andrew.rioux/sparse
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity
sparse/sparse-05
History

README.md

Sparse 0.5

Sparse 0.5 is a stopgap solution until the C2 framework itself is more mature. It has several improvements over the proof of concept version, to include:

  • The client is no longer bound to the server, the configuration can be shared
  • A richer CLI with Sparse specific commands such as #upload, #download, and #edit
  • A Windows version using winpcap, with both standalone binary and service versions

How it works, or what makes this unique

Read the blog post about it

Sparse 0.5 weaponizes libpcap to both receive and send packets. It listens at the network interface level, recreating IP packets to respond to a UDP stream inbound to a specific port. Due to how libpcap creates a raw socket, the only thing the operating system sees is arbitrary writes to the network interface, bypassing the ACLs and auditing included in the IP, UDP, and TCP protocol suites built into the operating system.

Obtaining

Sparse 0.5 is immediately ready to build from source if using the Nix package manager (with flakes enabled) by running nix build .#sparse-05-client.

FreeBSD support

Building normally will only produce a client that can generate beacons for Linux and Windows, lacking proper FreeBSD support. To build the client with FreeBSD support, create a FreeBSD build environment by running vagrant up and compiling a FreeBSD sparse binary by running sparse-build or sparse-build --release. With the FreeBSD binary built, copy it from target/x86_64-unknown-freebsd to sparse-05/sparse-05-freebsd-server, and rebuild using Nix

Use

Using sparse centers around the client. The client can generate new servers as well as the configuration file necessary to connect to the server, connect to a server for a shell, and verify the connection against a server.

Generating a new server

Sparse supports 4 different targets:

  • Linux
  • Windows
  • Windows service
  • FreeBSD

The basics center around sparse-05-client generate <name> [-p <port>] [-t <target>]. This generates both a server and the configuration file necessary to connect to the server.

If the port is not specified, it defaults to 54248.

Linux

To install the Linux service, there are a few options:

  • Run as root
  • Run with CAP_NET_RAW and CAP_SETUID as a non-root user
  • Run in a Docker container running as root on Linux with kernel version 5.13 or greater and the --privileged and --pid=host flags

Windows

The Windows version requires an installation of winpcap 4.1, which can be downloaded from their website.

As of Jan 25 2023, Windows Defender is suspicious of exe builds of the sparse server but only tries to submit samples and does not declare it malicious.

Windows service

The Windows service has the same requirements, but can be installed with sc create <service name> DisplayName= <service name> binPath= <service exe path>.

As of Jan 25 2023, Windows Defender marks the Windows service binary as malicious

FreeBSD

Create a service to run the resulting binary as root

Connect

After installing and running the server, it is possible to connect using the generated scon file and sparse-05-client with sparse-05-client connect <name>.scon <service ip>:<service port>.

This brings up a shell that can run commands. However, there are special commands that are injected:

  • #help: shows sparse specific help
  • #sysinfo: prints information about the system being connected to
  • #upload [local] [remote]: uploads a file from the local path to the remote path
  • #download [remote] [local]: downloads a file from the remote path to the local path
  • #edit [remote]: downloads a file remotely and opens it in $EDITOR, and uploads the final version

Connection test

To verify that an installed service is still alive and working, run sparse-05-client connect-test <name>.scon <service ip>:<service port>