{"id":18964560,"url":"https://github.com/waived/exile-botnet","last_synced_at":"2025-03-05T04:23:19.369Z","repository":{"id":243951984,"uuid":"813881347","full_name":"waived/exile-botnet","owner":"waived","description":"Botnet in Python3 - DDoS + self-rep","archived":false,"fork":false,"pushed_at":"2024-07-16T17:15:48.000Z","size":167,"stargazers_count":3,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-01-15T14:33:56.799Z","etag":null,"topics":["botnet","botnet-source","c2","cnc","ddos","ddos-attacks","denial-of-service","denial-of-service-attack","malware","python","self-replicating","vulnerability-scanners"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/waived.png","metadata":{"files":{"readme":"README.txt","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-06-11T23:36:10.000Z","updated_at":"2025-01-05T08:23:24.000Z","dependencies_parsed_at":null,"dependency_job_id":"7eeee0a9-420c-4d38-8b5e-6fb696f98b28","html_url":"https://github.com/waived/exile-botnet","commit_stats":null,"previous_names":["waived/exile-botnet"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/waived%2Fexile-botnet","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/waived%2Fexile-botnet/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/waived%2Fexile-botnet/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/waived%2Fexile-
botnet/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/waived","download_url":"https://codeload.github.com/waived/exile-botnet/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":241962277,"owners_count":20049638,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["botnet","botnet-source","c2","cnc","ddos","ddos-attacks","denial-of-service","denial-of-service-attack","malware","python","self-replicating","vulnerability-scanners"],"created_at":"2024-11-08T14:25:02.453Z","updated_at":"2025-03-05T04:23:19.349Z","avatar_url":"https://github.com/waived.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"██████████████████      ██  ██████  ██      ██  ██████      ██████████████\n█████████████████  ████████  ██   █████  ████  ██████  ███████████████████\n▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓    ▓▓▓▓▓▓▓▓   ▓▓▓▓▓▓▓  ▓▓▓▓  ▓▓▓▓▓▓    ▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓\n▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒  ▒▒▒▒▒▒▒▒   ▒  ▒▒▒▒▒▒  ▒▒▒▒  ▒▒▒▒▒▒  ▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒\n░░░░░░░░░░░░░░      ░░   ░░░░░  ░░      ░░      ░░      ░░░░░░░░░░░░░░░░░░\n──────────────────────────────────────────────────────────────────────────\n                                  ABOUT\n──────────────────────────────────────────────────────────────────────────\nProgram: Exile Botnet (server + client) / Proof-of-Concept\nServer version: 3.0\nClient version: 19.0\n\nLanguages: Python 3.11.9\n           Shell BASH/SH\n\nTested on: KaOS amd64 minimal-2024\n           Kali Linux 2024.1\n           Ubuntu 24.01\n           Microsoft Windows 11 (Version 23H2)\n 
          \nC2 communication method: TCP sockets\n           \nAffected platforms: Linux/Unix environments\n           \nAuthor: Waived\n──────────────────────────────────────────────────────────────────────────\n                               CAPABILITIES \n──────────────────────────────────────────────────────────────────────────\n\n--- Denial-of-Service\n    ExileBot wields a total of fourteen different attack vectors, based on\n    standard UDP, TCP, and the HTTP protocol.\n    \n--- Binary Loader\n    Exile also acts as a loader, where C, PY, SH, and ELF files can be\n    loaded and executed on the client machines.\n    \n--- C2 manipulation\n    Like any bot/loader, Exile's C2 infrastructure allows for TCP connection\n    manipulation: termination of connections, refreshing of connections, and\n    disconnection from TCP connections. Additionally, ExileBot provides the\n    option to update the currently running client with a more recent build. \n    \n--- Self-replication\n    Once one or more clients are connected to the C2, at the command of the\n    botmaster, said clients can then begin scanning the internet for hosts that\n    are running SSH and Telnet services. Via password spraying of commonly used\n    credentials, ExileBot attempts to hijack a session and inject a copy of\n    the client onto said machines. This allows Exile to gain a wider scope\n    of connected machines.