• Stars
    star
    838
  • Rank 54,406 (Top 2 %)
  • Language
    Go
  • License
    GNU General Publi...
  • Created about 7 years ago
  • Updated over 1 year ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

A manager for your secrets.

Arc Logo

Arc

A manager for your secrets.

Release Software License Travis Go Report Card


Arc is a manager for your secrets made of arc, a RESTful API server written in Go which exposes read and write primitives for encrypted records, and arc, the client application implemented in HTML5 and javascript, which runs in every modern browser and it is served by arc itself.

Records are generated, encrypted and decrypted client side by arc (with AES256 in GCM mode, using 10000 iterations for the PBKDF2 key derivation function, everything WebCrypto based ), which offers an intuitive management system equipped with UI widgets including:

  • Simple text inputs.
  • Simple text areas.
  • Custom file attachments.
  • A markdown editor area with preview and full screen mode.
  • A HTML editor with preview and full screen mode.
  • A password field with password strength estimation and a random password generator.
  • Custom lists.
  • Bitcoin wallet address with auto updating balance.
  • Manager for Time-based One-time Password Algorithm (TOTP) codes as per the TOTP RFC Draft. This component produces the same codes as the Google Authenticator app and can be used for 2FA.

Elements can be created (with optional expiration dates), arranged and edited using arc and are stored on arc as AES256 encrypted (and compressed) raw data.

ARC

Hardware?

Ideally arc should run on a dedicated portable hardware like a Raspberry Pi Zero, for instance it is possible to simply access it via Bluetooth and a modern browser once configured btnap, but precompiled versions are available for several operating systems and architectures (including ARM, ARM64 and MIPS) therefore Arc can run on pretty much everything with a CPU, from your smartphone, your router, your Mac or your Windows computer. As a rule of thumb, the more isolated the hardware is, the better.

The idea is to use Arc as a single storage and manager for your passwords, encrypted notes, files and -all the secret things here-.

Encrypt all the things!

Usage

You can find binary releases of Arc here, if instead you want to build it from source, make sure you have Go >= 1.8 installed and configured correctly, then clone this repository, install the dependencies and compile the arc server component:

go get github.com/evilsocket/arc/cmd/arc

Once you either extracted the release archive or compiled it yourself, copy sample_config.json to a new config.json file and customize it. The most important fields to change are the secret ( a key used for token authentication ), the username and the password, which is the bcrypt hash of the authentication password you want to use, you can generate a new one with:

arc password "your-new-password" <optional-cost>

Once everything is ready, youn can finally start the arc server:

arc -config config.json -app arc

Now browse https://localhost:8443/ ( or the address and port you configured ) and login with the configured credentials (make sure to add the generated HTTPS certificate as an exception in your browser).

NOTE

Other than the username and the password, during login you need to specify an additional encryption key. This second key is not used to login to the system itself but to encrypt and decrypt your records client side. You can specify different keys each time you login, as long as you remember which key you used to encrypt which record :)

Configuration

This is the example configuration file you need to customize the first time.

{
    "address": "127.0.0.1",
    "port": 8443,
    "max_req_size": 524288,
    "username": "arc",
    "password": "$2a$10$eyt99XOsVnATorza8PjqkOtJJdw1/Skr6LSps7JT4heYficAOdEhq",
    "secret": "s0m3c0mpl3xs7r1ng",
    "certificate": "/some/certificate.pem",
    "key": "/some/key.pem",
    "database": "~/arcdb",
    "token_duration": 60,
    "compression": true,
    "scheduler": {
        "enabled": true,
        "period": 10,
        "reports": {
            "enabled": false,
            "rate_limit": 60,
            "filter": [ "login_ok", "login_ko", "token_ko", "update", "record_expired" ],
            "to": "[email protected]",
            "smtp":{
                "address": "smtp.gmail.com",
                "port": 587,
                "username": "[email protected]",
                "password": "your smtp password"
            },
            "pgp": {
                "enabled": true,
                "keys":{
                    "private": "~/server.key",
                    "public": "~/my.public.key"
                }
            }
        }
    },
    "backups": {
        "enabled": false,
        "period": 1800,
        "folder": "/some/backup/path/",
        "run": "scp arc-backup.tar user@backup-server:/media/arc_backup/"
    }
}

It is necessary to change only the username and password access parameters of Arc, while the others can be left to their default values.

