From 58ebd3bc0f00c532e97e9a5571471ffab87934ba Mon Sep 17 00:00:00 2001 From: AL-LCL Date: Fri, 19 May 2023 10:39:49 +0200 Subject: GOD-VIEW --- README.md | 646 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 646 insertions(+) create mode 100644 README.md (limited to 'README.md') diff --git a/README.md b/README.md new file mode 100644 index 0000000..263e1ea --- /dev/null +++ b/README.md @@ -0,0 +1,646 @@ +# GOD-VIEW +Free, open-source remote access tool for Windows, Mac & Linux. + +## Description +GOD-VIEW (3/3) hosts an TCP & HTTP server, supporting C&C with extensive features & flexibility. It has a CLI along with a desktop / web GUI. Supporting Windows, Mac & Linux, responsive design & an organized CLI. All commands can be run on 100+ clients without impacting the response time. + + + +## Installation +* git clone https://git.alvinhavel.com/GOD-VIEW && cd GOD-VIEW +* pip install -r build/requirements.txt +* **Windows** + * pip install pipwin && pipwin install PyAudio && pipwin install VideoCapture + * start python host.py && start python bot.py +* **Mac / Linux** + * Download PyAudio from https://www.lfd.uci.edu/~gohlke/pythonlibs/#pyaudio + * pip3 install \[.wheel filename\] + * **Terminal 1:** python3 host.py + * **Terminal 2:** python3 bot.py + +## Usage +* **Terminal** + * Use the **help** command to list all available commands + * **Constructing a command** + * **Part 1:** the command name + * **Part 2:** the command arguments (boolean / string) + * **String**: --flag \[input\] + * **Boolean**: --flag + * **Commands may look like this** + * list + * session --id abcd + * session --id abcd --remove + * screenshot --monitor 1 --show +* **GUI** + * **Default login credentials** + * **Username:** god + * **Password:** view + * **Click the button above "No Active Windows To Manage" to view all available commands** + * Commands with a link icon beside them requires an active session + * Commands with a list icon beside them has arguments (flags) + * If the command does not take any parameters, it might simply run the command + without creating a window + * **Click on a command button** + * Fill out the command arguments if necessary before executing the command + * **To enter a session with a client simply click on the client row & right-click** + * **Shift + click & control + click is also supported to select multiple rows** +* **Outside of LAN** + * Edit the **client/state.py** file with the appropriate server address + * Static.IP = \[Your server's IP\] + * Static.PORT = \[Your server's port\] + +## Executable +* *Requires pyinstaller in path* + * build --file host.py --icon build/gv.ico --window + * build --file bot.py --icon build/gv.ico + +The difference between the builds is that the client script is windowless, becoming a background process operation without the interference of the user. + +## Features +* TCP Network Stream (IPV4 & IPV6) +* OS Support (Windows, Mac & Linux) +* UI Options (Terminal, Desktop & Web) +* Secure & Fast Network Transfer + * AES128 Encryption + * Deflate Compression + * JSON Serialization + * Cross-Language Encoding +* ~8MB Client Executable +* Stable Reverse Shell +* Independent Streaming Sockets + * Audio Stream (Mic) + * Desktop Stream (Any Monitor) + * Webcam Stream (Any Device) + * Keylogger Stream + * Clipper Stream +* Autotask ANY Command / Commands +* Credentials Recovery +* Persistence +* Privilege Escalation +* Upload / Download (& Execute) +* Keystroke / Mouse Injection +* Python Interpreter +* Process Management +* System Actions + +### Network Architecture + + +> The architecture has the Terminal window as the main server, the GUI as an interface for the Terminal & then the connecting clients. + +## Documentation +**Introduction** + +* What is GOD-VIEW? + * What Does GOD-VIEW Achieve? + * Who can use GOD-VIEW? + * What Makes GOD-VIEW Different? + * How was GOD-VIEW Built? +* What are GOD-VIEW's Features? + * Operating Systems + * IP Versions + * Usage + * Data Transport + * Protocol + * Encryption + * Compression + * Encoding + * Serialization + * Surveillance + * Action + * Execution + * Management + * Connection + * Utility + * Live + * Multiplex + * Terminal + +**The Different Ways of Running GOD-VIEW** + +**Program / File Structure** + +**GOD-VIEW Outside of the Local Network** + +**What GOD-VIEW Doesn’t Implement** + +Introduction +------------ + +### What is GOD-VIEW? +GOD-VIEW is a networking application, with the name referring to a view +from up above, the all seeing eye. GOD-VIEW is the third iteration of +developing a Remote Access Tool, driven