\n    \n--- Anti-viral maneuvers\n    Exile makes use of a BotKiller, a routine that will check for suspicious\n    processes that are known to belong to other Bots, Loaders, Vertexes, etc.\n    \n──────────────────────────────────────────────────────────────────────────\n                             ATTACK FUNCTIONS \n──────────────────────────────────────────────────────────────────────────\n--- UDP: \n    Standard junk flood via UDP. Dynamic data buffer with non-fixed length.\n\n--- TCP:\n    Standard junk flood via UDP. Dynamic data buffer with non-fixed length.\n\n--- RHEX:\n    UDP flood using random hexadecimal values. Dynamic data buffer with non-\n    fixed length. Effective against some OVH-based services.\n    \n--- HTTPBYPASS:\n    An HTTP-GET flood that implements proxification for each request. HTTP\n    headers such as User-agent, Referer, and URI query are randomized. \n    Effective against CDNs, WAFs, and other reverse-proxy implementations.\n    \n--- HOLD:\n    Much like the 'Xerxes' attack, a HOLD flood will open a series of TCP\n    sockets. After the user-specified delay has passed, a null byte '\\x00'\n    will be sent through the sockets to keep them alive. If used against\n    single thread-based socket spawning services such as Apache Tomcat, \n    Microsoft IIS, dhttpd Dart, etc., one machine can take a server down.\n    However, HTTP services such as NGINX can manage this quite well. In\n    terms of a botnet, with several hundred if not several thousand clients\n    requesting socket connections all at once, even such a service can be\n    crippled. Effectiveness lies in the number of clients connected to Exile.\n    \n--- RECOIL:\n    Originally taken from NewEraCracker's LOIC HiveMind edition, the ReCoil\n    flood is a slow-download attack via HTTP. The botmaster will find a site\n    that is hosting a relatively large file. Once the download on the client\n    machine has started, each byte is streamed to the client over the TCP\n    socket very slowly. The botmaster will specify the delay in seconds before\n    receiving the next byte in the sequence. Like the HOLD flood, the more\n    clients acting against the specific file, the greater the ability to\n    paralyze the target.\n    \n--- STDHEX:\n    Modeled on the well-known STD.c attack, an STD packet via UDP using\n    hexadecimal values will be sent to the target. The data buffer in each\n    UDP packet will not exceed 50 bytes; however, this method is a PPS-dependent\n    flood, where a high volume of requests is hurled at the target in rapid\n    succession.\n    \n--- QUAKE3:\n    A UDP-based attack that affects Quake V3 gaming servers. Each packet makes\n    use of QUAKE3 query vulnerabilities.\n    \n--- HTTP:\n    Standard HTTP flood with user-agent randomization and keep-alive headers.\n    The TCP socket responsible for sending the HTTP headers will remain open\n    until forcibly closed by the endpoint. Upon closure, more sockets are\n    spawned until the duration is complete or cancelled by the botmaster.\n    \n--- FIVE-M:\n    A UDP-based attack that affects GTA-V (Grand Theft Auto 5) modding game-\n    servers. Each packet makes use of FIVE-M query vulnerabilities.\n    \n--- HTTPHEX:\n    An HTTP-GET flood that appends junk hexadecimal payloads at the end of\n    each HTTP request. User-agent randomization and keep-alive headers are\n    sent.\n    \n--- TLS:\n    This attack attempts to exhaust SSL/TLS slates on HTTPS-protected\n    websites. It begins the TLS encryption process, then drops the connection\n    and quickly spawns a new TLS agreement. This process is done repeatedly\n    over the same TCP socket until forcibly closed by the endpoint. Upon \n    closure, more sockets are spawned until the duration is complete or\n    cancelled by the botmaster. \n    \n--- VSE:\n    This UDP-based attack manipulates the VSE (Valve Source Engine) protocol\n    on game-servers run by the gaming platform Steam. Each packet makes use \n    of VSE query vulnerabilities.\n    \n--- TS3:\n    This UDP-based attack manipulates the TS3 (Team Speak Ver3.0) protocol\n    on TS3-servers. Each packet makes use of TS3 query vulnerabilities.