Eun0us/espilon-source
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

ε - Add Discord webhook notification on push

Browse Source
This commit is contained in:
Eun0us 2026-02-28 14:40:38 +01:00
parent 8b6c1cd53d
commit d1b89f6fd5
5 changed files with 1085 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

53
.github/workflows/discord-notify.yml vendored Normal file
View File

@ -0,0 +1,53 @@
name: Discord Push Notification
on:
push:
branches: ['**']
jobs:
notify:
runs-on: ubuntu-latest
steps:
- name: Send Discord notification
env:
DISCORD_WEBHOOK: ${{ secrets.DISCORD_WEBHOOK_URL }}
COMMIT_MSG: ${{ github.event.head_commit.message }}
run: |
BRANCH="${GITHUB_REF#refs/heads/}"
REPO="${{ github.repository }}"
AUTHOR="${{ github.event.head_commit.author.username }}"
COMMIT_SHA="${{ github.sha }}"
SHORT_SHA="${COMMIT_SHA:0:7}"
COMMIT_URL="${{ github.event.head_commit.url }}"
COMPARE_URL="${{ github.event.compare }}"
COMMIT_COUNT="${{ github.event.size }}"
TIMESTAMP="$(date -u +%Y-%m-%dT%H:%M:%S.000Z)"
# Truncate commit message for embed
FIRST_LINE=$(echo "$COMMIT_MSG" | head -n1 | cut -c1-256)
curl -s -o /dev/null -w "%{http_code}" -H "Content-Type: application/json" \
-X POST "$DISCORD_WEBHOOK" \
-d @- <<EOF
{
"embeds": [{
"title": "Push on \`${BRANCH}\`",
"url": "${COMPARE_URL}",
"color": 16312092,
"author": {
"name": "${AUTHOR}",
"url": "https://github.com/${AUTHOR}",
"icon_url": "https://github.com/${AUTHOR}.png"
},
"description": "[\`${SHORT_SHA}\`](${COMMIT_URL}) ${FIRST_LINE}",
"fields": [
{ "name": "Repository", "value": "[${REPO}](https://github.com/${REPO})", "inline": true },
{ "name": "Branch", "value": "\`${BRANCH}\`", "inline": true }
],
"timestamp": "${TIMESTAMP}",
"footer": {
"text": "GitHub Push"
}
}]
}
EOF

15
.gitignore vendored
View File

@ -38,11 +38,22 @@ tools/flasher/__pycache__/
tools/flasher/devices.json
tools/flasher/devices.*.json
tools/C3PO/config.json
tools/deploy.json
**/config.local.json
# C3PO runtime / secrets
tools/C3PO/keys.json
tools/C3PO/*.db
tools/C3PO/data/
# Honeypot runtime databases (can appear anywhere)
honeypot_events.db
honeypot_events.db-shm
honeypot_events.db-wal
honeypot_alerts.db
honeypot_geo.db
*.db-shm
*.db-wal
# Logs
*.log
@ -106,6 +117,10 @@ htmlcov/
*.backup
*_backup
# Internal planning
plan.md
*.plan.md
# Hardware-specific configs (optional)
# Uncomment if you don't want to track these
# espilon_bot/partitions.csv

796
MODULE_IDEAS.md Normal file
View File

@ -0,0 +1,796 @@
# Espilon Module Ideas
Future module ideas for the Espilon agent framework, organized by category. Each entry includes hardware requirements, estimated cost, complexity (1-5), and key C2 commands.
> **Legend**: Complexity 1 = simple wrapper, 5 = full protocol stack. Cost = additional hardware beyond ESP32.
---
## Table of Contents
- [Radio & Wireless](#radio--wireless)
- [USB & HID](#usb--hid)
- [Hardware Hacking](#hardware-hacking)
- [Network & Protocols](#network--protocols)
- [Industrial & SCADA](#industrial--scada)
- [Exfiltration & Covert Channels](#exfiltration--covert-channels)
- [Sensors & Environment](#sensors--environment)
- [Crypto & WiFi Attacks](#crypto--wifi-attacks)
- [Automotive](#automotive)
- [Physical Security](#physical-security)
---
## Radio & Wireless
### mod_ble — Bluetooth Low Energy
**Hardware**: ESP32 built-in | **Cost**: 0 EUR | **Complexity**: 3/5
BLE scanning, GATT enumeration, beacon spoofing, and device tracking.
**Commands**:
- `ble_scan [duration]` — Discover BLE devices (name, RSSI, services)
- `ble_enum <addr>` — Enumerate GATT services and characteristics
- `ble_read <addr> <handle>` — Read characteristic value
- `ble_write <addr> <handle> <hex>` — Write to characteristic
- `ble_beacon <uuid> [major] [minor]` — Spoof iBeacon/Eddystone
- `ble_track <addr> [duration]` — Track device RSSI over time
- `ble_flood [count]` — Broadcast random BLE advertisements
**Use cases**: IoT device recon, BLE lock testing, asset tracking, Bluetooth phishing.
---
### mod_zigbee — IEEE 802.15.4 / Zigbee
**Hardware**: CC2530/CC2531 module via UART | **Cost**: ~4 EUR | **Complexity**: 4/5
Sniff, inject, and replay Zigbee/802.15.4 frames. Targets smart home (Philips Hue, SmartThings, Ikea).
**Commands**:
- `zigbee_scan [channel]` — Discover Zigbee networks and devices
- `zigbee_sniff <channel> [duration]` — Capture 802.15.4 frames
- `zigbee_inject <channel> <hex_frame>` — Inject raw frame
- `zigbee_replay` — Replay captured frames
- `zigbee_key_sniff [duration]` — Capture transport key exchange
- `zigbee_jam <channel>` — Channel jamming
**Use cases**: Smart home testing, IoT protocol analysis, Zigbee network penetration.
---
### mod_nfc — RFID / NFC
**Hardware**: RC522 (MIFARE) or PN532 (full NFC) via SPI | **Cost**: ~3 EUR | **Complexity**: 3/5
Read, write, clone, and emulate RFID/NFC tags. Supports MIFARE Classic, NTAG, and ISO 14443.
