{"id":25268638,"url":"https://github.com/fbutros/favic2","last_synced_at":"2025-10-27T06:31:47.257Z","repository":{"id":276587709,"uuid":"929711838","full_name":"FButros/FaviC2","owner":"FButros","description":"FaviC2 is a proof-of-concept Command \u0026 Control framework that embeds commands in a website’s favicon.ico file. It demonstrates how attackers—or authorized red teams—might leverage benign icon requests to stealthily send commands to a compromised host and receive execution results. Use this only in authorized security tests or lab environments","archived":false,"fork":false,"pushed_at":"2025-02-09T07:54:38.000Z","size":0,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-02-09T08:27:55.494Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/FButros.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2025-02-09T07:45:20.000Z","updated_at":"2025-02-09T07:54:42.000Z","dependencies_parsed_at":"2025-02-09T08:37:59.305Z","dependency_job_id":null,"html_url":"https://github.com/FButros/FaviC2","commit_stats":null,"previous_names":["fbutros/favic2"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/FButros%2FFaviC2","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/FButros%2FFaviC2/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/FButros%2FFaviC2/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/FButros%2FFaviC2/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/FButros","download_url":"https://codeload.github.com/FButros/FaviC2/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":238454833,"owners_count":19475316,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-02-12T10:30:13.129Z","updated_at":"2025-10-27T06:31:46.930Z","avatar_url":"https://github.com/FButros.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# FaviC2 - A Favicon Command \u0026 Control (C2) Proof of Concept\n\n**FaviC2** is a proof-of-concept Command \u0026 Control framework that embeds commands in a website’s `favicon.ico` file. It demonstrates how attackers or authorized red teams might leverage seemingly benign icon requests to stealthily send commands to a compromised host and receive execution results. **Use this only in authorized security tests or lab environments.**\n\n---\n\n## Table of Contents\n\n- [Features](#features)  \n- [How It Works](#how-it-works)  \n- [Project Structure](#project-structure)  \n- [Installation and Setup](#installation-and-setup)  \n- [Usage](#usage)  \n  - [Starting the C2 Server](#starting-the-c2-server)  \n  - [Running the Implant](#running-the-implant)  \n  - [Queueing Commands](#queueing-commands)  \n  - [Viewing Results](#viewing-results)  \n- [Demonstration Flow](#demonstration-flow)  \n- [Disclaimer](#disclaimer)  \n- [License](#license)  \n\n---\n\n## Features\n\n1. **Covert Channel via Favicon**  \n   - Commands are hidden in the server’s response to `/favicon.ico`, either appended to the icon file or embedded in a custom header.\n\n2. **SQLite Database Storage**  \n   - Simple, lightweight database for tracking implants, queued commands, and execution results.\n\n3. **Lightweight Implant (Agent)**  \n   - Polls the server at configurable intervals, executes received commands, and reports back.\n\n4. **Minimal Dependencies**  \n   - Server side uses [Flask](https://flask.palletsprojects.com/).  \n   - Implant side uses [requests](https://pypi.org/project/requests/).\n\n---\n\n## How It Works\n\n1. **Implant Registration**  \n   - The implant calls `/favicon.ico?i=\u003cimplant_id\u003e` to register/update itself in the database.\n\n2. **Command Injection**  \n   - If a command is queued for that implant, the server base64-encodes it and inserts it into the `.ico` response or an HTTP header.\n\n3. **Command Execution**  \n   - The implant decodes the command and executes it locally (e.g., via `subprocess` in Python).\n\n4. **Result Reporting**  \n   - The implant sends command output back to `/report`, and the server stores it in the SQLite database.\n\n5. **Operator Inspection**  \n   - The operator (red team) can review saved results by hitting `/results` or by building a custom interface.\n\n---\n\n## Project Structure\n\n```bash\nFaviC2/\n├── c2_server/\n│   ├── db.py             # SQLite DB creation and query logic\n│   ├── server.py         # Flask server handling C2 logic\n│   └── static/\n│       └── base_favicon.ico  # Base icon file to be served/modified\n└── implant/\n    └── implant.py        # The implant script that polls for commands and reports results\n```\n\n## Installation and Setup\n\n### 1. Clone the Repository\n\n```bash\ngit clone https://github.com/\u003cYourUsername\u003e/FaviC2.git\ncd FaviC2\n```\n\n### 2. Server Environment Setup\n\n```bash\ncd c2_server\npython3 -m venv venv\nsource venv/bin/activate       # On Linux/Mac\n# On Windows: venv\\Scripts\\activate\n\npip install flask\n```\n\n### 3. Implant Environment Setup\n\n```bash\ncd ../implant\npython3 -m venv venv\nsource venv/bin/activate\npip install requests\n```\n\n### 4. Base Favicon\n\nIn `c2_server/static/`, ensure you have a valid `base_favicon.ico`. You can download or create one using any icon generator.\n\n---\n\n## Usage\n\n### Starting the C2 Server\n\nFrom `c2_server`, run:\n\n```bash\ncd c2_server\nsource venv/bin/activate  # Activate your virtual environment if not already\npython server.py\n```\n\nBy default, this starts the Flask server on `http://127.0.0.1:5000`. You can change ports and settings in `server.py`.\n\n### Running the Implant\n\nIn another terminal, navigate to `implant`:\n\n```bash\ncd implant\nsource venv/bin/activate\npython implant.py\n```\n\nThe implant will poll `http://localhost:5000/favicon.ico?i=test_implant` every 10 seconds (configurable in `implant.py`).\n\n### Queueing Commands\n\nUse `curl`, Postman, or similar to queue a command:\n\n```bash\ncurl -X POST -H \"Content-Type: application/json\" \\\n     -d '{\"implant_id\":\"test_implant\",\"command\":\"whoami\"}' \\\n     http://127.0.0.1:5000/queue_command\n```\n\nWhen the implant polls again, it will receive and execute `whoami`, then send the results back.\n\n### Viewing Results\n\nRetrieve stored results with:\n\n```bash\ncurl http://127.0.0.1:5000/results\n```\n\nYou’ll see a JSON response containing implant IDs, commands, outputs, and timestamps.\n\n---\n\n## Demonstration Flow\n\n1. **Start the C2 Server**\n\n    ```bash\n    python server.py\n    ```\n\n2. **Run the Implant**\n\n    ```bash\n    python implant.py\n    ```\n\n3. **Queue a Command**\n\n    ```bash\n    curl -X POST -H \"Content-Type: application/json\" \\\n         -d '{\"implant_id\":\"test_implant\",\"command\":\"whoami\"}' \\\n         http://127.0.0.1:5000/queue_command\n    ```\n\n4. **Check Implant**\n\n    - The implant logs the fetched command and executes it.\n    - Output is sent back to the server.\n\n5. **View Results**\n\n    - Access `http://127.0.0.1:5000/results` to confirm the command’s output.\n\n---\n\n## Disclaimer\n\nThis tool is intended for authorized security testing and educational research purposes only. You are solely responsible for complying with all relevant laws. Do not use this software in unauthorized ways. The author(s) assume no liability for any misuse or damage.\n\n---\n\n## License\n\n**MIT License**\n\nFeel free to adapt or enhance the code for your use cases within the bounds of the license.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffbutros%2Ffavic2","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ffbutros%2Ffavic2","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffbutros%2Ffavic2/lists"}