
Villain

Villain is a high-level C2 framework that manages multiple TCP socket and HoaxShell-based reverse shells. It enhances their functionality with additional features and shares them among connected sibling servers.

Description

Villain serves as a command and control (C2) framework designed for handling multiple reverse shells simultaneously. It supports both TCP socket-based and HoaxShell-based connections, allowing operators to manage and enhance these shells with extra capabilities. The framework enables sharing of shells across connected sibling servers, facilitating distributed C2 operations.

Use cases include post-exploitation scenarios where maintaining persistent access to compromised systems is critical. Operators can centralize control of multiple implants, apply enhancements like file smuggling or encryption, and scale operations across multiple servers. This makes it suitable for red team engagements requiring robust shell management.

The tool integrates seamlessly into Kali Linux environments, relying on Python libraries for networking, cryptography, and clipboard operations to support its features.

How It Works

Villain operates as a server-based C2 framework listening on configurable TCP ports for reverse shell connections. It handles TCP socket shells on a specified reverse TCP port (default 4443) and HoaxShell connections via HTTP/HTTPS on hoax ports (default 8080 or 443). Additional listeners for file smuggling are supported. Connections are enhanced with features like encryption using certificates, quiet mode operation, and sharing across sibling servers via team server ports (default 6501). Internals leverage Python dependencies for network interfaces, cryptography, clipboard access, and HTTP requests.
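For defenders, the default ports above give a simple host-triage check. The following is an added example, not part of Villain or the original page: it parses `ss -H -ltnp` output and flags any process that holds both the team server and reverse TCP default ports. The sample input is constructed, the function and constant names are hypothetical, and an operator who changes the ports will not match, so a hit is a lead for investigation rather than proof.

```python
import re
from collections import defaultdict

# Defaults stated on this page: team server 6501, reverse TCP 4443,
# HoaxShell 8080 (http) or 443 (https).
DISTINCTIVE = {6501: "team server", 4443: "reverse TCP handler"}
SUPPORTING = {8080: "HoaxShell http", 443: "HoaxShell https"}  # common ports, weak alone
PROC_RE = re.compile(r'\(\("([^"]+)",pid=(\d+)')

# Constructed sample of `ss -H -ltnp` output (not captured from a real host).
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22   0.0.0.0:* users:(("sshd",pid=801,fd=3))
LISTEN 0 511 [::]:443     [::]:*    users:(("nginx",pid=950,fd=6))
LISTEN 0 5   0.0.0.0:6501 0.0.0.0:* users:(("python3",pid=2211,fd=4))
LISTEN 0 5   0.0.0.0:4443 0.0.0.0:* users:(("python3",pid=2211,fd=5))
LISTEN 0 5   0.0.0.0:8080 0.0.0.0:* users:(("python3",pid=2211,fd=6))
"""

def find_villain_like_listeners(ss_output):
    """Return {(process, pid): [roles]} for processes that listen on both
    distinctive default ports, with any supporting ports they also hold."""
    ports_by_proc = defaultdict(set)
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        port_text = fields[3].rsplit(":", 1)[-1]  # handles 0.0.0.0:p and [::]:p
        if not port_text.isdigit():
            continue
        m = PROC_RE.search(line)
        # Without root, ss omits the owner; such sockets are grouped together.
        owner = (m.group(1), int(m.group(2))) if m else ("unknown", 0)
        ports_by_proc[owner].add(int(port_text))

    roles = {**DISTINCTIVE, **SUPPORTING}
    findings = {}
    for owner, ports in ports_by_proc.items():
        # 8080/443 alone are ordinary web ports; require both distinctive ones.
        if set(DISTINCTIVE) <= ports:
            findings[owner] = sorted(roles[p] for p in ports if p in roles)
    return findings

if __name__ == "__main__":
    for (name, pid), found in find_villain_like_listeners(SAMPLE_SS).items():
        print(f"review {name} (pid {pid}): {', '.join(found)}")
```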

Installation

sudo apt install villain

Flags

-h, --help                                   show this help message and exit
-p, --port PORT                              Team server port (default: 6501).
-x, --hoax-port HOAX_PORT                    HoaxShell server port (default: 8080 via http, 443 via https).
-n, --reverse-tcp-port REVERSE_TCP_PORT      Reverse TCP multi-handler port (default: 4443).
-f, --file-smuggler-port FILE_SMUGGLER_PORT  File smuggler port
-i                                           Install mode (inferred from context)
-c CERTFILE                                  Certificate file for HTTPS
-k KEYFILE                                   Key file for HTTPS
-v                                           Verbose mode (inferred from context)
-q                                           Quiet mode

Examples

Display the full help message and usage information for Villain.
villain -h
Start Villain with the default team server port 6501.
villain -p 6501
Run Villain with HoaxShell server on HTTP port 8080.
villain -x 8080
Launch Villain using the default reverse TCP multi-handler port 4443.
villain -n 4443
Start Villain with file smuggler listener on port 1234.
villain -f 1234
Run HoaxShell server on HTTPS port 443 with specified certificate and key files.
villain -x 443 -c cert.pem -k key.pem
Start team server and reverse TCP handler in quiet mode.
villain -p 6501 -n 4443 -q
Updated 2026-04-16 (kali.org)