data/profile.toml

# Conquest default configuration file 
name = "cq-default-profile"

# Important file paths and locations
private-key-file = "data/keys/conquest-server_x25519_private.key"
database-file = "data/conquest.db"

# Team server settings (WebSocket server port, users, ...)
[team-server]
host = "0.0.0.0"
port = 37573

# ----------------------------------------------------------
# HTTP GET 
# ----------------------------------------------------------
# Defines URI endpoints for HTTP GET requests
[http-get]
user-agent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36"

# Defines URI endpoints for HTTP GET requests
# This has to be an array, even if it only has one member
endpoints = [
    "/get",
    "/api/v1.2/status.js"
]

# Defines where the heartbeat is placed within the HTTP GET request
# Allows for optional data transformation using encoding (base64, hex, ...), appending and prepending of strings
# Metadata can be stored in a Header (e.g. JWT Token, Session Cookie), URI parameter or request body 
# Encoding is only applied to the payload and not the prepended or appended strings
[http-get.agent.heartbeat]
placement = { type = "header", name = "Authorization" }
encoding = { type = "base64", url-safe = true }
prefix = "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
suffix = ".######################################-####"

# Example: PHP session cookie 
# placement = { type = "header", name = "Cookie" }
# encoding = { type = "base64", url-safe = true }
# prefix = "PHPSESSID="
# suffix = ", path=/"

# Example: Hex string in GET parameter
# placement = { type = "query", name = "id" }
# encoding = { type = "hex" }

# Example: Data encoded with multiple techniques in GET request body
# placement = { type = "body" }
# encoding = [
#     { type = "rot", key = 5 },
#     { type = "base64" }
# ] 

# Example: Binary prefix (PDF header)
# placement = { type = "body" }
# encoding = { type = "xor", key = 100 }
# prefix = [0x25, 0x50, 0x44, 0x46]  
# suffix = [0x25, 0x25, 0x45, 0x4F, 0x46] 

# Defines arbitrary URI parameters that are added to the request
[http-get.agent.parameters]
id = "#####-#####"
lang = [
    "en-US",
    "de-AT"
]

# Defines arbitrary headers that are added by the agent when performing a HTTP GET request 
[http-get.agent.headers]
Host = [ 
    "wikipedia.org", 
    "google.com",
    "127.0.0.1"
]
Connection = "Keep-Alive"
Cache-Control = "no-cache"

# Defines arbitrary headers that are added to the server's response
[http-get.server.headers]
Server = "nginx"
Content-Type = "application/octet-stream" 
Connection = "Keep-Alive"

# Defines how the server's response to the task retrieval request is rendered
# Allows same data transformation options as the agent metadata, allowing it to be embedded in benign content 
# e.g base64-encoded in a svg/img
[http-get.server.output]
placement = { type = "body" }
# encoding = { type = "base64" }
# prefix = "<!DOCTYPE html><html class=client-nojs lang=en dir=ltr><head><meta charset=UTF-8/><title>Wikipedia</title><script>document.documentElement.className = document.documentElement.className.replace( /(^|s)client-nojs(s|$)/, $1client-js$2 );</script><script>(window.RLQ=window.RLQ||[]).push(function(){mw.config.set({wgCanonicalNamespace:,wgCanonicalSpecialPageName:false,wgNamespaceNumber:0,,wgBetaFeaturesFeatures:[],wgMediaViewerOnClick:true,wgMediaViewerEnabledByDefault:true,wgVisualEditor:{pageLanguageCode:en,pageLanguageDir:ltr,usePageImages:true,usePageDescriptions:true},wgPreferredVariant:en,wgMFDisplayWikibaseDescriptions:{search:true,nearby:true,watchlist:true,tagline:false},wgRelatedArticles:null,wgRelatedArticlesUseCirrusSearch:true,wgRelatedArticlesOnlyUseCirrusSearch:false,wgULSCurrentAutonym:English,wgNoticeProject:wikipedia,wgCentralNoticeCookiesToDelete:[],wgCentralNoticeCategoriesUsingLegacy:[Fundraising,fundraising],wgCategoryTreePageCategoryOptions:{mode:0,hideprefix:20,showcount:true,namespaces:false},wgWikibaseItemId:"
# suffix = ",wgCentralAuthMobileDomain:false,wgVisualEditorToolbarScrollOffset:0,wgEditSubmitButtonLabelPublish:false});mw.loader.state({ext.globalCssJs.user.styles:ready,ext.globalCssJs.site.styles:ready,site.styles:ready,noscript:ready,user.styles:ready,user:ready,user.options:loading,user.tokens:loading,wikibase.client.init:ready,ext.visualEditor.desktopArticleTarget.noscript:ready,ext.uls.interlanguage:ready,ext.wikimediaBadges:ready,mediawiki.legacy.shared:ready,mediawiki.legacy.commonPrint:ready,mediawiki.sectionAnchor:ready,mediawiki.skinning.interface:ready,skins.vector.styles:ready,ext.globalCssJs.user:ready,ext.globalCssJs.site:ready});mw.loader.implement(user.options@0j3lz3q,function($,jQuery,require,module){mw.user.options.set({variant:en});});mw.loader.implement(user.tokens@1dqfd7l,function ( $, jQuery, require, module )</script><link rel=stylesheet href=/w/load.php?debug=false&amp;lang=en&amp;modules=ext.uls.interlanguage%7Cext.visualEditor.desktopArticleTarget.noscript%7Cext.wikimediaBadges%7Cmediawiki.legacy.commonPrint%2Cshared%7Cmediawiki.sectionAnchor%7Cmediawiki.skinning.interface%7Cskins.vector.styles%7Cwikibase.client.init&amp;only=styles&amp;skin=vector/><script async= src=/w/load.php?debug=false&amp;lang=en&amp;modules=startup&amp;only=scripts&amp;skin=vector></script><meta name=ResourceLoaderDynamicStyles content=/><link rel=stylesheet href=/w/load.php?debug=false&amp;lang=en&amp;modules=site.styles&amp;only=styles&amp;skin=vector/>"

