Ender and Eshu

Common language platforms for multiple command and control frameworks. Eshu enables agnostic post-exploitation across C2s, while Ender provides a unified exploit engine. Both platforms support Metasploit and Sliver frameworks.

Project Overview

Ender and Eshu are common language platforms designed for red-team operators who use multiple command and control (C2) frameworks during engagements. They let operators perform exploitation and post-exploitation tasks in a framework-agnostic manner, simplifying multi-C2 management and improving operational efficiency.

The project addresses the growing complexity of managing several C2 frameworks at once. Although different C2s carry out their tasks in different ways, the end goal is the same: execute operations on target machines. Eshu handles post-exploitation operations, while Ender provides a unified exploit engine for active exploitation across multiple frameworks.

Eshu: Post-Exploitation Platform

Eshu is a common language platform for post-exploitation across multiple C2 frameworks. It enables operators to query and manage already established implants regardless of which C2 framework was used to create them, standardizing commands for retrieving host information and executing remote commands.

Core Functionality

  • Framework Agnostic Session Management: Eshu registers C2 instances and maintains a session store that records which framework each session belongs to
  • Get-Hosts Command: Identifies and retrieves all active sessions that Eshu can manage, across every registered framework
  • Run-Command Function: Executes a command against an active session using a unique session ID that identifies both the C2 and the session's number within that C2, so the operator does not need to know which framework is in use
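
As an added illustration of the registry and dispatch model described above (example code written for this page, not Eshu's own implementation), the following Python sketch keeps a store of registered frameworks, aggregates their sessions under composite "framework:number" IDs, and routes a command to the owning backend after validating the ID. The backend classes and host names are constructed stand-ins; a real adapter would wrap the Pymetasploit3 or SliverPy client instead.

```python
"""Added example (not the project's code): a minimal framework-agnostic
session registry in the style the Eshu description outlines. Backends are
constructed in-memory stand-ins, not Pymetasploit3 or SliverPy calls."""
from dataclasses import dataclass, field


class SessionLookupError(KeyError):
    """Raised when a composite session ID does not resolve to a live session."""


@dataclass
class FakeBackend:
    """Constructed stand-in for one C2 connection. A real adapter would wrap
    the framework's RPC/gRPC client; here the session table is a fixed dict."""
    name: str
    sessions: dict = field(default_factory=dict)  # session number -> host info

    def list_sessions(self):
        return dict(self.sessions)

    def run(self, number, command):
        host = self.sessions[number]["host"]
        # Simulated result so the registry can be exercised offline.
        return f"[{self.name}:{number}@{host}] {command}"


class SessionRegistry:
    """Maps composite IDs '<framework>:<number>' to the backend that owns them."""

    def __init__(self):
        self._backends = {}

    def register(self, backend):
        # One adapter per framework name keeps composite IDs unambiguous.
        if backend.name in self._backends:
            raise ValueError(f"framework already registered: {backend.name}")
        self._backends[backend.name] = backend

    def get_hosts(self):
        """Get-hosts: every session across every registered framework."""
        hosts = {}
        for name, backend in self._backends.items():
            for number, info in backend.list_sessions().items():
                hosts[f"{name}:{number}"] = dict(info, framework=name)
        return hosts

    @staticmethod
    def parse_id(session_id):
        """Split 'framework:number', rejecting anything that does not fit."""
        framework, sep, number = session_id.partition(":")
        if not sep or not framework or not number.isdigit():
            raise ValueError(f"malformed session id: {session_id!r}")
        return framework, int(number)

    def run_command(self, session_id, command):
        """Run-command: resolve the ID, validate it, dispatch to the owner."""
        framework, number = self.parse_id(session_id)
        backend = self._backends.get(framework)
        if backend is None:
            raise SessionLookupError(f"no registered framework {framework!r}")
        if number not in backend.list_sessions():
            raise SessionLookupError(f"no session {number} on {framework}")
        return backend.run(number, command)


def build_demo_registry():
    """Constructed sample data: two frameworks, three sessions in total."""
    reg = SessionRegistry()
    reg.register(FakeBackend("msf", {1: {"host": "lab-host-a"}, 2: {"host": "lab-host-b"}}))
    reg.register(FakeBackend("sliver", {1: {"host": "lab-host-c"}}))
    return reg


if __name__ == "__main__":
    reg = build_demo_registry()
    for sid, info in sorted(reg.get_hosts().items()):
        print(sid, info)
    print(reg.run_command("sliver:1", "hostname"))
```

The validation in parse_id and run_command is the part worth keeping when swapping in real adapters: a malformed or stale ID fails before any RPC is issued, rather than being silently sent to the wrong framework.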

Supported Frameworks

Metasploit

Uses Metasploit's RPC interface via the Pymetasploit3 library. Supports querying active sessions and executing commands against Meterpreter shells.

Sliver

Uses the SliverPy library, which communicates with the Sliver server over gRPC. Currently supports Sliver beacons; session support is planned for future development.

Ender: Exploit Engine

Ender is a common language exploit engine that provides a unified interface for active exploitation across multiple C2 frameworks. Built with a client-server architecture, Ender enables operators to search for exploits, configure modules, and execute them through a single command-line interface.

Architecture

Ender uses a lightweight client-server model where:

  • Ender Client: Provides the operator interface, handling user input and displaying feedback
  • Ender Server: Performs all remote procedure calls to each independent C2 framework on the backend

Key Capabilities

  • Search and list available Metasploit exploit and auxiliary modules
  • Configure module parameters through interactive prompts
  • Execute exploits and catch Meterpreter shells through automated listener setup
  • Create and manage Sliver beacons, profiles, and HTTP listeners
  • Support for multiplayer mode and general command queries across frameworks

Metasploit Integration

Ender's Metasploit implementation allows operators to:

  • Search for exploit and auxiliary modules by keyword
  • Run modules with interactive parameter configuration
  • Automatically set up listeners and upgrade shells to Meterpreter sessions
  • Manage active Meterpreter sessions

Sliver Integration

Ender's Sliver implementation provides:

  • Beacon generation with configurable profiles
  • HTTP listener setup and management
  • Multiplayer mode support for team collaboration
  • General command querying capabilities

Team Members

Alexander Aviles

Yousif Alsabah

Alan Ingersoll

Xun-Yang Leong

Prateek Ravindran