by the motivation of +understanding the web, it’s foundation, but more specifically the +communication between computers in networks & processes. This might seem +simple, but it has a multitude of layers below when it comes to +development of a truly great program. Gathering from my previous +attempts which started with the NexRAT project & continued by NeoRAT, +both of which are available on Github as open source projects with major +flaws. But these projects provide the foundation of how communication +between networks & processes can look. + +In practice GOD-VIEW hosts a TCP socket that the client connects to & a +HTTP server that communicates with the server through a websocket +allowing real time communication. + +### What Does GOD-VIEW Achieve? +The GOD-VIEW program supports a large amount of powerful features, that +I will discuss later on. But on a foundational level, GOD-VIEW allows +for secure, fast & non-limiting communication between it’s server & +clients. It accepts connections using the TCP transport protocol & works +with streams of data. It keeps these connections alive by sending beacon +messages in intervals & provides persistent attempts to connect / +reconnect if it fails to establish a connection or in the case that the +connection is ever closed with the server. + +This might seem non-descriptive or difficult to understand what it +means, but it will all make sense as I will in detail walk through +everything the application archives & how the program works. + +### Who can use GOD-VIEW? +The program makes availability one of its core foundational beliefs. +GOD-VIEW supports the Windows, Linux & Mac operating systems. + +Both the server & client program supports these operating systems. The +server also supports a Desktop GUI application that requires Google +Chrome installed. This GUI application can also be used in a browser, +this does not require Google Chrome installed. This desktop / web GUI +supports all major browsers except for Internet Explorer with device +support from 320x320+ (iPhone 5+) & supports mobile specific +interactions when right clicks for example is not possible. + +The program also supports both the IPV4 & IPV6 protocols & can be run +from any directory on the filesystem (all paths are accepted, relative +or absolute). + +Overall GOD-VIEW is very flexible & supports all the major operating +systems & different ways to interact with an application, be it through +the terminal, desktop or web. + +GOD-VIEW also supports running the program with an interpreter or as an +executable. + +### What Makes GOD-VIEW Different? +The things that make GOD-VIEW different can be both seen as positive & +negative. The major difference is the availability as mentioned. It also +provides a neat & well thought out design, with soothing color schemes & +responsive action-reaction design thinking. It provides for +beginner-to-advanced usage, but always, even when used in the terminal +with describing colors & never leaves with the “what is happening” +interaction. + +The desktop / web is built using sustainable methods & complete custom +design. + +The availability is not the only thing that is different, GOD-VIEW +provides an extremely powerful zero-limitations of actions when it comes +to performing a command to 1 or 100 clients at the same time, however +taxing / complex the command is, with no extra delay between responses +from every client. GOD-VIEW also never writes / stores anything on the +client’s filesystem. + +### How was GOD-VIEW Built? +GOD-VIEW was built using the Python (blessing & a curse) programming +language, following the object oriented paradigm, for the client / +server & supports *Python 3.7+*. + +The program also utilizes third party libraries, which are required, +with specific intentions to avoid bloating the program. These can be +installed using *pip* / direct download link to a .whl file. The program +uses multiple formats to store data, using sqlite3 for the local +database, text files, csv files & the PNG format for images. + +To build the executable file requires *pyinstaller* to be in the path +variable. + +The desktop / web GUI was built using ReactJS with +TypeScript**\[front-end\]**, redux for global state management & styled +components for the custom design. It communicates with the server using +websockets **\[back-end\]**. + +As mentioned previously, the desktop GUI requires *Google Chrome* +installed & if it’s not available will default to web GUI. + +What are GOD-VIEW's Features? +----------------------------- + +### Operating Systems +* Windows +* Linux +* Mac + +### IP Versions +* IPV4 +* IPV6 + +### Usage +* Terminal (Command Line) +* Desktop Application +* Web Application + * All Major Browsers + * Responsive Design (320x320+) + * Mobile friendly + * Login Protection + +### Data Transport +#### Protocol +* Transmission Control Protocol (TCP) + * Transport Level Protocol +#### Encryption + +* AES128 Encryption +* \[Not SSL\] + * Self-Signed Certificates Require OpenSSL + * Requires Certification Expiration Date + * Requires DNS Hostname + +#### Compression +* Deflate Compression +* PNG Image Compression +* \[Not JPEG\] + * Can be Less Effective + * *Implementations difficulties* + * *Supports Lossy Compression* + +#### Encoding +* UTF-8 + * Windows Code Page Support +* Base64 + +#### Serialization +* JSON +* \[Not Pickle\] + * A lot Easier Usage + * Allows Remote Code Execution + +### Surveillance +GOD-VIEW supports multiple ways of gathering large amounts of +information, with 30 data points upon initial connection, this is among +other things the country, operating system, antivirus & privileges of +the connected client. + +There is also more specific information that can be gathered about the +clients which are about the GPU, CPU, Memory, Disk, Network & IO. +**\[Sysinfo\]** + +GOD-VIEW provides the ability to upload files from the server or an URL +& the option to execute this file upon upload. It’s also possible to +download files or directories to the server & execute the file upon +successful download. **\[Upload / Download\]** + +The recover commands allow you to get the WIFI passwords stored on the +client's computer, the browser history & bookmarks of most browsers. +**\[Recover\]** + +You can capture a screenshot of one or all monitors & have the options +to display the image on the server. You also have the option to take a +snapshot from the webcam, working the same as taking a screenshot, but +without the option of taking a single snapshot of all connected webcams. +**\[Screenshot / Snapshot\]** + +### Action +The action namespace holds commands with the intent to perform specific +system actions. You can shutdown, restart, logout, hibernate & standby +the clients computer. **\[System\]** + +You can alert the client’s computer with a messagebox, of which you can +set the title, the text & specify the symbol of the messagebox. The +symbol can represent a question, information, danger or warning. +**\[Alert\]** + +The process command allows you to list all running tasks & the clients +open network connections, providing information about them. You then +have the option to kill anyone of these processes. **\[Process\]** + +The clipboard command allows you to copy data to the clipboard, empty +the clipboard & get the data of the clipboard. **\[Clipboard\]** + +The browse command allows you to enter one or more URLs to be opened in +the default browser of the client system. **\[Browse\]** + +### Execution +When it comes to the execution namespace, it holds some of the most +interesting & vital commands. It allows inline injection of keyboard / +mouse actions or running a script from a file. The language of this +injection is GOD-VIEW’s own. It’s very simple & not very strict. + +The language consists of key, value pairs, separated by a space. + +**press \[Key / Button\]** + +**hold \[Key / Button\]** + +**release \[Key / Button\]** + +**type \[Text\]** + +**position \[X,Y\]** + +**move \[X,Y\]** + +**scroll \[X,Y\]** + +**mhold \[Mouse Button\]** + +**mrelease \[Mouse Button\]** + +**click \[Mouse Button\]** + +**dclick \[Mouse Button\]** + +*Unique flow control commands* + +* **sleep \[Seconds\]** +* **repeat \[Times\]** + * Repeats all subsequent actions for Z times, this is recursive & + * allows nested repeat statements. + +* **\[position / move / scroll\] random \[min X, max X,min Y,max Y\]** + * Can be used by any command taking an X & Y parameter, & + * requires instead of X & Y four values, for the minimum & + maximum random value for the X, respectively the Y. + +The injection command can be used to perform automated keyboard / mouse +activity, supporting recursive loops & random coordinates, making it +quite a powerful tool. **\[Inject\]** + +Next there is the python command, allowing the inline execution of +Python code. Everything that would be written to the terminal on the +client’s computer will instead be read on the server, making it +seamlessly natural. This command also supports, like injection, +execution from a file. **\[Python\]** + +Finally, arguably the most important command in GOD-VIEW, is the shell +command, allowing the remote execution of terminal commands. A reverse +shell, supporting all commands. Commands that do not return any data +will time out, after Z amount of time, therefore interactive programs +like Python or Node would simply timeout. **\[Shell\]** + +### Management +The management namespace is about simplifying tasks & specifying how the +program shall operate. This is done with the blacklist command by +allowing the rejection of specific connecting IP addresses. The alias +command allows the translation of a word written using the server's +terminal to a corresponding value. Then there is the very powerful +autotask command, giving great freedom & automation, for the simple +reason that any command that interacts with clients is supported. It +will perform the request upon connection of the client & write the +results to a text file. Finally, also one of the most important & +influential commands is the environment command. It holds a number of +variables that have a great impact on how the program will run, for +example alerting an email upon client connection. **\[Blacklist / Alias +/ Autotask / Environment\]** + +### Connection +The connection namespace focuses on the handling of anything that +specifically handles the connection or the file on the client’s +filesystem. Starting off by targeting persistence of the client program, +by having the program run even after the computer shuts off or the user +logs out. This is done with the autostart directory, to schedule a task, +or by adding an autostart registry key, these features are Windows +specific & won’t work on any other operating system & would require +other implementations. **\[Autostart\]** + +The session & delete commands allow specifying which clients to either +interact with or to remove. **\[Session / Delete\]** + +Additional quite straight forward commands are disconnect, reconnect & +uninstall. Disconnect might seem like the delete command just mentioned, +but has the specific difference in that it makes the client exit itself, +which won’t have the client reconnecting until it’s rerun, which delete +does not always guarantee. Uninstall removes all registry keys made for +persistence along with any autostart files & finally removes itself. +**\[Disconnect / Reconnect / Uninstall\]** + +Lastly we have an important command, only supported in Windows, again, +which is escalate. It will try to perform an user authentication bypass +(UAC) bypass, rerunning the program with administrative privileges +without ever having to ask the user. **\[Escalate\]** + +### Utility +The utility namespace is very straight forward, with a couple of +commands that support the general flow of the program. The build command +allows you to build GOD-VIEW into an executable program, being able to +build any file, specify the icon & if it should have a window or be a +background process. **\[Build\]** + +Next is the note command, this simply writes the data to a text file, +with an attached timestamp. **\[Note\]** + +The who command is especially neat for the terminal, as it will list +every single data point of a specific connected client. **\[Who\]** + +The gui command will simply reopen the desktop application, to be used +in case you close the window. **\[Gui\]** + +### Live +Live is one of the most challenging namespaces, these are the most +powerful commands GOD-VIEW has to offer, providing live streams of data, +each with their own socket connection. This holds a difficult challenge +of having different types of client connections to the server if the +server is to be only hosted on a single socket, or if multiple sockets +should be opened on the server for each one of these live streams of +data. You also have the problem of not wanting the client to be able to +dictate when a certain stream of data should be opened, as the client +has to connect to the server first. The solution was a token-like +system, generating a universally unique id on the server side, allowing +the connection with this token to be accepted if sent by the client +within X amount of time, of which the token is valid, this requires the +server to always initiate the request of a specific connection type from +the client & is a great solution for the reason of only requiring a +single server socket. + +The audio command enables the microphone, allowing a live audio stream +of the microphone to the server & be directly streamed to the default +output device. Making the client a hot-mic. + +The next command is desktop, it provides an extremely powerful & +relatively