# ----------------------------------------------------------
# HTTP POST 
# ----------------------------------------------------------
[http-post]
user-agent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36"

# Defines URI endpoints for HTTP POST requests
# This has to be an array, even if it only has one member
endpoints = [
    "/post",
    "/api/v2/get.js"
]

# Post request can also be sent with a different HTTP verb (PUT, GET, ...)
request-methods = [
    "POST",
    "PUT"
]

# Defines arbitrary request headers that are added to the POST request
[http-post.agent.headers]
Host = [ 
    "wikipedia.org", 
    "google.com",
    "127.0.0.1"
]
Content-Type = "text/plain" 
Connection = "Keep-Alive"
Cache-Control = "no-cache"

# Defines arbitrary query parameters that are added to the URI
[http-post.agent.parameters]
lang = [
    "en-US",
    "de-AT"
]
page = "1$"     # The $ character is replaced with a random number

# Defines how the POST requests made by the agents look like
# For modules that involve large file transfers, it is not recommended to place the task output in a header or query parameter, as this will exceed the header size
# Placing this type of data in the body is highly recommended
[http-post.agent.output]
placement = { type = "body" }
encoding = { type = "hex" }
# prefix = "<START>"
# suffix = "<END>"

# Defines arbitrary response headers added by the server
[http-post.server.headers]
Server = "nginx"

# Defines data that is returned in the body of the server's response
[http-post.server.output]
body = "Ok"
Started implementing profile system. 2025-08-13 19:32:51 +02:00			`# Conquest default configuration file`
Refine profile structure. 2025-08-13 21:42:58 +02:00			`name = "cq-default-profile"`
Started implementing profile system. 2025-08-13 19:32:51 +02:00
Refine profile structure. 2025-08-13 21:42:58 +02:00			`# Important file paths and locations`
Created nimble package and installation instructions. 2025-08-22 10:48:00 +02:00			`private-key-file = "data/keys/conquest-server_x25519_private.key"`
			`database-file = "data/conquest.db"`
Started implementing profile system. 2025-08-13 19:32:51 +02:00
Removed prompt user intreface; Team server and Client are now fully separated. 2025-10-01 13:25:15 +02:00			`# Team server settings (WebSocket server port, users, ...)`
			`[team-server]`
Host for the websocket server can now be specified in the team server profile. 2025-11-03 09:52:01 +01:00			`host = "0.0.0.0"`
Removed prompt user intreface; Team server and Client are now fully separated. 2025-10-01 13:25:15 +02:00			`port = 37573`

Refine profile structure. 2025-08-13 21:42:58 +02:00			`# ----------------------------------------------------------`
			`# HTTP GET`
			`# ----------------------------------------------------------`
			`# Defines URI endpoints for HTTP GET requests`
Started implementing profile system. 2025-08-13 19:32:51 +02:00			`[http-get]`
Updated documentation. 2025-10-30 17:08:50 +01:00			`user-agent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36"`

