Winton

Yet another Command and Control (C2) framework written in Golang

Winton is an open-source cross-platform C2 framework written for the purposes of learning adversary emulation and C2 infrastructure.

🐒 Winton was designed solely for educational purposes, it is still nowhere close to being operationally functional for red team engagements!

Table of Contents

• Winton
  • Table of Contents
  • Features
    • Teamserver
    • Implant
    • Client
  • Installation
    • Teamserver
    • Implant
    • Client
  • Usage
    • Teamserver
    • Client
  • OPSEC Considerations
    • Implant
    • Client
    • Teamserver

Features

Teamserver

Written in Golang 1.21.1 with Gin (stable on Windows 11 x64/AMD64 & Debian 12.x / Kali 2023.3)

• Support for multiple listeners (HTTP implemented)
• Multiplayer-mode
• Cross-platform binary

Implant

Written in Golang 1.21.1 (Windows only*)

• Process migration and process injection
• In-memory .NET assembly execution (creds to: @ropnop)
• Built-ins via os/exec & os/user

Client

Dark themed UI written in Python with Tkinter

• Multi-player
• In-memory .NET assembly execution via execute-assembly
  • creds: SharpAwareness by @CodeXTF2
  • for some reason, if you try to load .NET assemblies that are too large, the CLR will just not load lol.
• Updated list of supported commands available: here
• Athena - A bot integrated with Winton for collaborative red team operations over Discord

Installation

Winton

git clone https://github.com/gatariee/Winton
cd Winton

Teamserver

cd teamserver
make linux # or windows
cd ./bin && chmod +x ./teamserver-x64

Implant

cd ./implant
make windows

Client

cd ./client
python3 -m pip install -r requirements.txt
chmod +x ./winton.py

Usage

Teamserver

./teamserver-x64 <ip> <port> <password>

Client

./winton.py

OPSEC Considerations / Notes

Implant

• The stable implant is written in Go and produces a binary of ~7,747,072 bytes, or ~7.38MB.
• shell pipes the input of the operator to cmd.exe /c {task}, which spawns a new cmd.exe process on the target and returns the output via stdout & stderr.
• Heavy reliance on Golang's os/exec and os/user packages for cross-platform compatibility and built-ins (whoami, pwd, ls), may be OPSEC unsafe.
• inject uses CreateRemoteThread and doesn't check for architecture, may result in the process and/or shellcode crashing- use ps to check for architecture before injection.
  • VirtualAllocEx is called with PAGE_EXECUTE_READWRITE & unbacked memory allocation
  • Thread start address is 0x0

Client

• Unencrypted communication with the teamserver over HTTP
• Authentication with teamserver not implemented yet
• Interacts with the listener rather than the teamserver, the operator should be interacting with the internal teamserver API instead of the listener. (modularity)

Teamserver

• Unencrypted communication with the implant over HTTP
• Teamserver expects agent to be legitimate and doesn't check for authentication (in fact, the password param used to start the teamserver is completely unused 🤡)