Documentation and makefile improvements

Author: cbrnrd

LICENSE

@@ -3,13 +3,19 @@
   <img src="./data/maliketh_logo.png" alt="Maliketh logo" width="900" height="300"/>
 </p>
 
-# Maliketh
+<p align="center">
+  A multi-user, customizable C2 framework. 
+</p>
 
-Maliketh is a multi-user, customizable C2 framework. The goal of Maliketh is to provide a flexible, easy to use C2 framework that can be customized to fit the needs of the operator. The poster used in the initial presentation is located [here](./data/Maliketh%20C2%20Poster.png).
+---
+
+The goal of Maliketh is to provide a flexible, easy to use C2 framework that can be customized to fit the needs of the operator. The poster used in the initial presentation is located [here](./data/Maliketh%20C2%20Poster.png).
 
 ## Implant features
 
-The implant is written in C++ and targeted for Windows. The main feature of the implant is its ability to change its behavior based on the configuration file it receives from the server. This allows the operator to customize the implant to fit their needs. The implant also has the following features (see [here](./design/opcodes.md) for more info):
+The initial implant was written in C++ and targeted for Windows, but a Golang implant has also been implemented and supports all major platforms.
+
+The main feature of the implant is its ability to change its behavior based on the configuration file it receives from the server. This allows the operator to customize the implant to fit their needs. The implant also has the following features (see [here](./design/opcodes.md) for more info):
 
 * File upload/download
 * Command execution
@@ -24,17 +30,31 @@ The implant is written in C++ and targeted for Windows. The main feature of the
 
 ## Future work
 
-- [x] Implement Golang client
+- [x] Implement Golang client ([0639f87](https://github.com/cbrnrd/maliketh/commit/0639f8797838469a068d91f095e3307d2d73ecc4))
 * [x] Per-operator builder in-server ([917d514](https://github.com/cbrnrd/maliketh/commit/917d514fc6075cc15d0e45b4a1a546e6217e4139))
 * [ ] Stealer/basic looter
-* [x] AV Disable
-* [ ] UAC Bypass (SilentCleanup)
-* [ ] BOF/Custom DLL execution for plugins
+* [x] AV Disable ([0aeec4c](https://github.com/cbrnrd/maliketh/commit/0aeec4c4be8f1efaeaf15ee3d289507036c691df))
+* [ ] Change design of config to be protocol agnostic.
+  * ie Define an HTTPS layer/adapter and separate out the code better.
 * [ ] Keylogger
+* [ ] More fine grained backend roles and actions (blocking users, % bot allocation)
+* [ ] Add ability to send command to every bot
+* [ ] Floods
 * [ ] Route RabbitMQ traffic through Admin listener instead of directly connecting
 * [ ] Improved anti-vm (check BIOS information)
-  * [x] Pretty good in golang implant
+  * [x] Not bad in golang implant
 * [x] More stable file uploads/downloads ([91a40f2](https://github.com/cbrnrd/maliketh/commit/91a40f2ba1cded5a025004a6143578fa84baec66))
-* [ ] Alternate C2 channels (WireGuard, DNS, Discord, Slack, etc.)
 * [x] Basic OS functions built in ([91a40f2](https://github.com/cbrnrd/maliketh/commit/91a40f2ba1cded5a025004a6143578fa84baec66))
 * [x] Situational Awareness ([91a40f2](https://github.com/cbrnrd/maliketh/commit/91a40f2ba1cded5a025004a6143578fa84baec66))
+
+## Star History
+
+<a href="https://star-history.com/#cbrnrd/maliketh&Date">
+  <picture>
+    <source media="(prefers-color-scheme: dark)" srcset="https://api.star-history.com/svg?repos=cbrnrd/maliketh&type=Date&theme=dark" />
+    <source media="(prefers-color-scheme: light)" srcset="https://api.star-history.com/svg?repos=cbrnrd/maliketh&type=Date" />
+    <img alt="Star History Chart" src="https://api.star-history.com/svg?repos=cbrnrd/maliketh&type=Date" />
+  </picture>
+</a>
+
+<p align="center"><a href="https://github.com/cbrnrd/maliketh#"><img src="http://randojs.com/images/backToTopButtonTransparentBackground.png" alt="Back to top" height="29"/></a></p>

