https://Hazegard.github.io/Goauld-doc/Recent content in Documentation on GoauldHugoenhttps://Hazegard.github.io/Goauld-doc/04-client/01-authentication/Mon, 01 Jan 0001 00:00:00 +0000https://Hazegard.github.io/Goauld-doc/04-client/01-authentication/<h2 id="user-authentication">User authentication<a class="td-heading-self-link" href="#user-authentication" aria-label="Heading self-link"></a></h2> <p>To interact with the server, users need an access token.</p> <p>The access token can be provided through all means discussed here: <a href="https://Hazegard.github.io/Goauld-doc/01-general/03-variables/">general/variables</a></p> <h3 id="flag">Flag<a class="td-heading-self-link" href="#flag" aria-label="Heading self-link"></a></h3> <ul> <li><code>--access-token</code></li> </ul> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">access-token</span><span class="p">:</span><span class="w"> </span><span class="l">XXXXX</span><span class="w"> </span></span></span></code></pre></div><h2 id="agent-authentication">Agent authentication<a class="td-heading-self-link" href="#agent-authentication" aria-label="Heading self-link"></a></h2> <p>All interaction with the agents (including SSH, SCP/Rsync, Kill/Reset/Delete commands , Clipboard operations, etc.) requires the agent password. (see <a href="https://Hazegard.github.io/Goauld-doc/02-agent/05-password_management/">agent/password management</a>)</p> <h2 id="admin-authentication">Admin authentication<a class="td-heading-self-link" href="#admin-authentication" aria-label="Heading self-link"></a></h2> <p>See <a href="https://Hazegard.github.io/Goauld-doc/03-server/03-access_control/">server/access control</a></p> <p>The <code>--admin-token</code> restricts access to administrative endpoints (<code>/admin/</code>).</p> <h3 id="flag-1">Flag<a class="td-heading-self-link" href="#flag-1" aria-label="Heading self-link"></a></h3> <ul> <li><code>--admin-token</code></li> </ul> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">admin-token</span><span class="p">:</span><span class="w"> </span><span class="l">XXXXX</span><span class="w"> </span></span></span></code></pre></div><h2 id="agent-binaries-authentication">Agent binaries authentication<a class="td-heading-self-link" href="#agent-binaries-authentication" aria-label="Heading self-link"></a></h2> <p>See <a href="https://Hazegard.github.io/Goauld-doc/03-server/05-agent_downloading/">server/agent downloading</a></p>https://Hazegard.github.io/Goauld-doc/03-server/01-services/Mon, 01 Jan 0001 00:00:00 +0000https://Hazegard.github.io/Goauld-doc/03-server/01-services/<p>To allow agents to tunnel SSH connection over different transports, the server must expose the corresponding service, then decapsulate the traffic and forward it to the SSHD server.</p> <div class="td-alert td-alert--md alert alert-note" role="alert"><div class="td-alert-heading alert-heading" role="heading">Note</div> <div class="td-alert-body"> <p>For all listeners, the listen address flag has the following format: <code>[IP]:[PORT]</code></p> <p>If no IP address is provided, the service will listen on all interfaces. However, the <code>:</code> is still required before the port</p> </div> </div> <h2 id="ssh">SSH<a class="td-heading-self-link" href="#ssh" aria-label="Heading self-link"></a></h2> <p>No encapsulation, directly exposed.</p>https://Hazegard.github.io/Goauld-doc/01-general/01-quick_start/Mon, 01 Jan 0001 00:00:00 +0000https://Hazegard.github.io/Goauld-doc/01-general/01-quick_start/<p>This setup involves three components running on separate machines:</p> <ul> <li><strong>Server</strong>: publicly reachable machine</li> <li><strong>Client (tealc)</strong>: operator machine</li> <li><strong>Agent</strong>: target machine</li> </ul> <p>Prebuilt client and server binaries are available at <a href="https://github.com/Hazegard/Goauld/releases">https://github.com/Hazegard/Goauld/releases</a>.</p> <p>See <a href="https://Hazegard.github.io/Goauld-doc/01-general/02-compilation/">general/compilation</a> to compile the components.</p> <h2 id="generate-secrets">Generate secrets<a class="td-heading-self-link" href="#generate-secrets" aria-label="Heading self-link"></a></h2> <p>Install <a href="https://github.com/filosottile/age">age</a>, then run:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ age-keygen </span></span><span class="line"><span class="cl"><span class="c1"># created: 2026-03-27T21:44:18+01:00</span> </span></span><span class="line"><span class="cl"><span class="c1"># public key: age1krjxdnhmf2kqm8rdhyf6sr5nfvlwdcslux3fxt8amcrncwn3ss9sydlvd0</span> </span></span><span class="line"><span class="cl">AGE-SECRET-KEY-1NJ4DRPNKNGEVFK50JHUD6RKZ3NJ3Q9S5KYMTARTLXU0P0KQU8AAQNE4C2F </span></span></code></pre></div><p>The private key (<code>AGE-SECRET-KEY-*</code>) is used by the server, and the public key is embedded in agents.</p> <h2 id="generate-access-token-and-admin-token">Generate access token (and admin token)<a class="td-heading-self-link" href="#generate-access-token-and-admin-token" aria-label="Heading self-link"></a></h2> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">openssl rand -base64 <span class="m">42</span> </span></span></code></pre></div><p>At this point, you should have:</p>https://Hazegard.github.io/Goauld-doc/02-agent/01-tunnels/Mon, 01 Jan 0001 00:00:00 +0000https://Hazegard.github.io/Goauld-doc/02-agent/01-tunnels/<p>The Goauld agent supports multiple transport mechanisms to communicate with the server. If a transport fails, the agent automatically falls back to the next available method.</p> <p>The agent attempts to connect to the server using several transports:</p> <ol> <li>Direct SSH connection</li> <li>SSH over QUIC</li> <li>SSH over TLS</li> <li>SSH over WebSocket</li> <li>SSH over HTTP</li> <li>SSH over DNS</li> </ol> <p>For each transport protocol, the agent tries establish a connection to the server, with a 60 seconds timeout (configurable using <code>--ssh-timeout</code> flag). If the connection is established, the agent finalizes the connection.</p>https://Hazegard.github.io/Goauld-doc/01-general/02-compilation/Mon, 01 Jan 0001 00:00:00 +0000https://Hazegard.github.io/Goauld-doc/01-general/02-compilation/<p>Some components require specific Go build tags:</p> <ul> <li><code>client</code>: <code>-tags client</code></li> <li><code>mini_agent</code>: <code>-tags mini</code></li> </ul> <p>The project can also be built using GoReleaser.</p> <h2 id="optional-build-dependencies">Optional build dependencies<a class="td-heading-self-link" href="#optional-build-dependencies" aria-label="Heading self-link"></a></h2> <ul> <li><code>garble</code> for binary obfuscation (<a href="https://github.com/burrowers/garble">https://github.com/burrowers/garble</a>)</li> <li><code>upx</code> for binary compression <a href="https://github.com/upx/upx">https://github.com/upx/upx</a></li> <li><code>goreleaser</code> for automated builds <a href="https://github.com/goreleaser/goreleaser">https://github.com/goreleaser/goreleaser</a></li> </ul> <h2 id="agent">Agent<a class="td-heading-self-link" href="#agent" aria-label="Heading self-link"></a></h2> <h3 id="direct-compilation">Direct compilation<a class="td-heading-self-link" href="#direct-compilation" aria-label="Heading self-link"></a></h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">go build -o tealc ./agent </span></span></code></pre></div><h3 id="using-the-wrapper-script">Using the wrapper script<a class="td-heading-self-link" href="#using-the-wrapper-script" aria-label="Heading self-link"></a></h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">go run ./scripts/build/ --id agent --goos windows --goarch amd64 --no-seed --gen-age-key<span class="o">=</span><span class="nb">false</span> --gen-access-token<span class="o">=</span><span class="nb">false</span> </span></span></code></pre></div><h3 id="using-the-client-cli">Using the client CLI<a class="td-heading-self-link" href="#using-the-client-cli" aria-label="Heading self-link"></a></h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">tealc compile --id agent --goarch amd64 --goos windows </span></span></code></pre></div><div class="td-alert td-alert--md alert alert-note" role="alert"><div class="td-alert-heading alert-heading" role="heading">Note</div> <div class="td-alert-body"> <p>Compiling with the CLI is recommended as it allows passing compile-time variables to the agent (see [How to feed variables])</p>https://Hazegard.github.io/Goauld-doc/03-server/02-deployment/Mon, 01 Jan 0001 00:00:00 +0000https://Hazegard.github.io/Goauld-doc/03-server/02-deployment/<div class="td-alert td-alert--md alert alert-warning" role="alert"><div class="td-alert-heading alert-heading" role="heading">Warning</div> <div class="td-alert-body"> <p>Goauld is currently not designed to run behind a reverse proxy. In particular, the whitelisting feature will not work behind a reverse proxy.