Skip to content
/ skyhook Public

A round-trip obfuscated HTTP file transfer setup built to bypass IDS detections.

License

MIT license
252 stars 26 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

blackhillsinfosec/skyhook

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

32 Commits
.github/workflows
.github/workflows
 
 
api_structs
api_structs
 
 
cmd
cmd
 
 
config
config
 
 
docker
docker
 
 
log
log
 
 
server
server
 
 
util
util
 
 
.gitignore
.gitignore
 
 
LICENSE.txt
LICENSE.txt
 
 
README.md
README.md
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 
main.go
main.go
 
 

Repository files navigation

Skyhook

Skyhook is a REST-driven utility used to smuggle files into and out of networks defended by IDS implementations. It comes with a pre-packaged web client that uses a blend of React, vanilla JS, and web assembly to manage file transfers.

Key Links

Features

  • Round trip file content obfuscation
  • User-configurable obfuscation chaining
  • Self-signed and Lets Encrypt certificate procurement methods
  • Embedded web applications for both configuration and file transfers.
  • Server fingerprinting resiliency techniques:
    • Encrypted loaders capable of dynamically encrypting interface files as the file transfer interface is rendered
    • API and web resource path randomization

Brief Description

Note: See the user documentation for more thorough discussion of Skyhook and how it functions.

Skyhook's file transfer server seamlessly obfuscates file content with a user-configured series of obfuscation algorithms prior to writing the content to response bodies. Clients, which are configred with the same obfuscation algorithms, deobfuscate the file content prior to saving the file to disk. A file streaming technique is used to manage the HTTP transactions in a chunked manner, thus facilitating large file transfers.

flowchart

subgraph sg-cloudfront[Cloudfront CDN]
    cf-listener(443/tls)
end

subgraph sg-vps[VPS]
    subgraph sg-skyhook[Skyhook Servers]
        admin-listener(Admin Server<br>45000/tls)
        transfer-listener(Transfer Server<br>45001/tls)
    end
    
    config-file(Config File<br>/var/skyroot/config.yml)

    admin-listener -..->|Reads &<br>Manages| config-file
    
    webroot(Webroot<br>/var/skyhook/webroot)
    transfer-listener -..->|Serves From &<br>Writes Cleartext<br>Files To| webroot
end


    op-browser(Operator<br>Web Browser) -->|Administration<br>Traffic| admin-listener
    op-browser <-->|Obfuscated<br>Data| transfer-listener

subgraph sg-corp[Corporate Environment]
    subgraph sg-compromised[Beachhead Host]
        comp-browser(Web Browser) -->|Reads &<br>Writes| cleartext-file(Cleartext Files)
    end
end

comp-browser <-->|Obfuscated<br>Data| cf-listener <-->|Obfuscated<br>Data| transfer-listener
Loading

A Brief Example

For example, here is a working obfuscation configuration:

image

And here is the file transfer interface. Clicking "Download" results in the file being retrieved in chunks that are encrypted with the chain of obfuscation methods configured above.

JavaScript deobfuscates the file before prompting the user to save it to disk.

image

Below is a request stemming from a download being inspected with Burp. Key elements of the transaction are encrypted to evade detection.

image

About

A round-trip obfuscated HTTP file transfer setup built to bypass IDS detections.

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

252 stars

Watchers

6 watching

Forks

26 forks
Report repository

Releases 4

v0.0.3-release Latest
May 28, 2023
+ 3 releases

Packages

No packages published

Contributors 2

  •  
  •  

Languages