			`# Defines URI endpoints for HTTP GET requests`
Added youtube video example profile. 2025-11-07 20:22:13 +01:00			`# This has to be an array, even if it only has one member`
Updated profile system, including dynamic parsing of hidden heartbeats and setting of response headers. 2025-08-14 15:53:58 +02:00			`endpoints = [`
			`"/get",`
Started implementing profile system. 2025-08-13 19:32:51 +02:00			`"/api/v1.2/status.js"`
			`]`

Refine profile structure. 2025-08-13 21:42:58 +02:00			`# Defines where the heartbeat is placed within the HTTP GET request`
Heartbeat can be placed in request body again. 2025-11-18 09:43:56 +01:00			`# Allows for optional data transformation using encoding (base64, hex, ...), appending and prepending of strings`
			`# Metadata can be stored in a Header (e.g. JWT Token, Session Cookie), URI parameter or request body`
Updated profile system, including dynamic parsing of hidden heartbeats and setting of response headers. 2025-08-14 15:53:58 +02:00			`# Encoding is only applied to the payload and not the prepended or appended strings`
Refine profile structure. 2025-08-13 21:42:58 +02:00			`[http-get.agent.heartbeat]`
Updated to TOML v1.0.0. 2025-11-21 15:55:41 +01:00			`placement = { type = "header", name = "Authorization" }`
			`encoding = { type = "base64", url-safe = true }`
			`prefix = "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."`
			`suffix = ".######################################-####"`
Updated profile system, including dynamic parsing of hidden heartbeats and setting of response headers. 2025-08-14 15:53:58 +02:00
			`# Example: PHP session cookie`
Refine profile structure. 2025-08-13 21:42:58 +02:00			`# placement = { type = "header", name = "Cookie" }`
Heartbeat can be placed in request body again. 2025-11-18 09:43:56 +01:00			`# encoding = { type = "base64", url-safe = true }`
Updated profile system, including dynamic parsing of hidden heartbeats and setting of response headers. 2025-08-14 15:53:58 +02:00			`# prefix = "PHPSESSID="`
			`# suffix = ", path=/"`

Heartbeat can be placed in request body again. 2025-11-18 09:43:56 +01:00			`# Example: Hex string in GET parameter`
Implemented data transformation and placement via profile for agent POST requests (task results/registration). 2025-11-08 15:59:36 +01:00			`# placement = { type = "query", name = "id" }`
Heartbeat can be placed in request body again. 2025-11-18 09:43:56 +01:00			`# encoding = { type = "hex" }`

Implemented chaining multiple encoding techniques for data transformation. 2025-11-21 20:14:21 +01:00			`# Example: Data encoded with multiple techniques in GET request body`
Updated to TOML v1.0.0. 2025-11-21 15:55:41 +01:00			`# placement = { type = "body" }`
Implemented chaining multiple encoding techniques for data transformation. 2025-11-21 20:14:21 +01:00			`# encoding = [`
			`# { type = "rot", key = 5 },`
			`# { type = "base64" }`
Implemented support for binary prefix/suffix. 2025-11-23 20:40:48 +01:00			`# ]`

