Disclaimer: This project was developed exclusively for academic and educational purposes as part of a Masters in Cybersecurity and Digital Forensics at the Polytechnic University of Leiria. It is a Proof of Concept (PoC) designed to study post-exploitation communication models, vulnerabilities, and defensive strategies. Do not use this software on systems where you do not have explicit permission.
Unpatched vulnerabilities in commonly used software remain one of the primary ways malware infiltrates a network. Attackers exploit these weaknesses to establish Command and Control (C2) infrastructure, gaining persistent access and expanding the attack surface.
This project presents the design and analysis of a modular C2 framework that explores post-exploitation communication models. By leveraging Google Remote Procedure Call (gRPC) and Protocol Buffers, together with Mutual TLS (mTLS), this work examines how modern communication and security mechanisms can improve traditional C2 designs. The architecture is built to be fast, highly modular, and easily upgradable.
The framework follows a distributed client-server architecture, comprising two main entities:
- C2 Server (Python): The central command hub, responsible for managing agents, distributing tasks, handling plugins, and processing exploits. It features a Terminal User Interface (TUI) for administration and SQLite for database management.
- Agent (Go): The payload deployed on target machines. It connects back to the C2 server using secure, mutually authenticated channels.
- mTLS (Mutual TLS): Ensures both the C2 server and the agents cryptographically verify each other's certificates before establishing a connection, preventing rogue agents or server spoofing.
- gRPC & Protobuf: A highly efficient, strongly typed communication protocol that ensures fast, cross-platform data serialization and remote procedure execution.
- Modular Plugin System: Extend agent functionality dynamically without needing to recompile the core agent binary.
- Exploit Engine: Built-in modules to test known vulnerabilities and establish initial footholds.
- Encrypted Tunnels: Secure communication channels that mask post-exploitation traffic using encrypted proxies.
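The mutual verification described above, as an added example that is not code from this project: a stand-alone Go program using only the standard library that mints a throwaway C2 CA and an unrelated attacker CA, then runs three loopback handshakes, a legitimate agent, a rogue agent whose certificate the C2 CA never signed, and a server impersonating the C2 hostname. The hostname `c2.example`, the CA and agent names, the 24-hour validity and the port-zero loopback listener are all constructed for this example; the project's real certificates come from its `mkca.sh` and `gen_keys.py` scripts, not from this code.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// must aborts on a setup error; acceptable in a self-contained demo, not in library code.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// cred is a certificate with its key, plus a pool holding only it (a CA's trust anchor).
type cred struct {
	cert tls.Certificate
	pool *x509.CertPool
}

// makeCert issues an ECDSA P-256 certificate: a self-signed CA when parent is nil,
// otherwise a leaf signed by parent that is valid for server and client authentication.
func makeCert(cn string, parent *cred) cred {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	if parent == nil { // self-signed root: the one thing each side is told to trust
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.DNSNames = true, true, nil
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent = &cred{cert: tls.Certificate{Leaf: tmpl, PrivateKey: key}}
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent.cert.Leaf, &key.PublicKey, parent.cert.PrivateKey))
	c := cred{tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}, x509.NewCertPool()}
	c.pool.AddCert(c.cert.Leaf)
	return c
}

// handshakeResult: ServerErr means the server rejected the client, ClientErr the reverse.
type handshakeResult struct{ ServerErr, ClientErr error }

// mtlsHandshake runs one TLS 1.3 handshake over loopback: the server presents serverCert and
// trusts serverCA, the agent presents agentCert and trusts agentCA. RequireAndVerifyClientCert
// is what makes it mutual: an agent whose cert does not chain to serverCA gets no session.
func mtlsHandshake(serverCert, serverCA, agentCert, agentCA cred) handshakeResult {
	ln := must(net.Listen("tcp", "127.0.0.1:0"))
	defer ln.Close()
	serverErr := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		if err == nil {
			defer raw.Close()
			raw.SetDeadline(time.Now().Add(5 * time.Second)) // never hang the demo on a stalled peer
			err = tls.Server(raw, &tls.Config{
				Certificates: []tls.Certificate{serverCert.cert},
				ClientAuth:   tls.RequireAndVerifyClientCert,
				ClientCAs:    serverCA.pool,
				MinVersion:   tls.VersionTLS13,
			}).Handshake()
		}
		serverErr <- err
	}()
	raw := must(net.DialTimeout("tcp", ln.Addr().String(), 5*time.Second))
	clientErr := tls.Client(raw, &tls.Config{
		Certificates: []tls.Certificate{agentCert.cert},
		RootCAs:      agentCA.pool, // only this CA may vouch for the server
		ServerName:   "c2.example", // hostname constructed for this example
		MinVersion:   tls.VersionTLS13,
	}).Handshake()
	return handshakeResult{<-serverErr, clientErr}
}

// runScenarios builds a C2 PKI and an unrelated attacker PKI (all names constructed for
// this example) and plays out a legitimate agent, a rogue agent and a spoofed server.
func runScenarios() (legit, rogueAgent, spoofedServer handshakeResult) {
	c2CA, evilCA := makeCert("C2 Root CA", nil), makeCert("Attacker CA", nil)
	server, agent := makeCert("c2.example", &c2CA), makeCert("agent-01", &c2CA)
	rogue, fake := makeCert("agent-01", &evilCA), makeCert("c2.example", &evilCA)
	return mtlsHandshake(server, c2CA, agent, c2CA),
		mtlsHandshake(server, c2CA, rogue, c2CA), // agent cert the C2 CA never signed
		mtlsHandshake(fake, evilCA, agent, c2CA) // server impersonating the C2 hostname
}

func main() {
	fmt.Println(runScenarios()) // legit: {<nil> <nil>}; the other two carry one side's rejection
}
```

The detail to watch in the output is which side says no. `ClientAuth: tls.RequireAndVerifyClientCert` together with `ClientCAs` is what makes the server refuse the rogue agent during its own handshake; without it any TLS client could register. The agent's `RootCAs` restricted to the C2 CA is what makes it refuse the spoofed server; without it an agent would report to whoever answers on the configured address. Both checks have to be present for the property in the bullet above to hold.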
Plugins shipped with the framework:

- `sysinfo`: Retrieves system architecture and OS details.
- `networkscan`: Discovers active hosts on the local network.
- `miniransom`: Educational implementation of file encryption and decryption.
- `pivot-proxy-go`: Facilitates lateral movement and network pivoting.
- `pivot-check`: Validates pivoting routes.
- `webploit`: Web-based exploitation testing tools.
Exploit modules included in the Exploit Engine:

- `sambacry` (CVE-2017-7494)
- `webmin` (CVE-2019-15107)
This project utilizes Docker to streamline the setup of the C2 infrastructure.
- Python 3.x (for local testing and scripting)
- Go (for compiling the Go-based agent)
- Docker and Docker Compose (the C2 server runs in containers)
- Clone the repository:

  ```bash
  git clone https://github.com/monico18/SRC-malware_project.git
  cd SRC-malware_project
  ```

- Generate certificates: before starting the server, you must generate the mTLS certificates.

  ```bash
  cd C2/scripts
  chmod +x mkca.sh
  ./mkca.sh
  python3 gen_keys.py
  ```

- Start the C2 infrastructure: use Docker Compose to build and run the C2 server.

  ```bash
  docker compose up --build
  ```

- Compile an agent: navigate to the `Agent-Go` directory to build a payload.

  ```bash
  cd Agent-Go
  make build
  ```
- Miguel Roma - 2025138654@my.ipleiria.pt
- Tomás Santos - 2023104770@my.ipleiria.pt
Masters in Cybersecurity and Digital Forensics, Polytechnic University of Leiria, Portugal.
This project is licensed under the terms found in the LICENSE file.