Configuration Description
address IP address to bind the arc server to.
port TCP to bind the arc server to.
max_req_size Maximum size in bytes to accept as a JSON request, it does not include record data.
username API access username.
password API access password bcrypt hash.
secret Secret key to use for authentication token signing and verification.
certificate HTTPS certificate PEM file (if it does not exist, it will be automatically generated).
key HTTPS private key PEM file (if it does not exist, it will be automatically generated).
database Database root directory.
token_duration Validity in minutes of a JWT API token after it's being generated.
compression If true, records bigger than 1024 bytes will be asynchronously gzipped and served as compressed streams to the client.
scheduler.enabled Enable or disable the server events scheduler (if you disable this, bye bye notifications and records expiration).
scheduler.period Time in seconds between every scheduler loop.
scheduler.reports.enabled If true, events will be reported by email.
scheduler.reports.rate_limit If two events of the same type are triggered in less than this number of seconds between one each other, the newest will not be notified by email.
scheduler.reports.filter Which type of events to report by email.
scheduler.reports.to Destination email address.
scheduler.reports.smtp SMTP server information, if not provided the local sendmail binary will be used.
scheduler.reports.pgp.enabled If true, email notifications will be encrypted with PGP.
scheduler.reports.pgp.keys.private Path of the private key file to use to encrypt emails, if not found or empty it will be automatically generated by arc.
scheduler.reports.pgp.keys.public Path of the PGP public key of the email notifications recipient.
backups.enabled Enable automatic backups.
backups.period Number of seconds between one backup and the next one.
backups.folder Destination folder for the backup file.
backups.run If filled, this command will be executed after the backup archive is created.

Realtime Notifications

Different type of events can happen during Arc lifecycle:

  • login_ok someone succesfully authenticated to the system.
  • login_ko someone tried to authenticate to the system with the wrong credentials.
  • token_ko an invalid JWT token has been used to access Arc API.
  • update a new version of Arc is available.
  • record_expired a record reached its expiration date.

If configured to do so, the server will create brief reports of such events and it will send to the user and client using three different channels:

  • A notification inside the Arc web UI itself.
  • A desktop notification.
  • An email report to the configured address.

PGP Encryption

Email reports can be optionally encrypted by the server using PGP, in this case the user has to provide his PGP public key. A private key can also be provided, if not the server will generate a new one (4096 bits RSA) during the first boot. Since email reports might include parts of valid credentials (ie. you mistyped one character of the valid password) it is highly suggested to enable this option.

Keyboard Shortcuts

  • n Create a new item ( store or record ).
  • d Delete the current item ( store or record ).
  • r Rename the current item ( store or record ).
  • a Add a new field to the current record.
  • p Pin / unpin the curret record.
  • s Save the current record.
  • e Set the expiration date for the current record.
  • ESC Close the current window.

Import / Export

You can export stores and their encrypted records to a TAR file:

./arc -config config.json -output ~/backup.tar -export

Exported archives can be later imported with:

./arc -config config.json -import ~/backup.tar

Useful Commands

Generate self signed certificate in order to use Arc on HTTPS:

openssl req -new -x509 -sha256 -key key.pem -out certificate-pem -days 365  

Allow the arc binary to bind to privileged ports without having root privileges (bind to port 443 for HTTPS without root):

sudo setcap 'cap_net_bind_service=+ep' arc

Lines to add to /etc/rc.local in order to make arc start at boot (running as pi user, configuration, logs and and ui are in the home folder):

export ARC=/home/pi/
sudo -H -u pi bash -c "$ARC/arc -config $ARC/config.json -log-file $ARC/arc.log &"

Bugs

Before opening an issue, please make sure it is not already part of a known bug.

License

Arc was made with โ™ฅ by Simone Margaritelli and it is released under the GPL 3 license.