			`# Example: Binary prefix (PDF header)`
			`# placement = { type = "body" }`
			`# encoding = { type = "xor", key = 100 }`
			`# prefix = [0x25, 0x50, 0x44, 0x46]`
			`# suffix = [0x25, 0x25, 0x45, 0x4F, 0x46]`
Refine profile structure. 2025-08-13 21:42:58 +02:00
			`# Defines arbitrary URI parameters that are added to the request`
			`[http-get.agent.parameters]`
Added randomization to profile strings by replacing '#' with random alphanumerical chars. 2025-08-15 16:18:15 +02:00			`id = "#####-#####"`
Updated documentation. 2025-10-30 17:08:50 +01:00			`lang = [`
			`"en-US",`
			`"de-AT"`
			`]`
Refine profile structure. 2025-08-13 21:42:58 +02:00
			`# Defines arbitrary headers that are added by the agent when performing a HTTP GET request`
Started implementing profile system. 2025-08-13 19:32:51 +02:00			`[http-get.agent.headers]`
Added more randomization. The profile now supports setting keys to an array of strings, from which a random one is chosen each time (useful for e.g. Host header, etc.) 2025-08-17 16:27:48 +02:00			`Host = [`
			`"wikipedia.org",`
			`"google.com",`
			`"127.0.0.1"`
			`]`
Added profile system to agent communication. Randomized URL endpoints/request methods and dynamic data transformation based on C2 profile. Profile is defined as compile-time string for now. 2025-08-15 15:42:57 +02:00			`Connection = "Keep-Alive"`
Updated profile system, including dynamic parsing of hidden heartbeats and setting of response headers. 2025-08-14 15:53:58 +02:00			`Cache-Control = "no-cache"`
Started implementing profile system. 2025-08-13 19:32:51 +02:00
Refactored utility functions to make them more readable and removed separate register endpoint. 2025-08-14 12:25:06 +02:00			`# Defines arbitrary headers that are added to the server's response`
Started implementing profile system. 2025-08-13 19:32:51 +02:00			`[http-get.server.headers]`
Updated profile system, including dynamic parsing of hidden heartbeats and setting of response headers. 2025-08-14 15:53:58 +02:00			`Server = "nginx"`
			`Content-Type = "application/octet-stream"`
			`Connection = "Keep-Alive"`
Refine profile structure. 2025-08-13 21:42:58 +02:00
			`# Defines how the server's response to the task retrieval request is rendered`
			`# Allows same data transformation options as the agent metadata, allowing it to be embedded in benign content`
Improved working with profiles by adding helper retrieval functions. 2025-08-14 19:33:32 +02:00			`# e.g base64-encoded in a svg/img`
Refine profile structure. 2025-08-13 21:42:58 +02:00			`[http-get.server.output]`
			`placement = { type = "body" }`
Implemented server output encoding for task retrieval. 2025-08-17 17:01:50 +02:00			`# encoding = { type = "base64" }`
			# prefix = "<!DOCTYPE html><html class=client-nojs lang=en dir=ltr><head><meta charset=UTF-8/><title>Wikipedia</title><script>document.documentElement.className = document.documentElement.className.replace( /(^\|s)client-nojs(s\|$)/, $1client-js$2 );</script><script>(window.RLQ=window.RLQ\|\|[]).push(function(){mw.config.set({wgCanonicalNamespace:,wgCanonicalSpecialPageName:false,wgNamespaceNumber:0,,wgBetaFeaturesFeatures:[],wgMediaViewerOnClick:true,wgMediaViewerEnabledByDefault:true,wgVisualEditor:{pageLanguageCode:en,pageLanguageDir:ltr,usePageImages:true,usePageDescriptions:true},wgPreferredVariant:en,wgMFDisplayWikibaseDescriptions:{search:true,nearby:true,watchlist:true,tagline:false},wgRelatedArticles:null,wgRelatedArticlesUseCirrusSearch:true,wgRelatedArticlesOnlyUseCirrusSearch:false,wgULSCurrentAutonym:English,wgNoticeProject:wikipedia,wgCentralNoticeCookiesToDelete:[],wgCentralNoticeCategoriesUsingLegacy:[Fundraising,fundraising],wgCategoryTreePageCategoryOptions:{mode:0,hideprefix:20,showcount:true,namespaces:false},wgWikibaseItemId:"
			# suffix = ",wgCentralAuthMobileDomain:false,wgVisualEditorToolbarScrollOffset:0,wgEditSubmitButtonLabelPublish:false});mw.loader.state({ext.globalCssJs.user.styles:ready,ext.globalCssJs.site.styles:ready,site.styles:ready,noscript:ready,user.styles:ready,user:ready,user.options:loading,user.tokens:loading,wikibase.client.init:ready,ext.visualEditor.desktopArticleTarget.noscript:ready,ext.uls.interlanguage:ready,ext.wikimediaBadges:ready,mediawiki.legacy.shared:ready,mediawiki.legacy.commonPrint:ready,mediawiki.sectionAnchor:ready,mediawiki.skinning.interface:ready,skins.vector.styles:ready,ext.globalCssJs.user:ready,ext.globalCssJs.site:ready});mw.loader.implement(user.options@0j3lz3q,function($,jQuery,require,module){mw.user.options.set({variant:en});});mw.loader.implement(user.tokens@1dqfd7l,function ( $, jQuery, require, module )</script><link rel=stylesheet href=/w/load.php?debug=false&lang=en&modules=ext.uls.interlanguage%7Cext.visualEditor.desktopArticleTarget.noscript%7Cext.wikimediaBadges%7Cmediawiki.legacy.commonPrint%2Cshared%7Cmediawiki.sectionAnchor%7Cmediawiki.skinning.interface%7Cskins.vector.styles%7Cwikibase.client.init&only=styles&skin=vector/><script async= src=/w/load.php?debug=false&lang=en&modules=startup&only=scripts&skin=vector></script><meta name=ResourceLoaderDynamicStyles content=/><link rel=stylesheet href=/w/load.php?debug=false&lang=en&modules=site.styles&only=styles&skin=vector/>"
Started implementing profile system. 2025-08-13 19:32:51 +02:00
Refine profile structure. 2025-08-13 21:42:58 +02:00			`# ----------------------------------------------------------`
			`# HTTP POST`
			`# ----------------------------------------------------------`
Started implementing profile system. 2025-08-13 19:32:51 +02:00			`[http-post]`
Updated documentation. 2025-10-30 17:08:50 +01:00			`user-agent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36"`

