Ender and Eshu
Ender and Eshu are common language platforms designed for red-team operators who utilize multiple command and control (C2) frameworks during engagements. These platforms enable operators to perform exploitation and post-exploitation tasks in a framework-agnostic manner, simplifying multi-C2 management and improving operational efficiency.
The project addresses the growing complexity of managing multiple C2 frameworks simultaneously. While different C2s perform varying tasks in varying manners, the end goal remains consistent: execute operations on target machines. Eshu handles post-exploitation operations, while Ender provides a unified exploit engine for active exploitation across multiple frameworks.
Eshu: Post-Exploitation Platform
Eshu is a common language platform for post-exploitation across multiple C2 frameworks. It enables operators to query and manage already established implants regardless of which C2 framework was used to create them, standardizing commands for retrieving host information and executing remote commands.
- 01Framework Agnostic Session Management
Eshu registers C2 instances and maintains session storage that maps which framework each exploit session is engaged with.
- 02Get-Hosts Command
Identifies and retrieves all active exploits or sessions capable of being managed by Eshu across all registered frameworks.
- 03Run-Command Function
Executes commands against active sessions using unique session IDs that specify both the C2 and session count, while remaining agnostic to the operator.
Uses Metasploit's RPC client via Pymetasploit3 library. Supports querying active sessions and executing commands against Meterpreter shells.
Uses SliverPy library which communicates via gRPC protocol. Currently supports Sliver beacons with session support planned for future development.
Ender: Exploit Engine
Ender is a common language exploit engine that provides a unified interface for active exploitation across multiple C2 frameworks. Built with a client-server architecture, Ender enables operators to search for exploits, configure modules, and execute them through a single command-line interface.
Ender uses a lightweight client-server model where:
Ender Client
Provides the operator interface, handling user input and displaying feedback.
Ender Server
Performs all remote procedure calls to each independent C2 framework on the backend.
- [1]Search and list available Metasploit exploit and auxiliary modules
- [2]Configure module parameters programmatically with interactive prompts
- [3]Execute exploits and catch Meterpreter shells through automated listener setup
- [4]Create and manage Sliver beacons, profiles, and HTTP listeners
- [5]Support for multiplayer mode and general command queries across frameworks
Ender's Metasploit implementation allows operators to:
- Search for exploit and auxiliary modules by keyword
- Run modules with interactive parameter configuration
- Automatically set up listeners and upgrade shells to Meterpreter sessions
- Manage active Meterpreter sessions
Ender's Sliver implementation provides:
- Beacon generation with configurable profiles
- HTTP listener setup and management
- Multiplayer mode support for team collaboration
- General command querying capabilities
Project Team
- 01Alexander Aviles
- 02Yousif Alsabah
- 03Alan Ingersoll
- 04Xun-Yang Leong
- 05Prateek Ravindran
Complete research paper detailing methodologies, solutions, and future work for both Ender and Eshu platforms.