More Repositories

1

opensnitch

OpenSnitch is a GNU/Linux interactive application firewall inspired by Little Snitch.
Python
10,819
star
2

pwnagotchi

(โŒโ– _โ– ) - Deep Reinforcement Learning instrumenting bettercap for WiFi pwning.
JavaScript
5,830
star
3

bettercap

DEPRECATED, bettercap developement moved here: https://github.com/bettercap/bettercap
2,507
star
4

xray

XRay is a tool for recon, mapping and OSINT gathering from public networks.
Go
1,966
star
5

bleah

This repository is DEPRECATED, please use bettercap as this tool has been ported to its BLE modules.
1,094
star
6

dnssearch

A subdomain enumeration tool.
Go
879
star
7

ditto

A tool for IDN homograph attacks and detection.
Go
694
star
8

uroboros

A GNU/Linux monitoring and profiling tool focused on single processes.
Go
670
star
9

shellz

shellz is a small utility to manage your ssh, telnet, kubernetes, winrm, web or any custom shell in a single place.
Go
537
star
10

sg1

A wanna be swiss army knife for data encryption, exfiltration and covert communication.
Go
528
star
11

smali_emulator

This software will emulate a smali source file generated by apktool.
Python
458
star
12

arminject

An application to dynamically inject a shared object into a running process on ARM architectures.
C++
432
star
13

jscythe

Abuse the node.js inspector mechanism in order to force any node.js/electron/v8 based process to execute arbitrary javascript code.
Rust
310
star
14

spycast

A crossplatform mDNS enumeration tool.
HTML
304
star
15

medusa

A fast and secure multi protocol honeypot.
Rust
285
star
16

ergo

๐Ÿง  A tool that makes AI easier.
Python
285
star
17

bettercap-proxy-modules

This repository contains some bettercap transparent proxy example modules.
285
star
18

dirsearch

A Go implementation of dirsearch.
Go
253
star
19

kitsune

๐Ÿง  ๐Ÿ”Ž ๐Ÿค– Kitsune is an artificial neural network designed to detect and correlate Twitter profiles with similar behaviours.
Python
228
star
20

librestd

A low dependencies and self contained library to create C++ RESTful API services.
C++
199
star
21

shieldwall

zero-trust remote firewall instrumentation
Go
195
star
22

pwnagotchi-plugins-contrib

User contributed Pwnagotchi plugins.
Python
170
star
23

ergo-pe-av

๐Ÿง  ๐Ÿฆ  An artificial neural network and API to detect Windows malware, based on Ergo and LIEF.
Python
166
star
24

sauron

A minimalistic cross-platform malware scanner with non-blocking realtime filesystem monitoring using YARA rules.
Rust
162
star
25

islazy

A Go library containing a set of opinionated packages, objects, helpers and functions implemented with the KISS principle in mind.
Go
153
star
26

gitstats

Git Repository Analyzer.
Go
145
star
27

gibson

A high performance tree-based cache server.
C
136
star
28

androswat

tool to inspect, dump, modify, search and inject libraries into Android processes.
C++
121
star
29

pdusms

PoC app for raw pdu manipulation on Android.
Java
119
star
30

veryfied

Mark pre-Musk era Twitter actually verified accounts.
JavaScript
113
star
31

ebpf-process-anomaly-detection

Process behaviour anomaly detection using eBPF and unsupervised-learning Autoencoders
Python
108
star
32

pwngrid

(โŒโ– _โ– ) - API server for pwnagotchi.ai
Go
100
star
33

coffee

Smarter Coffee terminal client.
Python
97
star
34

joe

The Swiss Army knife for backend engineers.
Go
90
star
35

sum

A specialized database server for linear algebra and machine learning.
Go
87
star
36

www.pwnagotchi.ai

(โŒโ– _โ– ) - pwnagotchi.ai
CSS
84
star
37

nikeplus-fuelband-se-reversed

A a proof of concept application that uses BLE api and the Nike+ FuelBand SE protocol to communicate with Nike BLE devices.
Java
82
star
38

takuan

Takuan is a system service that parses logs and detects noisy attackers in order to build a blacklist database of known cyber offenders.
Go
82
star
39

ftrace

Go library to trace Linux syscalls using the FTRACE kernel framework.
Go
76
star
40

openbank

OpenBank - Your BTC realtime tracker.
PHP
68
star
41

fang

A multi service threaded MD5 cracker
Python
66
star
42

dotfiles

My zsh, bash and vim dot files
Shell
66
star
43

libpe

A C/C++ library to parse Windows portable executables written with speed and stability in mind.
C
64
star
44

