/OffensiveGo

Golang weaponization for red teamers.

Primary LanguageGo

OffensiveGo - Golang Weaponization for red teamers.

image

This repo is made by @RistBS, @Enelg & @dreamkinn and contains some examples of offensives tools & utilities rewrote in Golang that can be used in a red team engagement.

Table of Content

️💾 Previous works

These repo inspires us to make OffensiveGo

  • OffensiveRust : this project contains a bunch of examples made in Rust.
  • OffensiveNim : this one contains examples written in Nim.
  • OffensiveCSharp : A Collection of Offensive C# Tooling.
  • OffensiveDLR : Toolbox containing research notes & PoC code for weaponizing .NET's DLR.
  • OffensiveVBA : This repo covers some code execution and AV Evasion methods for Macros in Office documents.
  • OffensiveZig : Some attempts at using Zig in penetration testing.

📝 About Golang

  • Simpler syntax: Go's syntax is simpler and easier to learn.
  • Garbage collection: Go uses garbage collection, which makes memory management easier for developers.
  • Cross-platform support: Go has excellent cross-platform support and can be compiled to run on a wide range of platforms, including Windows, Linux, and macOS. Rust also has good cross-platform support, but its compilation process can be more complex.
  • Goroutine: Goroutines are lightweight threads of execution that enable concurrent programming in Go, making it easy to write efficient, safe, and scalable concurrent programs, allowing for non-blocking concurrent execution and communication via channels.

OPSEC Consideration & Caveat of Golang

Go binaries generally have no installation dependencies, compiler statically links Go runtime and needed packages. Static linking results in larger binaries. 1.9 MB for "Hello World" compared to 54 KB in C.

🏗 Workspace Setup

  • create a go.mod file in your project directory, which will be used to manage dependencies :
> go mod init offensivego 
  • ensure that all your project's dependencies are up to date :
> go mod tidy 

Compilation

  • Use go build file.go for compilation.
  • Omit debug symbols and strip the symbol table. it can also reduce binary size by about 30% :
    go build -ldflags="-s -w" file.go
  • Hide console, to avoid Go program displaying console windows on execution :
    go build -ldflags -H=windowsgui rshell.go

Assembly in Go

The assembly language used with Go is based on Plan9 (P9) and is a high-level architecture-independent language that includes mnemonics like CALL and RET, as well as higher-level constructs like loops and conditionals, which are implemented using lower-level assembly instructions by the assembler.

  • That's how you declare function : image
    • NOSPLIT : Don't insert the preamble to check if the stack must be split. The frame for the routine, plus anything it calls, must fit in the spare space remaining in the current stack segment. Used to protect routines such as the stack splitting code itself, which can improve performance.
    • NOFRAME : skip the generation of a function prologue and epilogue, even if this is not a leaf function, which can also improve performance by reducing the overhead of setting up and tearing down the stack frame for each call.

Note : It can be useful to use Assembly in Go for your loaders if you want to build direct / indirect syscall stub.

Obfuscate Go Builds

you can obfuscate Go builds using garble to replace strings and many other indcators with base64 encoding and removes extra intformations if necessary : https://github.com/burrowers/garble

garble build [build flags] [packages]

Golang Binary

  • The symtab (symbol table) section contains symbol table information to map program addresses to their corresponding function and variable names. The symtab section in a Golang binary is generated by the Go linker. image

  • If your implant use net/http lib with the default http headers, GO will put Go-http-client/1.1 has the user-agent.

image

Examples

File Description
Process Injection - APC Execute a shellcode with NtQueueApcThread
Process Injection - CreateThread Execute a shellcode with NtCreateThreadEx and CreateThread
AMSI Patching bypass AMSI by patching in memory AmsiScanBuffer
ETW Patching bypass ETW, by patching in memory with ret on NtTraceControl
Network TCP, HTTP, and named pipes servers and clients for different communication channels.
WMI Query List the AV/EDR solution with a wmi query
sRDI Convert DLL files to position independent shellcode
Cryptography Encryption algorithms for various usage. Contains AES, RC4, chacha20 and xor.
Self Remove Self remove a executable. Golang implementation of delete-self-poc
Process Dump Dump any process with MiniDumpWriteDump. In this example, it dumps LSASS
Dllmain DllMain() entrypoint in Golang from this. Can be used for dll hijacking.
Token Manipulation Play with windows token. List all the token, ImpersonateLoggedOnUser and CreateProcessWithToken.
Sandbox detection/evasion Sandbox detection and evasion techniques
Callback Injection Callback shellcode injection using GrayStringA, EnumFonts and more...
Instrumentation Callback Disable Instrumentation Callback on your process to reduce any potential direct syscall detection

Note : The misc folder contains some scripts like convert_to_golang_shellcode_format.sh that can be written in other languages but but still relates to the Golang language.

Note : More Examples will be added in the future :D

🔎 Interesting Tools in Golang

  • Geacon : implementation of CobaltStrike's Beacon in Go.
  • Acheron : Indirect syscalls for AV/EDR evasion in Go assembly.
  • Sliver : An Adversary Emulation Framework fully written in Golang with advanced evasion capabilities.
  • Merlin : cross-platform post-exploitation HTTP/2 Command & Control server and agent
  • BananaPhone : An easy to use GO variant of Hells gate with automatic SSN parsing.
  • SourcePoint : C2 profile generator for Cobalt Strike command and control servers designed to ensure evasion by reducing the Indicators of Compromise IoCs.
  • ScareCrow : Payload creation framework designed around EDR bypass such as AMSI & ETW Bypass, Encryption, Stealth Process Injections, ect.
  • Hooka : Implant drop-in with multiple features.
  • RedGuard : a C2 front flow control tool, Can avoid Blue Teams, AVs, EDRs check.
  • Freeze : Payload toolkit for bypassing EDRs using suspended processes, direct syscalls, and alternative execution methods.
  • Mangle : A tool that manipulates aspects of compiled executables (.exe or DLL) to avoid detection from EDRs.
  • Dent : A framework for creating COM-based bypasses utilizing vulnerabilities in Microsoft's WDAPT sensors.
  • Ivy : Payload creation framework for the execution of arbitrary VBA (macro) source code directly in memory. Ivy’s loader does this by utilizing programmatical access in the VBA object environment to load, decrypt and execute shellcode.

I would also mention the timwhitez's github that contains many re-implementations in Golang.

🎖 Credits