PayloadForge
Obfuscated payload generator for authorized penetration testing
v1.2.1

Authorisation required. payloadforge is for authorized penetration testing only. Every `generate` / `reverse-shell` / `chain` invocation enforces a strictly formatted `--auth-id AAA-YYYY-N` (or `$PAYLOADFORGE_AUTH_ID`) engagement reference and writes a JSONL audit row. Use it only against systems you own or have explicit written authorisation to test.
Quick Start
Install via jcli

```bash
jcli install payloadforge
```

Generate

```bash
# Obfuscate a literal command (bash, advanced)
payloadforge --auth-id PENTEST-2026-001 --language bash \
  --obfuscation-level advanced generate 'id'

# Reverse shell: Perl template (NEW), JSON output
payloadforge --auth-id PENTEST-2026-001 --language perl \
  --output json reverse-shell 10.0.0.1 4444

# Stack a custom transform chain
payloadforge --auth-id PENTEST-2026-001 --language python \
  chain base64_encode,hex_encode 'print("hi")'

# Defensive: score arbitrary input against the vendored signature set
payloadforge --language powershell detect '... Invoke-Expression ...'
```
What it does
payloadforge is a Rust port of the original Python tool, with nine language targets, JSONL audit logging, and a `detect` subcommand for blue-team use. It does not ship C2 infrastructure, persistence, or AV-bypass primitives: only template rendering, obfuscation, encoding, and detection scoring.
- Nine reverse-shell templates. bash / powershell / python (with full obfuscator pipelines) + perl + ruby + netcat (NEW; `mkfifo` back-channel) + socat (pty back-channel) + php (`fsockopen` / `proc_open`) + nodejs (`net.Socket` / `child_process`). Each accepts `LHOST` (validated as an IP address or hostname) and `LPORT`.
- Three obfuscation levels. basic = base64 wrap; intermediate = hex encoding + variable-name randomisation; advanced = stacked transforms (IFS manipulation / SecureString round-trip / XOR-chain lambda decoder).
- Built-in detection scoring. ~19 vendored YARA-lite regex signatures run against every generated payload. The reported risk is the worst axis, so a single HIGH match is not diluted by the many rules that do not fire.
- `detect` subcommand. The same signature set applied to arbitrary input. It gives blue teams a quick first pass at which patterns a signature-based scanner would flag; it is a regex set, not an AV engine, so it does not replace testing against the actual AV/EDR in scope.
- Strict engagement-ID gate. `--auth-id` must match `AAA-YYYY-N` (2–8 uppercase letters, year, sequence number). The tool refuses to run without it.
- JSONL audit log. Every invocation appends a structured row (timestamp, auth_id, operator_id, action, language, sha256, detection_risk) to `$PAYLOADFORGE_HOME/audit.jsonl`.
- Three output formats. text (TTY) / json (pipelines) / markdown (engagement deliverables).
- `--seed` for reproducibility. Deterministic obfuscation for CI tests and audit verification.
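The worst-axis rule is the property a blue team actually relies on: one HIGH hit must not be averaged away by the rules that stay silent. The block below is an added illustration written in Python for this page, not code from payloadforge's Rust source. The eight signatures are constructed stand-ins for the ~19 vendored rules (the real rule names and patterns are not documented here), and `ratio_risk` is a deliberately naive scorer included only to show what worst-axis scoring avoids.

```python
import re
from dataclasses import dataclass

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}


@dataclass(frozen=True)
class Signature:
    name: str
    severity: str
    pattern: re.Pattern


# Constructed sample rule set for this example; NOT the tool's vendored signatures.
SIGNATURES = [
    Signature("ps_invoke_expression", "HIGH", re.compile(r"\b(Invoke-Expression|IEX)\b", re.I)),
    Signature("ps_frombase64", "MEDIUM", re.compile(r"FromBase64String", re.I)),
    Signature("bash_dev_tcp", "HIGH", re.compile(r"/dev/tcp/\S+/\d+")),
    Signature("nc_mkfifo_backchannel", "HIGH", re.compile(r"\bmkfifo\b.*\bnc\b", re.S)),
    Signature("py_eval_exec", "MEDIUM", re.compile(r"\b(eval|exec)\s*\(")),
    Signature("bash_ifs_split", "LOW", re.compile(r"\$\{IFS\}")),
    Signature("base64_decode_pipe", "LOW", re.compile(r"\bbase64\s+(-d|--decode)\b")),
    Signature("hex_escape_run", "LOW", re.compile(r"(\\x[0-9a-fA-F]{2}){4,}")),
]


def scan(payload, signatures=SIGNATURES):
    """Every rule that fires on the payload, in rule order."""
    return [s for s in signatures if s.pattern.search(payload)]


def worst_axis_risk(matches):
    """Risk is the highest severity among the rules that matched; silent rules do not count."""
    if not matches:
        return "NONE"
    return max((m.severity for m in matches), key=SEVERITY_RANK.__getitem__)


def ratio_risk(matches, total_rules):
    """Naive ratio scorer, shown only for contrast: a lone HIGH hit among many rules reads as LOW."""
    fraction = len(matches) / total_rules
    if fraction >= 0.5:
        return "HIGH"
    if fraction >= 0.25:
        return "MEDIUM"
    return "LOW" if matches else "NONE"


def detect(payload, signatures=SIGNATURES):
    """Mirror of the detect subcommand's report shape: matched rule names plus the risk verdict."""
    matches = scan(payload, signatures)
    return {
        "matches": [m.name for m in matches],
        "risk": worst_axis_risk(matches),
        "ratio_risk": ratio_risk(matches, len(signatures)),
    }


if __name__ == "__main__":
    # Constructed sample inputs, including the Quick Start's detect argument.
    for sample in ("... Invoke-Expression ...", "echo aWQ= | base64 -d | bash", "echo hello"):
        print(f"{sample!r:40} -> {detect(sample)}")
```

On the Quick Start input only `ps_invoke_expression` fires: one rule out of eight, which the ratio scorer reports as LOW while the worst-axis scorer correctly reports HIGH. Severity lives on the rule, so adding more benign rules to the set never lowers a verdict.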
Subcommands
| Command | What it does |
|---|---|
| `generate <CMD>` | Obfuscate a literal command for the chosen language |
| `reverse-shell <LHOST> <LPORT>` | Render a language template, then obfuscate and optionally encode it |
| `chain <TRANSFORMS> <CMD>` | Apply a comma-separated list of named transforms in sequence |
| `list-templates` | Print the available reverse-shell templates |
| `detect <PAYLOAD>` | Score arbitrary input against the vendored signature set (defensive use) |
| `version` / `docs` | Print the version line / the docs URL |
Improvements over the Python 1.0.x
- `detect` subcommand. Blue-team-friendly counterpart to `generate`: score arbitrary input.
- Strict engagement-ID format check. The old `--auth-reference` accepted any string; `--auth-id` now enforces `AAA-YYYY-N`.
- JSONL audit log. Replaces the free-text `payloadforge_auth.log`; jq-parseable.
- Markdown output. Engagement-deliverable shape (the Python version had text + JSON only).
- Perl + Ruby + Netcat + Socat + PHP + Node.js reverse-shell templates. Common pivot languages where bash/powershell/python aren't available. Netcat uses the `mkfifo` back-channel so it works on busybox-style builds that strip `nc -e`; socat gives a full pty.
- Worst-axis detection scoring. One HIGH-severity match means high risk, regardless of the ratio of matched rules to total rules.
- SHA-256 + MITRE pivots emitted on every report (T1027 Obfuscated Files or Information, T1059 Command and Scripting Interpreter, ATT&CK Navigator, YARA repo link).
- `--seed` for deterministic obfuscation. Reproducible output for CI and audit reconciliation.
- Zero runtime deps: a single Rust binary, no Python toolchain.
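The engagement-ID gate and the JSONL audit row are the two controls that make the tool auditable, so here is an added Python sketch of both (written for this page, not payloadforge's own Rust code). Assumptions that the page does not pin down: the year is any four digits with no further range check, `operator_id` is a caller-supplied string, and a temp directory stands in for `$PAYLOADFORGE_HOME`. The row stores only the SHA-256 of the payload, which is what makes `--seed` reconciliation possible without the log itself containing payload text.

```python
import hashlib
import json
import os
import re
import tempfile
from datetime import datetime, timezone

# AAA-YYYY-N: 2-8 uppercase letters, a four-digit year, a sequence number.
# Assumption: the real tool may constrain the year further; this example does not.
AUTH_ID_RE = re.compile(r"^[A-Z]{2,8}-\d{4}-\d+$")


def validate_auth_id(value):
    """True only for a strictly formatted engagement reference."""
    return bool(AUTH_ID_RE.fullmatch(value))


def resolve_auth_id(cli_value, env=None):
    """--auth-id takes precedence over $PAYLOADFORGE_AUTH_ID.

    A malformed --auth-id does NOT fall back to the environment; None means refuse to run.
    """
    env = os.environ if env is None else env
    value = cli_value or env.get("PAYLOADFORGE_AUTH_ID")
    if not value or not validate_auth_id(value):
        return None
    return value


def audit_row(auth_id, operator_id, action, language, payload, detection_risk, now=None):
    """One structured audit record; sha256 covers the payload bytes, the payload itself is not logged."""
    ts = now or datetime.now(timezone.utc)
    return {
        "timestamp": ts.isoformat(timespec="seconds"),
        "auth_id": auth_id,
        "operator_id": operator_id,
        "action": action,
        "language": language,
        "sha256": hashlib.sha256(payload.encode("utf-8")).hexdigest(),
        "detection_risk": detection_risk,
    }


def append_audit(row, path):
    """Append-only JSONL: one JSON object per line, so `jq -c . audit.jsonl` works directly."""
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(row, sort_keys=True) + "\n")


def read_audit(path):
    with open(path, encoding="utf-8") as fh:
        return [json.loads(line) for line in fh if line.strip()]


def reconcile(rows, payload):
    """Audit reconciliation: rows whose digest matches a payload regenerated with the same --seed."""
    digest = hashlib.sha256(payload.encode("utf-8")).hexdigest()
    return [r for r in rows if r["sha256"] == digest]


def demo():
    """Constructed walk-through: gate, two invocations, read back, reconcile one payload."""
    auth_id = resolve_auth_id("PENTEST-2026-001", env={})
    path = os.path.join(tempfile.mkdtemp(), "audit.jsonl")  # stands in for $PAYLOADFORGE_HOME/audit.jsonl
    append_audit(audit_row(auth_id, "alice", "generate", "bash", "id", "LOW"), path)
    append_audit(audit_row(auth_id, "alice", "reverse-shell", "perl", "<rendered template>", "HIGH"), path)
    rows = read_audit(path)
    return rows, reconcile(rows, "id")


if __name__ == "__main__":
    rows, hits = demo()
    for r in rows:
        print(json.dumps(r, sort_keys=True))
    print(f"{len(hits)} row(s) reconcile to the payload 'id'")
```

Two details worth keeping when implementing the gate for real: a malformed `--auth-id` must be rejected outright rather than silently replaced by the environment value, and the audit write should happen before the payload is emitted, so an interrupted run still leaves a record.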
The 1.0.x advanced Python obfuscator used `marshal.dumps(compile(code))`, which requires the Python toolchain at generation time and, because marshal output is bytecode, also tied the payload to the target interpreter's Python version. The Rust port substitutes an XOR + hex + chained-lambda technique of comparable opacity that is generated without Python and runs on a plain Python interpreter at runtime.