README.md

@@ -15,19 +15,40 @@ The C2 server keeps some additional information about each implant. This informa
 | `os` | The operating system of the target system | Windows version |
 | `arch` | The architecture of the target system | x86, x64, etc. |
 | `user` | The user that the implant is running as | |
-| `aes_key` | The AES key used to encrypt the implant's communications with the C2 | Base64 encoded |
-| `aes_iv` | The AES IV used to encrypt the implant's communications with the C2 | Base64 encoded |
+| `server_sk` | The NaCl key to use to decrypt messages from the implant | Base64 encoded |
+| `implant_pk` | The NaCL key to use to encrypt messages to the implant | Base64 encoded |
 | `created_at` | The time the implant was created | |
 | `last_seen` | The time the implant was last seen | |
-| `kill_date` | The time the implant should be killed | |
-| `jitter` | The percentage value (as a float <= 1.0) of jitter to add to the implant's check-in interval | For example, if the implant checks in every 60 seconds and the jiter is `0.2`, $60<= sleep <= 60 + (60 * 0.2)$|
+
+
+## Implant configuration
+
+Each implant has a configuration stored in the database. This is intentionally separate from the implant server info because the configuration will be sent to the implant and will be used to configure the implant. The configuration is stored in the `implant_config` table in the database. The following fields are stored:
+
+| Field | Meaning | Notes |
+|:-----|:--------|:------|
+| `id` | The internal ID | DB primary key|
+|`implant_id`| The implant ID this config belongs to | this is not the `id` field of Implant, rather the `implant_id` field |
+| `cookie` | The cookie name used for implant identification | |
+| `kill_date` | The timestamp of the kill date | |
+| `user_agent` | The user agent to use for HTTP requests | |
+| `auto_self_destruct` | Self destruct on failed checkins | |
+| `sleep_time` | The number of seconds to sleep between tasks and checkins | |
+| `jitter` | The % amount of jitter to add to the sleep time | |
+| `max_retries` | The maximum number of retries to attempt before giving up | |
+| `retry_wait` | The number of seconds to wait between retries | |
+| `retry_jitter` | The % amount of jitter to add to the retry wait time | |
+| `enc_key` | The base64 encoded public key of the server to use for encryption | |
+| `tailoring_hash_function` | The hash function to use for the tailoring hash | Unused |
+| `tailoring_hash_rounds` | The number of rounds to use for the tailoring hash | Unused |
+| `tailoring_hashes` | A list of hashes to use for tailoring | Unused |
 
 ## Registration and authentication
-Mostly TODO, but here's the general idea.
 
-There are a few approaches that could work for authentication:
+Implants register with the C2 after an initial sleep time. There is a hardcoded AES key for the initial registration. The implant sends a JSON payload containing the following information:
 
-1. Use PKI and ECC keys to encrypt the C2 channel. The client and server would exchange public keys on the first request, then encrypt everything with those keys.
-2. Use some sort of Password Authenticated Key Exchange (PAKE) to generate a shared secret key. This would be similar to the above, but would use a password instead of a key pair. (OPAQUE, SPAKE2, etc.)
-3. Use Authenticated Encryption (ChaCha20Poly1305, AES-GCM, etc)
+| Field | Meaning | Notes |
+|:-----|:--------|:------|
+|`txid`| The base64 encoded, encrypted,  NaCl public key of the implant | `Base64(AES(implant_public_key))` |
 
+The C2 decrypts the payload and stores the implant's public key in the database. The C2 then generates a NaCl keypair and sends the public key and the configured initial configuration to the implant. All further communication is encrypted with the NaCl keypair, and then base64 encoded.

design/implant.md

@@ -26,64 +26,94 @@ Arguments for each opcode must be a valid JSON type supported by [SQLAlchemy](ht
 Args: List of strings (command and arguments)
 Ex: `["ipconfig", "/all"]`
 
+Expected response: The output of the command, if any.
+
 ## SELFDESTRUCT
 
 Args: None
 
+Expected response: None
+
 ## SYSINFO
 
 Args: None
 
+Expected response: A map of strings (key, value) of system information.
+
 ## SLEEP
 
 Args: 1 integer (seconds to sleep)
 
+Expected response: None
+
 ## UPDATE_CONFIG
 
 Args: A map of strings (key, value) to update the malleable configuration.
 Invalid keys will be ignored. See [profile.md](profile.md#client-options) for a list of valid keys.
 Ex: `{"kill_date": "2021-01-01"}`
 