**Commands**:
- `nfc_scan` — Detect tags in range (UID, type, ATQA, SAK)
- `nfc_read <sector> [key]` — Read MIFARE sector
- `nfc_write <sector> <hex> [key]` — Write to sector
- `nfc_clone` — Read tag → store → emulate (UID-level clone)
- `nfc_crack <sector>` — MIFARE Classic key recovery (nested/hardnested)
- `nfc_dump` — Dump full tag contents
- `nfc_emulate <uid>` — Emulate tag UID
**Use cases**: Access card cloning, NFC payment research, badge system testing.
---
### mod_subghz — Sub-GHz Radio (433/868/915 MHz)
**Hardware**: CC1101 module via SPI | **Cost**: ~3 EUR | **Complexity**: 4/5
Sniff, decode, record, and replay sub-GHz radio signals. Targets garage doors, remotes, weather stations, sensors.
**Commands**:
- `subghz_rx <freq_mhz> [modulation]` — Listen on frequency (ASK/FSK/GFSK)
- `subghz_tx <freq_mhz> <hex_data> [repeat]` — Transmit raw data
- `subghz_scan <start_mhz> <end_mhz>` — Frequency scanner (find active freqs)
- `subghz_record <freq_mhz> [duration]` — Record raw signal
- `subghz_replay [speed]` — Replay recorded signal
- `subghz_decode <protocol>` — Decode known protocols (Oregon, LaCrosse, etc.)
- `subghz_bruteforce <freq_mhz> <bits> [delay]` — Brute-force fixed codes
**Use cases**: Garage door testing, remote control analysis, sensor spoofing, ISM band recon.
---
### mod_lora — LoRa Long-Range Mesh
**Hardware**: SX1276/SX1278 module via SPI | **Cost**: ~5 EUR | **Complexity**: 3/5
LoRa-based backup C2 channel and mesh network for long-range, low-bandwidth communication.
**Commands**:
- `lora_start <freq_mhz> [sf] [bw]` — Init LoRa radio (spreading factor, bandwidth)
- `lora_send <hex_data>` — Send raw LoRa packet
- `lora_listen [duration]` — Receive packets
- `lora_mesh_start` — Enable mesh relay mode (multi-hop)
- `lora_c2_enable` — Use LoRa as backup C2 channel
- `lora_range_test` — Ping-pong range measurement
**Use cases**: Backup C2 (1-10 km range), field mesh network, exfiltration when WiFi unavailable.
---
### mod_ir — Infrared TX/RX
**Hardware**: IR LED + IR receiver (VS1838B) | **Cost**: ~1 EUR | **Complexity**: 2/5
Capture, decode, and replay infrared remote signals. Universal remote functionality.
**Commands**:
- `ir_learn [timeout]` — Record IR signal from any remote
- `ir_send <protocol> <code>` — Send known protocol (NEC, Sony, RC5, Samsung)
- `ir_replay` — Replay last captured signal
- `ir_scan` — Brute-force common power codes (TV-B-Gone style)
- `ir_raw_send <timing_data>` — Send raw pulse/space timing
**Use cases**: TV/AC control, IR protocol analysis, physical access (some locks use IR).
---
### mod_espnow_swarm — Coordinated ESP-NOW Swarm
**Hardware**: Additional ESP32 agents | **Cost**: 0 EUR per agent | **Complexity**: 4/5
Coordinate multiple Espilon agents via ESP-NOW for distributed operations. Mesh-aware task distribution.
**Commands**:
- `swarm_discover` — Find nearby Espilon agents
- `swarm_broadcast <command>` — Send command to all agents
- `swarm_assign <agent_id> <command>` — Targeted task assignment
- `swarm_sync` — Synchronize clocks for coordinated actions
- `swarm_scan_distributed <target>` — Parallel network scanning from multiple positions
- `swarm_relay <agent_id>` — Use agent as relay for out-of-range C2
**Use cases**: Distributed WiFi scanning, coordinated deauth, coverage extension, multi-angle recon.
---
### mod_tpms — Tire Pressure Monitoring
**Hardware**: CC1101 (315 or 433 MHz) | **Cost**: ~3 EUR | **Complexity**: 3/5
Sniff and spoof TPMS sensors at 315/433 MHz. Vehicle identification via unique sensor IDs.
**Commands**:
- `tpms_listen [duration]` — Capture TPMS broadcasts
- `tpms_decode` — Show decoded sensor data (pressure, temp, ID)
- `tpms_track <sensor_id>` — Track specific vehicle presence
- `tpms_spoof <sensor_id> <pressure> <temp>` — Inject fake reading
**Use cases**: Vehicle tracking via TPMS IDs, TPMS protocol research.
---
## USB & HID
### mod_badusb — USB HID Injection
**Hardware**: ESP32-S2 or ESP32-S3 (native USB) | **Cost**: 0 EUR | **Complexity**: 3/5
Keystroke injection attack via USB HID. Triggered remotely from C2.
**Commands**:
- `badusb_run <payload_name>` — Execute named payload
- `badusb_type <text>` — Type arbitrary text
- `badusb_key <combo>` — Send key combo (e.g., `WIN+R`, `CTRL+ALT+DEL`)
- `badusb_delay <ms>` — Wait between keystrokes
- `badusb_upload <script>` — Upload Ducky Script payload
- `badusb_list` — List stored payloads
- `badusb_os_detect` — Detect target OS via timing analysis
**Use cases**: Physical access exploitation, credential harvesting, reverse shell deployment.
---
### mod_rubber_ducky — Ducky Script Interpreter
**Hardware**: ESP32-S2/S3 | **Cost**: 0 EUR | **Complexity**: 2/5
Full Ducky Script interpreter for scripted USB HID payloads. Companion to mod_badusb.
