Q240297/ransomware-c2-architecture
GitHub: Q240297/ransomware-c2-architecture
一个用于学术和防御性安全研究的三层勒索软件C2架构模拟系统,演示了完整的攻击生命周期与加密通信机制。
Stars: 0 | Forks: 0
# 勒索软件 C2 基础设施 — 教育模拟
一个复杂的**三层勒索软件架构**,演示了真实的网络威胁基础设施、安全的命令与控制 (C2) 通信以及加密生命周期管理。专为 HELMo 的**学术和防御性安全研究**而构建。
## 📋 概述
该系统对现代勒索软件操作进行建模,包含:
- **恶意软件 Agent** (`ransomware/`):文件发现、加密和受害者指纹识别
- **密钥服务器** (`serveur_cles/`):集中式 512 位密钥管理和受害者状态追踪
- **前端服务器** (`serveur_frontal/`):多线程受害者界面和勒索谈判
- **控制控制台** (`console_controle/`):用于管理受感染系统的操作员仪表板
- **安全传输** (`utile/`):TLS 加密、Diffie-Hellman 密钥交换、加密实用程序
### 攻击生命周期
```
1. Malware Agent runs on victim
↓ System fingerprinting (SHA256), disk enumeration
2. Establishes encrypted C2 tunnel to Frontend
↓ Diffie-Hellman DHKE, AES-256-GCM authenticated encryption
3. Frontend routes commands via secure channel to Key Server
↓ Request victim RSA public key for file encryption
4. Agent encrypts files with victim-specific key (state: CRYPT)
↓ Files locked, ransom demand displayed
5. Operator manages victims via Control Console
↓ Monitor victim states, issue decryption commands
6. Key Server generates decryption key on demand
↓ Change victim state to DECRYPT, issue key to agent
7. Victim decrypts files, payment confirmed
```
## 📁 项目结构
```
.
├── ransomware/ # Malware agent
│ ├── ransomware.py # Main agent (file encryption, state management)
│ ├── message_ransomware.py # Message protocol definitions
│ ├── demande_rancon.py # Ransom demand display UI
│ └── config/
│ └── ransomware.cfg # Agent configuration (C2 address, ports)
│
├── serveur_cles/ # Key Management Server
│ ├── serveur_cles.py # Core KMS logic (multi-threaded)
│ ├── create_schema.py # SQLite3 database schema initialization
│ ├── populate_schema.py # Seed test victims
│ └── script/
│ └── victims_schema.sql # SQL schema (victim states, keys, logs)
│ └── data/
│ └── victims.sqlite # Persistent victim database
│
├── serveur_frontal/ # Frontend Server (victim-facing interface)
│ └── serveur_frontal.py # Multi-threaded server (TLS + message routing)
│
├── console_controle/ # Operator Control Console
│ └── console_controle.py # Interactive CLI for incident management
│
├── utile/ # Shared utilities
│ ├── network.py # TLS/socket I/O, message serialization
│ ├── security.py # Cryptographic operations (DHKE, AES-256-GCM)
│ ├── message.py # Protocol message classes
│ ├── config.py # Configuration parsing
│ ├── data.py # Data models (Victim, Key, State)
│ └── __init__.py # Package initialization
│
├── README.md # This file
└── .gitignore # Git ignore rules
```
## 🔐 加密组件
### 安全通信流水线
**Diffie-Hellman 密钥交换 (DHKE)**
```
Victim ←→ Frontend
1. Victim generates ephemeral DH keypair
2. Sends DH public key to Frontend
3. Frontend responds with own DH public key
4. Both compute shared session key (256-bit)
5. Authenticated encryption with AES-256-GCM
```
**AES-256-GCM 身份验证**
```
All C2 traffic:
- 256-bit symmetric key (derived from DHKE)
- GCM mode for authenticated encryption
- Prevents tampering, replay attacks, forgery
```
**文件加密**
```
Each victim file:
- Victim-specific 512-bit RSA key (generated server-side)
- Files encrypted with victim's public key
- Decryption key held on Key Server
- Release on operator command only
```
### 受害者状态机
```
PENDING ─→ CRYPT ─→ DECRYPT ─→ PAID
(awaiting) (encrypted) (redeemed)
```
SQLite3 追踪状态转换、时间戳和加密材料,以用于取证。
## 🚀 快速开始
### 前置条件
- Python 3.8+
- PyCryptodome(用于 AES-256-GCM 加密)
- Linux/macOS(socket API;Windows 需要少量修改)
