https://github.com/idigitalflame/thunderstorm
Golang C2 Server and Agents using XMT (https://github.com/iDigitalFlame/xmt)
c2 ctf go golang golang-application hacking offensive-security python python3 redteam
Last synced: 10 months ago
- Host: GitHub
- URL: https://github.com/idigitalflame/thunderstorm
- Owner: iDigitalFlame
- License: agpl-3.0
- Created: 2021-07-26T15:50:42.000Z (almost 5 years ago)
- Default Branch: main
- Last Pushed: 2024-11-10T22:38:44.000Z (over 1 year ago)
- Last Synced: 2025-04-19T13:45:38.212Z (about 1 year ago)
- Topics: c2, ctf, go, golang, golang-application, hacking, offensive-security, python, python3, redteam
- Language: Python
- Homepage:
- Size: 891 KB
- Stars: 34
- Watchers: 5
- Forks: 8
- Open Issues: 1
Metadata Files:
- Readme: README.md
- Funding: .github/FUNDING.yml
- License: LICENSE
- Security: SECURITY.md
README
# The ThunderStorm Project
---
Golang Full C2 Solution using [XMT](https://github.com/iDigitalFlame/xmt)
ThunderStorm is made up of multiple components that work together.
[Documentation repository](docs) is live with new stuff, including:
- The [Quickstart Guide](docs/Quickstart.md)!
- [Bolt Console Command Line Reference](docs/Commands.md) guide.
- [Data Identifiers Reference](docs/Identifiers.md) guide.
## Cirrus
*I smell a storm coming*
Cirrus is a ReST cradle for XMT and acts as the primary "teamserver". This can
be used to control and task Bolts (implants).
Cirrus will automatically capture Jobs and new Bolts and has a websocket interface
that can be used to get quick up-to-date information on what's happening.
__ReST documentation is in progress (I swear!)__
## Bolt
*Sometimes lightning does strike twice*
A Bolt is a basic implant that can be used on any client device. Bolts can be
built in multiple modes and will initially talk to the C2 with whatever their
built-in Profile is.
Bolts can be customized to run as services/daemons or as DLLs.
## JetStream
*Fly Forward, Fast*
JetStream is a compact, complex Bolt builder engine. JetStream is able to create
new Bolts for many different platforms (including Windows DLLs) and can obfuscate,
encrypt, sign and pack binaries easily.
## CloudSeed
*Let it Pour*
CloudSeed complements JetStream and is able to build Bolts and Flurries in batches.
Using JetStream, CloudSeed can build hundreds of instances ready to be deployed.
It's __OUR__ answer to Defense-in-Depth.
## Flurry
*Just layer it on*
Flurry (old name Launcher) taps into the Guardian function of XMT and can automatically
resurrect a killed or crashed Bolt in a different process. These rely on a configured Guardian
type and a list of stored filesystem paths (or URLs!) to get a Bolt from.
## Doppler
*You gotta find the eye of the Storm to know where the action is*
Doppler is a Python frontend CLI that can be used to interact with Cirrus. Doppler
supports multiple users at once (it can be run multiple times) and uses the Cirrus
websocket to get real time data on Jobs and Bolts.
The layout of how commands work is similar to the PowerShell Empire format (except
exiting the shell doesn't kill the server). Doppler will automatically manage
filepaths for you (for downloads, uploads, shellcode) and can manage multiple Bolts.
Doppler can take command-line arguments, environment variables, or even a config file!
The layout of the config file with the matching env and arguments is below:
```json
{
    "cirrus": "http://localhost:7777", // env:DOPPLER_HOST     args:[-a, --api]
    "cirrus_password": "",             // env:DOPPLER_PW       args:[-p, --password]
    "default_exec": true,              // env:DOPPLER_NO_EMPTY args:[-N, --no-empty]
    "default_asm": "",                 // env:DOPPLER_ASM      args:[-A, --asm]
    "default_dll": "",                 // env:DOPPLER_DLL      args:[-D, --dll]
    "default_pipe": ""                 // env:DOPPLER_PIPE     args:[-P, --pipe]
}
```
Actual JSON config file:
```json
{
    "cirrus": "http://localhost:7777",
    "cirrus_password": "",
    "default_exec": true,
    "default_asm": "",
    "default_dll": "",
    "default_pipe": ""
}
```
## TODOs:
*Updated 02/24/23*
- Write Cirrus API documentation
- WC2 Setup / Config API
- Interactive way to create Profiles
__DISCLAIMER: Please use for legal reasons only. I'm not responsible if you get__
__in trouble for using this improperly or if someone owns your environment and is__
__using ThunderStorm (or a derivative of it).__