, reduces the visibility of C2 traffic, and makes the activity harder for defensive systems to detect and counter.
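The topology described above has a recognizable shape from the network side: one internal host keeps an outbound session to an external address (the existing agent's C2 channel) while also accepting a new inbound TCP session from another internal host on a port it did not previously serve. The following detection logic, added here as an illustration and not part of the shelldot documentation or code, flags that pattern over constructed flow records. The internal address ranges, the per-host service baseline, and every flow record are assumptions made up for the example.

```python
"""Added example (not shelldot code): flag internal hosts whose connection
pattern matches a relay agent, i.e. a host that serves an unbaselined port to
another internal host while itself holding a session to an external address.
All addresses, baselines and flow records below are constructed."""

from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed private ranges treated as "internal" for this example.
INTERNAL_NETS = (ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16"))

# Constructed baseline: ports each internal host is known to serve. A relay
# agent opens a port the host did not serve before, and with startTime it may
# do so well after the initial compromise, so compare against a baseline that
# is refreshed over time rather than one captured once.
BASELINE_SERVICES = {"10.0.0.10": {139, 445}}

# Constructed flow records: (timestamp, src_ip, src_port, dst_ip, dst_port).
FLOWS = [
    ("2024-01-01T10:00:00Z", "10.0.1.5", 51000, "203.0.113.7", 443),     # 10.0.1.5 -> external
    ("2024-01-01T10:05:00Z", "10.0.1.9", 50234, "10.0.1.5", 8443),       # peer -> 10.0.1.5 on an unbaselined port
    ("2024-01-01T10:05:10Z", "10.0.1.5", 51000, "203.0.113.7", 443),
    ("2024-01-01T10:06:00Z", "10.0.2.20", 49100, "10.0.0.10", 445),      # ordinary file-server access
    ("2024-01-01T10:07:00Z", "10.0.2.20", 49101, "198.51.100.3", 443),   # external, but no inbound peer
]


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the constructed internal ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_relay_candidates(flows, baseline=BASELINE_SERVICES):
    """Return sorted (relay_host, downstream_host, port, external_peer) tuples.

    A host is a candidate when it both accepts an internal connection on a
    port absent from its baseline and talks to an external address. Hosts
    that only do one of the two (a normal server, or a normal client) are
    not reported."""
    external_peers = defaultdict(set)      # internal host -> external addresses it talks to
    unexpected_inbound = defaultdict(set)  # internal host -> (client, port) on unbaselined ports

    for _ts, src, _sport, dst, dport in flows:
        if is_internal(src) and not is_internal(dst):
            external_peers[src].add(dst)
        elif is_internal(src) and is_internal(dst):
            if dport not in baseline.get(dst, set()):
                unexpected_inbound[dst].add((src, dport))

    candidates = []
    for host, clients in unexpected_inbound.items():
        for client, port in sorted(clients):
            for ext in sorted(external_peers.get(host, ())):
                candidates.append((host, client, port, ext))
    return sorted(candidates)


if __name__ == "__main__":
    for relay, client, port, ext in find_relay_candidates(FLOWS):
        print(f"possible relay: {client} -> {relay}:{port} -> {ext}")
```

On the constructed records this reports one chain, 10.0.1.9 -> 10.0.1.5:8443 -> 203.0.113.7, and stays quiet for the file server and for the workstation that only talks outbound. Because the handshake bytes are operator-chosen and random, payload signatures are unreliable for this listener type; the connection graph, together with host telemetry showing a process that suddenly binds a new port, is the more durable signal.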

Plugin ID: shelldot.listener.relay-agent-reverse-tcp

Configuration

  • relayAgentGuid - GUID of the existing agent that will start listening for connections
  • hosts - Hostnames or IP addresses at which new agents can reach the agent identified by relayAgentGuid
  • port - TCP port on which the relay agent listens for incoming connections
  • handshakeBytes - Bytes used for the initial handshake between agents; should be random
  • startTime - If the listener should not start right away, this value sets the start time (for example "2023-04-10T11:02:09Z")