SharpSocks update & cleanup

.github/workflows/sharpsocks-implant.yml

@@ -0,0 +1,46 @@
+name: SharpSocks Implant
+
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    branches: [ master ]
+
+jobs:
+
+  build:
+
+    strategy:
+      matrix:
+        configuration: [Release Win]
+
+    runs-on: windows-latest
+
+    env:
+      Solution_Name: SharpSocks                         # Replace with your solution name, i.e. MyWpfApp.sln.
+
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v2
+      with:
+        fetch-depth: 0
+
+    # Install the .NET Core workload
+    - name: Install .NET Core
+      uses: actions/setup-dotnet@v1
+      with:
+        dotnet-version: 5.0.x
+
+    - name: Setup Nuget
+      uses: Nuget/setup-nuget@v1.0.5
+
+    - name: Restore nuget packages
+      run: nuget restore SharpSocks.sln
+
+    - name: Setup MSBuild.exe
+      uses: microsoft/setup-msbuild@v1.0.2
+
+    - name: Build the application
+      run: msbuild SharpSocksImplant/SharpSocksImplant.csproj /p:Configuration=$env:Configuration
+      env:
+        Configuration: ${{ matrix.configuration }}

.github/workflows/sharpsocks-server.yml

@@ -0,0 +1,23 @@
+name: SharpSocks Server
+
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    branches: [ master ]
+
+jobs:
+  build:
+
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v2
+    - name: Setup .NET
+      uses: actions/setup-dotnet@v1
+      with:
+        dotnet-version: 5.0.x
+    - name: Restore dependencies
+      run: dotnet restore SharpSocksServer/SharpSocksServer.csproj
+    - name: Build
+      run: dotnet build --no-restore --configuration "Release Linux" SharpSocksServer/SharpSocksServer.csproj

LICENSE

@@ -1,6 +1,6 @@
 BSD 3-Clause License
 
-Copyright (c) 2017, Nettitude
+Copyright (c) 2021, Nettitude
 All rights reserved.
 
 Redistribution and use in source and binary forms, with or without

README.md

@@ -1,23 +1,72 @@
-# SharpSocks 2017 Nettitude
-Tunnellable HTTP/HTTPS socks4a proxy written in C# and deployable via PowerShell
+# SharpSocks
 
-Written by Rob Maslen @rbmaslen
+![SharpSocksServer](https://github.com/nettitude/SharpSocks/actions/workflows/sharpsocks-server.yml/badge.svg)
+![SharpSocksImplant](https://github.com/nettitude/SharpSocks/actions/workflows/sharpsocks-implant.yml/badge.svg)
 
+Tunnellable HTTP/HTTPS socks4a proxy written in C#.
 
-# Usage Server 
-SharpSocks -Server -IPAddress 192.168.1.10 -Uri https://www.c2url.com:443 -SocksPort 43334 
+## Usage
 
+### Server
 
-# Usage Client (Implant side)
-SharpSocks -Client -Uri https://www.c2url.com:443 -Key PTDWISSNRCThqmpWEzXFZ1nSusz10u0qZ0n0UjH66rs= -Channel 7f404221-9f30-470b-b05d-e1a922be3ff6 -URLs "site/review/access","upload/data/images" -Beacon 2000
+.NET Core Project with builds for Windows, Linux, and Docker support.
+Once the implant side connects and establishes the tunnel, the SOCKS server open on the socks port (43334 by default.)
 
+```
+Usage:  [options]
 
-# Apache ReWrite Rule (c2 proxy)
-Define SharpSocks 10.0.0.1
+Options:
+  -?|-h|--help         Show help information.
+  -s|--socksserveruri  IP:Port for SOCKS to listen on, default is *:43334
+  -c|--cmdid           Command Channel Identifier, needs to be shared with the server
+  -l|--httpserveruri   Uri to listen on, default is http://127.0.0.1:8081
+  -k|--encryptionkey   The encryption key used to secure comms
+  -sc|--sessioncookie  The name of the cookie to pass the session identifier
+  -pc|--payloadcookie  The name of the cookie to pass smaller requests through
+  -st|--socketTimeout  How long should SOCKS sockets be held open for, default is 30s
+  -v|--verbose         Verbose error logging
+```
 
-RewriteRule ^/site/review/access(.*) https://${SharpSocks}:443/site/review/access$1 [NC,P]
+### Client (Implant side)
 
-RewriteRule ^/upload/data/images(.*) https://${SharpSocks}:443/upload/data/images$1 [NC,P]
+.NET 4.0 project for running on the target (such as in memory in a PoshC2 implant) which tunnels the traffic to the server.
 
