
Red Team Module

Autonomous WiFi hunting, credential attacks, ESP-NOW mesh relay, and stealth operation for resilient C2 connectivity.

Authorization Required

This module performs active WiFi scanning, credential testing, and network penetration. Only use on networks you own or have explicit written authorization to test.

Configuration

Enable in idf.py menuconfig → Espilon Bot Configuration → Modules → Red Team Module

Config flag: CONFIG_MODULE_REDTEAM


Overview

The Red Team module provides autonomous network hunting capabilities. When the agent loses its primary C2 connection, it can automatically scan for alternative WiFi networks, attempt connections using known credentials, and relay traffic through an ESP-NOW mesh.

┌─────────────────────────────────────────────────┐
│              Red Team Module                     │
│                                                  │
│  ┌──────────┐  ┌──────────┐  ┌──────────┐      │
│  │ rt_hunt  │→ │ rt_scan  │→ │ Connect  │      │
│  │ (auto)   │  │ (passive)│  │ (WiFi)   │      │
│  └──────────┘  └──────────┘  └──────────┘      │
│       │              │             │             │
│       ↓              ↓             ↓             │
│  ┌──────────┐  ┌──────────┐  ┌──────────┐      │
│  │ Stealth  │  │ Known    │  │ ESP-NOW  │      │
│  │ (MAC/TX) │  │ Networks │  │ Mesh     │      │
│  └──────────┘  └──────────┘  └──────────┘      │
│                                                  │
│  NVS: "rt_cfg" (network DB, config)             │
└─────────────────────────────────────────────────┘

Key Features

  • Autonomous hunting: Triggered automatically on TCP/WiFi failure
  • Passive WiFi scanning: Stealth mode with no probe requests
  • Known network database: Stored in NVS, survives reboots
  • MAC randomization: Spoofed MAC during scanning and connection attempts
  • TX power management: Reduced power for stealth, full power for connectivity
  • ESP-NOW mesh relay: Multi-hop relay for out-of-range C2

Files

| File | Description |
|---|---|
| cmd_redteam.c | Command handlers and registration |
| cmd_redteam.h | Public API (mod_redteam_register_commands()) |
| rt_hunt.c / rt_hunt.h | Autonomous hunt state machine |
| rt_stealth.c / rt_stealth.h | MAC spoofing, TX power, passive scan |
| rt_mesh.c / rt_mesh.h | ESP-NOW mesh relay |
| rt_config.c / rt_config.h | NVS persistence (namespace rt_cfg) |
| rt_captive.c / rt_captive.h | Captive portal bypass |

Commands

rt_hunt

Start the autonomous network hunting cycle. The agent scans for WiFi networks, attempts to connect using known credentials, and re-establishes C2 connectivity.

Syntax:

c2:> send <device_id> rt_hunt [profile]

Parameters:

| Parameter | Type | Required | Description |
|---|---|---|---|
| profile | string | No | Hunt profile (reserved for future use) |

Behavior:

  1. Save current WiFi state and MAC address
  2. Enable stealth mode (MAC randomization, reduced TX power)
  3. Passive WiFi scan (no probe requests)
  4. For each discovered network, check against known network DB
  5. Attempt connection to matching networks
  6. On success, re-establish C2 TCP connection
  7. Report results to C2

This command is async — it runs in the background and reports progress.


rt_stop

Stop hunting and restore the original WiFi configuration, MAC address, and TX power.

Syntax:

c2:> send <device_id> rt_stop

Response:

Hunt stopped, WiFi/MAC/TX restored

rt_status

Display the current hunt state, including MAC address, connection method, and configuration.

Syntax:

c2:> send <device_id> rt_status

Response:

state=hunting mac=AA:BB:CC:DD:EE:FF method=passive networks_known=3 mesh=off

| Field | Description |
|---|---|
| state | Current state: idle, hunting, connected |
| mac | Current MAC address (may be spoofed) |
| method | Scan method: passive, active |
| networks_known | Number of known networks in DB |
| mesh | ESP-NOW mesh status: on, off |

rt_scan

Perform a one-shot passive WiFi scan and report discovered networks to C2.

Syntax:

c2:> send <device_id> rt_scan

Response:

Reports each discovered network with SSID, BSSID, channel, RSSI, and encryption type.

This command is async.


rt_net_add

Add a network to the known networks database (stored in NVS).

Syntax:

c2:> send <device_id> rt_net_add <ssid> [password]

Parameters:

| Parameter | Type | Required | Description |
|---|---|---|---|
| ssid | string | Yes | WiFi network SSID |
| password | string | No | WiFi password (omit for open networks) |

Response:

Network added: MyNetwork (secured)

rt_net_list

List all known networks stored in the database.

Syntax:

c2:> send <device_id> rt_net_list

Response:

[0] MyNetwork (secured)
[1] OpenCafe (open)
[2] LabWiFi (secured)

rt_mesh

Start or stop the ESP-NOW mesh relay. When active, the agent relays C2 traffic through nearby Espilon agents using ESP-NOW (no WiFi AP required).

Syntax:

c2:> send <device_id> rt_mesh <start|stop>

Parameters:

| Parameter | Type | Required | Description |
|---|---|---|---|
| action | string | Yes | start or stop |

Usage Examples

Autonomous Hunt Setup

# Pre-configure known networks
c2:> send esp001 rt_net_add LabWiFi secret123
c2:> send esp001 rt_net_add CafePublic

# Start hunting (will trigger automatically on C2 loss)
c2:> send esp001 rt_hunt

# Check status
c2:> send esp001 rt_status

Passive Reconnaissance

# Scan nearby WiFi networks
c2:> send esp001 rt_scan

# Results streamed to C2:
# SSID=TargetCorp BSSID=AA:BB:CC:DD:EE:FF CH=6 RSSI=-45 AUTH=WPA2
# SSID=GuestWifi  BSSID=11:22:33:44:55:66 CH=1 RSSI=-72 AUTH=OPEN
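As an added defender-side example (not code from the Espilon project): a small Python parser for the key=value report lines shown on this page, both the rt_status line and the rt_scan results, that also flags any MAC address carrying the locally-administered bit (0x02 in the first octet). That bit is what MAC randomization sets, so it is the field a wireless IDS or association log review would key on. The sample lines are constructed from the formats shown above; the function names are assumptions made for this example.

```python
"""Parse rt_status / rt_scan style report lines and flag randomized MACs.

Added example, not part of the Espilon code base. Field names follow the
report formats documented on this page; helper names are assumptions.
"""
import re

# Constructed sample lines, modelled on the rt_status and rt_scan formats above.
SAMPLE_STATUS = "state=hunting mac=AA:BB:CC:DD:EE:FF method=passive networks_known=3 mesh=off"
SAMPLE_SCAN = [
    "SSID=CorpLan BSSID=AA:BB:CC:DD:EE:FF CH=6 RSSI=-45 AUTH=WPA2",
    "SSID=GuestWifi  BSSID=11:22:33:44:55:66 CH=1 RSSI=-72 AUTH=OPEN",
]

# Six colon-separated hex octets; group 1 captures the first octet.
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2})(?::[0-9A-Fa-f]{2}){5}$")

# Fields that should be treated as integers rather than strings.
INT_FIELDS = ("ch", "rssi", "networks_known")


def parse_report_line(line):
    """Split 'KEY=value KEY=value ...' into a dict with lowercase keys."""
    fields = {}
    for token in line.split():          # split() also absorbs doubled spaces
        key, sep, value = token.partition("=")
        if not sep:
            raise ValueError(f"malformed token: {token!r}")
        key = key.lower()
        fields[key] = int(value) if key in INT_FIELDS else value
    return fields


def is_locally_administered(mac):
    """True when bit 1 of the first octet is set (randomized/spoofed MAC)."""
    m = MAC_RE.match(mac)
    if not m:
        raise ValueError(f"not a MAC address: {mac!r}")
    return bool(int(m.group(1), 16) & 0x02)


def annotate(fields):
    """Add a mac_locally_administered flag using 'mac' or 'bssid', if present."""
    mac = fields.get("mac") or fields.get("bssid")
    if mac is not None:
        fields["mac_locally_administered"] = is_locally_administered(mac)
    return fields


def flagged_bssids(scan_lines):
    """Return the BSSIDs from rt_scan output that look locally administered."""
    flagged = []
    for line in scan_lines:
        row = annotate(parse_report_line(line))
        if row.get("mac_locally_administered"):
            flagged.append(row["bssid"])
    return flagged


if __name__ == "__main__":
    print(annotate(parse_report_line(SAMPLE_STATUS)))
    for line in SAMPLE_SCAN:
        print(annotate(parse_report_line(line)))
    print("locally administered BSSIDs:", flagged_bssids(SAMPLE_SCAN))
```

On the agent side the flag simply confirms that stealth mode is active (the page's own example MAC, AA:BB:CC:DD:EE:FF, has the bit set). On the network side the same check run over DHCP leases or AP association logs is a cheap first filter for clients that changed their hardware address, which is one of the signals a defender has for the hunting behaviour this module describes.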

Multi-Hop Relay

# Agent A is within WiFi range of C2
# Agent B is out of range but within ESP-NOW range of Agent A

# On Agent A: enable mesh relay
c2:> send espA rt_mesh start

# Agent B can now reach C2 through Agent A

NVS Storage

Namespace: rt_cfg

| Key | Type | Description |
|---|---|---|
| orig_mac | blob | Original MAC address (saved at boot) |
| networks | blob | Known network database (SSID + password pairs) |
| hunt_cfg | blob | Hunt configuration (profiles, timing) |
