BYOB is an open-source post-exploitation framework for students, researchers and developers. It includes features such as:
- Command & control server with intuitive user-interface
- Custom payload generator for multiple platforms
- 12 post-exploitation modules
It is designed to allow students and developers to easily implement their own code and add cool new features without having to write a C2 server or Remote Administration Tool from scratch.
This project has 2 main parts: the original console-based application (/byob) and the web GUI (/web-gui).
Getting Started
The first thing you need to do to start using BYOB is download the code from Github.
You will need to install Docker and Python to use this software.
Once you have downloaded the code from Github and installed the necessary software, navigate to the /byob/web-gui directory and run the setup.sh script. This will build some Docker images that are used by the payload generator to cross-compile executables.
After completing the installation and setup, you can now launch the web GUI by running the command python3 run.py from the /byob/web-gui directory.
Once it is running, you can now open your browser and go to http://0.0.0.0:5000 to use the web GUI.
Step 1: Create an Account
Once the web app is up and running, you are ready to create an account. You can do this by clicking on the register button at the top right.
This will set you up as the sole administrator of the command & control server and restrict others from accessing it.
Step 2: Generate a Payload
Once you are logged in, the first thing you need to do is generate a payload. To get started, click the Payloads button at the top of the screen to navigate to the payloads page.
The payloads page has 2 main parts:
- Payload Generator
- Payloads Table
Payload Generator
Python
Select “Python” format as the format to generate an obfuscated Python script.
Python is platform independent, so you will not need to select a target operating system and architecture.
The file size is small, however, Python must be installed on the target machine to execute it.
Executable
Select “Executable” format to compile a binary executable for a target operating system and architecture.
You must select the operating system and architecture of the target machine(s) in order to compile an executable.
This will run on systems which do not have Python installed, however, the file size is substantially larger.
Payloads Table
Below the payload generator you can see the payloads table, where you can download payloads you have generated by selecting the “download” icon on the right as seen below.
You can sort by “created” to find the most recently generated payload. There is also a search bar at the top right of the table that you can use to view only your Windows payloads, for example.
Step 3: Create Bots
After downloading a payload, you can create bots by executing the payload on target machines.
This platform is strictly for authorized testing and education purposes, so this is done by simply downloading the payload onto your virtual machine or testing environment.
In a real world scenario an attacker would most likely use a social-engineering trick to get the target to execute the payload, such as sending it as an email attachment disguised as a software update.
Step 4: Command & Control
Once you have a payload running on a target machine, you are ready to command and control your bots!
To get started, click the Control Panel button at the top of the screen to navigate to your command and control dashboard.
The control panel dashboard is designed to provide an intuitive command & control interface. It has 3 main parts:
- Post-Exploitation Modules
- Bots Table
- Shell Access
Post-Exploitation Modules
Select a post-exploitation module using the panel on the left. Each module contains a description and a list of supported platforms.
Next, select the bots to execute it on by either clicking “select all bots” or selecting bots from the Bots Table below.
Now click execute and watch the results stream in!
Bots Table
The bots table contains identifying information about your bots and allows you to monitor their status and interact with them directly. It is fully searchable and sortable by column for your convenience.
If your bots are mining monero, the “Hashes/Second” column and “Hashrate Graph” will update every second so you can monitor their progress in real time.
You can view a bot’s history of commands and results by clicking the “Results” button on the right, or kill the bot by clicking the Trash icon.
And yes, clicking the terminal icon provides direct shell access to the bot!
Shell Access
Click the terminal icon for any bot to connect directly to the bot via reverse TCP shell.
A fully-featured terminal emulator runs in the browser which behaves exactly the same as the terminal on the machine.
This provides you with direct access to, and full control over, the machine so you can run standard red team operations which require terminal access.
Console Application
Client
Generate fully-undetectable clients with staged payloads, remote imports, and unlimited post-exploitation modules
- Remote Imports: remotely import third-party packages from the server without writing them to the disk or downloading/installing them
- Nothing Written To The Disk: clients never write anything to the disk – not even temporary files (zero IO system calls are made) because remote imports allow arbitrary code to be dynamically loaded into memory and directly imported into the currently running process
- Zero Dependencies (Not Even Python Itself): client runs with just the python standard library, remotely imports any non-standard packages/modules from the server, and can be compiled with a standalone python interpreter into a portable binary executable formatted for any platform/architecture, allowing it to run on anything, even when Python itself is missing on the target host
- Add New Features With Just 1 Click: any python script, module, or package you copy to the ./byob/modules/ directory automatically becomes remotely importable & directly usable by every client while your command & control server is running
- Write Your Own Modules: a basic module template is provided in the ./byob/modules/ directory to make writing your own modules a straight-forward, hassle-free process
- Run Unlimited Modules Without Bloating File Size: use remote imports to add unlimited features without adding a single byte to the client’s file size
- Fully Updatable: each client will periodically check the server for new content available for remote import, and will dynamically update its in-memory resources if anything has been added/removed
- Platform Independent: everything is written in Python (a platform-agnostic language) and the clients generated can optionally be compiled into a portable executable (Windows) or bundled into a standalone application (macOS)
- Bypass Firewalls: clients connect to the command & control server via reverse TCP connections, which will bypass most firewalls because the default filter configurations primarily block incoming connections
- Counter-Measure Against Antivirus: avoids being analyzed by antivirus by blocking processes with names of known antivirus products from spawning
- Encrypt Payloads To Prevent Analysis: the main client payload is encrypted with a random 256-bit key which exists solely in the payload stager which is generated along with it
- Prevent Reverse-Engineering: by default, clients will abort execution if a virtual machine or sandbox is detected
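The two client properties above that matter most to a defender are the periodic check-in (Fully Updatable) and the outbound reverse TCP connection (Bypass Firewalls): egress that a default firewall policy allows is still logged, and a client that polls its server on a fixed schedule leaves a regular pattern in that log. The following Python is an added example and not BYOB code: it parses a constructed connection log (the line format and every host, PID and address are made up for the demo) and flags process/destination pairs whose connection intervals are nearly constant. The one-minute interval in the sample and the 0.2 jitter threshold are assumptions to tune against your own environment, not values taken from the project.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed connection log (not real data): one accepted outbound TCP
# connection per line, "timestamp pid process src -> dst:port".
# python.exe reconnects to 203.0.113.5:1337 about once a minute; firefox.exe
# connects to 198.51.100.x:443 at irregular, user-driven times.
SAMPLE_LOG = """\
2024-03-01T10:00:00 4412 python.exe 10.0.0.7 -> 203.0.113.5:1337
2024-03-01T10:00:03 1204 firefox.exe 10.0.0.7 -> 198.51.100.20:443
2024-03-01T10:00:11 1204 firefox.exe 10.0.0.7 -> 198.51.100.20:443
2024-03-01T10:01:00 4412 python.exe 10.0.0.7 -> 203.0.113.5:1337
2024-03-01T10:01:41 1204 firefox.exe 10.0.0.7 -> 198.51.100.20:443
2024-03-01T10:02:01 4412 python.exe 10.0.0.7 -> 203.0.113.5:1337
2024-03-01T10:02:09 1204 firefox.exe 10.0.0.7 -> 198.51.100.21:443
2024-03-01T10:03:00 4412 python.exe 10.0.0.7 -> 203.0.113.5:1337
2024-03-01T10:04:00 4412 python.exe 10.0.0.7 -> 203.0.113.5:1337
2024-03-01T10:04:55 1204 firefox.exe 10.0.0.7 -> 198.51.100.20:443
"""


def parse_line(line: str) -> dict:
    """Split one constructed log line into its fields."""
    ts, pid, proc, src, arrow, dst = line.split()
    if arrow != "->":
        raise ValueError(f"unexpected log line: {line!r}")
    host, port = dst.rsplit(":", 1)
    return {"time": datetime.fromisoformat(ts), "pid": int(pid),
            "proc": proc, "src": src, "dst": host, "port": int(port)}


def find_beacons(log_text: str, min_hits: int = 4, max_jitter: float = 0.2) -> list:
    """Return [(proc, dst, port, mean_gap_s, jitter)] for near-periodic flows.

    jitter is the coefficient of variation (stdev / mean) of the gaps between
    consecutive connections: a scripted check-in sits near 0, a human well above.
    """
    by_flow = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            by_flow[(rec["proc"], rec["dst"], rec["port"])].append(rec["time"])

    findings = []
    for (proc, dst, port), times in by_flow.items():
        if len(times) < min_hits:          # too few samples to call it periodic
            continue
        times.sort()
        gaps = [(later - earlier).total_seconds()
                for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            findings.append((proc, dst, port, avg, jitter))
    return findings


if __name__ == "__main__":
    for proc, dst, port, avg, jitter in find_beacons(SAMPLE_LOG):
        print(f"{proc} -> {dst}:{port}: every {avg:.0f}s (jitter {jitter:.2f})")
```

Run it directly to print the single flagged flow. On real data, feed it firewall or EDR network events in the same timestamp/process/destination shape; if a client randomises its sleep, raise max_jitter and rely more on the process name and destination port being out of place for the host.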
Modules
Post-exploitation modules that are remotely importable by clients
- Persistence (byob.modules.persistence): establish persistence on the host machine using 5 different methods
- Packet Sniffer (byob.modules.packetsniffer): run a packet sniffer on the host network & upload .pcap file
- Escalate Privileges (byob.modules.escalate): attempt UAC bypass to gain unauthorized administrator privileges
- Port Scanner (byob.modules.portscanner): scan the local network for other online devices & open ports
- Keylogger (byob.modules.keylogger): logs the user’s keystrokes & the window name entered
- Screenshot (byob.modules.screenshot): take a screenshot of current user’s desktop
- Webcam (byob.modules.webcam): view a live stream or capture image/video from the webcam
- Outlook (byob.modules.outlook): read/search/upload emails from the local Outlook client
- Process Control (byob.modules.process): list/search/kill/monitor currently running processes on the host
- iCloud (byob.modules.icloud): check for logged in iCloud account on macOS
- Miner (byob.core.miner): mine Monero in the background using the built-in miner or XMRig
Server
Command & control server with persistent database and console
- Console-Based User-Interface: streamlined console interface for controlling client host machines remotely via reverse TCP shells which provide direct terminal access to the client host machines
- Persistent SQLite Database: lightweight database that stores identifying information about client host machines, allowing reverse TCP shell sessions to persist through disconnections of arbitrary duration and enabling long-term reconnaissance
- Client-Server Architecture: all python packages/modules installed locally are automatically made available for clients to remotely import without writing them to the disk of the target machines, allowing clients to use modules which require packages not installed on the target machines
Core
Core framework modules used by the generator and the server
- Utilities (byob.core.util): miscellaneous utility functions that are used by many modules
- Security (byob.core.security): Diffie-Hellman IKE & 3 encryption modes (AES-256-OCB, AES-256-CBC, XOR-128)
- Loaders (byob.core.loaders): remotely import any package/module/scripts from the server
- Payloads (byob.core.payloads): reverse TCP shell designed to remotely import dependencies, packages & modules
- Stagers (byob.core.stagers): generate unique payload stagers to prevent analysis & detection
- Generators (byob.core.generators): functions which all dynamically generate code for the client generator
- DAO (byob.core.dao): handles interaction between command & control server and the SQLite database
- Handler (byob.core.handler): HTTP POST request handler for remote file uploads to the server
byob by malwaredllc