+Expected response: None
+
 ## DOWNLOAD
 
 Args: List of 1 string (path to file on the implant)
 Ex: `"C:\\Users\\user\\Desktop\\file.txt"`
 
+Expected response: base64 encoded file content
+
 ## UPLOAD
 
 Args: List of 2 strings (path to save the file on the implant)
 Ex: `["C:\\Users\\user\\Desktop\\file.txt", "b64encoded-file-content=="]`
 
+Expected response: None
+
 ## INJECT
 
 Args: List of 2 strings (base64 encoded shellcode, process name/id)
 Ex: `["shellcode==", "notepad.exe"]`
 
+Expected response: None
+
 ## CHDIR
 
 Args: 1 string (path to change to)
 Ex: `"C:\\Users\\user\\Desktop"`
 
+Expected response: None
+
 ## PWD
 
 Args: None
 
+Expected response: 1 string (current working directory)
+
 ## GETENV
 
 Args: None
 
+Expected response: A map of strings (key, value) of environment variables.
+
 ## LS
 
 Args: None
 
+Expected response: A list of strings (file names)
+
 ## PS
 
 Args: None
 
+Expected response: A map of strings (pid, name) of running processes.
+
 ## WHOAMI
 
 Args: None
 
+Expected response: 1 string (current user)
+
 ## DISABLE_DEFENDER
 
 Args: None
+
+Expected response: None

design/opcodes.md

@@ -33,15 +33,15 @@ This will create an operator configuration file that will have a few fields.
 Field definitions:
 | Field | Meaning  | Notes |
 |:-----|:-------- | ------ |
-| name   | The name of the operator this config file is for | |
-| secret | The Base64 encoded ED25519 secret key for this operator | |  
-| c2 | The IP address or domain name of the C2 server this operator is registered for | |
-| c2_port | The TCP port to connect to the C2 server on | |
-| public | The Base64 encoded ED25519 public key for this operator |  |
-| signing_key | The Base64 encoded ED25519 secret key for signing messages to the C2 server | |
-| verify_key  | The Base64 encoded ED25519 public key for verifying messages signed by `signing_key` | |
-| server_pub | The Base64 encoded ED25519 public key for the C2 server | Used for encrypting operator -> C2 traffic|
-| login_secret | A secret string to be encrypted and signed by `secret` on authentication | |
+| `name`   | The name of the operator this config file is for | |
+| `secret` | The Base64 encoded ED25519 secret key for this operator | |  
+| `c2` | The IP address or domain name of the C2 server this operator is registered for | |
+| `c2_port` | The TCP port to connect to the C2 server on | |
+| `public` | The Base64 encoded ED25519 public key for this operator |  |
+| `signing_key` | The Base64 encoded ED25519 secret key for signing messages to the C2 server | |
+| `verify_key`  | The Base64 encoded ED25519 public key for verifying messages signed by `signing_key` | |
+| `server_pub` | The Base64 encoded ED25519 public key for the C2 server | Used for encrypting operator -> C2 traffic|
+| `login_secret` | A secret string to be encrypted and signed by `secret` on authentication | |
 
 ## Authentication
 

design/operator.md

@@ -23,7 +23,7 @@ Profiles are YAML files with three main top level directives: `client`, `server`
 | Option | Description | Required | Type |
 |--------|-------------|----------|------|
 | `user_agent` | The user agent to use when making HTTP requests | Yes | String |
-| `encoding` | The encoding to use when sending encrypted data to the C2. | Yes | One of: `base64`, `hex` |
+<!-- | `encoding` | The encoding to use when sending encrypted data to the C2. | Yes | One of: `base64`, `hex` | -->
 | `sleep_time` | The number of seconds to sleep between each HTTP request | Yes | Integer |
 | `jitter` | % jitter. The implant will sleep for a random amount of time between `sleep` and `sleep * (1 + jitter)` | Yes | Float, `[0, 0.99]` |
 | `max_retries` | The maximum number of times to retry a request before giving up | Yes | Integer |

design/profile.md

@@ -25,13 +25,13 @@ This route allows implants to register with the server. The implant should send
 
 ```json
 {
-  "txid": "base64_encoded_public_key"
+  "txid": "encrypted_base64_encoded_public_key"
 }
 ```
 
 | Field | Purpose |
 |:----- | :------ |
-| `txid` | The Base64 encoded LibSodium public key to use for encryption from server -> implant |
+| `txid` | The Base64 encoded LibSodium public key to use for encryption from server -> implant, encrypted with the C2 registration password |
 
