ToxicEnvelope/XSYS-Malware

XSYS-Malware

This repository contains malicious content and was created for research and testing purposes only.
Any illegal usage of the software in this repository is illegal, and the authors do not take any responsibility for it.

Overview

XSys-Malware is a kind of software which enables remote access to, spying on, and infesting networks with malicious applications.

There are two (2) main modules and one (1) utility in the repository:

1. prototype/server.py:
        Server  --->  run a TCP Server behind a proxy

2. prototype/bot.py:
        Bot  --->  run a TCP Agent that connects to that proxy

3. prototype/__init__.py:
        Config           -->  a configuration utility which serves both Server and BotNet objects
        BonetSocket      -->  a wrapped socket implementation which represents a BotNet socket
        BotnetInterface  -->  an interface module which scopes the base functionalities of a Fast Flux Interface
        CryptoUtils      -->  a class responsible for creating cipher keys and for encrypting and decrypting data
        Envelope         -->  the Envelope class represents wrapped data transmitted as an object between peers
        Peer             -->  a Peer object represents the connection scope of a given endpoint / botnet in the network
        Menu             -->  a simple CLI-GUI printable utility which displays the attacker's valuable information in CLI-GUI form
        NgrokManager     -->  a support class which downloads the necessary ngrok binary according to your operating system specification

Environment Setup

 We have only 3 dependencies:
 - pycryptodome  ~>  cryptographic module for encryption purposes
 - pyngrok       ~>  NGROK library for proxy service support
 - pyinstaller   ~>  a distribution library which allows your code to be compiled as a binary application
 
 You can simply install all dependencies using the following commands:
  $> python3.x -m virtualenv ./venv
  $> ./venv/bin/python3.x -m pip install -r ./requirements.txt

NGROK Setup

You will need to sign in to NGROK.io and use your authtoken if you want an NGROK proxy to be assigned to you faster.
Assuming you have signed in:
on your computer, create a new directory ~/.ngrok2
then, create a new file under that directory: ~/.ngrok2/ngrok.yml

paste this inside the file ngrok.yml:
authtoken: <YOUR-NGROK-PROXY-AUTHORIZATION-TOKEN>

NGROK will not be able to download the proxy server binary by itself.
In order to make NGROK work, drag & drop (copy):
./bin/*  ~>  ./venv/lib/python3.x/site-packages/pyngrok

Server Configuration

First,
understand that whatever you choose to do with this tool is at your own risk and responsibility!

Now!
At the root path of this project lies a configuration file named [config.json].
This file contains a JSON configuration dataset which defines the settings for the Server.

Each entry in this JSON represents a set of settings responsible for a different section.
        
------------------------------------------------------------------------------

The "incomming" section:
{
  "incomming": {
    "port": Integer,
    "backlog": Integer
  }
}
the "port" represents the port number on which the server
accepts connections and to which the tunnel reverses the target connection.

the "backlog" represents the number of connections
which the server can handle simultaneously.

------------------------------------------------------------------------------
        
The "settings" section:
{
  "settings": {
    "buffer": Integer,
    "secret": String
  }
}
the "buffer" represents the number of bytes which the
server and the agent will use for their intercommunication.

the "secret" represents the encryption key with which all data
we send between endpoints is encrypted; the key must be a String of one
of two (2) fixed sizes - 16 bytes or 32 bytes.
------------------------------------------------------------------------------

The "tunnel" section:
{
  "tunnel": {
    "proto": String,
    "url": String / undefined / null,
    "port": String / undefined / null
  }
}
the "proto" represents the type of communication protocol on which NgrokTunnel operates.

the "url" represents the actual reverse proxy domain on which our server is reversed and awaits connections.

the "port" represents the NgrokTunnel port which directs data traffic to the mapped server session on the attacker's machine.

------------------------------------------------------------------------------
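As a defender-side companion to the NGROK setup and the config.json layout above, here is an added example (not code from this repository): it parses a recovered config.json of the documented shape, pulls out the tunnel host and port plus the secret's key-length class (16 or 32 bytes, as the "settings" section requires), and then hunts a connection log for both the recovered tunnel endpoint and any ngrok tunnel domain. The sample config, the log lines and the ngrok domain-suffix list are constructed assumptions, not values from any real sample.

```python
import json
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed config.json in the layout documented above; the values are
# illustrative and not taken from any real sample.
SAMPLE_CONFIG = """{
  "incomming": {"port": 4444, "backlog": 5},
  "settings": {"buffer": 4096, "secret": "0123456789abcdef"},
  "tunnel": {"proto": "tcp", "url": "0.tcp.ngrok.io", "port": "14322"}
}"""

# Constructed firewall-style connection log (key=value fields after a timestamp).
SAMPLE_LOG = """\
2024-01-01T10:00:01Z host=ws-17 proto=tcp dst=0.tcp.ngrok.io dport=14322 action=allow
2024-01-01T10:00:02Z host=ws-17 proto=tcp dst=example.com dport=443 action=allow
2024-01-01T10:00:03Z host=ws-04 proto=tcp dst=2.tcp.eu.ngrok.io dport=18001 action=allow
2024-01-01T10:00:04Z host=ws-09 proto=tcp dst=notngrok.io dport=443 action=allow
2024-01-01T10:00:05Z host=ws-04 proto=udp dst=9.9.9.9 dport=53 action=allow
"""

# Assumed ngrok tunnel domain suffixes; keep this list in sync with the
# vendor's published domains in production.
NGROK_SUFFIXES = (".ngrok.io", ".ngrok.app", ".ngrok-free.app", ".ngrok.dev")

FIELD_RE = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class C2Indicators:
    tunnel_host: str
    tunnel_port: Optional[int]
    proto: str
    secret_len: int
    secret_is_valid_aes_key: bool  # the README requires a 16- or 32-byte key


@dataclass(frozen=True)
class Finding:
    timestamp: str
    host: str
    dst: str
    dport: int
    reason: str


def _split_host_port(url: str):
    """Accept a bare domain, host:port, or scheme://host:port."""
    if "://" in url:
        parts = urlsplit(url)
        return (parts.hostname or "").rstrip("."), parts.port
    host, _, port = url.partition(":")
    return host.lower().rstrip("."), (int(port) if port else None)


def extract_indicators(config_text: str) -> C2Indicators:
    """Pull network and key-material facts out of a recovered config.json."""
    cfg = json.loads(config_text)
    tunnel = cfg.get("tunnel") or {}
    secret = (cfg.get("settings") or {}).get("secret", "")
    host, url_port = _split_host_port(tunnel.get("url") or "")
    port = tunnel.get("port") or url_port
    key_len = len(secret.encode("utf-8"))
    return C2Indicators(
        tunnel_host=host,
        tunnel_port=int(port) if port not in (None, "") else None,
        proto=tunnel.get("proto", ""),
        secret_len=key_len,
        secret_is_valid_aes_key=key_len in (16, 32),
    )


def is_ngrok_host(dst: str) -> bool:
    d = dst.lower().rstrip(".")
    return any(d == s[1:] or d.endswith(s) for s in NGROK_SUFFIXES)


def hunt(log_text: str, indicators: Optional[C2Indicators] = None) -> List[Finding]:
    """Flag connections to the recovered tunnel endpoint or to any ngrok domain."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        timestamp = line.split(" ", 1)[0]
        fields = dict(FIELD_RE.findall(line))
        dst = fields.get("dst", "").lower().rstrip(".")
        dport = int(fields.get("dport", 0))
        reason = None
        if indicators and dst == indicators.tunnel_host and (
            indicators.tunnel_port is None or dport == indicators.tunnel_port
        ):
            reason = "matches recovered tunnel config"
        elif is_ngrok_host(dst):
            reason = "ngrok tunnel domain"
        if reason:
            findings.append(Finding(timestamp, fields.get("host", ""), dst, dport, reason))
    return findings


if __name__ == "__main__":
    ind = extract_indicators(SAMPLE_CONFIG)
    print(ind)
    for f in hunt(SAMPLE_LOG, ind):
        print(f)
```

The recovered-config match is reported separately from the generic ngrok-domain match so that an analyst can tell a confirmed endpoint from a merely suspicious one; a tunnel "url" written as tcp://host:port is handled as well as a bare domain.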

Run Server & Publish as Executable Binary

  1. Run the server once so that bot.json is generated:
python server.py
  2. Use the following commands to convert the source code to an executable binary:
# create a spec file
pyi-makespec --onefile --nowindow --noconsole --name agent agent.py
# edit the spec file so the generated bot.json is bundled with the binary
sed -i 's/datas=\[\],/datas=[("bot.json", ".")],/' agent.spec
# compile to an executable binary (run the command from Windows to compile to .exe)
pyinstaller --clean agent.spec
  • A dist directory will be generated and the payload is inside it.
  • Find a way to send the payload to your target machine.
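The build steps above produce a PyInstaller one-file bundle with bot.json spliced into its datas list, which is a useful triage signal on the receiving end. Here is an added example (not code from this repository) that scans a binary blob for PyInstaller's archive magic and for visible resource names, and calls out a bundled configuration sidecar such as bot.json. The sample bundle bytes are constructed to exercise the scanner and are not real PyInstaller output; the sidecar name list is an assumption.

```python
import re
from typing import Dict, List

# PyInstaller's CArchive magic, which marks the cookie that terminates the
# archive appended to a one-file bundle.
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"

# Resource names worth a second look when found in a bundle (assumed list).
# "bot.json" is the sidecar the build steps above add to the spec's datas.
CONFIG_SIDECARS = ("bot.json", "config.json")

# Visible resource-like names: a basename plus an extension of interest.
NAME_RE = re.compile(rb"[A-Za-z0-9_\-]+\.(?:json|pyz|py|pyd|so|dll|ini|cfg)")

# Constructed stand-in for a packed binary: junk prefix, a fake TOC region
# naming a few embedded entries, then the cookie. Not real PyInstaller output.
SAMPLE_BUNDLE = (
    b"MZ" + b"\x90" * 64
    + b"\x00" * 32
    + b"PYZ-00.pyz\x00" + b"\x00" * 8
    + b"bot.json\x00" + b"\x00" * 8
    + b"agent\x00"
    + PYINSTALLER_MAGIC + b"\x00" * 16 + b"python38.dll\x00"
)

# A plain binary with no PyInstaller traces, for the negative case.
SAMPLE_PLAIN = b"MZ" + b"\x90" * 64 + b"hello world\x00"


def scan_pyinstaller_bundle(blob: bytes) -> Dict[str, object]:
    """Return triage facts: PyInstaller magic present and where, visible
    embedded resource names, and which of them are known config sidecars."""
    magic_at = blob.find(PYINSTALLER_MAGIC)
    names: List[str] = sorted({m.group(0).decode("ascii") for m in NAME_RE.finditer(blob)})
    sidecars = [n for n in names if n in CONFIG_SIDECARS]
    if magic_at == -1:
        verdict = "no pyinstaller traces"
    elif sidecars:
        verdict = "pyinstaller bundle with config sidecar"
    else:
        verdict = "pyinstaller bundle"
    return {
        "pyinstaller": magic_at != -1,
        "magic_offset": magic_at,
        "embedded_names": names,
        "config_sidecars": sidecars,
        "verdict": verdict,
    }


def scan_file(path: str) -> Dict[str, object]:
    """Convenience wrapper for scanning a file on disk."""
    with open(path, "rb") as fh:
        return scan_pyinstaller_bundle(fh.read())


if __name__ == "__main__":
    print(scan_pyinstaller_bundle(SAMPLE_BUNDLE))
    print(scan_pyinstaller_bundle(SAMPLE_PLAIN))
```

The magic search is cheap enough to run over a whole quarantine directory; the string-based name scan is a first pass only, since a real bundle's table of contents should then be walked with PyInstaller's own archive reader to confirm what was packed.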

Note

If your server is down, the reverse connection will not reach your server and the reverse shell will fail to operate.