</p> </div> </div> <h2 id="docker-compose-example">Docker compose example<a class="td-heading-self-link" href="#docker-compose-example" aria-label="Heading self-link"></a></h2> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">services</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">goauld_server</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">build</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">context</span><span class="p">:</span><span class="w"> </span><span class="l">.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">args</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">COMPRESS=1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># platform: linux/amd64</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">container_name</span><span class="p">:</span><span class="w"> </span><span class="l">server</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="l">goauld_server</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ports</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">&#34;X.X.X.X:53:53/tcp&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">&#34;X.X.X.X:53:53/udp&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">&#34;X.X.X.X:80:80&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">&#34;X.X.X.X:443:443&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">&#34;X.X.X.X:22222:22222&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">volumes</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">./certmagic:/root/.local/share/certmagic</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">./Goauld.db:/app/Goauld.db</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">./server_config.yaml:/app/server_config.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">./binaries:/app/binaries</span><span class="w"> </span></span></span></code></pre></div><h2 id="configuration-file-example">configuration file example<a class="td-heading-self-link" href="#configuration-file-example" aria-label="Heading self-link"></a></h2> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c">#Age private key used by the server.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">age-privkey</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c"># Domains used to serve HTTP and WebSocket traffic.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">http-domain</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl">- <span class="l">www.example.com</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c"># Domains used to serve raw TLS traffic (SSH over TLS).</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">tls-domain</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl">- <span class="l">app.example.com</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c"># Domain used to serve DNS-based traffic (SSH over DNS).</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">dns-domain</span><span class="p">:</span><span class="w"> </span><span class="l">t.example.com</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c"># Domain used to serve DNS-based traffic (SSH over DNS-ALT).</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">dns-domain-alt</span><span class="p">:</span><span class="w"> </span><span class="l">s.example.com</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c"># Address and port to bind for HTTP connections (port 0 = random).</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">http-listen-addr</span><span class="p">:</span><span class="w"> </span><span class="p">:</span><span class="m">80</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c"># Address and port to bind for HTTPS connections (port 0 = random).</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">https-listen-addr</span><span class="p">:</span><span class="w"> </span><span class="p">:</span><span class="m">443</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c"># Address and port to bind for SSH connections (port 0 = random).</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">ssh-listen-addr</span><span class="p">:</span><span class="w"> </span><span class="p">:</span><span class="m">2222</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c"># Address and port to bind for DNS connections (port 0 = random).</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">dns-listen-addr</span><span class="p">:</span><span class="w"> </span><span class="p">:</span><span class="m">53</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c"># Address and port to bind for QUIC connections (port 0 = random).</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">quic-listen-addr</span><span class="p">:</span><span class="w"> </span><span class="p">:</span><span class="m">443</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c"># Enable TLS support.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">tls</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c"># Path to the TLS private key file.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">tls-key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c"># Path to the TLS certificate file.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">tls-cert</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c"># Email used when generating Let&#39;s Encrypt certificates.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">letsencrypt-mail</span><span class="p">:</span><span class="w"> </span><span class="l">mail@example.com</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c"># Enable QUIC protocol support.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">quic</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c"># Enable DNS server for SSH-over-DNS connections.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">dns</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c"># Disable database usage.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">db</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c"># Path or filename of the database to use.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">db-file-name</span><span class="p">:</span><span class="w"> </span><span class="l">Goauld.db</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c"># List of IP addresses allowed to access the /manage/ endpoint.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">allowed-ips</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl">- <span class="m">127.0.0.1</span><span class="w"> </span></span></span><span class="line"><span class="cl">- <span class="m">0.0.0.0</span><span class="l">/32</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c"># Access token required for the /manage/ API endpoint.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">access-token</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl">- <span class="l">TODO_TOKEN</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c"># Admin token required for the /admin/ API endpoint.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">admin-token</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl">- <span class="l">TODO_TOKEN</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c"># HTTP Basic Auth credentials required to access the binaries endpoint.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">binaries-basic-auth</span><span class="p">:</span><span class="w"> </span><span class="l">username:password</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c"># Filesystem path where agent binaries are stored.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">binaries-path-location</span><span class="p">:</span><span class="w"> </span><span class="l">./binaries</span><span class="w"> </span></span></span></code></pre></div><h2 id="dns-configuration">DNS configuration<a class="td-heading-self-link" href="#dns-configuration" aria-label="Heading self-link"></a></h2> <p>Three DNS records are required:</p>https://Hazegard.github.io/Goauld-doc/02-agent/02-proxies/Mon, 01 Jan 0001 00:00:00 +0000https://Hazegard.github.io/Goauld-doc/02-agent/02-proxies/<p>The agent exposes three proxies that allow interaction with the host’s network:</p> <ul> <li>An HTTP proxy</li> <li>An HTTP proxy that performs NTLM/Kerberos application-level authentication</li> <li>A SOCKS proxy</li> </ul> <div class="td-alert td-alert--md alert alert-note" role="alert"><div class="td-alert-heading alert-heading" role="heading">Note</div> <div class="td-alert-body"> <p>Given that performing NTLM/Kerberos application-level authentication requires to intercept the traffic (MITM) to inject appropriate headers, this feature has been implemented in a dedicated proxy.