
WHAT IS MALIGNO?
================

Maligno is an open source penetration testing tool that serves Metasploit payloads.

It generates shellcode with msfvenom and transmits it over HTTP or HTTPS.
The shellcode is encrypted with AES and encoded prior to transmission.

Maligno also comes with a client tool, which supports HTTP, HTTPS and encryption
capabilities.

The client is able to connect to Maligno in order to download an encrypted
Metasploit payload. Once the shellcode is received, the client will decode it,
decrypt it and inject it in the target machine.

The client-server communications can be configured in a way that allows you to simulate specific
C&C communications or targeted attacks. In other words, the tool can be used as part
of an adversary replication engagement.



MAIN FEATURES
=============

- Adversary replication and malware simulation profiles.
  The communication mechanism can be customized with simple XML profiles.
  This allows you to shape the client requests and the server responses, which can be useful for simulating
  malware behavior or for supporting adversary replication engagements.


- Encrypted communications.
  Maligno is a web server which communicates via HTTP or HTTPS with the clients.
  Communications are encrypted with AES and encoded with Base64, hex or binary, both for HTTP and HTTPS.

  Encryption and encoding parameters can be configured easily through profile options.
  Clients do NOT validate the server certificate by default when using HTTPS mode.


- On the fly shellcode generation - per session mode.
  Maligno will generate shellcode while starting up, and it will cache it
  for later use. Maligno will serve the cached shellcode to all clients that request it
  during the session.

  Maligno will maintain a cache for each configured Metasploit payload.
  The cache is removed when Maligno is shut down.


- Multi-payload support.
  You may configure Maligno with several Metasploit payloads.
  Clients can request different payloads to the server. Payloads are referred by
  an ID, which is passed as a parameter (GET / POST / HEAD). Such parameter can be also configured through profile options.


- Multi-server support.
  Maligno can run on a single server with Metasploit or in separate machines.

  Clients will connect to Maligno, and Maligno will generate shellcode
  that points to a pre-configured Metasploit multi-handler.


- Multi-threading support.
  Maligno server can run either single or multi-threaded.


- SOCKS4a proxy support.
  Maligno helps you starting a Metasploit auxiliary socks4a proxy, which can be used
  with payloads such as reverse_https_proxy.

  This will allow you to send all your traffic through your Maligno server, in case of
  having a multi-server environment.


- Scope definition.
  Maligno allows you to define single IP addresses or ranges. This will ensure that
  your shellcode is served only to machines involved in your engagement.

  You may also use a wildcard in order to accept ANY address.


- Last resort redirection.
  Maligno will redirect hosts out of scope, or hosts sending invalid requests, to a configured URL.


- Client code generator and pseudorandom obfuscator.
  Maligno comes with a script that will generate and obfuscate (pseudorandomly) client code ready for use,
  based on your server configuration.


- Delayed client execution.
  Maligno clients can use a basic random execution delay, which attempts to bypass AV-sandboxes.


- Client proxy detection.
  Maligno clients will autodetect HTTP anonymous, Basic or NTLM-authenticated proxies before contacting Maligno server.


- Payload perpetual mode.
  It is possible to configure Maligno clients to run Windows based payloads in perpetual mode.
  In other words, the client will spawn a new shell every 20 seconds, once the original one is ended or dies.


- Metasploit resource file generator.
  Maligno generates MSF resource files based on your configuration, which can be used with msfconsole right away.


- Standalone client mode.
  Maligno clients can be generated with an embedded payload. This situation will not require communicating
  with Maligno server after execution.


- Failsafe client-server mode.
  When enabled, Maligno clients will report back to the server whether proxies are found in the target network.
  This will make Maligno server override the current payload configuration and serve a more suitable preconfigured payload.


LICENSE
=======

Maligno is licensed under the FreeBSD license.
Read http://www.freebsd.org/copyright/freebsd-license.html for more details.


Copyright 2013-2016 Encripto AS. All rights reserved.

Redistribution and use in source and binary forms, with or without modification,
are permitted provided that the following conditions are met:

    Redistributions of source code must retain the above copyright notice,
    this list of conditions and the following disclaimer.

    Redistributions in binary form must reproduce the above copyright notice,
    this list of conditions and the following disclaimer in the documentation
    and/or other materials provided with the distribution.

THIS SOFTWARE IS PROVIDED BY ENCRIPTO AS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
A PARTICULAR PURPOSE ARE DISCLAIMED.

IN NO EVENT SHALL ENCRIPTO AS, THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

The views and conclusions contained in the software and documentation are those
of the authors and should not be interpreted as representing official policies,
either expressed or implied, of Encripto AS.



DISCLAIMER
==========

Maligno can only be used for legal activities.
Attacking targets without prior mutual consent is illegal.

Use this software at YOUR OWN RISK.
It is the user's responsibility to obey all applicable laws.
The developer or Encripto AS assume no liability, and are not responsible for any misuse or damage caused by this program.

Any of the trademarks, service marks, collective marks, design rights, personality rights or similar rights
that are mentioned, used or cited in this document is property of their respective owners.

Read the LICENSE section in this document for more details.



THIRD-PARTY SOFTWARE
====================

Maligno's client tool is a modified version of PyInjector.
PyInjector has been written by David Kennedy (ReL1K) @ TrustedSec.com.

Copyright 2012 TrustedSec, LLC. All rights reserved



REFERENCES
==========

GhostNet profiles based on:

"Detecting APT Activity with Network Traffic Analysis".
Trend Micro Incorporated, Research Paper 2012.


Putter Panda profile based on:

"CrowdStrike Intelligence Report".
CrowdStrike Global Intelligence Team, 2014.


Havex profile based on:

http://pastebin.com/qCdMwtZ6


Etumbot profile based on:

ASERT Threat Intelligence Brief 2014-07.
"Illuminating the Etumbot APT Backdoor", ASERT Threat Intelligence, June 2014.


CryptoWall 3.0 profile based on:

Blog post from "2015-02-13 - MAGNITUDE EK FROM 46.166.182.101"
http://www.malware-traffic-analysis.net/2015/02/13/index.html


Oldrea profile based on:

Dragonfly - Symantec Security Response
Version 1.0: June 30, 2014, 13:00 GMT


Upatre profile based on:

Dyre: Emerging threat on financial fraud landscape
Symantec Security Response. Version 1.0: June 23, 2015.



CURRENT VERSION
===============

Version 2.5, January 2016.



TESTING
=======

Maligno server has been tested on Kali Linux 1.x with Python 2.7.
The client has been tested on Windows 7 / 8.1 / 10 and Windows Server 2003 / 2008 / 2012.
Binaries were successfully generated with PyInstaller 2.x.

Testing has covered the following Metasploit payloads:
    - windows/meterpreter/reverse_https
    - windows/meterpreter/reverse_https_proxy
    - windows/meterpreter/reverse_http
    - windows/meterpreter/reverse_tcp
    - python/meterpreter/reverse_tcp

Feel free to contribute with further testing!



KNOWN ISSUES
============

- windows/meterpreter/reverse_tcp hangs the client process sometimes (high CPU usage).
- Profiles with "Transfer-Encoding" header set to "chunked" are not handled properly, probably due to bugs in httplib.
  The value is deliberately sent as "chuncked" as a workaround.
- The client HTTP(S) proxy awareness works with static proxies and WPAD when executed on Windows and non-Windows platforms. Supported authentication methods are anonymous, basic and NTLM (NTLM only on Windows).
- WPAD is not a standard implementation. It just detects all possible proxies in the PAC and uses the first one that allows internet access.



BUGS & FEEDBACK
===============

Report bugs or send your feedback to post@encripto.no
