A Remote Access Tool using Google Apps Script as the proxy for command and control.
TODO
Support multiple masters. Any given HTTP POST/GET request from a master can fail due to another master or server having modified the Google Sheets database first for a specific client.
Support built-in key logging for each client type. Depending on the client type and OS platform, the ability to log user keystrokes changes.
Support built-in screenshot capture for each client type. Depending on the client type and OS platform, the ability to capture a screenshot image changes.
Support built-in "dissolve" functionality for each client type.
Update C2 diagram to remove number of chunks from payload format.
Dependencies
NOTE: These only apply to running master.py and test.py on your local machine. Client dependencies (if any) are listed in each client's README.
Deploy (top right corner) > New Deployment > Web App (as the deployment type)
Fill in the description field with something
Make sure the app is executed as Me
Make sure Anyone can access the app
Click Deploy
Click Authorize Access > Your fake account > Advanced > Go to ... (unsafe) > Allow
NOTE: If you do not see this step, make sure you are using a private browser session
Save the application URL (it should end in /exec). This is what the clients and master will connect to.
2️⃣ Test Server Connection
Run ./client/test.py in order to test your server URL connection and MASTER_KEY:
NOTE:Running this test will leave an empty inactive client in the Google Sheets database. Simply delete that row to remove this inactive client.
3️⃣ Select Clients
Select your client and add the Google Apps Server URL from step 1 into the correct payload variable for your client's type as defined in the client's README
Example server transaction between a master and client in Google Sheets:
General Notes:
This design allows for multiple servers to be ran simultaneously against the same backend Google Sheets "database" for client redundancy and availability.
All master requests to the server must present a unique key in order for their request to be processed. This key is hardcoded into each server's JavaScript with the MASTER_KEY variable.
Each payload is base64 encoded except for the the command type. This is seperated by the | character as the delimiter in the payload.
Limitations
All data sent to/from the server is chunked into 50000 (50 KB) chunks. This is because Google Sheets currently has a single cell size limitation of 50000 characters:
Google applies daily quotas and limitations for execution of its services. Getting around these limitations is as simple as creating other duplicate copies of the same server.js code for more servers in your design. Each client is able to cycle through multiple servers for loadballancing.
请发表评论