1
0
mirror of https://github.com/CPunch/Laika.git synced 2024-12-26 12:50:06 +00:00
Cross-platform RAT, written in Modern C
Go to file
CPunch e6dbada6ec Handled edgecase of shell peer disconnecting
- minor refactor of shell client, added shellC_isShellOpen()
2022-03-03 10:28:43 -06:00
.vscode Deprecated panel, added shell, lrsa.h -> lsodium.h 2022-02-24 22:13:05 -06:00
bot Added 'shell' command to LaikaShell 2022-03-02 10:38:16 -06:00
cmake-modules Misc. cmake refactoring 2022-01-29 17:16:29 -06:00
cnc Handled edgecase of shell peer disconnecting 2022-03-03 10:28:43 -06:00
img Handled edgecase of shell peer disconnecting 2022-03-03 10:28:43 -06:00
lib Added 'shell' command to LaikaShell 2022-03-02 10:38:16 -06:00
panel Major refactoring 2022-02-28 16:27:55 -06:00
shell Handled edgecase of shell peer disconnecting 2022-03-03 10:28:43 -06:00
tools Deprecated panel, added shell, lrsa.h -> lsodium.h 2022-02-24 22:13:05 -06:00
.gitignore Added 'lconfig.h' to .gitignore 2022-01-31 15:55:19 -06:00
CMakeLists.txt Deprecated panel, added shell, lrsa.h -> lsodium.h 2022-02-24 22:13:05 -06:00
README.md updated readme 2022-03-02 10:54:31 -06:00

Laika

Laika is a simple Remote Access Toolkit stack for red teaming. It allows authenticated communication across a custom protocol with generated key pairs which are embedded into the executable (only the public key is embedded in the bot client ofc).

Some notable features thus far:

  • Lightweight, the bot alone is 270kb (22kb if not statically linked with LibSodium) and uses very little resources.
  • Uses obfuscation techniques also seen in the wild (string obfuscation, tiny VMs executing sensitive operations, etc.)
  • Simple configuration using CMake
    • Setting keypairs (-DLAIKA_PUBKEY=? -DLAIKA_PRIVKEY=?)
    • Obfuscation modes

Would this work in real world scenarios?

My hope is that this becomes complete enough to be accurate to real RAT sources seen in the wild. However since Laika uses a binary protocol, the traffic the bot/CNC create would look very suspect and scream to sysadmins. This is why most RATs/botnets nowadays use an HTTP-based protocol, not only to 'blend in' with traffic, but it also scales well with large networks of bots where the CNC can be deployed across multiple servers and have a generic HTTP load balancer.

I could add some padding to each packet to make it look pseudo-HTTP-like, however I haven't given much thought to this.

Directories explained

  • /cmake-modules holds helper functions for finding things like libSodium.
  • /lib is a shared static library between the client, peer & panel clients.
  • /cnc is the Command aNd Control server.
  • /bot is the bot client to be ran on the target machine.
  • /shell is the main shell to connect to the CNC server with to issue commands.
  • /panel is a very incomplete & broken ncurses client. ignore for now.
  • /tools holds tools for generating keypairs, etc.

Configuration and compilation

Make sure you have the following libraries and tools installed:

  • CMake (>=3.10)
  • LibSodium (static library)

First, compile the target normally

$ cmake -B build && cmake --build build

Now, generate your custom key pair using genKey

$ ./bin/genKey

Next, rerun cmake, but passing your public and private keypairs

$ rm -rf build &&\
    cmake -B build -DLAIKA_PUBKEY=997d026d1c65deb6c30468525132be4ea44116d6f194c142347b67ee73d18814 -DLAIKA_PRIVKEY=1dbd33962f1e170d1e745c6d3e19175049b5616822fac2fa3535d7477957a841 -DCMAKE_BUILD_TYPE=MinSizeRel &&\
    cmake --build build

Output binaries are put in the ./bin folder