95 lines
4.6 KiB
Markdown
95 lines
4.6 KiB
Markdown
<!--
|
|
Copyright (C) 2023 Andrew Rioux
|
|
|
|
This program is free software: you can redistribute it and/or modify
|
|
it under the terms of the GNU Affero General Public License as
|
|
published by the Free Software Foundation, either version 3 of the
|
|
License, or (at your option) any later version.
|
|
|
|
This program is distributed in the hope that it will be useful,
|
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
GNU Affero General Public License for more details.
|
|
|
|
You should have received a copy of the GNU Affero General Public License
|
|
along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
-->
|
|
|
|
# Sparse 0.5
|
|
|
|
Sparse 0.5 is a stopgap solution until the C2 framework itself is more mature. It has several improvements over the proof of concept version, to include:
|
|
|
|
- The client is no longer bound to the server, the configuration can be shared
|
|
- A richer CLI with Sparse specific commands such as #upload, #download, and #edit
|
|
- A Windows version using winpcap, with both standalone binary and service versions
|
|
|
|
## How it works, or what makes this unique
|
|
|
|
[Read the blog post about it](https://andrew.riouxs.co/articles/20251017-direct-network-access.html)
|
|
|
|
Sparse 0.5 weaponizes libpcap to both receive and send packets. It listens at the network interface level, recreating IP packets to respond to a UDP stream inbound to a specific port. Due to how libpcap creates a raw socket, the only thing the operating system sees is arbitrary writes to the network interface, bypassing the ACLs and auditing included in the IP, UDP, and TCP protocol suites built into the operating system.
|
|
|
|
# Obtaining
|
|
|
|
Sparse 0.5 is immediately ready to build from source if using the [Nix package manager](https://nixos.org/download) ([with flakes enabled](https://nixos.wiki/wiki/Flakes)) by running `nix build .#sparse-05-client`.
|
|
|
|
## FreeBSD support
|
|
|
|
Building normally will only produce a client that can generate beacons for Linux and Windows, lacking proper FreeBSD support. To build the client with FreeBSD support, create a FreeBSD build environment by running `vagrant up` and compiling a FreeBSD sparse binary by running `sparse-build` or `sparse-build --release`. With the FreeBSD binary built, copy it from `target/x86_64-unknown-freebsd` to `sparse-05/sparse-05-freebsd-server`, and rebuild using Nix
|
|
|
|
# Use
|
|
|
|
Using sparse centers around the client. The client can generate new servers as well as the configuration file necessary to connect to the server, connect to a server for a shell, and verify the connection against a server.
|
|
|
|
## Generating a new server
|
|
|
|
Sparse supports 4 different targets:
|
|
- Linux
|
|
- Windows
|
|
- Windows service
|
|
- FreeBSD
|
|
|
|
The basics center around `sparse-05-client generate <name> [-p <port>] [-t <target>]`. This generates both a server and the configuration file necessary to connect to the server.
|
|
|
|
If the port is not specified, it defaults to 54248.
|
|
|
|
### Linux
|
|
|
|
To install the Linux service, there are a few options:
|
|
|
|
- Run as root
|
|
- Run with CAP_NET_RAW and CAP_SETUID as a non-root user
|
|
- Run in a Docker container running as root on Linux with kernel version 5.13 or greater and the `--privileged` and `--pid=host` flags
|
|
|
|
### Windows
|
|
|
|
The Windows version requires an installation of winpcap 4.1, which can be downloaded from [their website](https://www.winpcap.org/install/default.htm).
|
|
|
|
As of Jan 25 2023, Windows Defender is suspicious of exe builds of the sparse server but only tries to submit samples and does not declare it malicious.
|
|
|
|
### Windows service
|
|
|
|
The Windows service has the same requirements, but can be installed with `sc create <service name> DisplayName= <service name> binPath= <service exe path>`.
|
|
|
|
As of Jan 25 2023, Windows Defender marks the Windows service binary as malicious
|
|
|
|
### FreeBSD
|
|
|
|
Create a service to run the resulting binary as root
|
|
|
|
## Connect
|
|
|
|
After installing and running the server, it is possible to connect using the generated `scon` file and `sparse-05-client` with `sparse-05-client connect <name>.scon <service ip>:<service port>`.
|
|
|
|
This brings up a shell that can run commands. However, there are special commands that are injected:
|
|
|
|
- `#help`: shows sparse specific help
|
|
- `#sysinfo`: prints information about the system being connected to
|
|
- `#upload [local] [remote]`: uploads a file from the local path to the remote path
|
|
- `#download [remote] [local]`: downloads a file from the remote path to the local path
|
|
- `#edit [remote]`: downloads a file remotely and opens it in `$EDITOR`, and uploads the final version
|
|
|
|
## Connection test
|
|
|
|
To verify that an installed service is still alive and working, run `sparse-05-client connect-test <name>.scon <service ip>:<service port>`
|