wkxaaxa399 / Winton

A cross-platform Command and Control (C2) framework written in Golang and Python.


Winton

Yet another Command and Control (C2) framework written in Golang

Winton is an open-source cross-platform C2 framework written for the purposes of learning adversary emulation and C2 infrastructure.

🐒 Winton was designed solely for educational purposes; it is still nowhere close to being operationally functional for red team engagements!


Features

Teamserver

Written in Golang 1.21.1 with Gin (stable on Windows 11 x64/AMD64 & Debian 12.x / Kali 2023.3)

  • Support for multiple listeners (HTTP implemented)
  • Multiplayer-mode
  • Cross-platform binary

Implant

Written in Golang 1.21.1 (Windows only*)

  • Process migration and process injection
  • In-memory .NET assembly execution (creds to: @ropnop)
  • Built-ins via os/exec & os/user

Client

Dark-themed UI written in Python with Tkinter

  • Multi-player
  • In-memory .NET assembly execution via execute-assembly
    • creds: SharpAwareness by @CodeXTF2
    • for reasons not yet tracked down, if you try to load a .NET assembly that is too large, the CLR will simply refuse to load it.
  • An up-to-date list of supported commands is kept in the repository's Help page

Installation

Winton

git clone https://github.com/gatariee/Winton
cd Winton

Teamserver

cd teamserver
make linux # or windows
cd ./bin && chmod +x ./teamserver-x64

Implant

cd ./implant
make windows

Client

cd ./client
python3 -m pip install -r requirements.txt
chmod +x ./winton.py

Usage

Teamserver

./teamserver-x64 <ip> <port> <password>

Client

./winton.py

OPSEC Considerations / Notes

Implant

  • The stable implant is written in Go and builds to a binary of 7,747,072 bytes (~7.39 MiB).
  • shell passes the operator's input to cmd.exe /c {task}, which spawns a new cmd.exe process on the target and returns its output via stdout and stderr.
  • Heavy reliance on Golang's os/exec and os/user packages for cross-platform compatibility and built-ins (whoami, pwd, ls); this may be OPSEC-unsafe, since os/exec-based built-ins spawn child processes that show up in process-creation telemetry.
  • inject uses CreateRemoteThread and does not check the target's architecture, which may crash the process and/or the shellcode; use ps to check the architecture before injecting.
    • VirtualAllocEx is called with PAGE_EXECUTE_READWRITE and the allocation is unbacked (not mapped from a file on disk)
    • Thread start address is 0x0

⚠️ Beacon instability is mainly caused by the implementation of task queuing and tagging in the teamserver: there is a permanent race condition between the teamserver and the implant, and the implant crashes if the teamserver sends it a task while it is still processing a previous one.
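One way to remove the race the warning describes, shown as an added example rather than Winton's own teamserver code: a mutex-guarded per-implant queue in which operators only ever append tagged tasks, and the implant pulls at most one task per check-in and is not handed another until it has reported a result for the one in flight. The type and method names, the implant ID "beacon-1" and the sample commands are assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"sync"
)

// Task is one tagged unit of work for an implant; the ID is what lets a
// result be matched back to the command that produced it.
type Task struct {
	ID      uint64
	Command string
}

// Result is what an implant posts back after running a Task.
type Result struct {
	TaskID uint64
	Output string
}

// TaskQueue keeps a FIFO of pending tasks per implant behind one mutex.
// Operators only append; an implant pulls at most one task per check-in and
// gets no other until it has reported a result, so the teamserver can never
// push a task at an implant that is still processing the last one.
type TaskQueue struct {
	mu      sync.Mutex
	nextID  uint64
	pending map[string][]Task // implant ID -> queued tasks, oldest first
	busy    map[string]uint64 // implant ID -> task ID currently in flight
	results map[uint64]Result // task ID -> reported result
}

func NewTaskQueue() *TaskQueue {
	return &TaskQueue{
		pending: make(map[string][]Task),
		busy:    make(map[string]uint64),
		results: make(map[uint64]Result),
	}
}

// Enqueue tags a command with a fresh ID and appends it to the implant's
// queue. Safe to call from many operator sessions at once (multiplayer mode).
func (q *TaskQueue) Enqueue(implant, command string) uint64 {
	q.mu.Lock()
	defer q.mu.Unlock()
	q.nextID++
	q.pending[implant] = append(q.pending[implant], Task{ID: q.nextID, Command: command})
	return q.nextID
}

// Next is called on implant check-in. It returns false when nothing is queued
// or when the implant still owes a result for an earlier task.
func (q *TaskQueue) Next(implant string) (Task, bool) {
	q.mu.Lock()
	defer q.mu.Unlock()
	if _, inFlight := q.busy[implant]; inFlight {
		return Task{}, false
	}
	queue := q.pending[implant]
	if len(queue) == 0 {
		return Task{}, false
	}
	q.pending[implant] = queue[1:]
	q.busy[implant] = queue[0].ID
	return queue[0], true
}

// Complete stores a result and frees the implant for its next task. A result
// whose tag does not match the task in flight for that implant is rejected.
func (q *TaskQueue) Complete(implant string, r Result) error {
	q.mu.Lock()
	defer q.mu.Unlock()
	if id, inFlight := q.busy[implant]; !inFlight || id != r.TaskID {
		return fmt.Errorf("implant %q has no task %d in flight", implant, r.TaskID)
	}
	q.results[r.TaskID] = r
	delete(q.busy, implant)
	return nil
}

// Result returns the stored result for a task ID, if one has been reported.
func (q *TaskQueue) Result(id uint64) (Result, bool) {
	q.mu.Lock()
	defer q.mu.Unlock()
	r, ok := q.results[id]
	return r, ok
}

func main() {
	q := NewTaskQueue()
	q.Enqueue("beacon-1", "whoami") // operators queue work ...
	q.Enqueue("beacon-1", "pwd")
	// ... and the implant drains one task per check-in, reporting a
	// (constructed) result before it is handed the next.
	for task, ok := q.Next("beacon-1"); ok; task, ok = q.Next("beacon-1") {
		fmt.Printf("task %d -> %s\n", task.ID, task.Command)
		if err := q.Complete("beacon-1", Result{TaskID: task.ID, Output: "ok"}); err != nil {
			panic(err)
		}
	}
}
```

The design choice worth noting is that the implant never receives a pushed task at all: the HTTP check-in handler would call Next and return either one task or nothing, and the result handler would call Complete. Rejecting results whose tag does not match the task in flight also stops a stale or spoofed result from being attributed to the wrong command.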

Client

  • Unencrypted communication with the teamserver over HTTP
  • Authentication with the teamserver is not implemented yet
  • Interacts with the listener rather than the teamserver; the operator should be talking to the internal teamserver API instead of the listener (modularity)

Teamserver

  • Unencrypted communication with the implant over HTTP
  • The teamserver assumes every agent that checks in is legitimate and performs no authentication (in fact, the password argument used to start the teamserver is completely unused 🤡)


License: MIT License