smooth stream, the FPS is not going to be the highest, the +performance will be based on the screen size & the power of the +computer. It’s optimized for performance, but because it uses PNG +compression, it does not support lowering the resolution, which can make +the stream performance very image-size dependent. The stream is +optimized by splitting up the work of taking the screenshot & sending +it, making it more resource intensive, but with performance +improvements, but is still throttled by the TCP-protocol bottleneck. +**\[Desktop\]** + +The modules command provides an overview of all running live streams, +with the ability to close any stream. **\[Modules\]** + +The webcam command works very similar to desktop & usually has very good +performance, this is because the webcam size is usually a lot smaller, +making the frame rate much higher. This is only supported on Windows +though, because it’s not utilizing opencv, to avoid bloating the program +on the client side, instead a library called VideoCapture is used, which +uses the Windows DirectShow API. **\[Webcam\]** + +Finally we have the logger commands, keylogger & clipper. These commands +record keystrokes & the clipboard data to be written to files on the +server, providing client side timestamps & fair representation of +performed actions. **\[Keylogger / Clipper\]** + +### Multiplex +The multiplex namespace has only two commands, all & close. These will +simply add every connected client to the session or remove every single +client from the session. **\[All / Close\]** + +### Terminal +This namespace refers to commands that are primarily used in the +terminal of the server, as it’s features are utilized by default in the +desktop / web GUI. Alternatively are they specifically to be used only +by the terminal. The clear command simply clears out the terminal, the +help command lists all available commands, listing their names, +arguments & all the data necessary about the command to be used. Then we +have the list command, which lists data about all the connected clients +& finally the exit command which simply closes the program. **\[Clear / +Help / List / Exit\]** + +The Different Ways of Running GOD-VIEW +--------------------------------------- + +The GOD-VIEW program accepts a few command line arguments. These are to +specify the type of way you want to run the program, but cannot be given +the freedom to be changed like environment variables during runtime. +These are the -TERMINAL argument, which only runs the terminal of the +server, without the desktop / web GUI. Then there is the -WEB argument, +which will run the program with the terminal, but also hosts the web +GUI, this will limit some functionality, but can be used in the case +that the primary usage will be with a browser. The disabled features are +to show screenshots / snapshots taken, nor can the desktop, audio or +webcam command be used. By default GOD-VIEW runs as both a terminal & +desktop / web GUI. + +You can specify the address with -IP, TCP port with -PORT & the HTTP +port by specifying -GUI\_PORT. You may also specify the -SECRET & -SALT +of the symmetric encryption key to be used by the server. + +The desktop / web GUI does not support exactly every command, you cannot +exit from the GUI, it’s only available to the terminal, you can also not +clear the terminal window of the server on the desktop / web GUI. + +There are slight limitations when running the client as a non-executable +file. You cannot do anything that requires the executable file to exist. +This includes autostart, reconnect, uninstall & escalate. + +Program / File Structure +------------------------ + +**host.py** +* Starts the server threads, this includes hosting the TCP server, the + * messaging thread & the desktop / web HTTP server. + +**bot.py** +* Starting the main thread, connecting to the remote server, which is + * started by running the host.py file. + +**archive** +* Contains all program data, server logs, database file & client + * specific files. The files are automatically generated & the file + * structure organized as such, this file can be deleted at any time, + * without ever disturbing anything during runtime. + +**build** +* Files that are related to running & installing the program & acts as + * a miscellaneous directory. + +**gui** +* The necessary desktop / web GUI production build files, required to + * be in the root directory of which the program is run. + +**exe** +* Stores the executable build files generated using the build command. + +**client** +* Stores client