Documentation
Index ¶
- func OpenDB(path string) (*sql.DB, error)
- type CallbackConfig
- type DNSServer
- type FTPServer
- type HTTPServer
- type Interaction
- type LDAPServer
- type SMTPServer
- type Store
- func (s *Store) ClearInteractions(tokenID string) error
- func (s *Store) CreateToken(id, note, hex string) (*Token, error)
- func (s *Store) DeleteToken(id string) error
- func (s *Store) FindTokenByHex(hex string) (*Token, error)
- func (s *Store) GetConfig() (*CallbackConfig, error)
- func (s *Store) GetConfigValue(key string) (string, error)
- func (s *Store) ListInteractions(tokenID string, offset, limit int) ([]Interaction, int, error)
- func (s *Store) ListTokens() ([]Token, error)
- func (s *Store) RecordInteraction(i *Interaction) error
- func (s *Store) SetConfig(cfg *CallbackConfig) error
- func (s *Store) SetConfigValue(key, value string) error
- type Token
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
Types ¶
type CallbackConfig ¶
CallbackConfig holds callback server configuration.
type DNSServer ¶
type DNSServer struct {
	// contains filtered or unexported fields
}
DNSServer listens for DNS queries and records interactions for matching tokens.
func NewDNSServer ¶
NewDNSServer creates a DNS callback server.
type FTPServer ¶
type FTPServer struct {
	// contains filtered or unexported fields
}
FTPServer listens for FTP connections and records them as callback interactions. It is a capture-only server — it never opens a data channel, completes a transfer, or authenticates a user. The correlation token is expected in the USER argument or a path argument (e.g. CWD/RETR), which are captured before any data transfer would occur.
func NewFTPServer ¶
func NewFTPServer(store *Store, broadcast chan<- any, bindAddr string, plainPort, tlsPort int, tlsCfg *tls.Config) *FTPServer
NewFTPServer creates an FTP capture server. plainPort=0 disables the plain listener; tlsPort=0 disables the implicit-TLS (FTPS) listener. tlsCfg must be non-nil if tlsPort>0.
type HTTPServer ¶
type HTTPServer struct {
	// contains filtered or unexported fields
}
HTTPServer listens for HTTP requests and records interactions for matching tokens.
func NewHTTPServer ¶
func NewHTTPServer(store *Store, xssStore *xsshunter.Store, broadcast chan<- any, bindAddr string, port int) *HTTPServer
NewHTTPServer creates an HTTP callback server.
type Interaction ¶
type Interaction struct {
	ID         string    `json:"id"`
	TokenID    string    `json:"tokenId"`
	Token      string    `json:"token"`
	Type       string    `json:"type"`
	SourceIP   string    `json:"sourceIp"`
	Timestamp  time.Time `json:"timestamp"`
	QueryName  string    `json:"queryName,omitempty"`
	QueryType  string    `json:"queryType,omitempty"`
	Method     string    `json:"method,omitempty"`
	Path       string    `json:"path,omitempty"`
	Headers    string    `json:"headers,omitempty"`
	Body       string    `json:"body,omitempty"`
	RawRequest string    `json:"rawRequest,omitempty"`
	Source     string    `json:"source,omitempty"`
}
Interaction represents a recorded callback interaction (DNS or HTTP).
type LDAPServer ¶
type LDAPServer struct {
	// contains filtered or unexported fields
}
LDAPServer listens for LDAP connections and records them as callback interactions. It is a capture-only server that parses just enough BER to extract the bind DN / search baseObject (where JNDI/Log4Shell payloads place data) and replies with canned success responses so the client completes.
func NewLDAPServer ¶
func NewLDAPServer(store *Store, broadcast chan<- any, bindAddr string, plainPort, tlsPort int, tlsCfg *tls.Config) *LDAPServer
NewLDAPServer creates an LDAP capture server. plainPort=0 disables the plain listener; tlsPort=0 disables the implicit-TLS (LDAPS) listener. tlsCfg must be non-nil if tlsPort>0.
type SMTPServer ¶
type SMTPServer struct {
	// contains filtered or unexported fields
}
SMTPServer listens for SMTP connections and records inbound mail as callback interactions. It is a capture-only server — no relay, no AUTH.
func NewSMTPServer ¶
func NewSMTPServer(store *Store, broadcast chan<- any, bindAddr string, plainPort, tlsPort int, tlsCfg *tls.Config) *SMTPServer
NewSMTPServer creates an SMTP capture server. plainPort=0 disables the plain listener; tlsPort=0 disables the implicit-TLS (SMTPS) listener. tlsCfg=nil disables STARTTLS on the plain listener.
type Store ¶
type Store struct {
	// contains filtered or unexported fields
}
Store provides CRUD operations for tokens and interactions.
func (*Store) ClearInteractions ¶
ClearInteractions deletes interactions, optionally filtered by token ID.
func (*Store) CreateToken ¶
CreateToken inserts a new token.
func (*Store) DeleteToken ¶
DeleteToken deletes a token and cascades to interactions.
func (*Store) FindTokenByHex ¶
FindTokenByHex looks up a token by its hex string.
func (*Store) GetConfig ¶
func (s *Store) GetConfig() (*CallbackConfig, error)
GetConfig returns the callback configuration.
func (*Store) GetConfigValue ¶
GetConfigValue returns a single config value by key.
func (*Store) ListInteractions ¶
ListInteractions returns interactions, optionally filtered by token ID.
func (*Store) ListTokens ¶
ListTokens returns all tokens with their hit counts.
func (*Store) RecordInteraction ¶
func (s *Store) RecordInteraction(i *Interaction) error
RecordInteraction inserts a new interaction.
func (*Store) SetConfig ¶
func (s *Store) SetConfig(cfg *CallbackConfig) error
SetConfig saves the callback configuration.
func (*Store) SetConfigValue ¶
SetConfigValue sets a single config value by key.
type Token ¶
type Token struct {
	ID        string    `json:"id"`
	Note      string    `json:"note"`
	Token     string    `json:"token"`
	CreatedAt time.Time `json:"createdAt"`
	HitCount  int       `json:"hitCount"`
}
Token represents a callback token.
func Correlate ¶
Correlate extracts the token hex from a subdomain and looks it up. For example, given "abc123def456.cb.example.com" with domain "cb.example.com", it extracts "abc123def456" and looks up the token.
func CorrelateAny ¶
CorrelateAny scans arbitrary captured strings for hex runs that may be a callback token. For each [0-9a-fA-F]{16,} run it takes the first 16 chars and tries FindTokenByHex; the first match wins. Candidates are scanned in the order given (and left-to-right within each), so callers should pass the most specific fields (a DN, a username, a path) first and fall back to a full transcript or hex dump last.
This correlates protocols whose payload embeds the token (e.g. an LDAP base DN, an FTP path or username). It cannot correlate a connection whose token appears only in the hostname used to reach this listener — but that hostname was resolved via DNS, so the existing DNS listener records that interaction under the "dns" type. This matches interactsh's behavior.
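The scan order described for CorrelateAny, as an added example that is not this package's own code. The names correlateAny, sampleLookup and sampleTokens are hypothetical, sampleLookup stands in for Store.FindTokenByHex, and the lowercasing step and all sample values are assumptions constructed for the illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// hexRun is the candidate pattern quoted in the documentation.
var hexRun = regexp.MustCompile(`[0-9a-fA-F]{16,}`)

// correlateAny (hypothetical) scans candidates in the order given and runs
// left to right, tries the first 16 chars of each run, and stops at the
// first hit.
func correlateAny(lookup func(hex string) (string, bool), candidates ...string) (string, bool) {
	for _, c := range candidates {
		for _, run := range hexRun.FindAllString(c, -1) {
			// Lowercasing before lookup is an assumption of this sketch.
			if id, ok := lookup(strings.ToLower(run[:16])); ok {
				return id, true
			}
		}
	}
	return "", false
}

// Constructed sample data: token hex -> token ID.
var sampleTokens = map[string]string{
	"a1b2c3d4e5f60718": "tok-ldap",
	"0f1e2d3c4b5a6978": "tok-ftp",
}

func sampleLookup(hex string) (string, bool) {
	id, ok := sampleTokens[hex]
	return id, ok
}

func main() {
	dn := "cn=A1B2C3D4E5F60718,dc=example"          // specific field
	transcript := "USER 0f1e2d3c4b5a6978\r\n" + dn // full transcript, passed last
	fmt.Println(correlateAny(sampleLookup, dn, transcript))
	// A token glued behind other hex is missed: only the first 16 chars of
	// the 24-char run are tried.
	fmt.Println(correlateAny(sampleLookup, "deadbeefa1b2c3d4e5f60718"))
}
```

Passing the transcript before the DN would attribute the same capture to the other token, which is why the most specific field goes first.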
func CorrelateSMTP ¶
CorrelateSMTP extracts a token from an SMTP recipient address. It first tries the local-part (token@anything), then falls back to subdomain-style correlation on the domain part (anything@token.callback-domain).
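The local-part-then-domain order described for CorrelateSMTP, together with the subdomain extraction described for Correlate, as an added example that is not this package's own code. The names correlateRcpt, correlateHost and lookupHex are hypothetical, lookupHex stands in for Store.FindTokenByHex, and the case folding, the choice of the label nearest the callback domain and all sample addresses are assumptions constructed for the illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample token table (token hex taken from the Correlate example).
var smtpTokens = map[string]string{"abc123def456": "tok-mail"}

func lookupHex(hex string) (string, bool) {
	id, ok := smtpTokens[strings.ToLower(hex)]
	return id, ok
}

// correlateHost (hypothetical) strips the callback domain and looks up the
// label directly to its left. The suffix check is anchored on ".domain" so a
// host that merely contains the callback domain does not correlate.
func correlateHost(host, domain string) (string, bool) {
	host = strings.TrimSuffix(strings.ToLower(host), ".")
	suffix := "." + strings.ToLower(domain)
	if !strings.HasSuffix(host, suffix) {
		return "", false
	}
	labels := strings.Split(strings.TrimSuffix(host, suffix), ".")
	return lookupHex(labels[len(labels)-1])
}

// correlateRcpt (hypothetical) tries the local-part first, then falls back
// to subdomain-style correlation on the domain part.
func correlateRcpt(rcpt, domain string) (string, bool) {
	rcpt = strings.Trim(strings.TrimSpace(rcpt), "<>")
	at := strings.LastIndex(rcpt, "@")
	if at < 0 {
		return "", false
	}
	if id, ok := lookupHex(rcpt[:at]); ok {
		return id, true
	}
	return correlateHost(rcpt[at+1:], domain)
}

func main() {
	const cb = "cb.example.com"
	fmt.Println(correlateRcpt("<abc123def456@mail.example.net>", cb))             // local-part hit
	fmt.Println(correlateRcpt("root@abc123def456.cb.example.com", cb))            // domain fallback
	fmt.Println(correlateRcpt("root@abc123def456.cb.example.com.other.test", cb)) // not under cb
}
```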