KitPloit - PenTest Tools!

QuickResponseC2 - A Command & Control Server That Leverages QR Codes To Send Commands And Receive Results From Remote Systems

By: Unknown - April 12th 2025 at 12:30



QuickResponseC2 is a stealthy Command and Control (C2) framework that enables indirect and covert communication between the attacker and victim machines via an intermediate HTTP/S server. All network activity is limited to uploading and downloading images, making it fully undetectable by IPS/IDS systems and an ideal tool for security research and penetration testing.


Capabilities:

  • Command Execution via QR Codes:
    Users can send custom commands to the victim machine, encoded as QR codes.
    Victims scan the QR code, which triggers the execution of the command on their system.
    The command can be anything from simple queries to complex operations based on the test scenario.

  • Result Retrieval:
    Results of the executed command are returned from the victim system and encoded into a QR code.
    The server decodes the result and provides feedback to the attacker for further analysis or follow-up actions.

  • Built-in HTTP Server:
    The tool includes a lightweight HTTP server that facilitates the victim machine's retrieval of command QR codes.
    Results are sent back to the server as QR code images, and they are automatically saved with unique filenames for easy management.
    The attacker's machine handles multiple requests, with HTTP logs organized and saved separately.

  • Stealthy Communication:
    QuickResponseC2 operates under the radar, with minimal traces, providing a covert way to interact with the victim machine without alerting security defenses.
    Ideal for security assessments or testing command-and-control methodologies without being detected.

  • File Handling:
    The tool automatically saves all QR codes (command and result) to the server_files directory, using sequential filenames like command0.png, command1.png, etc.
    Decoding and processing of result files are handled seamlessly.

  • User-Friendly Interface:
    The tool is operated via a simple command-line interface, allowing users to set up a C2 server, send commands, and receive results with ease.
    No additional complex configurations or dependencies are needed.

Usage

  1. First, install the dependencies: pip3 install -r requirements.txt
  2. Then, run main.py: python3 main.py
  3. Choose between the options:
       1 - Run the C2 Server
       2 - Build the Victim Implant
  4. Enjoy!

Demonstration

https://github.com/user-attachments/assets/382e9350-d650-44e5-b8ef-b43ec90b315d

Workflow Overview

1. Initialization of the C2 Server

  • The attacker launches QuickResponseC2, which creates a lightweight HTTP server (default port: 8080).
  • This server serves as the intermediary between the attacker and victim, eliminating any direct connection between them.

2. Command Delivery via QR Codes

  • The attacker encodes a command into a QR code and saves it as commandX.png on the HTTP server.
  • The victim machine periodically polls the server (e.g., every 1 second) to check for the presence of a new command file.

3. Victim Command Execution

  • Once the victim detects a new QR code file (commandX.png), it downloads and decodes the image to retrieve the command.
  • The decoded command is executed on the victim's system.

4. Result Encoding and Uploading

  • The victim encodes the output of the executed command into a QR code and saves it locally as resultX.png.
  • The result file is then uploaded to the HTTP server.

5. Result Retrieval by the Attacker

  • The attacker periodically checks the server for new result files (resultX.png).
  • Once found, the result file is downloaded and decoded to retrieve the output of the executed command.
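
The polling loop in steps 2 to 5 leaves a recognizable pattern in proxy or web-server access logs: one client requesting commandN.png about once a second and then uploading resultN.png. The following is an added detection example, not part of QuickResponseC2 or the original post; the log lines are constructed, and the log layout, the POST/PUT upload method and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed access-log lines (not captured traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Apr/2025:12:30:00 +0000] "GET /command0.png HTTP/1.1" 404 0
10.0.0.5 - - [12/Apr/2025:12:30:01 +0000] "GET /command0.png HTTP/1.1" 404 0
10.0.0.5 - - [12/Apr/2025:12:30:02 +0000] "GET /command0.png HTTP/1.1" 404 0
10.0.0.9 - - [12/Apr/2025:12:30:02 +0000] "GET /img/logo.png HTTP/1.1" 200 5120
10.0.0.5 - - [12/Apr/2025:12:30:03 +0000] "GET /command0.png HTTP/1.1" 404 0
10.0.0.5 - - [12/Apr/2025:12:30:04 +0000] "GET /command0.png HTTP/1.1" 200 912
10.0.0.5 - - [12/Apr/2025:12:30:05 +0000] "POST /result0.png HTTP/1.1" 200 0
10.0.0.5 - - [12/Apr/2025:12:30:06 +0000] "GET /command1.png HTTP/1.1" 404 0
10.0.0.7 - - [12/Apr/2025:12:30:06 +0000] "GET /command0.png HTTP/1.1" 200 912
10.0.0.5 - - [12/Apr/2025:12:30:07 +0000] "GET /command1.png HTTP/1.1" 404 0
"""

LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')
COMMAND = re.compile(r"/command\d+\.png$")   # naming scheme from the workflow
RESULT = re.compile(r"/result\d+\.png$")

def find_qr_polling(log_text, min_polls=5, max_gap_s=5.0):
    """Return clients that poll commandN.png at a short, regular interval."""
    polls, uploads = defaultdict(list), defaultdict(int)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                      # skip lines in another format
        client, stamp, method, path, _status = m.groups()
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        if method == "GET" and COMMAND.search(path):
            polls[client].append(when)
        elif method in ("POST", "PUT") and RESULT.search(path):
            uploads[client] += 1          # assumed upload method
    findings = {}
    for client, times in polls.items():
        if len(times) < max(min_polls, 2):
            continue                      # a single fetch is not beaconing
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if median(gaps) <= max_gap_s:
            findings[client] = {"polls": len(times), "uploads": uploads[client],
                                "median_gap_s": median(gaps)}
    return findings

print(find_qr_polling(SAMPLE_LOG))
```

The median gap is used instead of the mean so that a pause while a command runs does not hide the otherwise regular interval.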

TODO & Contribution

  • [x] Generate a Template for the Implant
  • [ ] Compile the implant as an .exe automatically
  • [x] Save the generated QR Code as bytes in a variable instead of a file - VICTIM Side
  • [ ] Add an obfuscation on the commands decoded from the QR Codes automatically

Feel free to fork and contribute! Pull requests are welcome.




PolyDrop - A BYOSI (Bring-Your-Own-Script-Interpreter) Rapid Payload Deployment Toolkit

By: Unknown - September 23rd 2024 at 11:30


BYOSI

- Bring-Your-Own-Script-Interpreter

- Leveraging the abuse of trusted applications, one is able to deliver a compatible script interpreter for a Windows, Mac, or Linux system as well as malicious source code in the form of the specific script interpreter of choice. Once both the malicious source code and the trusted script interpreter are safely written to the target system, one could simply execute said source code via the trusted script interpreter.

PolyDrop

- Leverages thirteen scripting languages to perform the above attack.


The following languages are wholly ignored by AV vendors including MS-Defender:

  • tcl
  • php
  • crystal
  • julia
  • golang
  • dart
  • dlang
  • vlang
  • nodejs
  • bun
  • python
  • fsharp
  • deno

All of these languages were allowed to completely execute, and establish a reverse shell by MS-Defender. We assume the list is even longer, given that languages such as PHP are considered "dead" languages.

- Currently undetectable by most mainstream Endpoint-Detection & Response vendors.

The total number of vendors that are unable to scan or process just PHP file types is 14, and they are listed below:

  • Alibaba
  • Avast-Mobile
  • BitDefenderFalx
  • Cylance
  • DeepInstinct
  • Elastic
  • McAfee Scanner
  • Palo Alto Networks
  • SecureAge
  • SentinelOne (Static ML)
  • Symantec Mobile Insight
  • Trapmine
  • Trustlook
  • Webroot

And the total number of vendors that are unable to accurately identify malicious PHP scripts is 54, and they are listed below:

  • Acronis (Static ML)
  • AhnLab-V3
  • ALYac
  • Antiy-AVL
  • Arcabit
  • Avira (no cloud)
  • Baidu
  • BitDefender
  • BitDefenderTheta
  • ClamAV
  • CMC
  • CrowdStrike Falcon
  • Cybereason
  • Cynet
  • DrWeb
  • Emsisoft
  • eScan
  • ESET-NOD32
  • Fortinet
  • GData
  • Gridinsoft (no cloud)
  • Jiangmin
  • K7AntiVirus
  • K7GW
  • Kaspersky
  • Lionic
  • Malwarebytes
  • MAX
  • MaxSecure
  • NANO-Antivirus
  • Panda
  • QuickHeal
  • Sangfor Engine Zero
  • Skyhigh (SWG)
  • Sophos
  • SUPERAntiSpyware
  • Symantec
  • TACHYON
  • TEHTRIS
  • Tencent
  • Trellix (ENS)
  • Trellix (HX)
  • TrendMicro
  • TrendMicro-HouseCall
  • Varist
  • VBA32
  • VIPRE
  • VirIT
  • ViRobot
  • WithSecure
  • Xcitium
  • Yandex
  • Zillya
  • ZoneAlarm by Check Point
  • Zoner

With this in mind, and given the absolute shortcomings in identifying PHP-based malware, we came up with the theory that the 13 identified languages are also an oversight by these vendors, including CrowdStrike, SentinelOne, Palo Alto, Fortinet, etc. We have been able to identify that, at the very least, Defender considers these obviously malicious payloads as plaintext.
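
BYOSI as described above has an observable sequence on the endpoint even when the script content is not scanned: an interpreter binary is written to disk, a script is written next to it, and the interpreter then runs that script. The following is an added detection example, not PolyDrop code and not from the original post; the events are constructed, and the event schema, executable names, paths and the 600-second window are assumptions.

```python
import ntpath

# Executable names assumed here for the thirteen languages listed above.
INTERPRETERS = {"tclsh", "php", "crystal", "julia", "go", "dart", "dmd",
                "v", "node", "bun", "python", "dotnet", "deno"}
TMP = r"C:\Users\bob\AppData\Local\Temp\pkg"

# Constructed endpoint events in a hypothetical schema; t is in seconds.
EVENTS = [
    {"t": 0, "type": "file_create", "path": TMP + r"\php.exe"},
    {"t": 2, "type": "file_create", "path": TMP + r"\job.php"},
    {"t": 5, "type": "process_create", "image": TMP + r"\php.exe",
     "args": [TMP + r"\job.php"]},
    # Installed long ago: no file_create seen for the interpreter binary.
    {"t": 9, "type": "process_create",
     "image": r"C:\Program Files\nodejs\node.exe", "args": [r"C:\src\app.js"]},
    # Written and first run more than window_s apart.
    {"t": 10, "type": "file_create", "path": r"C:\tools\deno.exe"},
    {"t": 9000, "type": "process_create", "image": r"C:\tools\deno.exe",
     "args": ["run", r"C:\src\main.ts"]},
]

def find_byosi(events, window_s=600):
    """Flag a listed interpreter that runs soon after being written to disk."""
    written, hits = {}, []            # written: lower-cased path -> write time
    for ev in sorted(events, key=lambda e: e["t"]):
        if ev["type"] == "file_create":
            written[ev["path"].lower()] = ev["t"]
            continue
        if ev["type"] != "process_create":
            continue                  # ignore unrelated event types
        image = ev["image"].lower()
        stem = ntpath.splitext(ntpath.basename(image))[0]
        dropped_at = written.get(image)
        if stem not in INTERPRETERS or dropped_at is None:
            continue
        delay = ev["t"] - dropped_at
        if delay <= window_s:
            # Arguments that were themselves freshly written are the dropped scripts.
            scripts = [a for a in ev["args"] if a.lower() in written]
            hits.append({"interpreter": ev["image"], "delay_s": delay,
                         "dropped_scripts": scripts})
    return hits

print(find_byosi(EVENTS))
```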

Disclaimer

We as the maintainers, are in no way responsible for the misuse or abuse of this product. This was published for legitimate penetration testing/red teaming purposes, and for educational value. Know the applicable laws in your country of residence before using this script, and do not break the law whilst using this. Thank you and have a nice day.

EDIT

In case you are seeing all of the default declarations, and wondering wtf guys. There is a reason; this was built to be more modular for later versions. For now, enjoy the tool and feel free to post issues. They'll be addressed as quickly as possible.