**Commands**:
- `ducky_load <script>` — Load script from NVS or C2
- `ducky_exec` — Execute loaded script
- `ducky_store <name> <script>` — Save payload to NVS
- `ducky_list` — List stored scripts
---
### mod_usb_mitm — USB Man-in-the-Middle
**Hardware**: ESP32-S3 (dual USB ports) | **Cost**: 0 EUR | **Complexity**: 5/5
Transparent USB proxy: sniff, modify, or inject traffic between host and device.
**Commands**:
- `usb_mitm_start` — Start USB proxy
- `usb_mitm_sniff [class]` — Log traffic (HID, mass storage, etc.)
- `usb_mitm_inject <hex>` — Inject USB packets
- `usb_mitm_filter <rule>` — Modify packets in transit
**Use cases**: USB protocol analysis, keyboard sniffing, mass storage interception.
---
## Hardware Hacking
### mod_jtag — JTAG/SWD Debug Interface
**Hardware**: GPIO wires (no extra module) | **Cost**: 0 EUR | **Complexity**: 4/5
Bit-bang JTAG/SWD for firmware extraction, debug access, and boundary scan on target devices.
**Commands**:
- `jtag_scan` — Detect JTAG chain (IDCODE scan)
- `jtag_read <addr> <size>` — Read memory via debug port
- `jtag_write <addr> <hex>` — Write memory
- `jtag_dump <addr> <size>` — Dump firmware to C2
- `swd_scan` — Detect SWD target
- `swd_read <addr> <size>` — Read via SWD
- `swd_halt` / `swd_resume` — Halt/resume target CPU
**Use cases**: Firmware extraction from IoT devices, bypassing read-out protection, live debugging.
---
### mod_uart_bridge — UART Sniff/Inject
**Hardware**: GPIO wires (no extra module) | **Cost**: 0 EUR | **Complexity**: 2/5
UART bridge: sniff serial console traffic or inject commands. Auto-detect baud rate.
**Commands**:
- `uart_scan [gpio]` — Auto-detect baud rate on GPIO pin
- `uart_listen <baud> <rx_gpio> [duration]` — Sniff UART traffic
- `uart_send <baud> <tx_gpio> <data>` — Send data
- `uart_bridge <baud> <rx> <tx>` — Bidirectional bridge (relay to C2)
**Use cases**: Router console access, IoT device debug ports, embedded system exploitation.
---
### mod_i2c_scan — I2C Bus Discovery
**Hardware**: GPIO wires | **Cost**: 0 EUR | **Complexity**: 2/5
Scan, read, and write I2C devices. EEPROM dumping and sensor spoofing.
**Commands**:
- `i2c_scan [sda] [scl]` — Discover devices on bus
- `i2c_read <addr> <reg> <len>` — Read registers
- `i2c_write <addr> <reg> <hex>` — Write registers
- `i2c_dump_eeprom <addr> <size>` — Dump EEPROM contents
**Use cases**: EEPROM credential extraction, sensor data manipulation, I2C device enumeration.
---
### mod_spi_flash — SPI Flash Dumper
**Hardware**: SOIC-8 clip + GPIO wires | **Cost**: ~5 EUR | **Complexity**: 3/5
Read/write SPI NOR flash chips (25xx series). In-circuit or off-board.
**Commands**:
- `spi_flash_detect` — Read JEDEC ID, detect chip
- `spi_flash_read <addr> <size>` — Read flash to C2
- `spi_flash_write <addr> <hex>` — Write data
- `spi_flash_erase <addr> <size>` — Erase sectors
- `spi_flash_dump` — Full chip dump
**Use cases**: Firmware extraction, credential recovery, flash image modification.
---
### mod_glitch — Voltage/Clock Glitching
**Hardware**: MOSFET + GPIO (voltage glitch) or clock inject circuit | **Cost**: ~5 EUR | **Complexity**: 5/5
Fault injection: precise voltage or clock glitches to bypass secure boot, skip instructions, or corrupt crypto.
**Commands**:
- `glitch_config <width_ns> <offset_ns> <repeat>` — Set glitch parameters
- `glitch_arm <trigger_gpio>` — Arm, fire on trigger edge
- `glitch_fire` — Manual trigger
- `glitch_sweep <start_ns> <end_ns> <step>` — Automated parameter sweep
**Use cases**: Secure boot bypass, read-out protection defeat, crypto fault injection.
---
## Network & Protocols
### mod_dns — DNS Spoofing & Tunneling
**Hardware**: None (WiFi) | **Cost**: 0 EUR | **Complexity**: 3/5
DNS server for spoofing + DNS tunnel for covert data exfiltration through firewalls.
**Commands**:
- `dns_spoof_start <domain> <ip>` — Spoof specific domain resolution
- `dns_spoof_all <ip>` — Redirect all DNS queries to IP
- `dns_spoof_stop` — Stop spoofing
- `dns_tunnel_start <domain>` — Start DNS tunnel (data over TXT/CNAME)
- `dns_tunnel_send <hex>` — Exfiltrate data via DNS
**Use cases**: Pharming, captive portal bypass, firewall evasion, covert exfiltration.
---
### mod_dhcp — DHCP Attacks
**Hardware**: None (WiFi) | **Cost**: 0 EUR | **Complexity**: 3/5
DHCP starvation and rogue DHCP server for MitM via gateway redirection.
