BYOB: Build Your Own Botnet
BYOB (Build Your Own Botnet) is an open-source project that provides a framework for security researchers and developers to build and operate a basic botnet. The framework is intended to help you improve your ability to develop counter-measures against malware and to deepen your understanding of how malware works and infects a huge number of devices every year.
The BYOB framework allows you to easily implement your own code and add new features without having to write a RAT (Remote Administration Tool) or a C2 (Command & Control) server from scratch.
usage: server.py [-h] [-v] [--host HOST] [--port PORT] [--database DATABASE]
Command & control server with persistent database and console
- Console-Based User-Interface: streamlined console interface for controlling client host machines remotely via reverse TCP shells. It provides direct terminal access to the client host machines.
- Persistent SQLite Database: lightweight database that stores identifying information about client host machines, which allows reverse TCP shell sessions to persist through disconnections of arbitrary duration and enables long-term reconnaissance.
- Client-Server Architecture: all python packages/modules installed locally are automatically available. You don’t have to write them to the disk of the target machines.
usage: client.py [-h] [-v] [--name NAME] [--icon ICON] [--pastebin API] [--encrypt] [--obfuscate] [--compress] [--compile] host port [module [module ...]]
Generate fully-undetectable clients with staged payloads, remote imports, and unlimited modules
- Remote Imports: you can remotely import third-party packages from the server. You don’t have to download/install or write them to the disk.
- Nothing Written To The Disk: clients never write anything to the disk – not even temporary files.
- Zero Dependencies: the client runs with just the Python standard library and remotely imports any non-standard packages/modules from the server. You can compile it with a standalone Python.
- New Features With 1 Click: any Python script, module, or package you copy to the ./byob/modules/ directory automatically becomes remotely importable & directly usable by every client while your command & control server is running.
- Write Your Own Modules: a basic module template is located in the ./byob/modules/ directory, where you can write your own modules.
- Run Unlimited Modules Without Bloating File Size: use remote imports to add unlimited features without adding a single byte to the client’s file size
- Fully Updatable: each client will periodically check the server for new content available for remote import. It will dynamically update its in-memory resources.
- Platform Independent: everything is written in Python. You can compile clients into portable executables or bundle them into a standalone application.
- Bypass Firewalls: clients connect to the command & control server via reverse TCP connections, which will bypass most firewalls because the default filter configurations primarily block incoming connections.
- Counter-Measure Against Antivirus: the client blocks processes whose names match well-known antivirus products from spawning.
- Encrypt Payloads To Prevent Analysis: the main client payload is encrypted with a random 256-bit key which exists solely in the payload stager that is generated along with it.
- Prevent Reverse-Engineering: clients will abort execution if they detect a virtual machine or sandbox.
Post-exploitation modules that are remotely importable by clients
- Keylogger (byob.modules.keylogger): logs the user's keystrokes & the name of the window they were entered in
- Screenshot (byob.modules.screenshot): takes a screenshot of the current user's desktop
- Webcam (byob.modules.webcam): views a live stream or captures image/video from the webcam
- Ransom (byob.modules.ransom): encrypts files & generates a random BTC wallet for ransom payment
- Outlook (byob.modules.outlook): reads/searches/uploads emails from the local Outlook client
- Packet Sniffer (byob.modules.packetsniffer): runs a packet sniffer on the host network & uploads a .pcap file
- Persistence (byob.modules.persistence): establishes persistence on the host machine using 5 different methods
- Phone (byob.modules.phone): reads/searches/uploads text messages from the client smartphone
- Escalate Privileges (byob.modules.escalate): attempts a UAC bypass to gain unauthorized administrator privileges
- Port Scanner (byob.modules.portscanner): scans the local network for other online devices & open ports
- Process Control (byob.modules.process): lists/searches/kills/monitors currently running processes on the host
Core framework modules used by the generator and the server
- Utilities (byob.core.util): miscellaneous utility functions that are used by many modules
- Security (byob.core.security): Diffie-Hellman IKE & 3 encryption modes (AES-256-OCB, AES-256-CBC, XOR-128)
- Loaders (byob.core.loaders): remotely import any package/module/script from the server
- Payloads (byob.core.payloads): reverse TCP shell designed to remotely import dependencies, packages & modules
- Stagers (byob.core.stagers): generate unique payload stagers to prevent analysis & detection
- Generators (byob.core.generators): functions which dynamically generate code for the client generator
- Database (byob.core.database): handles interaction between the command & control server and the SQLite database