</p> </div> </div> <h2 id="http-proxy">HTTP proxy<a class="td-heading-self-link" href="#http-proxy" aria-label="Heading self-link"></a></h2> <p>For each incoming request, the HTTP proxy determines whether an upstream proxy should be used and which one.</p>https://Hazegard.github.io/Goauld-doc/04-client/02-tui/Mon, 01 Jan 0001 00:00:00 +0000https://Hazegard.github.io/Goauld-doc/04-client/02-tui/<p>The client provides a text-based user interface (TUI) to monitor and manage connected agents.</p> <p><img src="https://Hazegard.github.io/Goauld-doc/04-client/02-tui/TUI.png" alt="test"></p> <h2 id="tui-keybinds">TUI keybinds<a class="td-heading-self-link" href="#tui-keybinds" aria-label="Heading self-link"></a></h2> <table> <thead> <tr> <th style="text-align: center">Key</th> <th>Action</th> </tr> </thead> <tbody> <tr> <td style="text-align: center"><code>[ctrl+r]</code></td> <td>Reset the agent</td> </tr> <tr> <td style="text-align: center"><code>[ctrl+k]</code></td> <td>Stop the agent</td> </tr> <tr> <td style="text-align: center"><code>[ctrl+d]</code></td> <td>Stop the agent and attempt to delete the binary</td> </tr> <tr> <td style="text-align: center"><code>[Enter]</code></td> <td>Start an SSH session</td> </tr> <tr> <td style="text-align: center"><code>[ctrl+e]</code></td> <td>Launch VSCode</td> </tr> <tr> <td style="text-align: center"><code>[+]</code></td> <td>Toggle agent details</td> </tr> </tbody> </table> <p>The kill, reset and delete actions are also available as standalone commands:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">tealc <span class="o">(</span>kill<span class="p">|</span>reset<span class="p">|</span>delete<span class="o">)</span> <span class="o">[</span>AGENT_NAME<span class="o">]</span> </span></span></code></pre></div><h3 id="extended-tui">Extended TUI<a class="td-heading-self-link" href="#extended-tui" aria-label="Heading self-link"></a></h3> <p>Some information is hidden by default. Press <code>+</code> to toggle the details.</p>https://Hazegard.github.io/Goauld-doc/03-server/03-access_control/Mon, 01 Jan 0001 00:00:00 +0000https://Hazegard.github.io/Goauld-doc/03-server/03-access_control/<p>Certain components should be accessible only by authorized users.</p> <ul> <li>Admin endpoints</li> <li>Management endpoints</li> <li>SSH access from the client</li> </ul> <h2 id="ip-allowlisting">IP allowlisting<a class="td-heading-self-link" href="#ip-allowlisting" aria-label="Heading self-link"></a></h2> <p>The server accepts a list of authorized IPs to restrict the access of</p> <ul> <li>The <code>/admin/</code> endpoints</li> <li>The <code>/manage/</code> endpoints</li> <li>SSH access from the client (using password authentication)</li> </ul> <div class="td-alert td-alert--md alert alert-warning" role="alert"><div class="td-alert-heading alert-heading" role="heading">Warning</div> <div class="td-alert-body"> <p>IF the server runs in a docker environment, the deployment should ensure that the remote IP address is correctly forwarded to the server</p>https://Hazegard.github.io/Goauld-doc/02-agent/03-relay/Mon, 01 Jan 0001 00:00:00 +0000https://Hazegard.github.io/Goauld-doc/02-agent/03-relay/<p>If an agent <code>A</code> cannot reach the Goauld server, but can reach anothe agent <code>B</code> that can reach the server, then agent <code>B</code> can be configured to run as a relay.</p> <h2 id="configure-an-agent-as-a-relay">Configure an agent as a relay<a class="td-heading-self-link" href="#configure-an-agent-as-a-relay" aria-label="Heading self-link"></a></h2> <ul> <li><code>--relay</code>: Enable relay mode on the agent</li> </ul> <div class="td-alert td-alert--md alert alert-note" role="alert"><div class="td-alert-heading alert-heading" role="heading">Note</div> <div class="td-alert-body"> <p>The agent listens on all interfaces using a randomly assigned port. This port is logged in the agent logs:</p> <pre tabindex="0"><code class="language-log" data-lang="log">INF agent/agent.go:468 &gt; Relay listening on port Port=57129 </code></pre><p>Or in the TUI (Press <code>+</code> to view details about the agent)</p>https://Hazegard.github.io/Goauld-doc/04-client/03-ssh/Mon, 01 Jan 0001 00:00:00 +0000https://Hazegard.github.io/Goauld-doc/04-client/03-ssh/<h2 id="connect-to-an-agent">Connect to an agent<a class="td-heading-self-link" href="#connect-to-an-agent" aria-label="Heading self-link"></a></h2> <p>This command is a wrapper around SSH that automatically connects to an agent through the server.</p> <h3 id="example-of-the-underlying-ssh-command">Example of the underlying SSH command<a class="td-heading-self-link" href="#example-of-the-underlying-ssh-command" aria-label="Heading self-link"></a></h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">env <span class="nv">SSH_ASKPASS_REQUIRE</span><span class="o">=</span>force <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="nv">SSH_ASKPASS</span><span class="o">=</span>/usr/local/bin/tealc <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="nv">TEALC_TYPE</span><span class="o">=</span>agent <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="nv">TEALC_SERVER</span><span class="o">=</span>http://localhost <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="nv">TEALC_SSH_SERVER</span><span class="o">=</span>localhost:2222 <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="nv">TEALC_ACCESS_TOKEN</span><span class="o">=[</span>ACCESS_TOKEN<span class="o">]</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="nv">TEALC_AGENT</span><span class="o">=</span>user@hostname1 <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="nv">TEALC_PROMPT_STATIC_PASSWORD</span><span class="o">=</span><span class="nb">true</span> <span class="se">\ </span></span></span><span class="line"><span class="cl">ssh -oStrictHostKeyChecking<span class="o">=</span>no -oUserKnownHostsFile<span class="o">=</span>/dev/null <span class="se">\ </span></span></span><span class="line"><span class="cl">-oPubkeyAuthentication<span class="o">=</span>no -oPreferredAuthentications<span class="o">=</span>password </span></span><span class="line"><span class="cl">-oLogLevel<span class="o">=</span>ERROR -oExitOnForwardFailure<span class="o">=</span>no <span class="se">\ </span></span></span><span class="line"><span class="cl">-oNumberOfPasswordPrompts<span class="o">=</span><span class="m">1</span> <span class="se">\ </span></span></span><span class="line"><span class="cl">-oProxyCommand<span class="o">=</span><span class="s1">&#39;env SSH_ASKPASS_REQUIRE=force \ </span></span></span><span class="line"><span class="cl"><span class="s1">SSH_ASKPASS=/usr/local/bin/tealc \ </span></span></span><span class="line"><span class="cl"><span class="s1">TEALC_TYPE=otp \ </span></span></span><span class="line"><span class="cl"><span class="s1">TEALC_SERVER=http://localhost \ </span></span></span><span class="line"><span class="cl"><span class="s1">TEALC_SSH_SERVER=localhost:2222 \ </span></span></span><span class="line"><span class="cl"><span class="s1">TEALC_ACCESS_TOKEN=[ACCESS_TOKEN] \ </span></span></span><span class="line"><span class="cl"><span class="s1">TEALC_AGENT=user@hostname1 \ </span></span></span><span class="line"><span class="cl"><span class="s1">TEALC_PROMPT_STATIC_PASSWORD=true \ </span></span></span><span class="line"><span class="cl"><span class="s1">ssh -oClearAllForwardings=no -oStrictHostKeyChecking=no \ </span></span></span><span class="line"><span class="cl"><span class="s1">-oUserKnownHostsFile=/dev/null -oPubkeyAuthentication=no \ </span></span></span><span class="line"><span class="cl"><span class="s1">-oPreferredAuthentications=password -oLogLevel=ERROR \ </span></span></span><span class="line"><span class="cl"><span class="s1">-oExitOnForwardFailure=no -oNumberOfPasswordPrompts=1 \ </span></span></span><span class="line"><span class="cl"><span class="s1">-p2222 -W127.0.0.1:49521 -L3128:127.0.0.1:54079 \ </span></span></span><span class="line"><span class="cl"><span class="s1">-L1080:127.0.0.1:49524 user@hostname1@localhost&#39;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl">user@hostname1@39fce32832f3375a409d99a13a4f0c77 </span></span></code></pre></div><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">tealc ssh <span class="o">[</span>AGENT_NAME<span class="o">]</span> </span></span></code></pre></div><p>You can also pass flags to the underlying SSH command:</p>https://Hazegard.github.io/Goauld-doc/01-general/03-variables/Mon, 01 Jan 0001 00:00:00 +0000https://Hazegard.github.io/Goauld-doc/01-general/03-variables/<h2 id="passing-variables-to-components-agent-client--server">Passing variables to components (agent, client &amp; server)<a class="td-heading-self-link" href="#passing-variables-to-components-agent-client--server" aria-label="Heading self-link"></a></h2> <p>Components can retrieve configuration parameters from several sources. The following order defines the precedence (from highest to lowest):</p> <ol> <li>Command-line argument (<code>--var=1</code>)</li> <li>Configuration file passed through command line (<code>--config</code>)</li> <li>Environment variable (e.g. <code>VAR=1</code>)</li> <li>Default configuration file (see <a href="https://Hazegard.github.io/Goauld-doc/01-general/04-configuration_file/">general/configuration file</a>)</li> <li>Compile-time defined value (<code>-ldflags</code>, or compiling with <code>tealc compile --env</code>: <a href="https://Hazegard.github.io/Goauld-doc/01-general/02-compilation/#compile-using-the-client">general/compilation</a>)</li> <li>Hardcoded default value</li> </ol>https://Hazegard.github.io/Goauld-doc/01-general/04-configuration_file/Mon, 01 Jan 0001 00:00:00 +0000https://Hazegard.github.io/Goauld-doc/01-general/04-configuration_file/<p>The server, agent, and client share the same behavior when loading configuration files.</p> <p>Each component looks for a configuration file in the <code>$HOME/.config</code> directory, then in the current directory.</p> <p>The configuration filenames for each component are:</p> <table> <thead> <tr> <th style="text-align: center">Server</th> <th style="text-align: center">Agent</th> <th style="text-align: center">Client</th> </tr> </thead> <tbody> <tr> <td style="text-align: center"><code>goauld_server.yaml</code></td> <td style="text-align: center"><code>goauld_agent.yaml</code> / <code>goauld.yaml</code></td> <td style="text-align: center"><code>tealc.yaml</code></td> </tr> </tbody> </table>https://Hazegard.github.io/Goauld-doc/03-server/04-healthcheck/Mon, 01 Jan 0001 00:00:00 +0000https://Hazegard.github.io/Goauld-doc/03-server/04-healthcheck/<p>To ensure tunnels are functioning correctly, some healthcheck scripts/tools are provided.</p> <div class="td-alert td-alert--md alert alert-warning" role="alert"><div class="td-alert-heading alert-heading" role="heading">Warning</div> <div class="td-alert-body"> <p>The provided healthchecks only verify that the SSHD server is reachable through the tunnel by checking the SSHD banner.</p> </div> </div> <h2 id="ssh-over-tls">SSH over TLS<a class="td-heading-self-link" href="#ssh-over-tls" aria-label="Heading self-link"></a></h2> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="nb">echo</span> <span class="s2">&#34;00000000000000000000000000000000\n&#34;</span> <span class="p">|</span> timeout <span class="m">1</span> openssl s_client -quiet -connect <span class="nv">$TLS_DOMAIN</span>$:<span class="nv">$TLS_PORT</span>$ 2&gt;/dev/null <span class="p">|</span> grep -q <span class="s2">&#34;SSH-2.0-&#34;</span> </span></span></code></pre></div><h2 id="ssh-over-websocket">SSH over WebSocket<a class="td-heading-self-link" href="#ssh-over-websocket" aria-label="Heading self-link"></a></h2> <h3 id="building">Building<a class="td-heading-self-link" href="#building" aria-label="Heading self-link"></a></h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">go build -o ws-healthcheck ./healthcheck/websocket </span></span></code></pre></div><h3 id="running">Running<a class="td-heading-self-link" href="#running" aria-label="Heading self-link"></a></h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="o">{</span> <span class="nb">echo</span> <span class="s2">&#34;&#34;</span> <span class="p">;</span> sleep 1<span class="p">;</span> <span class="o">}</span> <span class="p">|</span> ws-healthcheck <span class="s2">&#34;wss://</span><span class="nv">$WS_DOMAIN</span><span class="s2">/wssh/00000000000000000000000000000000&#34;</span> 2&gt;/dev/null </span></span></code></pre></div><h2 id="ssh-over-dns">SSH over DNS<a class="td-heading-self-link" href="#ssh-over-dns" aria-label="Heading self-link"></a></h2> <h3 id="building-1">Building<a class="td-heading-self-link" href="#building-1" aria-label="Heading self-link"></a></h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">go build -o dns-healthcheck ./healthcheck/dns/dnstt-client </span></span></code></pre></div><h3 id="running-1">Running<a class="td-heading-self-link" href="#running-1" aria-label="Heading self-link"></a></h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="o">{</span> <span class="nb">echo</span> <span class="s2">&#34;00000000000000000000000000000000S&#34;</span> <span class="p">;</span> sleep 1<span class="p">;</span> <span class="o">}</span> <span class="p">|</span> dns-healthcheck -udp <span class="s2">&#34;</span><span class="nv">$DNS_SERVER</span><span class="s2">:</span><span class="nv">$DNS_SERVER_PORT</span><span class="s2">&#34;</span> <span class="s2">&#34;</span><span class="nv">$DNS_DOMAIN</span><span class="s2">&#34;</span> 2&gt;/dev/null <span class="p">|</span> grep -q <span class="s2">&#34;SSH-2.0-&#34;</span> </span></span></code></pre></div><div class="td-alert td-alert--md alert alert-note" role="alert"><div class="td-alert-heading alert-heading" role="heading">Note</div> <div class="td-alert-body"> <p>The &ldquo;S&rdquo; is required at the end of the echo</p>https://Hazegard.github.io/Goauld-doc/04-client/04-proxies/Mon, 01 Jan 0001 00:00:00 +0000https://Hazegard.github.io/Goauld-doc/04-client/04-proxies/<p>The client exposes the agent’s proxies locally on the host machine.</p> <h2 id="proxy-socks">Proxy SOCKS<a class="td-heading-self-link" href="#proxy-socks" aria-label="Heading self-link"></a></h2> <p>Exposed by default on the port <code>1080</code>.</p> <p>See <a href="https://Hazegard.github.io/Goauld-doc/02-agent/02-proxies/#socks-proxy">agent/proxies#socks-proxy</a> for details about the SOCKS proxy.</p> <h2 id="proxy-http">Proxy HTTP<a class="td-heading-self-link" href="#proxy-http" aria-label="Heading self-link"></a></h2> <p>Exposed by default on the port <code>3128</code>.</p> <p>See <a href="https://Hazegard.github.io/Goauld-doc/02-agent/02-proxies/#http-proxy">agent/proxies#socks-proxy</a> for details about the HTTP proxy.</p> <h2 id="proxy-http-with-ntlmkerberos-application-level-authentication">Proxy HTTP with NTLM/Kerberos application-level authentication<a class="td-heading-self-link" href="#proxy-http-with-ntlmkerberos-application-level-authentication" aria-label="Heading self-link"></a></h2> <p>Exposed by default on the port <code>3129</code>.</p> <p>See <a href="https://Hazegard.github.io/Goauld-doc/02-agent/02-proxies/#http-proxy-with-ntlmkerberos-authentication">agent/proxies#http-proxy-with-ntlmkerberos-authentication</a> for details about the HTTP MITM proxy.</p>https://Hazegard.github.io/Goauld-doc/02-agent/04-wireguard/Mon, 01 Jan 0001 00:00:00 +0000https://Hazegard.github.io/Goauld-doc/02-agent/04-wireguard/<p>The agent exposes a virtual WireGuard interface, allowing TCP, UDP, and ICMP (ping) traffic without relying on a SOCKS proxy.</p> <p>The virtual WireGuard interface uses the gVisor network stack (<a href="https://github.com/google/gvisor/tree/go">https://github.com/google/gvisor/tree/go</a>).</p> <p>The implementation works as follows:</p> <ol> <li>The agent exposes a WireGuard server port on the host.</li> <li>The agent forwards the WireGuard port to the server using UDP-over-TCP encapsulation to traverse the existing agent tunnel.</li> <li>The client forwards the WireGuard port exposed on the server to the local machine.</li> <li>The client decapsulates the UDP-over-TCP traffic to expose the WireGuard port.</li> <li>The WireGuard client on the operator machine connects to the agent&rsquo;s virtual WireGuard interface.</li> </ol> <div class="td-alert td-alert--md alert alert-note" role="alert"><div class="td-alert-heading alert-heading" role="heading">Note</div> <div class="td-alert-body"> <p>This implementation uses TCP-over-TCP encapsulation, which reduces performance. However, this architecture was chosen because the server does not expose a WireGuard server common to all connected agents, which could result in unauthorized access between agents.