**Commands**:
- `dhcp_starve [count]` — Exhaust DHCP pool with fake MACs
- `dhcp_rogue_start <gateway_ip> <dns_ip>` — Start rogue DHCP server
- `dhcp_rogue_stop` — Stop rogue server
- `dhcp_discover` — Passive DHCP monitoring
**Use cases**: MitM setup, network disruption, rogue gateway for traffic interception.
---
### mod_mdns — mDNS/Bonjour Discovery
**Hardware**: None (WiFi) | **Cost**: 0 EUR | **Complexity**: 2/5
Discover and spoof local services via mDNS (Bonjour, Avahi).
**Commands**:
- `mdns_scan [duration]` — Discover all mDNS services
- `mdns_query <service>` — Query specific service type (_http._tcp, _ssh._tcp, etc.)
- `mdns_spoof <hostname> <ip>` — Spoof mDNS response
- `mdns_register <service> <port>` — Advertise fake service
**Use cases**: Local service enumeration, service spoofing, printer/AirPlay impersonation.
---
### mod_mqtt — MQTT Broker/Client
**Hardware**: None (WiFi) | **Cost**: 0 EUR | **Complexity**: 3/5
MQTT client for IoT device interaction + rogue broker for message interception.
**Commands**:
- `mqtt_connect <broker> [user] [pass]` — Connect to broker
- `mqtt_sub <topic>` — Subscribe and stream messages to C2
- `mqtt_pub <topic> <payload>` — Publish message
- `mqtt_enum` — Enumerate all topics (wildcard subscribe)
- `mqtt_broker_start [port]` — Start rogue MQTT broker
- `mqtt_intercept <topic>` — MitM specific topic
**Use cases**: IoT device control, smart home exploitation, message injection, credential sniffing.
---
### mod_coap — CoAP Discovery & Exploitation
**Hardware**: None (WiFi) | **Cost**: 0 EUR | **Complexity**: 3/5
CoAP client for constrained IoT device interaction (UDP-based REST).
**Commands**:
- `coap_discover <ip>` — Discover CoAP resources (.well-known/core)
- `coap_get <uri>` — GET resource
- `coap_put <uri> <payload>` — PUT resource
- `coap_observe <uri>` — Subscribe to resource changes
**Use cases**: IoT device enumeration, sensor data extraction, actuator control.
---
### mod_upnp — UPnP/SSDP Discovery
**Hardware**: None (WiFi) | **Cost**: 0 EUR | **Complexity**: 2/5
Discover and interact with UPnP devices on the network. Map router port forwards.
**Commands**:
- `upnp_scan` — Discover UPnP devices (SSDP M-SEARCH)
- `upnp_describe <url>` — Get device description XML
- `upnp_port_map <ext_port> <int_ip> <int_port>` — Add port mapping on router
- `upnp_port_list` — List existing port mappings
- `upnp_port_del <ext_port>` — Remove port mapping
**Use cases**: Router exploitation, port mapping for persistence, device enumeration.
---
### mod_socks — SOCKS5 Proxy
**Hardware**: None (WiFi) | **Cost**: 0 EUR | **Complexity**: 3/5
Full SOCKS5 proxy running on the agent for network pivoting.
**Commands**:
- `socks_start [port] [auth]` — Start SOCKS5 server
- `socks_stop` — Stop proxy
- `socks_status` — Active connections, bandwidth stats
- `socks_whitelist <ip>` — Allow only specific clients
**Use cases**: Network pivoting, traffic routing through agent, accessing internal networks.
---
### mod_wifi_rogue — Advanced Evil Twin
**Hardware**: None (WiFi) | **Cost**: 0 EUR | **Complexity**: 5/5
WPA2-Enterprise Evil Twin with EAP credential interception (EAP-TTLS, PEAP, MSCHAPv2).
**Commands**:
- `rogue_start <ssid> [eap_type]` — Start evil twin with RADIUS
- `rogue_stop` — Stop
- `rogue_creds` — List captured credentials
- `rogue_deauth <bssid> <station>` — Force client reconnection to rogue AP
**Use cases**: Enterprise WiFi credential harvesting, WPA2-Enterprise testing.
---
## Industrial & SCADA
### mod_modbus — Modbus TCP/RTU
**Hardware**: None (TCP) or MAX485 (~2 EUR for RTU) | **Cost**: 0-2 EUR | **Complexity**: 3/5
Modbus protocol for SCADA/ICS reconnaissance and interaction.
**Commands**:
- `modbus_scan <ip_range>` — Discover Modbus TCP devices
- `modbus_read <ip> <unit> <addr> <count> [type]` — Read holding/input registers
- `modbus_write <ip> <unit> <addr> <value>` — Write register
- `modbus_coils <ip> <unit> <addr> <count>` — Read/write coils
- `modbus_enum <ip>` — Enumerate function codes and unit IDs
- `modbus_rtu_scan <baud>` — Scan RTU bus (RS-485)
**Use cases**: SCADA assessment, PLC interaction, industrial network mapping.
---
### mod_bacnet — Building Automation
**Hardware**: None (WiFi/Ethernet) | **Cost**: 0 EUR | **Complexity**: 4/5
BACnet protocol for building automation system interaction (HVAC, lighting, access).
**Commands**:
- `bacnet_discover` — Who-Is broadcast, discover BACnet devices
- `bacnet_read <device> <object> <property>` — Read property
- `bacnet_write <device> <object> <property> <value>` — Write property
- `bacnet_enum <device>` — Enumerate objects on device
**Use cases**: Building automation testing, HVAC control, access system research.
---
### mod_ethernet — Wired Ethernet (W5500)
**Hardware**: W5500 or ENC28J60 SPI module | **Cost**: ~4 EUR | **Complexity**: 3/5
Wired Ethernet connectivity — bypass WiFi isolation, direct LAN access.
