BobTheSmuggler: Open-source tool for undetectable payload delivery
BobTheSmuggler is an open-source tool designed to easily compress, encrypt, and securely transport your payload. It basically enables you to hide a payload in plain sight.
BobTheSmuggler is helpful in phishing campaign assessments, data exfiltration exercises, and assumed breach scenarios.
Features
- Hiding the payload inside images and fetching it separately from JavaScript code.
- Using dynamic XOR encryption to hide the payloads. This helps bypass network firewalls and monitoring tools (including DLPs).
- Keeping the HTML size to ~1 KB, which makes it easy to attach. It can also be uploaded to a CDN or another target server for quick transfer.
- Using custom HTML templates to embed the payload inside.
“In many of my red team engagements, I encountered scenarios where I had to deliver a payload to the target, and due to a DLP or firewall rule, the payload delivery was blocked. I quickly opted for the HTML smuggling technique for payload delivery, but none of the publicly available tools had the feature to hide the payload inside PNG/GIF. Most tools would just base64 encode the binary and embed it inside the HTML file. Due to this reason, the HTML file size would increase to a few MBs. This file wouldn’t be ideal for sending as an email attachment due to size constraints,” Harpreet Singh, the creator of BobTheSmuggler, told Help Net Security.
“With BobTheSmuggler, I was able to solve the problems I faced by hiding the payload inside image polyglots, calling the PNG/GIF files from remote (hence keeping the size minimal), and then evading DLPs & firewalls by adding dynamic XOR encryption to the payloads hidden inside the image. Simple Javascript code would download the PNG/GIF file from the server, save it in the cache, and then do its magic with HTML smuggling,” Singh added.
The tool currently supports the following payload delivery chains:
- .EXE/.DLL -> .7z/.Zip (Password Protected) -> .JS -> .HTML
- .EXE/.DLL -> .7z/.Zip (Password Protected) -> .JS -> .SVG -> .HTML
- .EXE/.DLL -> .7z/.Zip (Password Protected) -> .PNG/.GIF -> .JS -> .HTML
- .EXE/.DLL -> .7z/.Zip (Password Protected) -> .PNG/.GIF -> .JS -> .SVG -> .HTML
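The PNG-based chains above rely on an image polyglot: a file that still renders as a picture but carries an encrypted archive after the image data. A defender can check for that without knowing the XOR key, because a well-formed PNG ends at its IEND chunk and every chunk carries a CRC. The script below is an added example, not BobTheSmuggler's own code; the 1x1 image and the appended high-entropy blob are constructed here so the check runs offline.

```python
import math
import struct
import zlib
from collections import Counter

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: length, type, data, CRC32 over type + data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; XOR-encrypted or compressed blobs sit near 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def inspect_png(blob: bytes) -> dict:
    """Walk the chunk list; bytes after IEND or a bad CRC mark the file as suspicious."""
    if not blob.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos, chunks, bad_crc = len(PNG_SIG), [], []
    while pos + 12 <= len(blob):  # a chunk needs at least length + type + CRC
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        end = pos + 12 + length
        if end > len(blob):  # truncated chunk: treat the remainder as trailing data
            break
        data = blob[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", blob[pos + 8 + length:end])
        name = ctype.decode("latin-1")
        chunks.append(name)
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != crc:
            bad_crc.append(name)
        pos = end
        if ctype == b"IEND":
            break
    trailing = blob[pos:]
    return {"chunks": chunks, "bad_crc": bad_crc, "trailing_bytes": len(trailing),
            "trailing_entropy": round(shannon_entropy(trailing), 2),
            "suspicious": bool(trailing) or bool(bad_crc)}

def build_sample_png() -> bytes:
    """Constructed 1x1 greyscale PNG used as the clean baseline."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    return PNG_SIG + png_chunk(b"IHDR", ihdr) + png_chunk(b"IDAT", idat) + png_chunk(b"IEND", b"")

def build_polyglot() -> bytes:
    """Same image with a constructed high-entropy blob appended after IEND, standing in
    for an XOR-encrypted archive; image viewers ignore it and still render the pixel."""
    appendix = bytes(b ^ 0x5A for b in range(256))  # constructed stand-in, not real payload
    return build_sample_png() + appendix

if __name__ == "__main__":
    for label, sample in (("clean", build_sample_png()), ("polyglot", build_polyglot())):
        print(label, inspect_png(sample))
```

The same trailing-data rule applies to GIF (the 0x3B trailer byte), but walking GIF blocks to find that trailer is left out here.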
Future plans
“I want to add more features to make it more useful, and I welcome all the suggestions and feedback I can get to make this tool successful,” Singh added.
Some of the things he would like to add are:
- Adding more image polyglots (possibly ICO and JPG file formats).
- Adding different file extensions such as PDFs, DOCs, etc.
- Adding EML file support to make a more stealthy approach for payload delivery via attachment.
BobTheSmuggler is available for free on GitHub.