Skip to content

Latest commit

 

History

History
76 lines (66 loc) · 3.04 KB

README.md

File metadata and controls

76 lines (66 loc) · 3.04 KB

HTTPWorker

HTTPWorker is a Flask-based HTTP(S) command and control framework with custom Windows implants (EXE and DLL) written in C++. It was designed to be simple to deploy and easily configurable for security competitions.

Implant Capabilities

  • command execution
  • file upload
  • file download
  • fetch system information (OS, network addresses, public IP, username, device name, memory amount, region)
  • DLL loading
  • screenshot
  • process list
  • process kill

Server Capabilities

In addition to coordinating implant communication, the Flask webapp provides a simple and easy to use web interface for interacting with connected bots.

The "Bots" page shows the full list of clients which have called back to the C2 - UUID, IP addresses, and the time of last checkin.

The panel is locked behind an authentication page with user accounts. Passwords are hashed using scrypt.

Setup

Server

Prerequisites

  • docker
  • docker-compose

Quick Install

Clone repo

git clone https://github.com/JrM2628/httpworker.git

Go to server directory

cd httpworker/server

Start server

sudo docker-compose up

Create account

From browser: https://[C2 IP Address]:5000/signup

Containers

There are two containers in this C2 setup.

proxy
  • Nginx reverse proxy which directs traffic to webapp:5000
  • Exposed port: 80, 443
  • Redirects any attempt to access /signup endpoint to https://www.ritsec.club
  • Default cert.crt and key.pem are included, though they should be changed out to prevent against certificate fingerprinting
webapp
  • Flask server which handles C2 web application/API logic
  • Exposed ports: 5000
  • External access to this server should be restricted with a firewall rule that only allows access from a red team-controlled device
    • This is because /signup endpoint is accessible via this server, allowing anyone to create a red team account

Pwnboard

Pwnboard is used by RIT red teams in security competitions and engagements to track beacons in one consolidated place. To enable Pwnboard integration:

  1. Set app.pwnboard_enabled to "true" in __ init__.py
  2. Set app.pwnboard_host to the hostname of the pwnboard (no scheme or URL endpoint) in __ init__.py
  3. Verify IP regex in heartbeat function (bot_communication.py) is set correctly. Defaults to 10.0.0.0/8

Client

  1. Choose whether you want EXE, DLL, or service (coming soon) implant
  2. Open desired solution file from client/windows and compile in release mode
  3. Modify build.py configuration values to align with desired values
    • Hostname, port, and sleeptime almost definitely need to be changed
    • Endpoints, key, xorKey should be changed to prevent against detection but updating these values will require changing the values server-side
  4. python3 build.py --v --i httpworker.exe --o out.exe
  5. (Optional) sign using self-signed cert
    • .\signtool.exe sign /v /a /debug /f "path\to\signingcert.pfx" /p Password123! .\out.exe