LazyOwn
LazyOwn RedTeam/APT Framework is the first RedTeam Framework with an AI-powered C&C, featuring rootkits to conceal campaigns, undetectable malleable implants compatible with Windows/Linux/Mac OSX, and self-configuring backdoors. With its Web interface and powerful Console Client, it is the best combination for your RedTeam/APT campaigns.
LazyOwn comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it under the terms of the GNU General Public License v3. See the LICENSE file for details about using this software.
LazyOwn
LazyOwn is a professional red team framework for penetration testers and security researchers. It provides over 333 attack techniques for Linux, Unix, BSD, macOS, and Windows environments, and integrates the Atomic Red Team attack library.
Core Architecture
LazyOwn is built around a modular, command-driven architecture that provides flexibility and extensibility for security testing workflows.
LazyOwn integrates a command-line interface (CLI) built on cmd2 and a web-based GUI built on Flask. Parameters are scoped to payload.json, enabling consistent configuration across tools. The framework supports adversary simulation, task scheduling via the cron command, and persistent automated threat simulation workflows.
LazyOwn Skills — MCP Integration
Connect Claude Code to the LazyOwn framework via the Model Context Protocol (MCP). The MCP server exposes 67 tools covering the full engagement lifecycle.
Files
| File | Purpose |
|------|---------|
| skills/lazyown_mcp.py | MCP server — exposes 67 LazyOwn tools to Claude |
| skills/lazyown.md | Claude Code skill / slash-command documentation |
| skills/autonomous_daemon.py | Autonomous execution daemon (objective-driven, no Claude required between steps) |
| skills/hive_mind.py | Multi-agent queen + drone system with ChromaDB memory |
| skills/lazyown_policy.py | Reward-based policy engine for the auto_loop |
| skills/lazyown_facts.py | Structured fact extraction from nmap XML and tool output |
| skills/lazyown_parquet_db.py | Parquet knowledge base: session history, GTFOBins, LOLBas, ATT&CK |
Quick Start
1. Register the MCP server
```bash
claude mcp add lazyown python3 /home/grisun0/LazyOwn/skills/lazyown_mcp.py
```
Or add manually to ~/.claude/claude_desktop_config.json:
```json
{
  "mcpServers": {
    "lazyown": {
      "command": "python3",
      "args": ["/home/grisun0/LazyOwn/skills/lazyown_mcp.py"],
      "env": {
        "LAZYOWN_DIR": "/home/grisun0/LazyOwn"
      }
    }
  }
}
```
2. Install the slash command (optional)
```bash
cp skills/lazyown.md ~/.claude/commands/lazyown.md
```
3. Use from Claude Code
After restarting Claude Code, all lazyown_* tools are available.
```text
You: set target to 10.10.11.78 and start the autonomous loop
Claude: [calls lazyown_set_config -> lazyown_auto_loop]
```
Environment Variables
| Variable | Default | Description |
|----------|---------|-------------|
| LAZYOWN_DIR | parent of skills/ | LazyOwn root directory |
| LAZYOWN_C2_HOST | payload.json lhost | C2 server address |
| LAZYOWN_C2_PORT | payload.json c2_port | C2 server port |
| LAZYOWN_C2_USER | payload.json c2_user | C2 username |
| LAZYOWN_C2_PASS | payload.json c2_pass | C2 password |
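The MCP registration above makes the client run a local script as the current user, and the variables in the table can carry C2 credentials. The following audit is an added example, not part of the LazyOwn code base: it checks a parsed `mcpServers` config for secrets kept in plaintext and for server scripts that other local users could modify. The `SECRET_HINTS` heuristic, the function names and the demo values are assumptions.

```python
import os
import stat
import tempfile

# Assumption: a name-based heuristic for secret-bearing variables.
SECRET_HINTS = ("PASS", "SECRET", "TOKEN")

def writable_by_others(path):
    """True when group or other users may modify the path."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit_mcp_config(config):
    """Return (server, finding, detail) tuples for one parsed MCP config."""
    findings = []
    for name, server in config.get("mcpServers", {}).items():
        # Secrets placed in "env" sit in plaintext in the config file.
        for key in server.get("env", {}):
            if any(hint in key.upper() for hint in SECRET_HINTS):
                findings.append((name, "plaintext-secret", key))
        # Every absolute path in "args" is code the client runs as the user.
        for arg in server.get("args", []):
            if not os.path.isabs(arg):
                continue
            if not os.path.exists(arg):
                findings.append((name, "missing-script", arg))
                continue
            for target in (arg, os.path.dirname(arg)):
                if writable_by_others(target):
                    findings.append((name, "writable-by-others", target))
    return findings

def demo():
    """Audit a constructed config that points at a throwaway script."""
    with tempfile.TemporaryDirectory() as root:
        os.chmod(root, 0o700)
        script = os.path.join(root, "lazyown_mcp.py")
        with open(script, "w") as handle:
            handle.write("# placeholder, not the real server\n")
        os.chmod(script, 0o666)  # deliberately loose for the demo
        config = {"mcpServers": {"lazyown": {
            "command": "python3",
            "args": [script],
            "env": {"LAZYOWN_DIR": root, "LAZYOWN_C2_PASS": "constructed"},
        }}}
        return [(n, f, os.path.basename(d)) for n, f, d in audit_mcp_config(config)]

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

To audit a real setup, load the config file with `json.load` and pass the resulting dict to `audit_mcp_config`.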
MCP Tool Groups (67 tools)
| Group | Tools | Description |
|-------|-------|-------------|
| Core Execution | 6 | run_command, get/set_config, list_modules, discover_commands, command_help |
| Target Management | 3 | add_target, list_targets, set_active_target |
| C2 / Implant Control | 10 | c2_command, c2_status, get_beacons, run_api, c2_profile, c2_vuln_analysis, c2_redop, c2_search_agent, c2_script, c2_adversary |
| Session Awareness | 4 | session_status, session_state, list_sessions, read_session_file |
| Autonomous Loop | 3 | auto_loop, policy_status, recommend_next |
| Reactive Intelligence | 2 | reactive_suggest, bridge_suggest |
| Objectives & Planning | 4 | inject_objective, next_objective, soul, read_prompt |
| Knowledge Bases | 9 | parquet_query/annotate, facts_show, cve_search, searchsploit, rag_index/query, threat_model |
| Memory & Learning | 3 | memory_recall/store, eval_quality |
| Campaign & Reporting | 7 | campaign, campaign_tasks, generate_report, misp_export, collab_publish, timeline |
| Playbooks | 2 | playbook_generate, playbook_run |
| Addons, Tools & Plugins | 3 | list_addons/plugins, create_addon/tool |
| Scheduling | 2 | cron_schedule, daemon |
| AI Agents | 5 | run_agent, agent_status/result, list_agents, llm_ask |
| Event Engine | 4 | poll_events, ack_event, add_rule, heartbeat_status |
Full documentation: skills/README.md and skills/lazyown.md.
Key Features
- Comprehensive Attack Library: Over 500 attack techniques for Linux, Unix, BSD, macOS, and Windows environments, augmented by the Atomic Red Team Framework library.
- Interactive CLI: Based on cmd2, offering an intuitive and efficient command-line experience.
- Decoy: If the client IP address does not match 127.0.0.1 or lhost, Flask shows a decoy website. The decoy site records video with audio and takes pictures of the intruder (sessions/captured_images), like a small version of Storm Breaker, to identify the blue team operator.
- Adversary Simulation: Advanced capabilities for generating red team operation sessions, ensuring meticulous and effective simulations.
- Task Scheduling: Utilize the cron command to schedule and automate tasks, enabling persistent threat simulations.
- Real-Time Results: Obtain immediate feedback and results from security assessments, ensuring timely and accurate insights.
- RAT and Botnet Capabilities: Includes features for remote access and control, allowing for the management of botnets and persistent threats.
- AI-Powered C2 Framework: Acts as a command and control (C2) framework, enabling covert communication and control over compromised systems, with many AI bots to improve your opsec. It is developed in Flask, providing a user-friendly interface for seamless interaction. It now includes network discovery capabilities, showing the attack surface on the client map clearly and intuitively, with filters and a search panel. New functionalities are coming soon.
- Undetectable, Obfuscated, and Malleable GO Implants: The command with the payload comes obfuscated by default. Instead of directly downloading the beacon, it downloads a stub created in C to download the beacon, which is XOR-encoded with a key. It is then decoded in memory and executed in a temporary path with a unique name to evade detection, using svchost in Windows and lazyservice in Linux. This performs a two-stage implant, which has been tested on Kernel 6.12 and Windows [Version 10.0.20348.3807]. Additionally, an alternative Windows stub using LOLBAS PS1 and Csharp has been added, along with a version of ebird3 in LOLBAS that uses the same technologies. The Go beacon is a multi-platform, undetectable, and highly obfuscated implant tailored for advanced red teaming operations. It features polymorphism, operates in a configurable stealth mode, and secures communications with AES-256 encrypted channels. The beacon blends into environments by simulating legitimate network traffic and evades detection by identifying virtual machines, sandboxes, containers, and debuggers, dynamically adjusting its behavior. With a minimal footprint, it supports robust network discovery through ping-based host enumeration and port scanning of configured targets. The implant excels at exfiltrating sensitive data, including private keys, AWS credentials, b
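The staging behaviour described in the implant bullet above (a binary run from a temporary path under the names svchost on Windows and lazyservice on Linux) leaves process-creation artifacts a defender can match on. The following detection sketch is an added example, not part of LazyOwn: the event field names and the sample events are constructed, and reading "svchost" and "lazyservice" as the process names is an assumption.

```python
import ntpath
import posixpath

LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
LINUX_TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

# Constructed process-creation events (not taken from any real host).
SAMPLE_EVENTS = [
    {"os": "windows", "image": r"C:\Windows\System32\svchost.exe", "parent": "services.exe"},
    {"os": "windows", "image": r"C:\Users\demo\AppData\Local\Temp\svchost.exe", "parent": "powershell.exe"},
    {"os": "linux", "image": "/tmp/lazyservice", "parent": "sh"},
    {"os": "linux", "image": "/usr/sbin/sshd", "parent": "systemd"},
]


def classify(event):
    """Return the reasons an event looks like the staging pattern, if any."""
    reasons = []
    if event["os"] == "windows":
        image = event["image"].lower()
        folder, name = ntpath.split(image)
        if name == "svchost.exe":
            # The genuine binary lives in System32/SysWOW64 under services.exe.
            if folder not in LEGIT_SVCHOST_DIRS:
                reasons.append("svchost.exe outside System32")
            if event["parent"].lower() != "services.exe":
                reasons.append("svchost.exe parent is not services.exe")
        if "\\temp\\" in image:
            reasons.append("runs from a temp directory")
    else:
        if posixpath.basename(event["image"]) == "lazyservice":
            reasons.append("process named lazyservice")
        if event["image"].startswith(LINUX_TEMP_DIRS):
            reasons.append("runs from a temp directory")
    return reasons


def flagged(events):
    """Keep only events with at least one reason attached."""
    return [(e["image"], r) for e in events if (r := classify(e))]


if __name__ == "__main__":
    for image, reasons in flagged(SAMPLE_EVENTS):
        print(image, "->", "; ".join(reasons))
```

The name match alone is easy to change, so the path and parent-process checks are the more durable signals.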
