Learn how modern C2 infrastructures are engineered β safely, ethically, and from the inside out.
Overview β’ Features β’ Installation β’ Usage β’ Documentation β’ Roadmap
π Encrypted Communications β’ π¦ Payload Builder β’ π§© Modular Post-Exploitation β’ β‘ Runtime Module Loading β’ π Educational Research
Important
ShadowLab is an educational Command & Control (C2) framework designed exclusively for cybersecurity research, authorized security assessments, and isolated laboratory environments.
Rather than serving as an offensive toolkit, the project demonstrates how modern C2 infrastructures are engineered through transparent implementations of encrypted communications, payload generation, Windows internals, and modular post-exploitation workflows.
ShadowLab must never be used against systems without explicit authorization.
ShadowLab is a modular Command & Control (C2) framework written entirely in Python for studying the engineering principles behind modern remote administration infrastructures.
The project provides a transparent implementation of encrypted communications, staged and unstaged payload generation, Windows integration, and runtime post-exploitation modules, allowing students, researchers, and security professionals to explore how contemporary C2 frameworks are designed inside controlled laboratory environments.
Every component is built with education in mind, emphasizing software architecture, defensive understanding, ethical research, and practical cybersecurity learning instead of real-world offensive deployment.
- π AES-128 Fernet encrypted communication
- π¦ Staged & unstaged payload generation
- π§© Dynamic post-exploitation module system
- π» Interactive encrypted remote shell
- π₯ Windows reconnaissance through WMI
- π Built specifically for cybersecurity education
Interested in the engineering decisions behind ShadowLab?
β‘οΈ Read the full technical analysis (Medium)
ShadowLab provides a modular set of capabilities that demonstrate the core building blocks of a modern Command & Control framework while maintaining a strong focus on education, transparency, and software engineering.
| Category | Features |
|---|---|
| π Communication | AES-128 Fernet encrypted communication, secure authentication, length-prefixed TCP transport |
| π¦ Payload Builder | Staged & unstaged payload generation, executable binding, automated configuration embedding |
| π» Remote Interaction | Interactive remote shell, file upload, desktop notifications |
| π· Intelligence Collection | System information, screenshots, webcam capture, microphone recording, geolocation |
| π₯οΈ Windows Integration | WMI enumeration, Registry persistence, security product detection |
| π§© Post-Exploitation | Dynamic module discovery, runtime template injection, encrypted module registration, controller-backed modules |
| ποΈ Architecture | Modular codebase, configurable components, educational implementation, extensible framework |
The repository is organized into modular components, separating the framework core, payload generation, configuration management, and post-exploitation modules.
ShadowLab/
β
βββ assets/ # README assets
βββ confs/ # Framework configuration
βββ mainclass/ # Core framework components
βββ modules/ # Post-exploitation modules
βββ payloads/ # Payload templates
βββ build/ # Generated payloads
βββ photos/ # Screenshots
βββ records/ # Audio recordings
β
βββ Shadow.py # Main C2 Server
βββ requirements.txt
βββ README.md
βββ ROADMAP.md
βββ SECURITY.md
βββ FAQS.md
βββ CONTRIBUTING.md
ShadowLab targets Python 3.13.x.
Clone the repository and install the required dependencies.
git clone https://github.com/msalihberk/ShadowLab.git
cd ShadowLabpip install -r requirements.txtOr create a virtual environment first:
python -m venv venv
# Windows
venv\Scripts\activate
# Linux / macOS
source venv/bin/activate
pip install -r requirements.txtpython Shadow.pyIf the application starts successfully, the installation is complete.
After completing the installation, the typical ShadowLab workflow is:
Generate Configuration
β
βΌ
Configure Listener
β
βΌ
Build Payload
β
βΌ
Start Listener
β
βΌ
Agent Connection
β
βΌ
Manage Session
β
βΌ
Deploy Post-Exploitation Modules
Generate a unique encryption key and authentication token before building any payload.
Option 5 β Generate Configuration
This creates the required configuration inside:
confs/conf.json
Specify the IP address and listening port that will be embedded into generated payloads.
Option 3 β Set IP Address
Option 4 β Set Listening Port
Generate either a staged or unstaged payload.
Option 1 β Build Payload
The builder supports:
- Python payloads
- Standalone executables
- Executable binding
- Staged deployment
- Unstaged deployment
Begin accepting incoming encrypted connections.
Option 2 β Start Listener
Once an agent connects, ShadowLab provides an interactive management interface.
| Command | Function |
|---|---|
1 |
Interactive Shell |
2 |
Create Persistence |
3 |
Record Microphone |
4 |
Upload File |
5 |
Webcam Capture |
6 |
Geolocation |
7 |
Remove Persistence |
8 |
System Information |
9 |
Desktop Notification |
10 |
Screenshot |
11 |
Security Software Audit |
12 |
Post-Exploitation Manager |
q |
Close Session |
ShadowLab includes a modular post-exploitation framework capable of dynamically discovering and deploying runtime modules.
Typical workflow:
Session
β
βΌ
Post-Exploitation Manager
β
βΌ
Select Module
β
βΌ
Configure Template Values
β
βΌ
Deploy
β
βΌ
Interactive Controller
The framework currently ships with a sample KEYLOGGER module, while additional modules can be added without modifying the core framework thanks to the dynamic module architecture.
Additional documentation is available for users who want to explore the project in greater depth.
| Document | Description |
|---|---|
ROADMAP.md |
Project roadmap and future milestones |
SECURITY.md |
Responsible disclosure and security policy |
FAQS.md |
Frequently asked questions |
CONTRIBUTING.md |
Contribution guidelines |
ShadowLab is released under the MIT License.
See the LICENSE file for the complete license text.
Warning
ShadowLab is intended exclusively for cybersecurity education, authorized security assessments, and isolated laboratory environments.
Unauthorized use against systems you do not own or have explicit permission to assess is illegal and outside the intended purpose of this project.
