Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.


https://github.com/rainbowpigeon/einstein

PoC Go C2 server that mimics Mattermost HTTP traffic

c2 command-and-control command-control go golang http http-server malware mattermost rat remote-access-tool remote-access-trojan remote-admin-tool server

Last synced: 3 months ago

README


# Einstein

PoC Go C2 server that mimics [Mattermost](https://mattermost.com/) HTTP traffic

## Important Things To Note

- Untested and unpolished code
- No help menu
- No exception handling
- No corresponding client provided
- No functionality to customize Einstein's configuration
- Filenames don't really mean anything
- Intentionally free of external packages/dependencies

## Running

Clone the repository and `go run Einstein.go`.

## Details

### Commands

| Command | Purpose |
|---------------|----------------------------------|
| `list` | List registered clients |
| `select` | Select client |
| `unselect` | Unselect client |
| `current` | Print currently-selected client |
| `up` | Upload file to client |
| `ex` | Execute system command on client |
| `persist` | Install persistence on client |
| `down` | Download file from client |
| `snap` | Take screenshot of client |
| `exit`/`quit` | Shutdown server |

### Endpoints

| Method | Path | Purpose |
|--------|-------------------------------------------------------------|-----------------------------------------------------------------------------|
| GET | `/api/v<>/plugins/webapp` | Initial beacon to register client & commence checking for pulses/heartbeats |
| POST | `/api/v<>/users/status/ids` | Poll for and retrieve jobs for client + register pulse |
| POST | `/api/v<>/users/ids?since=` | Retrieve job results from client |
| GET | `/static/<>.js` | File transfer to client |

### Misc

- Coded against Mattermost Server 6.6.1
- The client's unique ID and name are transmitted through a combination of the `MMAUTHTOKEN`, `MMUSERID`, and `MMCSRF` HTTP cookie values
- Transmitted data is usually AES-128-GCM-encrypted and then ZBase32-encoded; the exception is file transfers, where the data is Base64-encoded after encryption instead
- For file transfers, the final encoded data is smuggled inside a minified JavaScript file that Mattermost itself serves
- For job retrieval by the client, the final encoded data is split into chunks across multiple Mattermost `status` structures: each chunk resides in the `UserId` field, and the `Status` field discreetly indicates the type of job to the client