Q240297/ransomware-c2-architecture

GitHub: Q240297/ransomware-c2-architecture

一个用于学术和防御性安全研究的三层勒索软件C2架构模拟系统,演示了完整的攻击生命周期与加密通信机制。

Stars: 0 | Forks: 0

# 勒索软件 C2 基础设施 — 教育模拟 一个复杂的**三层勒索软件架构**,演示了真实的网络威胁基础设施、安全的命令与控制 (C2) 通信以及加密生命周期管理。专为 HELMo 的**学术和防御性安全研究**而构建。 ## 📋 概述 该系统对现代勒索软件操作进行建模,包含: - **恶意软件 Agent** (`ransomware/`):文件发现、加密和受害者指纹识别 - **密钥服务器** (`serveur_cles/`):集中式 512 位密钥管理和受害者状态追踪 - **前端服务器** (`serveur_frontal/`):多线程受害者界面和勒索谈判 - **控制控制台** (`console_controle/`):用于管理受感染系统的操作员仪表板 - **安全传输** (`utile/`):TLS 加密、Diffie-Hellman 密钥交换、加密实用程序 ### 攻击生命周期 ``` 1. Malware Agent runs on victim ↓ System fingerprinting (SHA256), disk enumeration 2. Establishes encrypted C2 tunnel to Frontend ↓ Diffie-Hellman DHKE, AES-256-GCM authenticated encryption 3. Frontend routes commands via secure channel to Key Server ↓ Request victim RSA public key for file encryption 4. Agent encrypts files with victim-specific key (state: CRYPT) ↓ Files locked, ransom demand displayed 5. Operator manages victims via Control Console ↓ Monitor victim states, issue decryption commands 6. Key Server generates decryption key on demand ↓ Change victim state to DECRYPT, issue key to agent 7. Victim decrypts files, payment confirmed ``` ## 📁 项目结构 ``` . ├── ransomware/ # Malware agent │ ├── ransomware.py # Main agent (file encryption, state management) │ ├── message_ransomware.py # Message protocol definitions │ ├── demande_rancon.py # Ransom demand display UI │ └── config/ │ └── ransomware.cfg # Agent configuration (C2 address, ports) │ ├── serveur_cles/ # Key Management Server │ ├── serveur_cles.py # Core KMS logic (multi-threaded) │ ├── create_schema.py # SQLite3 database schema initialization │ ├── populate_schema.py # Seed test victims │ └── script/ │ └── victims_schema.sql # SQL schema (victim states, keys, logs) │ └── data/ │ └── victims.sqlite # Persistent victim database │ ├── serveur_frontal/ # Frontend Server (victim-facing interface) │ └── serveur_frontal.py # Multi-threaded server (TLS + message routing) │ ├── console_controle/ # Operator Control Console │ └── console_controle.py # Interactive CLI for incident management │ ├── utile/ # Shared utilities │ ├── network.py # TLS/socket I/O, message serialization │ ├── security.py # Cryptographic operations (DHKE, AES-256-GCM) │ ├── message.py # Protocol message classes │ ├── config.py # Configuration parsing │ ├── data.py # Data models (Victim, Key, State) │ └── __init__.py # Package initialization │ ├── README.md # This file └── .gitignore # Git ignore rules ``` ## 🔐 加密组件 ### 安全通信流水线 **Diffie-Hellman 密钥交换 (DHKE)** ``` Victim ←→ Frontend 1. Victim generates ephemeral DH keypair 2. Sends DH public key to Frontend 3. Frontend responds with own DH public key 4. Both compute shared session key (256-bit) 5. Authenticated encryption with AES-256-GCM ``` **AES-256-GCM 身份验证** ``` All C2 traffic: - 256-bit symmetric key (derived from DHKE) - GCM mode for authenticated encryption - Prevents tampering, replay attacks, forgery ``` **文件加密** ``` Each victim file: - Victim-specific 512-bit RSA key (generated server-side) - Files encrypted with victim's public key - Decryption key held on Key Server - Release on operator command only ``` ### 受害者状态机 ``` PENDING ─→ CRYPT ─→ DECRYPT ─→ PAID (awaiting) (encrypted) (redeemed) ``` SQLite3 追踪状态转换、时间戳和加密材料,以用于取证。 ## 🚀 快速开始 ### 前置条件 - Python 3.8+ - PyCryptodome(用于 AES-256-GCM 加密) - Linux/macOS(socket API;Windows 需要少量修改) ### 安装 ``` # Clone the repository git clone https://github.com/Q240297/ransomware-c2-architecture.git cd ransomware-c2-architecture # Install dependencies pip install -r requirements.txt --break-system-packages # OR: pip install pycryptodome ``` ### 运行基础设施 #### 1. 初始化密钥服务器和数据库 ``` cd serveur_cles python3 create_schema.py # Create victims.sqlite python3 populate_schema.py # Seed test data python3 serveur_cles.py # Start KMS on port 8443 ``` **输出:** ``` [Key Server] Listening on 0.0.0.0:8443 [Key Server] Database initialized with test victims ``` #### 2. 启动前端服务器 ``` cd ../serveur_frontal python3 serveur_frontal.py # Start on port 8380 ``` **输出:** ``` [Frontend] Listening for victims on 0.0.0.0:8380 [Frontend] Key Server connected to 127.0.0.1:8443 ``` #### 3. 运行恶意软件 Agent(受害者模拟) ``` cd ../ransomware python3 ransomware.py ``` **Agent 操作:** - 识别系统指纹(主机名、OS、硬件) - 发现目标文件(主目录中的 *.txt, *.pdf, *.doc) - 建立加密的 C2 隧道 - 加密文件并转换为 CRYPT 状态 - 显示勒索要求 UI #### 4. 操作员控制台 ``` cd ../console_controle python3 console_controle.py # Connect to Key Server on 127.0.0.1:8443 ``` **可用命令:** ``` 1. List all infected victims (CRYPT, PENDING, DECRYPT states) 2. Display victim details (last seen, encrypted file count) 3. Issue decryption key (transition CRYPT → DECRYPT) 4. View operation logs (timestamps, state changes) ``` ## 📊 示例输出 **受害者加密过程:** ``` [Ransomware] System fingerprint: DESKTOP-XYZ | Win10 | Intel i7 [Ransomware] Discovered 45 files for encryption [Ransomware] Establishing encrypted C2 tunnel... [Ransomware] DHKE completed ✓ Shared key: a7c3f... [Ransomware] Requesting victim public key... [Ransomware] Encrypting files: [████████████░░░░░░] 60% [Ransomware] All files encrypted. State: CRYPT [Ransomware] Displaying ransom demand... ``` **操作员视图:** ``` === Victim Management Console === Active Victims: 3 1. DESKTOP-ABC (CRYPT) | 128 files encrypted | Last seen: 2 min ago 2. WORKPC-DEF (PENDING) | Awaiting encryption | Last seen: 5 min ago 3. SERVER-GHI (DECRYPT) | Key issued | Last seen: 1 min ago Command: 1 [List all] Command: 3 [Issue decryption] → DESKTOP-ABC ✓ Key generated and sent ✓ Victim state transitioned to DECRYPT ``` ## 🔬 技术亮点 ### 多线程架构 - **密钥服务器**:用于并发受害者连接的线程池 - **前端**:带有 FIFO 消息队列的异步 socket 处理 - **线程安全状态**:受锁保护的全局受害者数据库 ### 加密稳健性 - Diffie-Hellman 防止被动窃听 - AES-256-GCM 提供身份验证加密 - 512 位 RSA 密钥抵御暴力破解攻击 - 身份验证采用常量时间比较 ### 取证日志记录 SQLite3 schema 捕获: ``` CREATE TABLE victims ( hash TEXT PRIMARY KEY, -- System fingerprint state TEXT, -- PENDING | CRYPT | DECRYPT | PAID encrypted_count INTEGER, -- Number of files encrypted rsa_public_key BLOB, -- Victim's encryption key rsa_private_key BLOB, -- Server-held decryption key timestamp_created TEXT, -- When first seen timestamp_last_seen TEXT -- Last C2 contact ); ``` ## 📚 教育应用 本项目非常适合用于: ✅ 了解真实的勒索软件攻击链 ✅ 设计防御对策(EDR、C2 检测) ✅ 取证分析(识别攻击 artifacts) ✅ 安全编码(加密、密钥管理、状态机) ✅ 网络安全(C2 流量模式、加密分析) ## ⚠️ 法律与道德声明 **此模拟仅供授权的教育和防御性研究使用。** - ✗ **切勿**将其用于您不拥有的系统 - ✗ **切勿**将其部署为功能性恶意软件 - ✗ **切勿**与未经授权的各方分享 - ✓ 务必研究攻击/防御机制 - ✓ 务必开发检测特征码 - ✓ 务必在学术/企业安全团队内负责任地分享发现 根据《计算机欺诈和滥用法》(CFAA) 及全球同等法律,未经授权访问计算机是违法行为。 ## 👨‍💻 作者 **Ibrahim El Komey** 和 **Ayoub** – HELMo 网络安全学生 UE-14 安全集成项目 | 2025 年春季 [LinkedIn](https://linkedin.com/in/ibrahim-el-komey) | [GitHub](https://github.com/yourusername) ## 📄 许可证 仅供教育使用。允许修改和研究;重新分发需要注明出处。 **对架构或防御应用有疑问?** 请提交 issue 或联系作者。
标签:C2基础设施, IP 地址批量处理, Python, SQLite3, 勒索软件, 密码学, 底层编程, 手动系统调用, 无后门, 逆向工具