Added profile system to agent communication. Randomized URL endpoints/request methods and dynamic data transformation based on C2 profile. Profile is defined as compile-time string for now. 2025-08-15 15:42:57 +02:00			`# Defines URI endpoints for HTTP POST requests`
Added youtube video example profile. 2025-11-07 20:22:13 +01:00			`# This has to be an array, even if it only has one member`
Updated profile system, including dynamic parsing of hidden heartbeats and setting of response headers. 2025-08-14 15:53:58 +02:00			`endpoints = [`
			`"/post",`
Started implementing profile system. 2025-08-13 19:32:51 +02:00			`"/api/v2/get.js"`
			`]`

Implemented data transformation and placement via profile for agent POST requests (task results/registration). 2025-11-08 15:59:36 +01:00			`# Post request can also be sent with a different HTTP verb (PUT, GET, ...)`
Added profile system to agent communication. Randomized URL endpoints/request methods and dynamic data transformation based on C2 profile. Profile is defined as compile-time string for now. 2025-08-15 15:42:57 +02:00			`request-methods = [`
			`"POST",`
			`"PUT"`
			`]`

Implemented data transformation and placement via profile for agent POST requests (task results/registration). 2025-11-08 15:59:36 +01:00			`# Defines arbitrary request headers that are added to the POST request`
Started implementing profile system. 2025-08-13 19:32:51 +02:00			`[http-post.agent.headers]`
Added more randomization. The profile now supports setting keys to an array of strings, from which a random one is chosen each time (useful for e.g. Host header, etc.) 2025-08-17 16:27:48 +02:00			`Host = [`
			`"wikipedia.org",`
			`"google.com",`
			`"127.0.0.1"`
			`]`
Heartbeat can be placed in request body again. 2025-11-18 09:43:56 +01:00			`Content-Type = "text/plain"`
Updated profile system, including dynamic parsing of hidden heartbeats and setting of response headers. 2025-08-14 15:53:58 +02:00			`Connection = "Keep-Alive"`
Refine profile structure. 2025-08-13 21:42:58 +02:00			`Cache-Control = "no-cache"`
Started implementing profile system. 2025-08-13 19:32:51 +02:00
Implemented data transformation and placement via profile for agent POST requests (task results/registration). 2025-11-08 15:59:36 +01:00			`# Defines arbitrary query parameters that are added to the URI`
			`[http-post.agent.parameters]`
			`lang = [`
			`"en-US",`
			`"de-AT"`
			`]`
Heartbeat can be placed in request body again. 2025-11-18 09:43:56 +01:00			`page = "1$" # The $ character is replaced with a random number`
Implemented data transformation and placement via profile for agent POST requests (task results/registration). 2025-11-08 15:59:36 +01:00
			`# Defines how the POST requests made by the agents look like`
			`# For modules that involve large file transfers, it is not recommended to place the task output in a header or query parameter, as this will exceed the header size`
			`# Placing this type of data in the body is highly recommended`
Refactored utility functions to make them more readable and removed separate register endpoint. 2025-08-14 12:25:06 +02:00			`[http-post.agent.output]`
			`placement = { type = "body" }`
Implemented hex encoding for data transformation. 2025-11-08 16:16:15 +01:00			`encoding = { type = "hex" }`
Heartbeat can be placed in request body again. 2025-11-18 09:43:56 +01:00			`# prefix = "<START>"`
			`# suffix = "<END>"`
Refactored utility functions to make them more readable and removed separate register endpoint. 2025-08-14 12:25:06 +02:00
Implemented data transformation and placement via profile for agent POST requests (task results/registration). 2025-11-08 15:59:36 +01:00			`# Defines arbitrary response headers added by the server`
Started implementing profile system. 2025-08-13 19:32:51 +02:00			`[http-post.server.headers]`
Updated profile system, including dynamic parsing of hidden heartbeats and setting of response headers. 2025-08-14 15:53:58 +02:00			`Server = "nginx"`
Refine profile structure. 2025-08-13 21:42:58 +02:00
Implemented data transformation and placement via profile for agent POST requests (task results/registration). 2025-11-08 15:59:36 +01:00			`# Defines data that is returned in the body of the server's response`
Refine profile structure. 2025-08-13 21:42:58 +02:00			`[http-post.server.output]`
Heartbeat can be placed in request body again. 2025-11-18 09:43:56 +01:00			`body = "Ok"`