specific behaviour & implementations. To support all + * the client functionality & to fulfill requests. + +**server** +* The server specific files, but also the GUI application. This is a + * large majority of the program, as this handles everything, not + * just following directions like the client. + +**shared** +* Files that both the client & server can share, to reuse the same + * implementations, this has a lot to do with sending & receiving the + * data & shared state. + +GOD-VIEW Outside of the Local Network +------------------------------------- + +To be able for remote connections to be made to the server & to host the +server for the internet is quite simple. With three alternatives, either +use a port tunneling service like ngrok, which practically does the port +forwarding for you. The second choice is to do the port forwarding of +your router yourself. The third option would be to remotely host the +program & enable the -WEB command line argument. + +**Ngrok** +* Download ngrok at [*https://ngrok.com*](https://ngrok.com) +* Make sure ngrok is in the path variable or in your current directory +* **ngrok tcp -region=eu 5658** + * Running this makes the TCP server available to the internet. +* **ngrok http -region=us 8565** + * Running this makes the HTTP web GUI available to the internet. + +After this, you would simply change the *Static.IP* & *Static.PORT* in +the *GOD-VIEW/client/state.py* file to the IP & port ngrok redirects +traffic from, for example *tcp.eu.ngrok.io* & *1832*. Note that if +you’re using ngrok to access the web application, it does not support +HTTPS, so you have to use the HTTP version. This is sadly the library +limitation of which is used for the GUI. + +What GOD-VIEW Doesn’t Implement +------------------------------- + +There are things not implemented, this is because it might not fit the +flow of the program, it requires third-party libraries not worth using +for the features it would bring. The Python language has difficulty +implementing certain features neatly, or it’s difficult to implement +cross-platform solutions for. + +Real-Time Messaging Protocol (RTMP) server, supporting real time +streaming. There are great servers for RTMP, one of them being +Node-Media-Server +([*https://github.com/illuspas/Node-Media-Server*](https://github.com/illuspas/Node-Media-Server)), +but uses NodeJS which makes it difficult to implement interactions with +the server. But it also requires large streaming libraries, most +commonly used being FFMPEG, which is a big hassle. But the GOD-VIEW GUI +still allows you to read RTMP streams supporting flv.js +([*https://github.com/Bilibili/flv.js*](https://github.com/Bilibili/flv.js)) +using the sidebar. + +Another feature not implemented is a true remote desktop, most likely +not terribly difficult to implement using the pywin32 library, but +because it might clutter the flow of the program & also focuses a lot on +specifically Windows only functionality, it’s not been tested or +implemented. + +Toast notifications, with my will of not using the pywin32 library being +strong as it would simply put so much focus & possibility to Windows +only functionality. GOD-VIEW worked around these problems with +notifications by implementing server terminal connection notifications, +the possibility for email notifications & GUI notifications with audio +sound & a visual alert. + +GOD-VIEW avoided a lot of the malicious intent features, such as more +extensive password grabbers / cookie stealers, specific features +targeting DDOS attacks & reverse proxies. Simply because of the lack of +need for any of these features, interest in them. It does not include +anything to do with encryption of files, as it’s simply not the intent +of the program. + +Avoiding more \~basic features, such as the active window for the +keylogger / clipper & fun functions, changing wallpaper, playing sounds, +CD-popout along with other things, are not implemented as I cannot be +bothered, a lot of these require operating system specific +implementations or Windows only implementations & the pywin32 library. +Still wanting to hold most functionality cross-platform. + +Lastly, what's not implemented is any virtual machine (VM) detection & +obfuscation. This is also not the intent of the program, but also, +especially VM detection from what I've seen are implementations +supporting Windows only. The program does not try to obfuscate anything, +it’s written in Python, not C, C++, C\# or Delphi. It can be done, but +has very little purpose to be supported by GOD-VIEW. -- cgit v1.2.3