-# License
-FreeBSD 3
+```
+SharpSocks Proxy Client
+=======================
+
+      --use-proxy            Use proxy server (for system proxy set this and
+                               leave -m blank)
+  -m, --proxy=VALUE          Proxy Url in format http://<server>:<port> (use-
+                               proxy is implied)
+  -u, --username=VALUE       Web proxy username
+  -d, --domain=VALUE         Web proxy domain
+  -p, --password=VALUE       Web proxy password
+  -k, --encryption-key=VALUE The encryption key, leave blank to be asked
+  -c, --cmd-id=VALUE         Command Channel Id (required)
+  -b, --beacon=VALUE         Beacon time in (ms)
+  -s, --server-uri=VALUE     Uri of the server, default is http://127.0.-
+                               0.1:8081
+      --url1=VALUE           pages/2019/stats.php
+      --url2=VALUE           web/v10/2/admin.asp
+      --session-cookie=VALUE The name of the cookie to pass the session
+                               identifier
+      --payload-cookie=VALUE The name of the cookie to pass smaller requests
+                               through
+      --user-agent=VALUE     The User Agent to be sent in any web request
+      --df=VALUE             The actual Host header to be sent if using
+                               domain fronting
+  -h, -?, --help
+  -v, --verbose
+  -r, --read-time=VALUE      The time between SOCKS proxy reads, default 500ms
+  -a, --standalone           Standalone mode, do not return on the main thread
+```
+
+### Apache Rewrite Rule (C2 proxy)
+
+If using a C2 proxy you can achieve TLS termination and route the traffic for the SOCKS URLs to the server running locally.
+```
+Define SharpSocks 127.0.0.1:49031
+RewriteRule ^/sharpsocks1/(.*) http://${SharpSocks} [NC,L,P]
+RewriteRule ^/sharpsocks2/(.*) http://${SharpSocks} [NC,L,P]
+```