**Commands**:
- `eth_start [dhcp|static <ip>]` — Init Ethernet interface
- `eth_status` — Link state, IP config
- `eth_scan` — ARP scan on wired LAN
- `eth_bridge` — Bridge WiFi ↔ Ethernet traffic
**Use cases**: Drop box on wired network, bypass wireless ACLs, physical pentesting.
---
## Exfiltration & Covert Channels
### mod_dns_tunnel — C2 over DNS
**Hardware**: None (WiFi) | **Cost**: 0 EUR | **Complexity**: 4/5
Full C2 communication over DNS queries/responses. Bypasses most firewalls.
**Commands**:
- `dns_c2_start <domain> <resolver>` — Start DNS C2 channel
- `dns_c2_stop` — Revert to TCP
- `dns_c2_status` — Throughput, latency stats
**Use cases**: Firewall bypass, restricted network C2, exfiltration through corporate DNS.
---
### mod_icmp_tunnel — C2 over ICMP
**Hardware**: None (WiFi) | **Cost**: 0 EUR | **Complexity**: 3/5
Backup C2 channel using ICMP echo request/reply payloads.
**Commands**:
- `icmp_c2_start <server_ip>` — Start ICMP tunnel
- `icmp_c2_stop` — Revert to TCP
- `icmp_exfil <hex_data>` — One-shot data exfiltration
**Use cases**: C2 when TCP is blocked, ping-based covert channel.
---
### mod_audio_exfil — Audio Capture
**Hardware**: INMP441 I2S MEMS microphone | **Cost**: ~3 EUR | **Complexity**: 4/5
Audio recording and optional ultrasonic covert channel for air-gapped data transfer.
**Commands**:
- `audio_record [duration] [quality]` — Record audio, stream to C2
- `audio_level` — Ambient noise level (trigger-based recording)
- `audio_vad_start` — Voice Activity Detection — record only when speaking
- `audio_ultrasonic_tx <hex>` — Transmit data via ultrasound (18-22 kHz)
**Use cases**: Environmental awareness, meeting capture, air-gap bridging.
---
### mod_sdcard — SD Card Storage
**Hardware**: MicroSD module via SPI | **Cost**: ~2 EUR | **Complexity**: 2/5
Local offline storage for dead-drop operations, large data dumps, and logging.
**Commands**:
- `sd_init` — Mount SD card
- `sd_write <filename> <data>` — Write file
- `sd_read <filename>` — Read and stream to C2
- `sd_list` — List files
- `sd_log_start` — Log all C2 traffic to SD
- `sd_space` — Free/total space
**Use cases**: Offline data collection, dead-drop exfiltration, large firmware dumps.
---
## Sensors & Environment
### mod_gps — GPS/GNSS Tracking
**Hardware**: NEO-6M/NEO-7M via UART | **Cost**: ~5 EUR | **Complexity**: 2/5
GPS positioning, geofencing, and location-stamped events.
**Commands**:
- `gps_start` — Begin GPS acquisition
- `gps_position` — Current lat/lon/alt/speed
- `gps_track [interval]` — Stream position to C2
- `gps_geofence <lat> <lon> <radius_m> <action>` — Trigger action on enter/exit
- `gps_log_start` — Log positions to NVS
**Use cases**: Asset tracking, geofenced triggers, location-aware operations.
---
### mod_environment — Environmental Sensors
**Hardware**: DHT22/BME280/PIR/LDR | **Cost**: ~3 EUR | **Complexity**: 1/5
Read temperature, humidity, pressure, motion, and light sensors.
**Commands**:
- `env_read` — Read all connected sensors
- `env_monitor [interval]` — Stream readings to C2
- `env_motion_alert` — Alert C2 on PIR trigger
- `env_trigger <sensor> <threshold> <action>` — Conditional triggers
**Use cases**: Physical security awareness, environmental monitoring, trigger-based activation.
---
### mod_power — Power Management
**Hardware**: TP4056 + LiPo battery | **Cost**: ~5 EUR | **Complexity**: 3/5
Battery management, intelligent deep sleep, and solar charging support.
**Commands**:
- `power_status` — Battery voltage, charging state, estimated runtime
- `power_sleep <seconds>` — Enter deep sleep with wake timer
- `power_sleep_until <gpio_trigger>` — Sleep until GPIO event
- `power_profile <mode>` — Power profiles (aggressive, balanced, stealth)
- `power_schedule <cron> <command>` — Scheduled wake + command execution
**Use cases**: Long-duration deployment, battery-powered field operations, solar-powered persistent presence.
---
### mod_display — OLED/TFT Display
**Hardware**: SSD1306 OLED (0.96") or ST7735 TFT via SPI/I2C | **Cost**: ~3 EUR | **Complexity**: 2/5
Local status display for field operations (no C2 needed to see agent state).
**Commands**:
- `display_text <text>` — Show text on screen
- `display_status` — Show device info, connection state, active module
- `display_qr <data>` — Generate QR code on display
- `display_off` — Turn off (stealth)
**Use cases**: Field status monitoring, debug output, one-way info display.
---
## Crypto & WiFi Attacks
### mod_deauth — 802.11 Deauthentication
**Hardware**: None (WiFi) | **Cost**: 0 EUR | **Complexity**: 2/5
Targeted 802.11 deauth for forcing client reconnection (handshake capture setup).
**Commands**:
- `deauth <bssid> <station> [count]` — Targeted deauth
- `deauth_all <bssid> [count]` — Broadcast deauth
- `deauth_continuous <bssid> [interval]` — Persistent deauth
**Use cases**: WPA handshake capture setup, client denial, forced AP migration.
---
### mod_wpa_crack — WPA Handshake Capture
**Hardware**: None (WiFi) | **Cost**: 0 EUR | **Complexity**: 4/5
Capture 4-way handshake and attempt dictionary attack with embedded wordlist.
