package server

Get desktop application:
View/edit binary Protocol Buffers messages

CertificateRPC - Calls and responses for Certificate management.

• rpc AddCertificate (Add, Added)

  certs.proto:30

  AddCertificate - Add a new CertificateKeyPair to the DB.

  message Add

  certs.proto:51

  Add - Add a new CertificateKeyPair to the DB.

  • string CAType = 1

  • string Hostname = 2

  • string KeyType = 3

  • bytes Certificate = 4

  • bytes PrivateKey = 5

  message Added

  certs.proto:60

  Response

  • bool Added = 1

  • optional CertificateKeyPair Cert = 2

• rpc GetCertificate (Get, CertificateKeyPair)

  certs.proto:28

  GetCertificate - Ask DB for certificate.

  message Get

  certs.proto:36

  Get a certificate matching fields of this one

  • optional CertificateKeyPair Cert = 1

• rpc RemoveCertificate (Remove, Removed)

  certs.proto:32

  RemoveCertificate - Erase a certificate from DB.

  message Remove

  certs.proto:66

  Remove certificate

  • optional CertificateKeyPair Cert = 1

  message Removed

  certs.proto:71

  Response

  • bool Removed = 1

  • optional CertificateKeyPair Cert = 2

Compiler - Manages all compilation (console & implants) in Wiregost.

• rpc CompileConsole (BuildConsoleRequest, BuildConsole)

  ghost_build.proto:32

  CompileConsole - Request to compile a user console.

  message BuildConsoleRequest

  ghost_build.proto:86

  BuildConsoleRequest - Get Configs of previously built ghosts

  (message has no fields)

  message BuildConsole

  ghost_build.proto:89

  BuildConsole - Configs of previously built ghosts

  (message has no fields)

• rpc CompileGhost (BuildGhostRequest, BuildGhost)

  ghost_build.proto:30

  CompileGhost - Request to compile a ghost implant.

  message BuildGhostRequest

  ghost_build.proto:73

  BuildGhostRequest - Get Configs of previously built ghosts

  • optional GhostBuild Profile = 1

  message BuildGhost

  ghost_build.proto:78

  BuildGhost - Configs of previously built ghosts

  (message has no fields)

• rpc GetGhostProfiles (GhostProfilesRequest, GhostProfiles)

  ghost_build.proto:28

  GetGhostProfiles - Returns all saved ghost implants build profiles.

  message GhostProfilesRequest

  ghost_build.proto:65

  GhostProfilesRequest - Get Configs of previously built ghosts

  (message has no fields)

  message GhostProfiles

  ghost_build.proto:68

  GhostProfiles - Configs of previously built ghosts

  • optional GhostBuild Profiles = 1

Events - The Event system in Wiregost is built around a gRPC server, to which potential event subscribers can connect and register some events. The subscriber is always the client here.

• rpc EventPush (Event, client.Empty)

  event.proto:63

  EventPush - A client pushes a new event to the server.

• rpc Events (client.Client, stream Event)

  event.proto:60

  Events - Receive events from the server.

• rpc EventsSubscribe (SubscribeRequest, Subscribe)

  event.proto:55

  EventsSubscribe - The client subscribes to some types of events.

  message SubscribeRequest

  event.proto:80

  SubscribeRequest - A client subscribes to some types of events

  (message has no fields)

  message Subscribe

  event.proto:84

  (message has no fields)

• rpc EventsUnsubscribe (UnsubscribeRequest, Unsubscribe)

  event.proto:57

  EventsUnsubscribe - The client unsubscribes from some types of events.

  message UnsubscribeRequest

  event.proto:89

  UnsubscribeRequest - A client unsubscribes from some types of events

  (message has no fields)

  message Unsubscribe

  event.proto:93

  (message has no fields)

JobRPC - All RPC calls to control jobs.

