Aura Botnet : A Super Portable Botnet Framework With A Django-Based C2 Server

Aura Botnet is a super portable botnet framework with a Django-based C2 server. The client is written in C++, with alternate clients written in Rust, Bash, and Powershell.

The botnet’s C2 server utilizes the Django framework as the backend. It is far from the most efficient web server, but this is offset by the following:

  • Django is extremely portable and therefore good for testing/educational purposes. The server and database are contained within the aura-server folder.
  • Django includes a very intuitive and powerful admin site that can be used for managing bots and commands
  • The server is only handling simple POST requests and returning text
  • Static files should be handled by a separate web server (local or remote) that excels in serving static files, such as nginx

The admin site located at http://your_server:server_port/admin can be accessed after setting up a superuser (see below).

Also Read – Stegify : Go Tool For LSB Steganography,Capable Of Hiding Any File Within An Image

Database

The C2 server is currently configured to use a SQLite3 database, bots.sqlite3. The current configuration can be changed in aura-server/aura/settings.py. You may wish to use MySQL, or even PostgreSQL instead; this easy to do thanks to Django’s portable database API.

Bot Clients

The primary client is written in C++, and can be compiled for either Linux or Windows using CMake. Alternate clients are written in Rust, Bash, and Powershell, but are may lack certain functionality as they are mostly unsupported. I will fix any major bugs that come to my attention, but they will continue to lack certain features for the time being, such as running commands in different shells.

The client will gather relevant system information and send it to the C2 server to register the new bot. Identification is done by initially creating a file containing random data — referred to as the auth file throughout the code — which will then be hashed each time the client runs to identify the client and authenticate with the C2 server. It will then install all the files in the folder specified in the code, and initialize the system service or schedule a task with the same privileges that the client was run with. The default settings have the client and other files masquerading as configuration files.

Other Notes

Because this is for testing purposes, the C2 server needs to be hard-coded into client and web delivery files. It is currently set to localhost on all the files. This is because an actual botnet would use something like a domain generation algorithm (DGA) to sync a stream of changing domains on the client side with a stream of disposable domains being registered — or just really bulletproof hosting like the original Mirai botnet.

The code is also not obfuscated nor is there any effort put toward preventing reverse engineering; this would defeat the purpose of being a botnet for testing and demonstrations.

The killswitch folder contains scripts for easy client removal when testing on your devices.

R K

Recent Posts

How to Install Docker on Ubuntu (Step-by-Step Guide)

Docker is a powerful open-source containerization platform that allows developers to build, test, and deploy…

10 hours ago

Uninstall Docker on Ubuntu

Docker is one of the most widely used containerization platforms. But there may come a…

10 hours ago

Admin Panel Dorks : A Complete List of Google Dorks

Introduction Google Dorking is a technique where advanced search operators are used to uncover information…

1 day ago

Log Analysis Fundamentals

Introduction In cybersecurity and IT operations, logging fundamentals form the backbone of monitoring, forensics, and…

3 days ago

Networking Devices 101: Understanding Routers, Switches, Hubs, and More

What is Networking? Networking brings together devices like computers, servers, routers, and switches so they…

3 days ago

Sock Puppets in OSINT: How to Build and Use Research Accounts

Introduction In the world of Open Source Intelligence (OSINT), anonymity and operational security (OPSEC) are…

3 days ago