 Example responses:
 

design/specs/implant-c2-http.md

@@ -15,13 +15,17 @@ endif
 ifeq ($(DEBUG),1)
 	GOFLAGS:=$(GOFLAGS) -gcflags="all=-N -l" -ldflags="-X maliketh.config.DEBUG=true"
 else
-	GOFLAGS:=$(GOFLAGS) -ldflags="-s -w -X maliketh.config.DEBUG=false" -trimpath
+	GOFLAGS:=$(GOFLAGS) -ldflags="-s -w -X maliketh.config.DEBUG=false" -trimpath -gcflags=all="-l -B"
 endif
 
+
 default: native-debug
 
 native-debug:
-	$(GO) build -gcflags="all=-N -l" -ldflags="-X maliketh.config.DEBUG=true" -o implant-dev-debug $(MAIN)
+	$(GO) build $(GOFLAGS) -o implant-dev-debug $(MAIN)
+
+build:
+	$(GO) build $(GOFLAGS) -o implant-$(shell go env GOOS)-$(GOARCH) $(MAIN)
 
 all: setup deps macos linux windows
 
@@ -33,17 +37,17 @@ deps:
 
 linux:
 	@/bin/echo -n "-----> Building Linux binary ($(GOARCH))... "
-	@GOOS=linux GOARCH=$(GOARCH) $(GO) build $(GOFLAGS) -o build/$(BINARY)-linux-amd64 $(MAIN)
+	@GOOS=linux GOARCH=$(GOARCH) $(GO) build $(GOFLAGS) -o build/$(BINARY)-linux-$(GOARCH) $(MAIN)
 	@echo "DONE"
 
 macos:
 	@/bin/echo -n "-----> Building MacOS binary ($(GOARCH))... "
-	@GOOS=darwin GOARCH=$(GOARCH) $(GO) build $(GOFLAGS) -o build/$(BINARY)-macos-amd64 $(MAIN)
+	@GOOS=darwin GOARCH=$(GOARCH) $(GO) build $(GOFLAGS) -o build/$(BINARY)-macos-$(GOARCH) $(MAIN)
 	@echo "DONE"
 
 windows:
 	@/bin/echo -n "-----> Building Windows binary ($(GOARCH))... "
-	@GOOS=windows GOARCH=$(GOARCH) $(GO) build $(GOFLAGS) -o build/$(BINARY)-windows-amd64.exe $(MAIN)
+	@GOOS=windows GOARCH=$(GOARCH) $(GO) build $(GOFLAGS) -o build/$(BINARY)-windows-$(GOARCH).exe $(MAIN)
 	@echo "DONE"
 
 clean:

go_implant/Makefile

@@ -5,6 +5,34 @@ Most functions are supported on Windows, macOS, and Linux.
 
 Some functions were adapted from [Coldfire](https://github.com/redcode-labs/Coldfire).
 
+## Building
+
+To build the development implant, simply run
+
+```bash
+$ make
+```
+
+This builds the debug version of the implant for your native OS and architecture.
+
+To build for all supported OSes and architectures, run
+
+```bash
+$ make all
+```
+
+To build a stripped version of the implant, simply set `DEBUG=0` when running make. Example:
+
+```bash
+$ DEBUG=0 make all
+```
+
+You can also set the usual `GOOS` and `GOARCH` environment variables to build for a specific OS and architecture using
+
+```bash
+$ make build
+```
+
 ## Differences between this and the C++ implant
 The C++ implant is a bit more optimized for real world use. The golang implant **does not** have:
 
@@ -16,8 +44,10 @@ The C++ implant is a bit more optimized for real world use. The golang implant *
 
 ## TODO
 
-* [] Register retries
-* [] Persistence
-* [] Do something "normal" when sandbox is detected
+* [ ] Register retries
+* [ ] Persistence
+* [ ] Do something "normal" when sandbox is detected
+* [ ] Auto self destruct
+* [ ] Jitter