(no methods)

CertificateKeyPair - Used to store TLS certificates in DB and some calls

Used as response type in: CertificateRPC.GetCertificate

Used as field type in: Added, Get, Remove, Removed

• uint32 ID = 1

• string CAType = 6

• string Hostname = 2

• string KeyType = 3

• bytes Certificate = 4

• bytes PrivateKey = 5

• CORE_CHAN = 0

  This channel implements RPC stubs

• SHELL_CHAN = 1

  This channel only provides byte streams

ConsoleBuild - A console compilation profile.

• bool Obfuscated = 1

• bool SendBack = 2

  Do we send the executable back to the console compiling it ?

Event - Any asynchronous event to be pushed to one or more consoles

Used as request type in: Events.EventPush

Used as response type in: Events.Events

• EventType Type = 1

• Level Level = 2

• optional client.Client Client = 4

  Job Job = 2; Ghost Ghost = 3;

• string Message = 7

• string Module = 8

• string Err = 9

EventType - Events can range from user connect/disconnect, job cancellation, to session registering.

Used in: Event

• JOB = 0

• LISTENER = 1

• MODULE = 2

• STACK = 3

• SESSION = 4

• USER = 5

• CANARY = 6

• ROUTE = 7

GhostConfig - Stores all configuration elements needed to compile an implant.

Used in: BuildGhostRequest, GhostProfiles

• uint32 ID = 1

• string Name = 2

• string Hostname = 3

  If set, restrict to some host

• string Username = 4

  If set, restrict to some user on target

• string OS = 7

• string Arch = 8

• string Filename = 10

  Where to output binary

• uint32 WorkspaceID = 13

• bool Obfuscated = 15

• repeated transport.Transport Transports = 14

• EXECUTABLE = 0

• SHARED_LIB = 1

• SHELLCODE = 2

• OWNER = 0

• ADMIN = 1

• ALL = 2

Job - A background job running in Wiregost

• uint32 ID = 1

• string Name = 2

• string Description = 3

• string Err = 4

• optional db.User Owner = 5

Who has control over this job

• OWNER = 0

• ADMIN = 1

• ALL = 2

Level - Some components in Wiregost will push to the event system through logger hooks, for more granular output of log information, especially for modules.

Used in: Event

• TRACE = 0

• DEBUG = 1

• INFO = 2

• WARNING = 3

• ERROR = 4

• SUCCESS = 5

Session - Similarly to Metasploit, a Session object is a general means of interacting with various post-exploitation payloads through a common interface that is not necessarily tied to a network connection. For instance, if an exploit spawns a command shell over the network, the read/write operations end up reading and writing to that shell. These raw functions will be progressively reimplemented by embedders when they need more elaborated logic.

• string ID = 1

  Each session has a Universally Unique UID

• string Name = 2

  Return Name or UUID

• SessionType Type = 3

• bool Interactive = 4

• string TunnelLocal = 5

  The local side of the tunnel

• string TunnelPeer = 6

  The peer (remote) side of the tunnel

• int32 RHost = 7

  The IP address of this session

• int32 RPort = 8

  Port number

• string Description = 9

  Further description of the session type

• string LogFile = 10

  A primary log file used for basic session types.

• Status Status = 11

• optional db.User Owner = 12

  User who owns this session (derived from exploit/transport)

• ghost.Permissions Permissions = 13

  Ownership permissions on the session

• string HostID = 14

  Other fields that may be used by embedders

  The associated host for this session

• uint32 WorkspaceID = 15

• string ExploitID = 16

• string PayloadID = 17

• bool SkipRegistration = 18

• repeated transport.route.Route Routes = 22

  Routes are included in a base Session, even if list is empty.

  Route permissions

• optional ghost.core.Environment Environment = 23

  Environment variables for this session.

SessionType - The type of session (default: "unknown")

Used in: Session

• UNKNOWN = 0

  default value

• SHELL = 1

  The session is able to run basic commands on a remote shell.

Status - The current status of the session (very important later)

Used in: Session

• ALIVE = 0

  Full interaction

• DOWN = 1

  Non-networked interaction

• LOST = 2

  Unrecoverable