Sparse 0.5

Sparse 0.5 is a stopgap solution until the C2 framework itself is more mature. It has several improvements over the proof-of-concept version, including:

  • The client is no longer bound to the server; the configuration can be shared
  • A richer CLI with Sparse-specific commands such as #upload, #download, and #edit
  • A Windows version using winpcap, with both standalone binary and service versions

Obtaining

Currently, there are no prebuilt binaries. However, sparse can easily be built if the Nix package manager is installed. Just clone this repository and run nix build .#sparse-05-client and the client will be placed in result/bin.

Use

Using sparse centers around the client. The client can generate new servers as well as the configuration file necessary to connect to the server, connect to a server for a shell, and verify the connection against a server.

Generating a new server

Sparse supports 3 different targets:

  • Linux
  • Windows
  • Windows service

The basics center around sparse-05-client generate <name> [-p <port>] [-t <target>]. This generates both a server and the configuration file necessary to connect to the server. The keys and port ensure that the connection is unique, which has the added property that multiple versions of sparse-05 can be running on a target system with the same port.

If the port is not specified, it defaults to 54248.

Linux

To install the Linux service, there are a few options:

  • Run as root
  • Run with CAP_NET_RAW and CAP_SETUID as a non-root user
  • Run in a Docker container running as root on Linux with kernel version 5.13 or greater and the --privileged and --pid=host flags
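
For defenders, the second option leaves a recognisable footprint: a non-root process holding both CAP_NET_RAW and CAP_SETUID in its effective set. The check below is an added example, not part of the sparse code base; it parses /proc/<pid>/status, and the sample status excerpts and process names in it are constructed for illustration.

```python
# Added example (not sparse project code): flag non-root processes whose
# effective capability set includes both CAP_NET_RAW and CAP_SETUID.
import os

CAP_SETUID = 7    # bit positions from linux/capability.h
CAP_NET_RAW = 13
WANTED = (1 << CAP_SETUID) | (1 << CAP_NET_RAW)


def parse_status(text):
    """Return (name, effective_uid, effective_caps) from /proc/<pid>/status text."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    euid = int(fields["Uid"].split()[1])  # order: real, effective, saved, fs
    cap_eff = int(fields["CapEff"], 16)   # hex bitmask of effective capabilities
    return fields.get("Name", "?"), euid, cap_eff


def is_suspicious(text):
    """True for a non-root process holding both capabilities."""
    _, euid, cap_eff = parse_status(text)
    return euid != 0 and (cap_eff & WANTED) == WANTED


def scan_proc(proc_root="/proc"):
    """Yield (pid, name) for matching live processes; skips unreadable entries."""
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "status")) as fh:
                text = fh.read()
            if is_suspicious(text):
                yield int(entry), parse_status(text)[0]
        except (OSError, KeyError, ValueError, IndexError):
            continue  # process exited, fields missing, or access denied


# Constructed sample status excerpts (not captured from a real host).
SAMPLE_BOTH = "Name:\tsvc-helper\nUid:\t1000\t1000\t1000\t1000\nCapEff:\t0000000000002080\n"
SAMPLE_PING = "Name:\tping\nUid:\t1000\t1000\t1000\t1000\nCapEff:\t0000000000002000\n"
SAMPLE_ROOT = "Name:\tsshd\nUid:\t0\t0\t0\t0\nCapEff:\t000001ffffffffff\n"

if __name__ == "__main__":
    for pid, name in scan_proc():
        print(pid, name)
```

Processes running as root, including root inside a privileged container, are deliberately excluded by this check and need a separate review.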

Windows

The Windows version requires an installation of winpcap 4.1, which can be downloaded from their website.

As of Jan 25 2023, Windows Defender is suspicious of exe builds of the sparse server but only tries to submit samples and does not declare it malicious.

Windows service

The Windows service has the same requirements, but can be installed with sc create <service name> DisplayName= <service name> binPath= <service exe path>.

As of Jan 25 2023, Windows Defender marks the Windows service binary as malicious.

Connect

After installing and running the server, it is possible to connect using the generated scon file and sparse-05-client with sparse-05-client connect <name>.scon <service ip>:<service port>.

This brings up a shell that can run commands. However, there are special commands that are injected:

  • #help: shows sparse-specific help
  • #sysinfo: prints information about the system being connected to
  • #upload [local] [remote]: uploads a file from the local path to the remote path