PoC RAT using the sneaky-creeper data exfiltration library.
Not meant to be full-featured, just a fun project to write, and a proof-of-concept/example for anyone who wants to use sneaky-creeper.
If you get annoying `InsecurePlatformWarning` errors, run `pip install 'requests[security]'`.
Open up `implant.py` and specify which channel and encoder(s) you'd like to use, then set their parameters in `channelParams` and `encoderParams`. Refer to the sneaky-creeper docs for information on which parameters to set and how, as well as which channels and encoders are available.
Messages take the form of `uid:message_type:other_stuff`, where `other_stuff` is determined by the message type. Note that colons (`:`) are used to delimit fields in the message. While an attempt is made to be resilient against user-defined colon use, putting colons in your messages is still riskier than leaving them out.

`uid` is a unique ID for each implant instance, used to keep them all organized; each implant generates it when it is first run.
| For message_type | other_stuff is in the format... | Direction | Purpose |
|---|---|---|---|
| `message` | `message` | Implant --> Console | Sends a simple message to the C&C console for display. |
| `checkin` | (none) | Implant --> Console | Informs the C&C console that a new implant instance has come online. |
| `job` | `jobId:jobType:cmdString` | Console --> Implant | Instructs the implant to carry out a job. |

Fields of `other_stuff`, per message type:

- `message`
  - `message` - a message for the C&C console to display.
- `checkin`
  - None.
- `job`
  - `jobId` - a unique ID string for the job itself, tracked by the implant to avoid repeating jobs.
  - `jobType` - the name of the job to carry out. The implant searches for a function with this name in its `Jobs` module, then executes it (if found).
  - `cmdString` - a string passed to the job code itself, used to pass in parameters.
For example, `a5wJl0t03lQvXmT0TrFy:setSleep:10-15` as the `other_stuff` of a `job` message will instruct the implant to set its wait time between checkins to between 10 and 15 seconds using the `setSleep` function.
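As an added example (not the project's own code), here is a standalone parser for the message format above, written the way an analyst would to triage messages recovered from a channel. It assumes fields are split on the leftmost colons only, which is one way to tolerate colons inside the trailing field; the page does not document how the implant itself handles them.

```python
"""Parse the uid:message_type:other_stuff format described above.

Added example for triaging recovered messages. Assumption: fields are split
on the leftmost colons only, so colons inside the trailing field survive.
"""
from dataclasses import dataclass
from typing import Optional

KNOWN_TYPES = {"message", "checkin", "job"}


@dataclass
class Message:
    uid: str
    message_type: str
    other_stuff: str
    # Populated only for job messages (jobId:jobType:cmdString).
    job_id: Optional[str] = None
    job_type: Optional[str] = None
    cmd_string: Optional[str] = None


def parse_message(raw: str) -> Message:
    """Split a raw message into its fields; raise ValueError on malformed input."""
    parts = raw.split(":", 2)  # at most three parts: uid, type, rest
    if len(parts) < 2 or not parts[0] or not parts[1]:
        raise ValueError(f"malformed message: {raw!r}")
    uid, message_type = parts[0], parts[1]
    other_stuff = parts[2] if len(parts) == 3 else ""  # checkin carries nothing
    if message_type not in KNOWN_TYPES:
        raise ValueError(f"unknown message_type {message_type!r} in {raw!r}")
    msg = Message(uid, message_type, other_stuff)
    if message_type == "job":
        job_parts = other_stuff.split(":", 2)  # cmdString may itself contain colons
        if len(job_parts) != 3 or not all(job_parts[:2]):
            raise ValueError(f"malformed job payload: {other_stuff!r}")
        msg.job_id, msg.job_type, msg.cmd_string = job_parts
    return msg


def is_valid(raw: str) -> bool:
    """True if the message parses cleanly under the rules above."""
    try:
        parse_message(raw)
        return True
    except ValueError:
        return False


def describe(raw: str) -> str:
    """One-line summary of a message, e.g. for a log review."""
    m = parse_message(raw)
    if m.message_type == "checkin":
        return f"[{m.uid}] implant checked in"
    if m.message_type == "message":
        return f"[{m.uid}] message to console: {m.other_stuff}"
    return f"[{m.uid}] job {m.job_id}: {m.job_type}({m.cmd_string})"
```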