SharpSocks.sln

@@ -0,0 +1,59 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio Version 16
+VisualStudioVersion = 16.0.31729.503
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "SharpSocksImplant", "SharpSocksImplant\SharpSocksImplant.csproj", "{3D33DC4C-4318-4ACA-9CDC-7D361D10B7C8}"
+EndProject
+Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "SharpSocksServer", "SharpSocksServer\SharpSocksServer.csproj", "{86D10A34-C374-4DE4-8E12-490E5E65DDFF}"
+EndProject
+Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Implant", "Implant", "{7609AA60-9A82-47F8-81B3-6F8A27C7BD45}"
+EndProject
+Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Server", "Server", "{9BD7DAD8-4485-4CFD-B17F-7F1DF9C598F2}"
+EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "SharpSocksCommon", "SharpSocksCommon\SharpSocksCommon.csproj", "{5D93EC58-DE1F-4471-971E-EFEC458025D6}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug Linux|Any CPU = Debug Linux|Any CPU
+		Debug Win|Any CPU = Debug Win|Any CPU
+		Release Linux|Any CPU = Release Linux|Any CPU
+		Release Win|Any CPU = Release Win|Any CPU
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{3D33DC4C-4318-4ACA-9CDC-7D361D10B7C8}.Debug Linux|Any CPU.ActiveCfg = Debug Win|Any CPU
+		{3D33DC4C-4318-4ACA-9CDC-7D361D10B7C8}.Debug Linux|Any CPU.Build.0 = Debug Win|Any CPU
+		{3D33DC4C-4318-4ACA-9CDC-7D361D10B7C8}.Debug Win|Any CPU.ActiveCfg = Debug Win|Any CPU
+		{3D33DC4C-4318-4ACA-9CDC-7D361D10B7C8}.Debug Win|Any CPU.Build.0 = Debug Win|Any CPU
+		{3D33DC4C-4318-4ACA-9CDC-7D361D10B7C8}.Release Linux|Any CPU.ActiveCfg = Release Win|Any CPU
+		{3D33DC4C-4318-4ACA-9CDC-7D361D10B7C8}.Release Linux|Any CPU.Build.0 = Release Win|Any CPU
+		{3D33DC4C-4318-4ACA-9CDC-7D361D10B7C8}.Release Win|Any CPU.ActiveCfg = Release Win|Any CPU
+		{3D33DC4C-4318-4ACA-9CDC-7D361D10B7C8}.Release Win|Any CPU.Build.0 = Release Win|Any CPU
+		{86D10A34-C374-4DE4-8E12-490E5E65DDFF}.Debug Linux|Any CPU.ActiveCfg = Debug Linux|Any CPU
+		{86D10A34-C374-4DE4-8E12-490E5E65DDFF}.Debug Linux|Any CPU.Build.0 = Debug Linux|Any CPU
+		{86D10A34-C374-4DE4-8E12-490E5E65DDFF}.Debug Win|Any CPU.ActiveCfg = Debug Win|Any CPU
+		{86D10A34-C374-4DE4-8E12-490E5E65DDFF}.Debug Win|Any CPU.Build.0 = Debug Win|Any CPU
+		{86D10A34-C374-4DE4-8E12-490E5E65DDFF}.Release Linux|Any CPU.ActiveCfg = Release Linux|Any CPU
+		{86D10A34-C374-4DE4-8E12-490E5E65DDFF}.Release Linux|Any CPU.Build.0 = Release Linux|Any CPU
+		{86D10A34-C374-4DE4-8E12-490E5E65DDFF}.Release Win|Any CPU.ActiveCfg = Release Win|Any CPU
+		{86D10A34-C374-4DE4-8E12-490E5E65DDFF}.Release Win|Any CPU.Build.0 = Release Win|Any CPU
+		{5D93EC58-DE1F-4471-971E-EFEC458025D6}.Debug Linux|Any CPU.ActiveCfg = Debug|Any CPU
+		{5D93EC58-DE1F-4471-971E-EFEC458025D6}.Debug Linux|Any CPU.Build.0 = Debug|Any CPU
+		{5D93EC58-DE1F-4471-971E-EFEC458025D6}.Debug Win|Any CPU.ActiveCfg = Debug|Any CPU
+		{5D93EC58-DE1F-4471-971E-EFEC458025D6}.Debug Win|Any CPU.Build.0 = Debug|Any CPU
+		{5D93EC58-DE1F-4471-971E-EFEC458025D6}.Release Linux|Any CPU.ActiveCfg = Debug|Any CPU
+		{5D93EC58-DE1F-4471-971E-EFEC458025D6}.Release Linux|Any CPU.Build.0 = Debug|Any CPU
+		{5D93EC58-DE1F-4471-971E-EFEC458025D6}.Release Win|Any CPU.ActiveCfg = Debug|Any CPU
+		{5D93EC58-DE1F-4471-971E-EFEC458025D6}.Release Win|Any CPU.Build.0 = Debug|Any CPU
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+	GlobalSection(NestedProjects) = preSolution
+		{3D33DC4C-4318-4ACA-9CDC-7D361D10B7C8} = {7609AA60-9A82-47F8-81B3-6F8A27C7BD45}
+		{86D10A34-C374-4DE4-8E12-490E5E65DDFF} = {9BD7DAD8-4485-4CFD-B17F-7F1DF9C598F2}
+	EndGlobalSection
+	GlobalSection(ExtensibilityGlobals) = postSolution
+		SolutionGuid = {8F3D6D65-58A6-4ADC-81AF-B2A4FB403FDF}
+	EndGlobalSection
+EndGlobal

SharpSocksCommon/CommandChannelStatus.cs

@@ -0,0 +1,15 @@
+namespace SharpSocksCommon
+{
+    public enum CommandChannelStatus
+    {
+        OPENING,
+        OPEN,
+        CONNECTED,
+        CLOSING,
+        CLOSED,
+        NO_CHANGE,
+        TIMEOUT,
+        FAILED,
+        ASYNC_UPLOAD
+    }
+}