</p>https://Hazegard.github.io/Goauld-doc/03-server/05-agent_downloading/Mon, 01 Jan 0001 00:00:00 +0000https://Hazegard.github.io/Goauld-doc/03-server/05-agent_downloading/<p>In order to drop precompiled agents, a basicauth protected dirlisting is available through https://[SERVER]/binaries/.</p> <p>To access this dirlisting, a custom password should be configured.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># HTTP Basic Auth credentials required to access the binaries endpoint.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">binaries-basic-auth</span><span class="p">:</span><span class="w"> </span><span class="l">user:password</span><span class="w"> </span></span></span></code></pre></div>https://Hazegard.github.io/Goauld-doc/01-general/05-architecture/Mon, 01 Jan 0001 00:00:00 +0000https://Hazegard.github.io/Goauld-doc/01-general/05-architecture/<p><a href="https://Hazegard.github.io/Goauld-doc/01-general/05-architecture//Goauld.png"><img src="https://Hazegard.github.io/Goauld-doc/01-general/05-architecture/Goauld.png" alt="Goauld.svg"></a></p>https://Hazegard.github.io/Goauld-doc/02-agent/05-password_management/Mon, 01 Jan 0001 00:00:00 +0000https://Hazegard.github.io/Goauld-doc/02-agent/05-password_management/<p>For historical reasons, the agent password consists of two parts:</p> <ul> <li><strong>Part 1</strong>: Generated by the agent at each start and sent to the server through the control socket.</li> <li><strong>Part 2</strong>: It is stored only locally on the agent.</li> </ul> <p>The second part can be generated through different methods:</p> <h3 id="1-at-compile-time">1. At compile-time<a class="td-heading-self-link" href="#1-at-compile-time" aria-label="Heading self-link"></a></h3> <p>When compiling an agent through the client (see <a href="https://Hazegard.github.io/Goauld-doc/04-client/12-compilation/">client/compilation</a>), the generated password is displayed either in the standard output during compilation or in the <code>.env</code> file that contains all the variables set for the agent.</p>https://Hazegard.github.io/Goauld-doc/04-client/05-scp/Mon, 01 Jan 0001 00:00:00 +0000https://Hazegard.github.io/Goauld-doc/04-client/05-scp/<div class="td-alert td-alert--md alert alert-important" role="alert"><div class="td-alert-heading alert-heading" role="heading">Important</div> <div class="td-alert-body"> <p>For windows paths, <code>/</code> must be used instead of <code>\</code>:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">tealc scp <span class="o">[</span>AGENT_NAME<span class="o">]</span>:C:/PATH/TO/FOLDER . </span></span></code></pre></div> </div> </div> <h2 id="scp">SCP<a class="td-heading-self-link" href="#scp" aria-label="Heading self-link"></a></h2> <div class="td-alert td-alert--md alert alert-note" role="alert"><div class="td-alert-heading alert-heading" role="heading">Note</div> <div class="td-alert-body"> <p>The <code>-r</code> flag is included by default.</p> </div> </div> <h3 id="transfer-files-from-the-client-to-the-agent">Transfer files from the client to the agent<a class="td-heading-self-link" href="#transfer-files-from-the-client-to-the-agent" aria-label="Heading self-link"></a></h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">tealc scp /PATH/TO/SOURCE/FILE <span class="o">[</span>AGENT_NAME<span class="o">]</span>:/PATH/TO/TARGET/FILE </span></span></code></pre></div><h3 id="transfer-files-from-the-agent-to-the-client">Transfer files from the agent to the client<a class="td-heading-self-link" href="#transfer-files-from-the-agent-to-the-client" aria-label="Heading self-link"></a></h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">tealc scp <span class="o">[</span>AGENT_NAME<span class="o">]</span>:/PATH/TO/TARGET/FILE /PATH/TO/SOURCE/FILE </span></span></code></pre></div><h2 id="rsync">RSYNC<a class="td-heading-self-link" href="#rsync" aria-label="Heading self-link"></a></h2> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">tealc rsync -arvP <span class="o">[</span>AGENT_NAME<span class="o">]</span>:C:/Path1 <span class="o">[</span>AGENT_NAME<span class="o">]</span>:C:/Windows/PATH2 . </span></span></code></pre></div><div class="td-alert td-alert--md alert alert-warning" role="alert"><div class="td-alert-heading alert-heading" role="heading">Warning</div> <div class="td-alert-body"> <p>On Windows agents, you can only copy from or to one drive per command. you can copy multiple directories from the same drive, but cannot copy from C: and D: in the same command.</p>https://Hazegard.github.io/Goauld-doc/03-server/06-database/Mon, 01 Jan 0001 00:00:00 +0000https://Hazegard.github.io/Goauld-doc/03-server/06-database/<p>The server uses an SQLite database to store information regarding previously connected agents.</p> <p>Given that agents perform a full connection flow at each start, the data stored in the database isn&rsquo;t required.</p> <h2 id="flag">Flag:<a class="td-heading-self-link" href="#flag" aria-label="Heading self-link"></a></h2> <ul> <li><code>--no-db</code> Disable the database on disk.</li> <li><code>--db-file-name</code> Path or filename of the SQLite file .</li> </ul>https://Hazegard.github.io/Goauld-doc/04-client/06-jump/Mon, 01 Jan 0001 00:00:00 +0000https://Hazegard.github.io/Goauld-doc/04-client/06-jump/<p>In some assessments, the agent is deployed on a bounce (jump) machine, from which we can access another machine, from which the assessment is performed.</p> <p>In order to simplify the access to the assessment machine, a wrapper has been implemented in the client:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">tealc jump --print <span class="o">[</span>AGENT_NAME<span class="o">]</span> <span class="o">[</span>REMOTE_SERVER<span class="o">]</span> <span class="o">(</span>-i ./id_ed25519<span class="o">)</span> </span></span></code></pre></div><div class="td-alert td-alert--md alert alert-note" role="alert"><div class="td-alert-heading alert-heading" role="heading">Note</div> <div class="td-alert-body"> <p>Although this command is simply :</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">ssh -oProxyCommand<span class="o">=</span><span class="s2">&#34;tealc ssh [AGENT_NAME] -W %h:%p [REMOTE_SERVER]&#34;</span> <span class="o">(</span>-i ./id_ed25519<span class="o">)</span> </span></span></code></pre></div> </div> </div> <p>Although it simply wraps the underlying SSH ProxyCommand, it provides convenience for repeated jump connections.</p>https://Hazegard.github.io/Goauld-doc/02-agent/06-killswitch/Mon, 01 Jan 0001 00:00:00 +0000https://Hazegard.github.io/Goauld-doc/02-agent/06-killswitch/<p>To ensure that no agent runs indefinitely, a killswitch has been implemented. After a specified number of days, the agent automatically shuts down.</p> <h2 id="flag">Flag<a class="td-heading-self-link" href="#flag" aria-label="Heading self-link"></a></h2> <ul> <li><code>--kill-switch</code>: Set the number of days before exiting</li> </ul> <div class="td-alert td-alert--md alert alert-note" role="alert"><div class="td-alert-heading alert-heading" role="heading">Note</div> <div class="td-alert-body"> <p>The timer counts from the agent&rsquo;s execution time. Consequently, if an external system (scheduled task, cron job, etc.) restarts the agent, the killswitch timer resets.</p> </div> </div>https://Hazegard.github.io/Goauld-doc/04-client/07-clipboard/Mon, 01 Jan 0001 00:00:00 +0000https://Hazegard.github.io/Goauld-doc/04-client/07-clipboard/<p>Access to the agent clipboard has been implemented to quickly share small text between the client and the agent.</p> <h2 id="retrieve-the-agent-clipboard">Retrieve the agent clipboard<a class="td-heading-self-link" href="#retrieve-the-agent-clipboard" aria-label="Heading self-link"></a></h2> <p>The content will be printed to STDOUT</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">tealc clip get <span class="o">[</span>AGENT<span class="o">]</span> </span></span></code></pre></div><h2 id="set-the-agent-clipboard">Set the agent clipboard<a class="td-heading-self-link" href="#set-the-agent-clipboard" aria-label="Heading self-link"></a></h2> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">tealc clip <span class="nb">set</span> <span class="o">[</span>AGENT<span class="o">]</span> <span class="o">[</span>CONTENT<span class="o">]</span> </span></span></code></pre></div><div class="td-alert td-alert--md alert alert-warning" role="alert"><div class="td-alert-heading alert-heading" role="heading">Warning</div> <div class="td-alert-body"> <p>This feature is recommended for small content only. For larger content, use SCP or Rsync instead. (see <a href="https://Hazegard.github.io/Goauld-doc/04-client/05-scp/">client/scp</a>)</p> </div> </div>https://Hazegard.github.io/Goauld-doc/02-agent/07-connection_flow/Mon, 01 Jan 0001 00:00:00 +0000https://Hazegard.github.io/Goauld-doc/02-agent/07-connection_flow/<p>The agent separates orchestration (control) from operational traffic (data):</p> <ul> <li><strong>Control socket</strong>: A Socket.IO component, which is used to transmit agent metadata and receive control instructions from the server (reset/kill, etc.)