package transport
Get desktop application:
View/edit binary Protocol Buffers messages
message
transport.proto:102bool Success = 1
string Err = 2
message
transport.proto:90Essentially, a transport request is either starting a reverse or a bind handler with different proto/address
uint32 GhostID = 1
optional Transport = 2
HTTP Http = 3; // Either of these fields can be empty, except one. DNS Dns = 4; // They are used to share protocol-specific details QUIC Quic = 5; KCP Kcp = 6; MTLS Mtls = 7; NamedPipe Pipe = 8;
message
transport.proto:72bool Success = 1
string Warning = 2
If force true, send a warning message (other routes passing through)
string Err = 3
If force false, send the warning as an error, and Success false
message
transport.proto:65ChangeTransportRequest - Request an implant to connect with new transport settings At the server, we should check the transport type, and if reverse, check a listener is running, otherwise return error and do not ask implant to change its transport.
uint32 GhostID = 1
uint32 TransportID = 2
bool Force = 5
message
dns.proto:44Used in:
string ID = 1
uint32 Size = 2
message
dns.proto:40repeated Blocks = 1
message
dns.proto:36DNSSessionInit - Sends the key bytes for authentication.
bytes Key = 1
message
transport.proto:117bool Success = 1
string Err = 2
message
transport.proto:108DeleteTransportRequest - Delete one or more transports from the implant transport list
uint32 GhostID = 1
int32 TransportID = 5
If TransportID != 0 delete based on ID
string Protocol = 2
Else, kill all matches
string LHost = 3
string LPort = 4
message
envelope.proto:24All messages are sent in an Envelope, giving Type of Request, Ghost ID, etc...
uint32 Type = 1
Type of Request
uint64 ID = 2
Unique ID of the envelope
int64 Timeout = 3
Command timeout
string Err = 4
Error Status
bytes Content = 9
Core of the message
message
http.proto:51bool Success = 1
string Err = 2
Add needed fields here, like registration
message
http.proto:42HTTPBindRequest - Connect to a ghost implant running remotely
string Domain = 1
string RHost = 2
int32 RPort = 3
bool Secure = 4
Enable HTTPS
bytes Cert = 6
bytes Key = 7
Maybe not needed
message
http.proto:35bool Success = 1
int32 JobID = 2
Job BackgroundJob = 3; // Pass an entire job object.
message
http.proto:24HTTPListenerRequest - Start a HTTP listener for incoming ghost connections
string Domain = 1
string LHost = 2
int32 LPort = 3
bool Secure = 4
Enable HTTPS
string Website = 5
bytes Cert = 6
bytes Key = 7
bool ACME = 8
message
http.proto:58HTTPSessionInit - Sends the key bytes for authentication.
bytes Key = 1
message
transport.proto:84repeated Transports = 1
message
transport.proto:80ListTransportsRequest - List available transports for a ghost implant
uint32 GhostID = 1
message
handler.proto:69Listener - A reverse handler, for any protocol and source
Used in:
Protocol Protocol = 1
string LHost = 2
uint32 LPort = 3
string RHost = 4
uint32 RPort = 5
uint32 GhostID = 6
In case two same addresses for two ghosts
uint32 OwnerID = 7
Permissions Permissions = 8
server.User Owner = 7;
optional CreatedAt = 38
Timestamp
optional UpdatedAt = 39
message
named-pipe.proto:30bool Success = 1
string Err = 2
message
named-pipe.proto:24NamedPipeRequest - Start a name pipe listener
uint32 GhostID = 1
string PipeName = 2
Permissions - Who has the right to kill a listener
Used in:
OWNER = 0
ADMIN = 1
ALL = 2
Protocol - Protocol used for comms
Identify Protocol
Used in: , ,
MTLS = 0
DNS = 1
HTTP = 2
QUIC = 3
KCP = 4
PIPE = 5
Used in:
SINGLE = 0
The connection does not serve any addition payload.
STAGER = 1
The connection will serve some payload.
message
handler.proto:63bool Success = 1
string Err = 2
message
handler.proto:56Bind to a reverse listener runned by an implant
Protocol Protocol = 1
string RHost = 2
uint32 RPort = 3
uint32 GhostID = 4
In case two same addresses for two ghosts
message
dns.proto:29bool Success = 1
int32 JobID = 2
Job BackgroundJob = 3; // Pass an entire job object.
message
dns.proto:24StartDNSListenerRequest - Start a DNS listener for implant C2
repeated string Domains = 1
bool Canaries = 2
message
mtls.proto:25(message has no fields)
message
mtls.proto:23(message has no fields)
message
handler.proto:39bool Success = 1
string Err = 2
message
handler.proto:29Start a listener either on the server, or on an implant
optional Listener = 1
bool Persist = 2
message
mtls.proto:30(message has no fields)
message
mtls.proto:28(message has no fields)
message
handler.proto:49bool Success = 1
string Err = 2
message
handler.proto:45Stop a reverse handler listener on the server or implant
uint32 ID = 1
message
transport.proto:48Transport - A transport is just a structure used by implants to receive/send/use transport configurations.
Used in: , , , ,
int64 ID = 1
string LHost = 2
int32 LPort = 3
string RHost = 4
int32 RPort = 5
Protocol Protocol = 6
int32 WFSDelay = 7
Wait for session delay
Type Type = 8
StagingType StagingType = 9
bool Default = 10
Type - // Do we start a listener on the implant, or do we reach back another address ?
Used in:
REVERSE = 0
DIALER
BIND = 1
LISTENER