<!--
Copyright (C) 2023 Andrew Rioux

This program is free software: you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU Affero General Public License for more details.

You should have received a copy of the GNU Affero General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
-->

# Sparse 0.5

Sparse 0.5 is a stopgap solution until the C2 framework itself is more mature. It has several improvements over the proof of concept version, including:

- The client is no longer bound to the server; the configuration can be shared
- A richer CLI with Sparse-specific commands such as #upload, #download, and #edit
- A Windows version using WinPcap, with both standalone binary and service versions

# Obtaining

Currently, there are no prebuilt binaries. However, sparse can easily be built if the [Nix package manager](https://nixos.org/download) is installed. Just clone this repository and run `nix build .#sparse-05-client` and the client will be placed in `result/bin`.

# Use

Using sparse centers around the client. The client can generate new servers as well as the configuration file necessary to connect to the server, connect to a server for a shell, and verify the connection against a server.

## Generating a new server

Sparse supports 3 different targets:

- Linux
- Windows
- Windows service

The basics center around `sparse-05-client generate <name> [-p <port>] [-t <target>]`. This generates both a server and the configuration file necessary to connect to the server. The keys and port ensure that the connection is unique, which has the added property that multiple versions of `sparse-05` can be running on a target system with the same port.

If the port is not specified, it defaults to 54248.

### Linux

To install the Linux service, there are a few options:

- Run as root
- Run with CAP_NET_RAW and CAP_SETUID as a non-root user
- Run in a Docker container running as root on Linux with kernel version 5.13 or greater and the `--privileged` and `--pid=host` flags

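A defender-side check for the second option above, as an added example that is not part of the Sparse project: it reads `/proc/<pid>/status` and lists non-root processes whose effective capability set includes both CAP_NET_RAW and CAP_SETUID. The sample status excerpts and the process names in them are constructed.

```python
import glob

# Bit numbers from <linux/capability.h>
CAP_SETUID, CAP_NET_RAW = 7, 13
WANTED = (1 << CAP_SETUID) | (1 << CAP_NET_RAW)

# Constructed sample /proc/<pid>/status excerpts (not captured from a real host).
SAMPLE_STATUS = [
    "Name:\tsshd\nUid:\t0\t0\t0\t0\nCapEff:\t000001ffffffffff\n",
    "Name:\tnginx\nUid:\t33\t33\t33\t33\nCapEff:\t0000000000000400\n",
    "Name:\tping\nUid:\t1000\t1000\t1000\t1000\nCapEff:\t0000000000002000\n",
    "Name:\tsvc-helper\nUid:\t1001\t1001\t1001\t1001\nCapEff:\t0000000000002080\n",
]

def parse_status(text):
    """Return (name, effective uid, CapEff mask) from status file text."""
    fields = dict(l.split(":", 1) for l in text.splitlines() if ":" in l)
    euid = int(fields["Uid"].split()[1])  # order: real, effective, saved, fs
    return fields["Name"].strip(), euid, int(fields["CapEff"].strip(), 16)

def audit(status_texts):
    """List (name, euid) of non-root processes holding both capabilities.

    Root processes normally hold every capability, so they are skipped here
    and need a different check (for example an allowlist of services).
    """
    findings = []
    for text in status_texts:
        try:
            name, euid, cap_eff = parse_status(text)
        except (KeyError, ValueError, IndexError):
            continue  # process exited mid-read or unexpected format
        if euid != 0 and (cap_eff & WANTED) == WANTED:
            findings.append((name, euid))
    return findings

def live_status_texts():
    """Yield status text for every process on the local Linux host."""
    for path in glob.glob("/proc/[0-9]*/status"):
        try:
            with open(path) as fh:
                yield fh.read()
        except OSError:
            continue  # process ended between listing and reading

if __name__ == "__main__":
    print("sample:", audit(SAMPLE_STATUS))
    print("live:", audit(live_status_texts()))
```
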
### Windows

The Windows version requires an installation of WinPcap 4.1, which can be downloaded from [their website](https://www.winpcap.org/install/default.htm).

As of Jan 25 2023, Windows Defender is suspicious of exe builds of the sparse server but only tries to submit samples and does not declare it malicious.

### Windows service

The Windows service has the same requirements, but can be installed with `sc create <service name> DisplayName= <service name> binPath= <service exe path>`.

As of Jan 25 2023, Windows Defender marks the Windows service binary as malicious.

## Connect

After installing and running the server, it is possible to connect using the generated `scon` file and `sparse-05-client` with `sparse-05-client connect <name>.scon <service ip>:<service port>`.

This brings up a shell that can run commands. However, there are special commands that are injected:

- `#help`: shows Sparse-specific help
- `#sysinfo`: prints information about the system being connected to
- `#upload [local] [remote]`: uploads a file from the local path to the remote path