</li> <li><strong>Data socket</strong>: An SSH channel, which may be encapsulated depending on egress filtering restrictions, which is used to tunnel operational traffic (proxies, SSH access, pivoting services, etc.)</li> </ul> <p>If a connection is lost, the agent automatically attempts to reconnect to both channels using an exponential backoff strategy.</p>https://Hazegard.github.io/Goauld-doc/04-client/08-shell-logging/Mon, 01 Jan 0001 00:00:00 +0000https://Hazegard.github.io/Goauld-doc/04-client/08-shell-logging/<p>The client allows logging of SSH sessions to keep a record of commands executed and their outputs.</p> <p>Log files are saved in the current directory with the following format: <code>[AGENT_NAME]-[CURRENT_DATE]</code>.</p> <p>[TODO]: exemple du log</p> <h2 id="flag">Flag<a class="td-heading-self-link" href="#flag" aria-label="Heading self-link"></a></h2> <ul> <li><code>--log</code></li> </ul>https://Hazegard.github.io/Goauld-doc/02-agent/08-working_days/Mon, 01 Jan 0001 00:00:00 +0000https://Hazegard.github.io/Goauld-doc/02-agent/08-working_days/<p>During assessments, it may be necessary to keep an agent running for several days (it can be difficult to execute).</p> <p>To reduce the agent&rsquo;s network footprint, a mechanism allows it to pause all network activity at a specified time and automatically resume later at a specified hour.</p> <p>If the agent starts outside the working period, it will wait until the next start hour.</p> <h2 id="flags">Flags<a class="td-heading-self-link" href="#flags" aria-label="Heading self-link"></a></h2> <ul> <li><code>--only-working-days</code>: to enable the working days feature</li> <li><code>--working-day-start</code> : the given hour when the agent resumes network connection (format: <code>[HOURS]:[MINUTES]</code>, 24-hour format)</li> <li><code>--working-day-end</code>: the given hour when the agent stops all network connection (format: <code>[HOURS]:[MINUTES]</code>, 24-hour format)</li> <li><code>--working-day-timezone</code>: the timezone to use</li> </ul>https://Hazegard.github.io/Goauld-doc/04-client/09-audit-mode/Mon, 01 Jan 0001 00:00:00 +0000https://Hazegard.github.io/Goauld-doc/04-client/09-audit-mode/<h2 id="audit-mode">Audit Mode<a class="td-heading-self-link" href="#audit-mode" aria-label="Heading self-link"></a></h2> <p>This option enable redaction of sensitive information displayed on the TUI, providing privacy during demonstrations or shared sessions.</p> <p><img src="https://Hazegard.github.io/Goauld-doc/04-client/09-audit-mode/audit-mode.png" alt="alt text"></p> <h3 id="flag">Flag<a class="td-heading-self-link" href="#flag" aria-label="Heading self-link"></a></h3> <ul> <li><code>--audit-mode</code></li> </ul>https://Hazegard.github.io/Goauld-doc/04-client/10-controlmaster/Mon, 01 Jan 0001 00:00:00 +0000https://Hazegard.github.io/Goauld-doc/04-client/10-controlmaster/<h2 id="ssh-controlmaster">SSH ControlMaster<a class="td-heading-self-link" href="#ssh-controlmaster" aria-label="Heading self-link"></a></h2> <div class="td-alert td-alert--md alert alert-note" role="alert"><div class="td-alert-heading alert-heading" role="heading">Note</div> <div class="td-alert-body"> <p>This feature is not supported on Windows.</p> </div> </div> <p>The client can leverage SSH ControlMaster mode to share multiple SSH sessions over a single network connection.</p> <p>This improves connection speed and avoids repeating the authentication process for each session.</p>https://Hazegard.github.io/Goauld-doc/04-client/11-wireguard/Mon, 01 Jan 0001 00:00:00 +0000https://Hazegard.github.io/Goauld-doc/04-client/11-wireguard/<p>See <a href="https://Hazegard.github.io/Goauld-doc/02-agent/04-wireguard/">agent/wireguard</a> A TUN interface is available to the client.</p> <p>The TUN interface is a WireGuard VPN that allows TCP, UDP, and ICMP (ping only) traffic from the agent without relying on a SOCKS proxy.</p> <div class="td-alert td-alert--md alert alert-note" role="alert"><div class="td-alert-heading alert-heading" role="heading">Note</div> <div class="td-alert-body"> <p>The special range <code>240.0.0.0/8</code> is translated into <code>127.0.0.0/8</code> on the agent, enabling access to the loopback range.</p> </div> </div> <h2 id="how-to-use">How to use<a class="td-heading-self-link" href="#how-to-use" aria-label="Heading self-link"></a></h2> <ol> <li>Generate the WireGuard configuration and add it to the configuration file:</li> </ol> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">tealc wireguard generate </span></span></code></pre></div><p>The content looks like:</p>https://Hazegard.github.io/Goauld-doc/04-client/12-compilation/Mon, 01 Jan 0001 00:00:00 +0000https://Hazegard.github.io/Goauld-doc/04-client/12-compilation/<p>The client can recompile agents for different platforms and architectures.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">tealc compile <span class="o">(</span>--id <span class="o">[</span>ID<span class="o">])</span> <span class="o">(</span>-O <span class="o">[</span>OS<span class="o">])</span> <span class="o">(</span>-A <span class="o">[</span>ARCH<span class="o">])</span> </span></span></code></pre></div><p>The <code>ARCH</code> flag can be:</p> <ul> <li><code>amd64</code></li> <li><code>arm64</code></li> <li><code>arm</code></li> <li><code>386</code></li> </ul> <p>The <code>OS</code> flag can be:</p> <ul> <li><code>darwin</code></li> <li><code>linux</code></li> <li><code>windows</code></li> </ul> <h2 id="compile-the-agent-with-custom-default-values">Compile the agent with custom default values<a class="td-heading-self-link" href="#compile-the-agent-with-custom-default-values" aria-label="Heading self-link"></a></h2> <ol> <li>Generate the configuration file:</li> </ol> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">tealc compile --drop-env &gt; ./env.txt </span></span></code></pre></div><p>This configuration file can then be modified to set custom defaults before recompilation.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">tealc compile --env <span class="o">[</span>/PATH/TO/ENV<span class="o">]</span> </span></span></code></pre></div>https://Hazegard.github.io/Goauld-doc/04-client/13-admin/Mon, 01 Jan 0001 00:00:00 +0000https://Hazegard.github.io/Goauld-doc/04-client/13-admin/<h2 id="dump-the-current-configuration">Dump the current configuration<a class="td-heading-self-link" href="#dump-the-current-configuration" aria-label="Heading self-link"></a></h2> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ tealc admin config </span></span></code></pre></div><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c">#Age private key used by the server.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">age-privkey</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;[REDACTED]&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c"># Domains used to serve HTTP and WebSocket traffic.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">http-domain</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl">- <span class="m">0.0.0.0</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c"># Domains used to serve raw TLS traffic (SSH over TLS).</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">tls-domain</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl">- <span class="l">localhost</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c"># Domain used to serve DNS-based traffic (SSH over DNS).</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">dns-domain</span><span class="p">:</span><span class="w"> </span><span class="l">t.example.com</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c"># Domain used to serve DNS-based traffic (SSH over DNS-ALT).</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">dns-domain-alt</span><span class="p">:</span><span class="w"> </span><span class="l">s.example.com</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c"># Address and port to bind for HTTP connections (port 0 = random).