### 安装
```
# Clone the repository
git clone https://github.com/Q240297/ransomware-c2-architecture.git
cd ransomware-c2-architecture
# Install dependencies
pip install -r requirements.txt --break-system-packages
# OR: pip install pycryptodome
```
### 运行基础设施
#### 1. 初始化密钥服务器和数据库
```
cd serveur_cles
python3 create_schema.py # Create victims.sqlite
python3 populate_schema.py # Seed test data
python3 serveur_cles.py # Start KMS on port 8443
```
**输出:**
```
[Key Server] Listening on 0.0.0.0:8443
[Key Server] Database initialized with test victims
```
#### 2. 启动前端服务器
```
cd ../serveur_frontal
python3 serveur_frontal.py # Start on port 8380
```
**输出:**
```
[Frontend] Listening for victims on 0.0.0.0:8380
[Frontend] Key Server connected to 127.0.0.1:8443
```
#### 3. 运行恶意软件 Agent(受害者模拟)
```
cd ../ransomware
python3 ransomware.py
```
**Agent 操作:**
- 识别系统指纹(主机名、OS、硬件)
- 发现目标文件(主目录中的 *.txt, *.pdf, *.doc)
- 建立加密的 C2 隧道
- 加密文件并转换为 CRYPT 状态
- 显示勒索要求 UI
#### 4. 操作员控制台
```
cd ../console_controle
python3 console_controle.py # Connect to Key Server on 127.0.0.1:8443
```
**可用命令:**
```
1. List all infected victims (CRYPT, PENDING, DECRYPT states)
2. Display victim details (last seen, encrypted file count)
3. Issue decryption key (transition CRYPT → DECRYPT)
4. View operation logs (timestamps, state changes)
```
## 📊 示例输出
**受害者加密过程:**
```
[Ransomware] System fingerprint: DESKTOP-XYZ | Win10 | Intel i7
[Ransomware] Discovered 45 files for encryption
[Ransomware] Establishing encrypted C2 tunnel...
[Ransomware] DHKE completed ✓ Shared key: a7c3f...
[Ransomware] Requesting victim public key...
[Ransomware] Encrypting files: [████████████░░░░░░] 60%
[Ransomware] All files encrypted. State: CRYPT
[Ransomware] Displaying ransom demand...
```
**操作员视图:**
```
=== Victim Management Console ===
Active Victims: 3
1. DESKTOP-ABC (CRYPT) | 128 files encrypted | Last seen: 2 min ago
2. WORKPC-DEF (PENDING) | Awaiting encryption | Last seen: 5 min ago
3. SERVER-GHI (DECRYPT) | Key issued | Last seen: 1 min ago
Command: 1 [List all]
Command: 3 [Issue decryption] → DESKTOP-ABC
✓ Key generated and sent
✓ Victim state transitioned to DECRYPT
```
## 🔬 技术亮点
### 多线程架构
- **密钥服务器**:用于并发受害者连接的线程池
- **前端**:带有 FIFO 消息队列的异步 socket 处理
- **线程安全状态**:受锁保护的全局受害者数据库
### 加密稳健性
- Diffie-Hellman 防止被动窃听
- AES-256-GCM 提供身份验证加密
- 512 位 RSA 密钥抵御暴力破解攻击
- 身份验证采用常量时间比较
### 取证日志记录
SQLite3 schema 捕获:
```
CREATE TABLE victims (
hash TEXT PRIMARY KEY, -- System fingerprint
state TEXT, -- PENDING | CRYPT | DECRYPT | PAID
encrypted_count INTEGER, -- Number of files encrypted
rsa_public_key BLOB, -- Victim's encryption key
rsa_private_key BLOB, -- Server-held decryption key
timestamp_created TEXT, -- When first seen
timestamp_last_seen TEXT -- Last C2 contact
);
```
## 📚 教育应用
本项目非常适合用于:
✅ 了解真实的勒索软件攻击链
✅ 设计防御对策(EDR、C2 检测)
✅ 取证分析(识别攻击 artifacts)
✅ 安全编码(加密、密钥管理、状态机)
✅ 网络安全(C2 流量模式、加密分析)
## ⚠️ 法律与道德声明
**此模拟仅供授权的教育和防御性研究使用。**
- ✗ **切勿**将其用于您不拥有的系统
- ✗ **切勿**将其部署为功能性恶意软件
- ✗ **切勿**与未经授权的各方分享
- ✓ 务必研究攻击/防御机制
- ✓ 务必开发检测特征码
- ✓ 务必在学术/企业安全团队内负责任地分享发现
根据《计算机欺诈和滥用法》(CFAA) 及全球同等法律,未经授权访问计算机是违法行为。
## 👨💻 作者
**Ibrahim El Komey** 和 **Ayoub** – HELMo 网络安全学生
UE-14 安全集成项目 | 2025 年春季
[LinkedIn](https://linkedin.com/in/ibrahim-el-komey) | [GitHub](https://github.com/yourusername)
## 📄 许可证
仅供教育使用。允许修改和研究;重新分发需要注明出处。
**对架构或防御应用有疑问?** 请提交 issue 或联系作者。
标签:C2基础设施, IP 地址批量处理, Python, SQLite3, 勒索软件, 密码学, 底层编程, 手动系统调用, 无后门, 逆向工具