**Commands**:
- `wpa_capture <bssid> [channel] [timeout]` — Wait for handshake (or deauth to force)
- `wpa_crack <bssid> [wordlist]` — Dictionary attack on captured handshake
- `wpa_export <bssid>` — Export handshake as pcap/hccapx to C2
**Use cases**: WiFi security assessment, credential recovery.
---
### mod_pmkid — PMKID Attack
**Hardware**: None (WiFi) | **Cost**: 0 EUR | **Complexity**: 4/5
Capture PMKID from AP without any connected client. Faster than handshake capture.
**Commands**:
- `pmkid_scan [duration]` — Scan APs and capture PMKIDs
- `pmkid_target <bssid>` — Target specific AP
- `pmkid_export` — Export PMKIDs for offline cracking
**Use cases**: WiFi testing without connected clients, faster WPA cracking.
---
### mod_rfcrack — Rolling Code Analysis
**Hardware**: CC1101 via SPI | **Cost**: ~3 EUR | **Complexity**: 5/5
Analyze and attack rolling code systems (garages, car key fobs, gates).
**Commands**:
- `rfcrack_listen <freq>` — Capture rolling code transmissions
- `rfcrack_analyze` — Identify protocol (KeeLoq, etc.)
- `rfcrack_rolljam <freq>` — RollJam attack (jam + capture + replay)
- `rfcrack_desync <freq>` — De-synchronization attack
**Use cases**: Physical security research, rolling code protocol analysis.
---
## Automotive
### mod_lin_bus — LIN Bus
**Hardware**: MCP2004A LIN transceiver | **Cost**: ~3 EUR | **Complexity**: 3/5
LIN bus (Local Interconnect Network) — sub-bus used for windows, seats, mirrors, lights.
**Commands**:
- `lin_start [baud]` — Init LIN transceiver (default 19200)
- `lin_sniff [duration]` — Capture LIN frames
- `lin_send <id> <data_hex>` — Send LIN frame
- `lin_master_start` — Become LIN master (send schedule table)
- `lin_enum` — Enumerate slave nodes
**Use cases**: Automotive body control testing, seat/window/mirror manipulation.
---
### mod_obd_tracker — OBD-II GPS Tracker
**Hardware**: MCP2515 + NEO-6M GPS | **Cost**: ~8 EUR | **Complexity**: 3/5
Autonomous vehicle tracker: logs GPS position + OBD-II data, reports to C2 when connectivity available.
**Commands**:
- `tracker_start [interval]` — Begin tracking (OBD + GPS)
- `tracker_stop` — Stop and upload buffered data
- `tracker_status` — Current position + vehicle stats
- `tracker_geofence <lat> <lon> <radius>` — Alert on geofence breach
- `tracker_trips` — Summarize recorded trips
**Use cases**: Vehicle tracking, fleet monitoring, trip analysis.
---
### mod_flexray — FlexRay Bus
**Hardware**: FlexRay transceiver (TJA1080) | **Cost**: ~15 EUR | **Complexity**: 5/5
FlexRay monitoring for premium vehicles (BMW, Mercedes, Audi). Deterministic, time-triggered protocol.
**Commands**:
- `flexray_listen <channel>` — Monitor FlexRay channel (A or B)
- `flexray_decode` — Decode known frame IDs
- `flexray_status` — Bus state, cycle time, slot info
**Use cases**: Premium vehicle bus analysis, FlexRay protocol research.
---
## Physical Security
### mod_keylogger — PS/2 Keyboard Logger
**Hardware**: PS/2 connector + GPIO wires | **Cost**: ~2 EUR | **Complexity**: 2/5
Hardware keylogger for PS/2 keyboards. Inline transparent interception.
**Commands**:
- `keylog_start` — Begin capturing keystrokes
- `keylog_stop` — Stop and send buffer to C2
- `keylog_dump` — Send current buffer
- `keylog_live` — Stream keystrokes in real-time to C2
**Use cases**: Physical access keystroke capture.
---
### mod_relay — Relay Control
**Hardware**: Relay module (1/2/4 channel) | **Cost**: ~2 EUR | **Complexity**: 1/5
GPIO relay control for physical actuators (doors, power, devices).
**Commands**:
- `relay_on <channel>` — Activate relay
- `relay_off <channel>` — Deactivate relay
- `relay_pulse <channel> <duration_ms>` — Momentary activation
- `relay_schedule <channel> <cron>` — Scheduled activation
**Use cases**: Physical access control, remote power switching, automated triggers.
---
## Priority Matrix
Modules ranked by impact/effort ratio for implementation priority:
| Priority | Module | Why |
|----------|--------|-----|
| **High** | mod_ble | Built-in hardware, zero cost, huge IoT attack surface |
| **High** | mod_deauth | Simple, essential for WiFi assessment workflows |
| **High** | mod_badusb | ESP32-S2/S3 native USB, high impact physical access |
| **High** | mod_uart_bridge | Zero cost, essential for hardware hacking |
| **High** | mod_dns | WiFi only, enables MitM and exfiltration |
| **Medium** | mod_nfc | Cheap hardware, wide applicability (access cards) |
| **Medium** | mod_subghz | CC1101 is cheap, covers huge attack surface |
| **Medium** | mod_mqtt | IoT everywhere, zero additional hardware |
| **Medium** | mod_socks | Pivoting capability, WiFi only |
| **Medium** | mod_gps | Cheap module, enables location-aware operations |
| **Medium** | mod_modbus | SCADA is a growing target, dual TCP/RTU |
| **Medium** | mod_sdcard | Simple, enables offline operations |
| **Low** | mod_lora | Good range but low throughput |
| **Low** | mod_glitch | High complexity, niche use case |
| **Low** | mod_flexray | Expensive hardware, niche vehicles |
| **Low** | mod_usb_mitm | Requires ESP32-S3 dual USB, very complex |

147
QUICKSTART.md Normal file
View File

@ -0,0 +1,147 @@
# Espilon — Quick Start Guide
Get a working C2 server in **under 5 minutes**.
