HTTPWorker is a Flask-based HTTP(S) command and control framework with custom Windows implants (EXE and DLL) written in C++. It was designed to be simple to deploy and easily configurable for security competitions.
- command execution
- file upload
- file download
- fetch system information (OS, network addresses, public IP, username, device name, memory amount, region)
- DLL loading
- screenshot
- process list
- process kill
In addition to coordinating implant communication, the Flask webapp provides a simple and easy to use web interface for interacting with connected bots.
The "Bots" page shows the full list of clients which have called back to the C2 - UUID, IP addresses, and the time of last checkin.
The panel is locked behind an authentication page with user accounts. Passwords are hashed using scrypt.
- docker
- docker-compose
Clone repo
git clone https://github.com/JrM2628/httpworker.git
Go to server directory
cd httpworker/server
Start server
sudo docker-compose up
Create account
From browser: https://[C2 IP Address]:5000/signup
There are two containers in this C2 setup.
- Nginx reverse proxy which directs traffic to webapp:5000
- Exposed port: 80, 443
- Redirects any attempt to access /signup endpoint to https://www.ritsec.club
- Default cert.crt and key.pem are included, though they should be changed out to prevent against certificate fingerprinting
- Flask server which handles C2 web application/API logic
- Exposed ports: 5000
- External access to this server should be restricted with a firewall rule that only allows access from a red team-controlled device
- This is because /signup endpoint is accessible via this server, allowing anyone to create a red team account
Pwnboard is used by RIT red teams in security competitions and engagements to track beacons in one consolidated place. To enable Pwnboard integration:
- Set app.pwnboard_enabled to "true" in __ init__.py
- Set app.pwnboard_host to the hostname of the pwnboard (no scheme or URL endpoint) in __ init__.py
- Verify IP regex in heartbeat function (bot_communication.py) is set correctly. Defaults to 10.0.0.0/8
- Choose whether you want EXE, DLL, or service (coming soon) implant
- Open desired solution file from client/windows and compile in release mode
- Modify build.py configuration values to align with desired values
- Hostname, port, and sleeptime almost definitely need to be changed
- Endpoints, key, xorKey should be changed to prevent against detection but updating these values will require changing the values server-side
python3 build.py --v --i httpworker.exe --o out.exe
- (Optional) sign using self-signed cert
.\signtool.exe sign /v /a /debug /f "path\to\signingcert.pfx" /p Password123! .\out.exe