</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">http-listen-addr</span><span class="p">:</span><span class="w"> </span><span class="m">0.0.0.0</span><span class="p">:</span><span class="m">80</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c"># Address and port to bind for HTTPS connections (port 0 = random).</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">https-listen-addr</span><span class="p">:</span><span class="w"> </span><span class="m">0.0.0.0</span><span class="p">:</span><span class="m">443</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c"># Address and port to bind for SSH connections (port 0 = random).</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">ssh-listen-addr</span><span class="p">:</span><span class="w"> </span><span class="m">0.0.0.0</span><span class="p">:</span><span class="m">2222</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c"># Address and port to bind for DNS connections (port 0 = random).</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">dns-listen-addr</span><span class="p">:</span><span class="w"> </span><span class="m">0.0.0.0</span><span class="p">:</span><span class="m">53</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c"># Address and port to bind for QUIC connections (port 0 = random).</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">quic-listen-addr</span><span class="p">:</span><span class="w"> </span><span class="m">0.0.0.0</span><span class="p">:</span><span class="m">443</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c"># Enable TLS support.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">tls</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c"># Path to the TLS private key file.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">tls-key</span><span class="p">:</span><span class="w"> </span><span class="l">./local_config/cert/local.key</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c"># Path to the TLS certificate file.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">tls-cert</span><span class="p">:</span><span class="w"> </span><span class="l">./local_config/cert/local.pem</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c"># Email used when generating Let&#39;s Encrypt certificates.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">letsencrypt-mail</span><span class="p">:</span><span class="w"> </span><span class="l">mail@example.com</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c"># Enable QUIC protocol support.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">quic</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c"># Enable DNS server for SSH-over-DNS connections.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">dns</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c"># Disable database usage.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">db</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c"># Path or filename of the database to use.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">db-file-name</span><span class="p">:</span><span class="w"> </span><span class="l">Goauld.db</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c"># List of IP addresses allowed to access the /manage/ endpoint.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">allowed-ips</span><span class="p">:</span><span class="w"> </span><span class="p">[]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c"># Access token required for the /manage/ API endpoint.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">access-token</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl">- <span class="s2">&#34;[REDACTED]&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c"># Admin token required for the /admin/ API endpoint.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">admin-token</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl">- <span class="s2">&#34;[REDACTED]&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c"># HTTP Basic Auth credentials required to access the binaries endpoint.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">binaries-basic-auth</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;[REDACTED]&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c"># Filesystem path where agent binaries are stored.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">binaries-path-location</span><span class="p">:</span><span class="w"> </span><span class="l">./binaries</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c"># Increase log verbosity. Repeat for more detail.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">verbose</span><span class="p">:</span><span class="w"> </span><span class="m">3</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c"># Suppress all log output.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">quiet</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c"># Show version information and exit.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">version</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c"># Generate a configuration file from the current settings.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">generate-config</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c"># Path to the configuration file to use.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">config-file</span><span class="p">:</span><span class="w"> </span><span class="l">./local_config/server.yaml</span><span class="w"> </span></span></span></code></pre></div><h2 id="dump-the-connected-agent-information">Dump the connected agent information<a class="td-heading-self-link" href="#dump-the-connected-agent-information" aria-label="Heading self-link"></a></h2> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ tealc admin dump </span></span></code></pre></div><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl">- <span class="nt">id</span><span class="p">:</span><span class="w"> </span><span class="l">1ec1bd83de498e7da8852efe6d8c16c5</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">user@Archamd2</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">SSHMode</span><span class="p">:</span><span class="w"> </span><span class="l">WS</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">usedPorts</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;0&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">lastUpdated</span><span class="p">:</span><span class="w"> </span><span class="ld">2026-03-09T17:31:43.426417</span><span class="m">+01</span><span class="p">:</span><span class="m">00</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">lastPing</span><span class="p">:</span><span class="w"> </span><span class="ld">2026-03-09T17:32:22.788485</span><span class="m">+01</span><span class="p">:</span><span class="m">00</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">platform</span><span class="p">:</span><span class="w"> </span><span class="l">darwin</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">architecture</span><span class="p">:</span><span class="w"> </span><span class="l">arm64</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">username</span><span class="p">:</span><span class="w"> </span><span class="l">user</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">hostname</span><span class="p">:</span><span class="w"> </span><span class="l">Archamd2</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">IPs</span><span class="p">:</span><span class="w"> </span><span class="m">172.16.22.101</span><span class="l">/24,192.168.29.1/24,172.16.40.1/24,192.168.139.3/23,fd07:b51a:cc66:0:a617:db5e:ab7:e9f1/64,10.10.20.19/24</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">path</span><span class="p">:</span><span class="w"> </span><span class="l">/Users/user/Library/Caches/go-build/c0/c0ece0fea100ea19cf4edec893a6caafb9f6b1f91c6f47ef3a1bab62d0455bbe-d/agent</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">remoteAddr</span><span class="p">:</span><span class="w"> </span><span class="m">127.0.0.1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">TLSSH</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">agentId</span><span class="p">:</span><span class="w"> </span><span class="l">1ec1bd83de498e7da8852efe6d8c16c5</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">QUIC</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">agentId</span><span class="p">:</span><span class="w"> </span><span