\n──────────────────────────────────────────────────────────────────────────\n                             NOTABLE FEATURES \n──────────────────────────────────────────────────────────────────────────\nSERVER:\n=======\nClear:\nSimply put, this command will clear the terminal environment of Exile to\nallow for a clearer working interface.\n\nGoodbye:\nThis command was designed to eliminate the \u003cCTRL+C\u003e abort feature in\nPython and to safely power down the TCP Listener and other currently\nrunning routines.  \n\nV\u0026:\nThe V\u0026 (\"vanned\") command is a panic feature. Once executed, Exile\nwill terminate all client connections via the \"uninstall\" command.\nIt will also self-terminate (via BASH) by deleting the active\nserver.py script.\n\nBe careful! There is no confirmation when processing this request!\n\n=======\nCLIENT:\n=======\n\nResurrection:\nUpon execution, the client will locate the Linux/Unix CronTab (if supported)\nand will (via BASH) add itself to the CronTab. On every reboot, Exile will\nreconnect to the C2.\n\nConnection management:\nExile will take commands from the C2 regarding the active TCP connection\nrunning on the machine. At any given point, the client has the ability\nto either restart the connection to the C2, drop it entirely, or \"uninstall\",\nwhich not only drops the connection but (via BASH) will self-destruct the client\nscript entirely.\n\nVerbose output:\nSince ExileBot serves as a POC and for the purpose of dev-testing, the client\nwill output verbose information after connecting/reconnecting to the C2 and\nwhen processing commands.\n\n──────────────────────────────────────────────────────────────────────────\n                           KNOWN BUGS / ISSUES\n──────────────────────────────────────────────────────────────────────────\nExileBot aims to make multi-platform Linux/Unix use smooth and compatible\nwith as many systems as possible. It is possible that due to certain system\nlimitations or lack of permissions, ExileBot is unable to properly process a\ncommand. At any point, be sure to leave a bug report!\n\nKeyboard Interrupt:\nWhereas the 'disconnect' command from the C2 functions flawlessly, using the\nkeyboard interrupt \u003cCTRL+C\u003e may yield an interrupt error when breaking. This\ndoesn't necessarily need to be handled, since the client should run silently on\nthe infected machine without hindrance.\n\nDisconnect:\nBecause of certain activity during data traversal, taking the 'disconnect' \ncommand from the C2 may not exit immediately. The TCP socket may hang for\nup to another 30 seconds before exiting. This is more of a performance issue\nthan an actual bug.\n\nIf anything else arises during execution of ExileBot that does not work\ncorrectly, please leave a bug report.\n\n──────────────────────────────────────────────────────────────────────────\n                              AUTHOR'S NOTES\n──────────────────────────────────────────────────────────────────────────\nPython is an interpreted language, NOT compiled! This means two things:\n\n    1) Since Python is interpreted, it is slower than compiled\n       languages like C, Delphi, GoLang, etc. It may not be as suitable\n       in the field for this reason alone.\n       \n    2) Because ExileBot is not compiled, the server/client can simply be\n       opened up/viewed. There is no ability to hide the C2 connections\n       within the code. This may require some level of third-party\n       obfuscation.\n\nAdditionally, there is no level of encryption/encoding between the server\nand clients. Having encryption would be a beneficial feature to have when\nconducting illicit activities. I felt no reason to include such a feature.\n\n──────────────────────────────────────────────────────────────────────────\n                              LEGAL STATEMENT\n──────────────────────────────────────────────────────────────────────────\nBy downloading, modifying, redistributing, and/or executing ExileBot, the\nuser agrees to the contained LEGAL.txt statement found in this repository.\n\nI, Waived, the creator, take no legal responsibility for unlawful actions\ncaused/stemming from this program. Use responsibly and ethically!\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fwaived%2Fexile-botnet","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fwaived%2Fexile-botnet","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fwaived%2Fexile-botnet/lists"}