> For full documentation see [README.md](README.md) and [tools/C3PO/README.md](tools/C3PO/README.md).
---
## Option A: Without Docker (recommended for development)
### 1. Clone and install
```bash
git clone https://github.com/Espilon-Net/epsilon-source.git
cd epsilon-source/tools/C3PO
python3 -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt
```
### 2. Configure
```bash
cp .env.example .env
# Edit .env to change default passwords (optional for local testing)
```
### 3. Start the C2 server
```bash
python c3po.py
```
The TUI (terminal interface) starts automatically. You'll see a multi-pane interface with device list and logs.
### 4. Deploy to ESP32
```bash
cd tools
python deploy.py -p /dev/ttyUSB0 -d my-device-01 \
--wifi "YourSSID" "YourPassword" \
--srv 192.168.1.100
```
This will:
- Generate a unique crypto key
- Build the firmware
- Flash the ESP32
- Register the key in C3PO's keystore
The device connects automatically and appears in the TUI.
### 5. Send commands
In the C3PO TUI command bar (bottom), type:
```
send <device_id> system_info
send <device_id> ping 8.8.8.8
send <device_id> arp_scan
send <device_id> system_mem
```
Replace `<device_id>` with the ID shown in the TUI.
---
## Option B: With Docker
### 1. Start C3PO
```bash
cd tools/C3PO
cp .env.example .env
docker compose up -d
```
### 2. Open the web dashboard
Open http://localhost:8000 in your browser. Login: `admin` / `admin` (change in `.env`).
### 3. Deploy to ESP32
```bash
cd tools
python deploy.py -p /dev/ttyUSB0 -d my-device-01 \
--wifi "YourSSID" "YourPassword" \
--srv <your-machine-ip>
```
---
## Prerequisites for ESP32 hardware
- ESP-IDF v5.3.2 installed ([install guide](https://docs.espressif.com/projects/esp-idf/en/v5.3.2/esp32/get-started/))
- ESP32 connected via USB
- Python 3.8+
---
## Web dashboard
Start the web server from the TUI:
```
web start
```
Then open http://localhost:8000. Pages available:
| Page | URL | Description |
|------|-----|-------------|
| Dashboard | `/dashboard` | Device list and status |
| Cameras | `/cameras` | Live camera feeds |
| MLAT | `/mlat` | Multilateration map |
| OTA | `/ota` | Firmware build & deploy |
---
## Common commands reference
```
help Show all commands
list List connected devices
send <id> system_info Device info (chip, modules, memory)
send <id> system_mem Memory usage
send <id> ping <host> ICMP ping
send <id> arp_scan Scan local network
send <id> fakeap_start <ssid> Start a fake AP (if module enabled)
send all system_info Broadcast to all devices
group add scanners <id1> <id2> Create device group
send group scanners arp_scan Send to group
web start Start web dashboard
camera start Start camera UDP receiver
```
---
## Troubleshooting
| Problem | Solution |
|---------|----------|
| `ModuleNotFoundError: textual` | `pip install -r requirements.txt` |
| Device connects but commands fail | Check `keys.json` — the device key must match |
| Web dashboard not loading | Run `web start` in TUI first, then open http://localhost:8000 |
| `Decrypt/auth failed` | Key mismatch — re-provision the device with `deploy.py` |

96
README.md
View File

@ -9,6 +9,8 @@
[![Platform](https://img.shields.io/badge/Platform-ESP32-red.svg)](https://www.espressif.com/en/products/socs/esp32)
> **IMPORTANT**: Espilon is intended for security research, authorized penetration testing, and education. Unauthorized use is illegal. Always obtain written permission before any deployment.
>
> **New here?** Check the [Quick Start Guide](QUICKSTART.md) — get a working C2 with a simulated device in under 5 minutes, no ESP32 required.
---
@ -27,6 +29,10 @@
- [Network Module](#network-module)
- [FakeAP Module](#fakeap-module)
- [Recon Module](#recon-module)
- [Red Team Module](#red-team-module)
- [Honeypot Module](#honeypot-module)
- [CAN Bus Module](#can-bus-module-mcp2515)
- [OTA Module](#ota-module)
- [Tools](#tools)
- [Multi-Device Flasher](#multi-device-flasher)
- [C2 Server (C3PO)](#c2-server-c3po)
@ -143,7 +149,8 @@ Espilon transforms affordable ESP32 microcontrollers (~$5) into powerful network
| | | | |
| +-----------------------------------------------------+|
| | Module System (FreeRTOS) ||
| | [Network] [FakeAP] [Recon] [Custom...] ||
| | [Network] [FakeAP] [Recon] [RedTeam] [Honeypot] ||
| | [CAN Bus] [OTA] [Custom...] ||
| +-----------------------------------------------------+|
+---------------------------------------------------------+
| Encrypted TCP
@ -166,7 +173,7 @@ Espilon transforms affordable ESP32 microcontrollers (~$5) into powerful network
## Available Modules
> **Important note**: Modules are **mutually exclusive**. You must choose **only one module** during configuration via menuconfig.
> Modules are enabled independently via `idf.py menuconfig` → Espilon Bot Configuration → Modules. Multiple modules can be active simultaneously (subject to flash/RAM constraints).