SharpSocksCommon/Encryption/DebugSimpleEncryptor.cs

@@ -0,0 +1,55 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Security;
+using System.Security.Cryptography;
+
+namespace SharpSocksCommon.Encryption
+{
+    public class DebugSimpleEncryptor : IEncryptionHelper
+    {
+        private readonly List<byte> _key = new List<byte>();
+
+        public DebugSimpleEncryptor(string base64Key)
+        {
+            _key.AddRange(Convert.FromBase64String(base64Key));
+        }
+
+        public List<byte> Decrypt(string encodedEncPayload)
+        {
+            var list = Convert.FromBase64String(encodedEncPayload).ToList();
+            using (var rijndaelManaged = new RijndaelManaged())
+            {
+                rijndaelManaged.Mode = CipherMode.CBC;
+                rijndaelManaged.Padding = PaddingMode.PKCS7;
+                rijndaelManaged.IV = list.Take(16).ToArray();
+                rijndaelManaged.Key = _key.ToArray();
+                var decryptor = rijndaelManaged.CreateDecryptor();
+                var array = list.Skip(16).ToArray();
+                var length = array.Length;
+                return decryptor.TransformFinalBlock(array, 0, length).ToList();
+            }
+        }
+
+        public string Encrypt(List<byte> payload)
+        {
+            using (var rijndaelManaged = new RijndaelManaged())
+            {
+                var byteList = new List<byte>();
+                rijndaelManaged.Mode = CipherMode.CBC;
+                rijndaelManaged.Padding = PaddingMode.PKCS7;
+                rijndaelManaged.GenerateIV();
+                rijndaelManaged.Key = _key.ToArray();
+                var encryptor = rijndaelManaged.CreateEncryptor();
+                byteList.AddRange(rijndaelManaged.IV);
+                byteList.AddRange(encryptor.TransformFinalBlock(payload.ToArray(), 0, payload.Count));
+                return Convert.ToBase64String(byteList.ToArray());
+            }
+        }
+
+        public string Initialize()
+        {
+            return "USING DEBUG SIMPLE ENCRYPTOR";
+        }
+    }
+}

SharpSocksImplant/ImplantSide/Classes/Common/Encryption/IEncryptionHelper.cs → SharpSocksCommon/Encryption/IEncryptionHelper.cs

@@ -1,11 +1,13 @@
 using System.Collections.Generic;
 
-namespace Common.Classes.Encryption
+namespace SharpSocksCommon.Encryption
 {
     public interface IEncryptionHelper
     {
         List<byte> Decrypt(string encodedEncPayload);
+
         string Encrypt(List<byte> payload);
+
         string Initialize();
     }
 }

SharpSocksCommon/SharpSocksCommon.csproj

@@ -0,0 +1,7 @@
+<Project Sdk="Microsoft.NET.Sdk">
+
+    <PropertyGroup>
+        <TargetFrameworks>net40;net5.0</TargetFrameworks>
+    </PropertyGroup>
+
+</Project>

SharpSocksCommon/Utils/TcpUtils.cs

@@ -0,0 +1,27 @@
+using System.Linq;
+using System.Net.NetworkInformation;
+using System.Net.Sockets;
+
+namespace SharpSocksCommon.Utils
+{
+    public static class TcpUtils
+    {
+        public static bool CheckTcpConnectionState(TcpClient tcpClient)
+        {
+            var ipProperties = IPGlobalProperties.GetIPGlobalProperties();
+            var tcpConnections = ipProperties.GetActiveTcpConnections()
+                .Where(x => x.LocalEndPoint.Equals(tcpClient.Client.LocalEndPoint) && x.RemoteEndPoint.Equals(tcpClient.Client.RemoteEndPoint)).ToArray();
+
+            if (tcpConnections.Length > 0)
+            {
+                var stateOfConnection = tcpConnections.First().State;
+                if (stateOfConnection == TcpState.Established)
+                {
+                    return true;
+                }
+            }
+
+            return false;
+        }
+    }
+}