This is a **pet project** designed for learning and experimentation with **Command & Control (C2) frameworks**. But I'm not excluding the possibility of turning it into a full-scale usable C2 for my future penetration testing work. It features a secure C2 server written in Go and a Windows-based agent written in C. The project focuses on encrypted communication, implant management, task execution, data exfiltration and overall stealthy operations.
This project is proprietary and confidential. Unauthorized copying, distribution, modification, or public sharing of this codebase is strictly prohibited.
> ⚠️ **Usage is permitted only for personal learning and experimentation. Redistribution or commercial use is forbidden.**
### This update is pretty big and contains some radical changes to the project.
- The SSL, TCP and DNS communication channels have been stripped out and only HTTPS is left. The reason is simple: the communication architecture was not thought out from the start and was adjusted on the fly, with long and painful debugging sessions, every time a new communication-related feature was added. I decided to stick with HTTPS as it may cover 99% of all engagement needs and allows maintaining cover during operations.
- HTTPS traffic shaping is introduced via a YAML config file. It allows specifying the hosted domains, their respective certificate paths, content paths, and the headers/cookies used for identifying agents and exchanging messages with the server. Clients that are not identified as C2 agents are served the usual web content.
- C2 communication inside HTTPS is encrypted (not by the HTTPS encapsulation itself, but with its own layer, so that messages look like benign cookie strings). Currently encryption is done with a hardcoded key. In the next updates I will implement dynamic session key generation.
- Three injection techniques have been tested and seem to work well. Output capturing has been implemented with named pipes, so currently it only captures output from specifically crafted modules.
- For every injection command you can now specify the **--donut** flag followed by donut arguments. This way you can directly inject .EXE, .DLL and .NET stuff :)
- Beacon, beacon, beacon... was removed as I was fully rethinking its purpose and understood it brings nothing to operations. It will be replaced with a stager or some kind of very stealthy long-haul implant, or a fall-back option for maintaining a foothold on the target system.
- Talking about stagers: a stager prototype is already in the repository. It works but is not yet fully integrated into the server. Plans are to add sandbox detection to it and maybe even persistence. Again, I'm still building the concept of this C2 server in my head and many things can change in the future.
- A lot of source file restructuring and code cleanup has been done.
PS. An interesting idea for using named pipes is hatching in my head... but I will share it later.
- An HTTPS communication channel was implemented for the agent. Uploading files to the server is not yet supported, but will be in the near future.
- Agent and server files have been restructured for convenience. Agent source files have also been split up for convenience and readability.
- The operator's terminal was enhanced to better display output. Also, some commands were renamed to be more intuitive, and some errors that led to terminal panics have been fixed. The command parser has also been enhanced so that it does not mismatch commands and handles them strictly. The 'tasks' command now works in both general and agent contexts.
- File path handling was fixed in the 'download', 'upload' and 'spawn' commands. File paths with spaces are now handled correctly.
- WolfSSL was ditched, as it is not really necessary anymore.
#### Next areas of my focus are:
- Rewrite the command sending logic to use a TLV approach or some custom protocol, because sending plain strings is not OPSEC-friendly (even inside SSL) and not very extensible.
- Implement HTTPS profiles to mimic legitimate traffic.
- After that I will start adding more post-exploitation modules.
- Also, I'm rethinking the purpose of the beacon. Maybe I will rewrite it into more of a stager or recon implant.
- The beacon in Go got fully replaced with a beacon written in C. Old beacon files were removed.
- Added an HTTP listener to the server and an HTTP communication channel to the beacon. This was actually pretty hard for me to implement. I learned more about interfaces and abstractions in C; that's basically how I was able to add a request-response HTTP protocol to my transport abstraction, which was initially created for stream-based protocols.
- Changed the project folder structure a bit, and will continue doing so until my internal perfectionist is satisfied.
- Small fixes like task result parsing and reporting, cosmetic adjustments, taskID fixes, and pid and ppid fixes in the injection logic.
- A lot of new ideas have come to my mind since the last version. I have a working prototype of DLL unhooking and API hashing, so there is a possibility of adding those soon. But, of course, first I need to polish the HTTP listener's profile logic.
- Added size optimization flags to the payload generator
- Fixed preprocessor macros for transport selection
- HTTPS implants now send messages via GET, and big messages via POST
- Moved target cookies and headers inside domain profiles
- Added task ID reporting by the client, which helps identify the operator who issued a command. In the next version, task results will be reported selectively to the operator who sent the command.