### System Module (Built-in, always active)
@ -175,10 +182,11 @@ Basic system commands:
- `system_reboot`: Reboot the ESP32
- `system_mem`: Display memory usage (heap free, heap min, internal free)
- `system_uptime`: Uptime since boot
- `system_info`: Chip info, SDK version, active modules
### Network Module
Module for network reconnaissance and testing:
Network reconnaissance and testing:
- `ping <host> [args...]`: ICMP connectivity test
- `arp_scan`: Discover hosts on local network via ARP
@ -188,20 +196,18 @@ Module for network reconnaissance and testing:
### FakeAP Module
Module for creating simulated WiFi access points:
Simulated WiFi access points with captive portal and traffic sniffing:
- `fakeap_start <ssid> [open|wpa2] [password]`: Start a fake access point
- `fakeap_stop`: Stop the fake AP
- `fakeap_status`: Display status (AP, portal, sniffer, clients)
- `fakeap_clients`: List connected clients
- `fakeap_portal_start`: Enable captive portal
- `fakeap_portal_stop`: Disable captive portal
- `fakeap_sniffer_on`: Enable network traffic capture
- `fakeap_sniffer_off`: Disable capture
- `fakeap_portal_start` / `fakeap_portal_stop`: Captive portal
- `fakeap_sniffer_on` / `fakeap_sniffer_off`: Traffic capture
### Recon Module
Reconnaissance and data collection module. Two modes available:
Reconnaissance and data collection. Two modes:
#### Camera Mode (ESP32-CAM)
@ -213,16 +219,57 @@ Reconnaissance and data collection module. Two modes available:
- `trilat start <mac> <url> <bearer>`: Start BLE trilateration with HTTP POST
- `trilat stop`: Stop trilateration
### Red Team Module
Autonomous WiFi hunting, credential attacks, and ESP-NOW mesh relay:
- `hunt_start [profile]`: Launch autonomous WiFi scan + attack cycle
- `hunt_stop`: Stop hunting
- `hunt_status`: Current targets, progress, captured credentials
- Stealth features: MAC randomization, passive scanning, timing jitter
- ESP-NOW mesh: multi-hop relay for out-of-range C2
### Honeypot Module
Fake network services that log attacker interactions:
- Emulated services: SSH, Telnet, HTTP, FTP (configurable ports)
- WiFi monitor: detect rogue APs and deauth attacks
- Network anomaly detection: ARP spoofing, port scanning alerts
- All events streamed to C2 with attacker fingerprints
### CAN Bus Module (MCP2515)
Automotive CAN bus: sniff, inject, UDS diagnostics, OBD-II, and fuzzing via external MCP2515 SPI controller.
- `can_start [bitrate] [mode]`: Init bus (normal/listen/loopback)
- `can_sniff [duration]` / `can_record` / `can_replay`: Capture and replay
- `can_send <id> <data>`: Frame injection
- UDS: `can_scan_ecu`, `can_uds_read`, `can_uds_dump`, `can_uds_auth`
- OBD-II: `can_obd <pid>`, `can_obd_vin`, `can_obd_dtc`, `can_obd_monitor`
- Fuzzing: `can_fuzz_id`, `can_fuzz_data`, `can_fuzz_random`
See [mod_canbus documentation](espilon_bot/components/mod_canbus/README.md) for full details.
### OTA Module
Over-the-air firmware updates from C2 server:
- Secure HTTPS firmware download (optional HTTP fallback)
- Dual partition scheme (A/B) for safe rollback
- Progress reporting to C2
---
**Configuration**: `idf.py menuconfig` -> Espilon Bot Configuration -> Modules
**Configuration**: `idf.py menuconfig` → Espilon Bot Configuration → Modules
Choose **only one module**:
- `CONFIG_MODULE_NETWORK`: Enable the Network Module
- `CONFIG_MODULE_FAKEAP`: Enable the FakeAP Module
- `CONFIG_MODULE_RECON`: Enable the Recon Module
- Then choose: `Camera` or `BLE Trilateration`
- `CONFIG_MODULE_NETWORK`: Network Module
- `CONFIG_MODULE_FAKEAP`: FakeAP Module
- `CONFIG_MODULE_RECON`: Recon Module (Camera or BLE Trilateration)
- `CONFIG_MODULE_REDTEAM`: Red Team Module
- `CONFIG_MODULE_HONEYPOT`: Honeypot Module
- `CONFIG_MODULE_CANBUS`: CAN Bus Module (requires MCP2515 hardware)
- `CONFIG_ESPILON_OTA_ENABLED`: OTA Updates
---
@ -333,22 +380,27 @@ Espilon should only be used for:
## Roadmap
### V2.0 (In Progress)
### V2.0 (Complete)
- [x] ChaCha20-Poly1305 AEAD + HKDF crypto upgrade
- [x] Per-device factory NVS key provisioning
- [x] C3PO C2 rewrite with per-device crypto
- [ ] Mesh networking (BLE/WiFi)
- [ ] OTA updates
- [ ] Collaborative multilateration
- [ ] Memory optimization
- [x] OTA firmware updates
- [x] Red Team module (autonomous WiFi hunting)
- [x] Honeypot module (fake services + monitoring)
- [x] CAN Bus module (MCP2515 — sniff, inject, UDS, OBD-II, fuzzing)
- [x] Web dashboard with device management, camera, MLAT, OTA, CAN
### Future
- [ ] BLE module (scan, GATT enum, beacon spoofing)
- [ ] Sub-GHz module (CC1101 — 433/868/915 MHz)
- [ ] BadUSB module (ESP32-S2/S3 HID injection)
- [ ] Custom Espilon PCB
- [ ] ESP32-S3/C3 support
- [ ] Module SDK for third-party extensions
- [ ] Web UI for C2
See [MODULE_IDEAS.md](MODULE_IDEAS.md) for the full list of planned modules.
---