Skip to content

Latest commit

 

History

History
100 lines (81 loc) · 5.16 KB

README.md

File metadata and controls

100 lines (81 loc) · 5.16 KB

GrayMan

C2 framework trying to be sneaky https://en.wikipedia.org/wiki/Everyday_carry#Grey_man_theory

Objectives

  • support multiple failover c2 mechanisms by leveraging a pluggable model.
    • multiple randomly selected http channels
    • multiple dns channels
    • easily issue a migration to a new channel or deprecate/demote a channel
  • time-based heirarchy of trust. (older agents/channels are more trust-worthy)
  • payload keying and instruction targeting
  • c2 channels selected by degree of interactivity and data directionality
    • Long-haul servers for "aliveness"
    • burnable interactive servers proxied by caddy?
    • separate inbound and outbound traffic.
  • Leverage well-known and trusted platforms (twitter, facebook, amazon, discord, etc.) for c2 issuance
  • e2e pluggable encryption
    • static aes keys
    • random aes keys require all clients to use a brute-force decryption method. slow down analysis.
      • 65536 possible aes keys.

Separte C2 command distribution and collection channels

We should separate the distribution and collection to help obfuscate the flow of information.

image

Commands and responses

plaintext job

{
   "valid":true,
   "timestamp":1645804244,
   "target":"uuid_here",
   "targettags":[
      "tag1",
      "tag2"
   ],
   "jobid":"uuid_here",
   "comment_for_command":"command is hex-encoded",
   "command":"646174652626686f73746e616d652626696426266375726c206966636f6e6669672e6d65"
}

image

plaintext job issued encrypted with 1337deadbeefRAND where RAND is four base16 chars

d77208cdbaf40a8e088bf4258f6338ff39d23bcb47eb7c4d8bfc74b895ab9c02a7ad0b91353f6e3f48ff90d0e729deae7f477b83e55f5449d5e114e9e5dc79745eaf1546eb7383d569f0be73539e6e597fa7a7090a166bbb2a2f5ebe23b1b7b356209d4a9f5f796d5b669d2016087d16f97f09d9b42a5efae9f1bf10b7c0e9ec1885f509941723f77bbe06729be08b927e2b4c7f4e76d2729d0194c29801cfb0c16b0ed4d41c62e23ec48ffdaf3019f118cb88fbd86172fe979489

plaintext response from agent

{
   "valid":true,
   "timestamp":1645804244,
   "host":"uuid_here",
   "jobid":"uuid_here",
   "partid":1,
   "partcount":1337,
   "payload":"467269204665622032352031313a32323a333520414d2043535420323032320d0a61646d696e6973747261746f720d0a7569643d3130303028736879667429206769643d31303030287368796674292067726f7570733d31303030287368796674292c342861646d292c3230286469616c6f7574292c3234286364726f6d292c3237287375646f292c333028646970292c343628706c7567646576292c313232286c7061646d696e292c313331286c7864292c3133322873616d62617368617265292c3133332877697265736861726b292c313337286c696276697274292c3939362876626f787573657273292c39393828646f636b6572290d0a37302e3137382e3131312e313937"
}

encrypted response from implant

d77208cdbaf40a8e088bf4258f6338ff39d23bcb47eb7c4d8bfc74b895ab9c02a7ad0b91353f6e3f48ff90d0e729deae7f47678de44c1307d5ae43f5f4ea754e29e4658b1cfbb00899ca9cd4ef52ee76a474810b177659774be6f32c1abaef3969c289ea15683cfa783f00ffa8c74b1eda9858e0826bd83818f09132420c8b94733d2e19e15e7d2eee1a53a9f2faaf63467f42e29ce055e7d0a086358a751a5474d62b69ebd87de6992a4c614bc4b4a1684caa50cb3a868405c08398f80c933c2451efc888644405ec675ca61a7db801663cd74bc93ffad381f68bcfa94b2cdf7b2fc1ccca42dcbd48199d1a2cbfc2cc94d96636eb5d81acd73fb451a17e3c75d2b13001922294ddfa024c99a587298731320bf5821715a78d1fc8a186a85d884670f4a16827fbbcb6323aae388be0b09851a2f0baa8d89fbe21cd6cb3430f5b3c1fa82bf3eadee4f91e6a370b5ad1bdccaed369859a9a9c923a64b5ebe7708b25cd0974a441b33a91b1442d8fca7f78edeac2962cfe461c3a93dc273097a1cc3f498c211782cf7b2b36b54426eed1f226264dd1eae1365199b5d69445940391b2da3c7c4224b27f53ee7b346c1959973a7f1bf86b846005b3203ca4ef2119ead67ad234b5f3f4acd0236da9eebdf71b5c94465cf065e205115a2eeda8881131cf071d269b783ac8a4e234d98bc7dd3f4539c31f6cc5515e3a44ef1cb8691b82cd511bc0c2300a0066d92c842ddd735441c22143d342bfdb8685de11cfad8fcf8d479380a18abdf7bfc6e11ddbe3e5ec3575b711060506d5f6eb7082be3b148489d6d7bf27d0c897a5b4c7b69eec79b9aeff961979047c6f8f245446e3ead3eee1c4e3e41280d895fa063958ad93402d1993808a121418f8248bec018e027737398af64c4303e8d023cedf0973a72f6fe8795ca43573610ec69fefb6bba659cfc4c357

image

image

All comms should be encrypted. Most of these should support bidirectional communications.

There is an emphasis on http-based channels for ease of implementation but other mechanisms should be considered as well.

libraries

https://github.com/ShyftXero/aes