class="l">1ec1bd83de498e7da8852efe6d8c16c5</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">WSSH</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">agentId</span><span class="p">:</span><span class="w"> </span><span class="l">1ec1bd83de498e7da8852efe6d8c16c5</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">sshConn</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">localAddr</span><span class="p">:</span><span class="w"> </span><span class="m">127.0.0.1</span><span class="p">:</span><span class="m">56748</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">remoteAddr</span><span class="p">:</span><span class="w"> </span><span class="m">127.0.0.1</span><span class="p">:</span><span class="m">2222</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">wsConn</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">localAddr</span><span class="p">:</span><span class="w"> </span><span class="m">127.0.0.1</span><span class="p">:</span><span class="m">80</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">remoteAddr</span><span class="p">:</span><span class="w"> </span><span class="m">127.0.0.1</span><span class="p">:</span><span class="m">56747</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">SSHTTP</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">agentId</span><span class="p">:</span><span class="w"> </span><span class="l">1ec1bd83de498e7da8852efe6d8c16c5</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">socketIO</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">agentId</span><span class="p">:</span><span class="w"> </span><span class="l">1ec1bd83de498e7da8852efe6d8c16c5</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">socketId</span><span class="p">:</span><span class="w"> </span><span class="l">ltHwpaxDrVu0beeBAAAB</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">connected</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ssh</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">agentId</span><span class="p">:</span><span class="w"> </span><span class="l">1ec1bd83de498e7da8852efe6d8c16c5</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">SSHConnection</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">agentId</span><span class="p">:</span><span class="w"> </span><span class="l">1ec1bd83de498e7da8852efe6d8c16c5</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">sshConn</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">localAddr</span><span class="p">:</span><span class="w"> </span><span class="m">127.0.0.1</span><span class="p">:</span><span class="m">2222</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">remoteAddr</span><span class="p">:</span><span class="w"> </span><span class="m">127.0.0.1</span><span class="p">:</span><span class="m">56748</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">clientVersion</span><span class="p">:</span><span class="w"> </span><span class="l">SSH-2.0-Goauld-dev</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">sessionID</span><span class="p">:</span><span class="w"> </span><span class="l">d7421e2ee9f35a1a6bf4e6908b0e7d19426565f85efc76d8458f5d2d39b55f33</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">serverVersion</span><span class="p">:</span><span class="w"> </span><span class="l">SSH-2.0-OpenSSH_8.7</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">agentId</span><span class="p">:</span><span class="w"> </span><span class="l">1ec1bd83de498e7da8852efe6d8c16c5</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">sshConn</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">localAddr</span><span class="p">:</span><span class="w"> </span><span class="m">127.0.0.1</span><span class="p">:</span><span class="m">2222</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">remoteAddr</span><span class="p">:</span><span class="w"> </span><span class="m">127.0.0.1</span><span class="p">:</span><span class="m">56748</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">clientVersion</span><span class="p">:</span><span class="w"> </span><span class="l">SSH-2.0-Goauld-dev</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">sessionID</span><span class="p">:</span><span class="w"> </span><span class="l">d7421e2ee9f35a1a6bf4e6908b0e7d19426565f85efc76d8458f5d2d39b55f33</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">serverVersion</span><span class="p">:</span><span class="w"> </span><span class="l">SSH-2.0-OpenSSH_8.7</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">agentId</span><span class="p">:</span><span class="w"> </span><span class="l">1ec1bd83de498e7da8852efe6d8c16c5</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">sshConn</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">localAddr</span><span class="p">:</span><span class="w"> </span><span class="m">127.0.0.1</span><span class="p">:</span><span class="m">2222</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">remoteAddr</span><span class="p">:</span><span class="w"> </span><span class="m">127.0.0.1</span><span class="p">:</span><span class="m">56748</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">clientVersion</span><span class="p">:</span><span class="w"> </span><span class="l">SSH-2.0-Goauld-dev</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">sessionID</span><span class="p">:</span><span class="w"> </span><span class="l">d7421e2ee9f35a1a6bf4e6908b0e7d19426565f85efc76d8458f5d2d39b55f33</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">serverVersion</span><span class="p">:</span><span class="w"> </span><span class="l">SSH-2.0-OpenSSH_8.7</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">SSHListeners</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="m">127.0.0.1</span><span class="p">:</span><span class="m">56749</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="m">127.0.0.1</span><span class="p">:</span><span class="m">56751</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="m">127.0.0.1</span><span class="p">:</span><span class="m">56752</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">dns</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">agentId</span><span class="p">:</span><span class="w"> </span><span class="l">1ec1bd83de498e7da8852efe6d8c16c5</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">cdn</span><span class="p">:</span><span class="w"> </span>{}<span class="w"> </span></span></span></code></pre></div>https://Hazegard.github.io/Goauld-doc/04-client/14-password/Mon, 01 Jan 0001 00:00:00 +0000https://Hazegard.github.io/Goauld-doc/04-client/14-password/<div class="td-alert td-alert--md alert alert-note" role="alert"><div class="td-alert-heading alert-heading" role="heading">Note</div> <div class="td-alert-body"> <p>This command is mostly an internal one. But it is still documented in case on manual connection to the agents through the server</p> </div> </div>https://Hazegard.github.io/Goauld-doc/04-client/15-embed_server/Mon, 01 Jan 0001 00:00:00 +0000https://Hazegard.github.io/Goauld-doc/04-client/15-embed_server/<p>The client can enter in server mode allowing to reproduce the <code>nc -lvp</code> command.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">tealc embed-server </span></span></code></pre></div><div class="td-alert td-alert--md alert alert-note" role="alert"><div class="td-alert-heading alert-heading" role="heading">Note</div> <div class="td-alert-body"> <p>The deployed agent must embed or be passed an appropriate Age public key</p> </div> </div> <div class="td-alert td-alert--md alert alert-note" role="alert"><div class="td-alert-heading alert-heading" role="heading">Note</div> <div class="td-alert-body"> <p>The agent automatically kills itself after the shell session ends</p> </div> </div> <h2 id="demo">Demo<a class="td-heading-self-link" href="#demo" aria-label="Heading self-link"></a></h2> <video width=90% controls autoplay> <source src="embed-server.webm" type="video/webm"> Your browser does not support the video tag. </video>https://Hazegard.github.io/Goauld-doc/04-client/16-agent_binding/Mon, 01 Jan 0001 00:00:00 +0000https://Hazegard.github.io/Goauld-doc/04-client/16-agent_binding/<p>When the agent is in bind mode, it exposes a port on which the client connects to. (see <a href="https://Hazegard.github.io/Goauld-doc/02-agent/01-tunnels/#agent-binding">agent/tunnels</a>)</p> <h2 id="flags">Flags<a class="td-heading-self-link" href="#flags" aria-label="Heading self-link"></a></h2> <ul> <li><code>--kill</code> whether to kill the agent on disconnection</li> <li><code>[AGENT_ADDR]</code>: the agent to bind to, format: <code>[IP]:[PORT]</code></li> </ul>