sg1: swiss army knife for data encryption, exfiltration & covert communication
SG1 is a wanna be swiss army knife for data encryption, exfiltration, and covert communication. In its core sg1 aims to be as simple to use as nc while maintaining high modularity internally, being a framework for bizarre exfiltration, data manipulation and transfer methods.
The main sg1 operation logic is:
Keep in mind that modules and channels can be piped one to another, just use sg1 -h to see a list of available channels and modules, try to pipe them and see what happens ^_^
Modules can be combined, for instance, if you want to read from input, decrypt from AES and execute, you would use:
-in:... -modules aes,exec -aes-mode decrypt -aes-key _somekeysomekey_ -out:...
The default mode, will read from an input and write to output.
Will read from input, encode in base64 and write to output.
Will read from input, encrypt or decrypt (depending on –aes-mode parameter, which is encrypt by default) wih –aes-key and write to output.
-modules aes --aes-key y0urp4ssw0rd -modules aes -aes-modules decrypt --aes-key y0urp4ssw0rd
Will read from input, execute as a shell command and pipe to output.
The default channel, stdin or stdout depending on the direction.
A tcp server (if used as input) or client (as output).
-in tcp:0.0.0.0:10000 -out tcp:192.168.1.2:10000
An udp packet listener (if used as input) or client (as output).
-in udp:0.0.0.0:10000 -out udp:192.168.1.2:10000
A tls tcp server (if used as input) or client (as output), it will automatically generate the key pair or load them via –tls-pem and –tls-key optional parameters.
If used as output, data will be chunked and sent as ICMP echo packets, as input an ICMP listener will be started decoding those packets.
If used as output, data will be chunked and sent as DNS requests, as input a DNS server will be started decoding those requests. The accepted syntaxes are:
In which case, DNS requests will be performed (or decoded) for subdomains of domain.tld, sent to the resolver ip address onport.
DNS requests will be performed (or decoded) for subdomains of domain.tld using default system resolver.
DNS requests will be performed (or decode) for subdomains of google.com using default system resolver.
If used as output, data will be chunked and sent to pastebin.com as private pastes, as input a Pastebin listener will be started decoding those pastes.
This is how you can retrieve your user key given your api key.
Simple file exfiltration over DNS:
Quick and dirty AES encrypted chat over TCP:
Encrypting data in AES and exfiltrate it via DNS requests:
Test with different operating systems ( tnx to decoded ):
With bouncing to another host:
Just use sg1 -h to see a list of available channels and modules, try to pipe them and see what happens, you can also transfer files and make requests “bounce” to several machines with random AES keys ^_^
Copyright (C) 2017 evilsocket