brutemachine

A Go library which main purpose is giving an interface to loop over a dictionary and use those words/lines as input for some custom logic such as HTTP file bruteforcing, DNS bruteforcing, etc.
Go
53
star
45

fido

Fido is a minimalistic, IDE and language agnostic project generator supporting various toolchains and build systems.
Python
52
star
46

mpcfw

Reverse engineering of Apple MultipeerConnectivity Framework
Python
51
star
47

quijote

Quijote is an highly configurable HTTP middleware for API security.
Go
48
star
48

altair

A Modular Web Vulnerability Scanner
Python
47
star
49

mcaptcha_bypass

PoC to bypass mCaptcha and its rate limiting capabilities from a fully automated bot.
Rust
47
star
50

ergo-planes-detector

๐Ÿง โœˆ๏ธ An ergo based project that relies on a convolutional neural network to detect airplanes from satellite imagery.
Python
44
star
51

stork

A small utility that aims to automate and simplify some tasks related to software release cycles.
Go
43
star
52

SafeInCloud

This repository contains a class to decrypt SafeInCloud (https://www.safe-in-cloud.com/) database files and a couple of command line utilities.
Python
41
star
53

pycryptocat

pyCryptoCat - A CryptoCat standalone python client.
JavaScript
36
star
54

unisbom

UniSBOM is a tool to build a software bill of materials on any platform with a unified data format.
Rust
34
star
55

dunmer

An ELF parasite command injector.
C
31
star
56

evilsocket.github.io

evilsocket.github.io files
HTML
28
star
57

dsploit-arpspoof

The dSploit arpspoof module.
C
27
star
58

octoghost

A python script to process Octopress markdown files and write a JSON file ready to import into Ghost.
Python
27
star
59

backup

Backup scripts I use on my drives.
Shell
26
star
60

SoftWire

SoftWire is a class library written in object-oriented C++ for compiling assembly code. It can be used in projects to generate x86 machine code at run-time as an alternative to self-modifying code. Scripting languages might also benefit by using SoftWire as a JIT-compiler back-end. It also allows to eliminate jumps for variables which are temporarily constant during run-time, like for efficient graphics processing by constructing an optimised pipeline. Because of its possibility for 'instruction rewiring' by run-time conditional compilation, I named it "SoftWire". It is targeted only at developers with a good knowledge of C++ and x86 assembly. Project originally by Nicolas Capens, new implementation by Simone Margaritelli aka evilsocket
C++
25
star
61

SWG

Static Website Generator
Python
23
star
62

hybris

Hybris scripting language interpreter engine and standard library modules.
C++
23
star
63

rubertooth

A complete Ruby porting of the ubertooth libraries and utilities.
Ruby
23
star
64

BioIdentify

BioIdentify is a command line tool for fingerprints feature extraction, 1on1 match and 1onN match .
C++
21
star
65

emoticode

This is the code repository for v2.0 of http://www.emoticode.net/
Ruby
21
star
66

gobench

A simple bash script that does its best to automate and visualize differential benchmarking for Go projects.
Shell
21
star
67

eve

(โ—โ€ข๏นโ€ข) - Hi, I'm Eve
Python
21
star
68

clang-ebpf-builder

A Rust crate that simplifies the integration of Rust and eBPF programs written in C.
C
20
star
69

hackrfpp

HackRF C++ playground plus basic demodulation.
C++
20
star
70

wax

Wax is a mediocre fuzzer I'm prototyping to test some ideas and get rid of others.
Go
19
star
71

pineproxy

A ruby self contained, low resource consuming HTTP transparent proxy designed for the WiFi Pineapple MKV.
Ruby
16
star
72

pwngrid-queries-joe

PwnGRID queries for Joe
Go
15
star
73

octofairy

A machine learning based GitHub bot for Issues.
Python
15
star
74

webmon

A webpage monitor bot, currently used to monitor Twitter ToS.
Python
13
star
75

arc-android-wrapper

An Android wrapper for Arc
Java
13
star
76

twitter-num-followers-bot

A bot that'll monitor the number of followers of its followers and tweet when the counter gets to interesting values.
Go
13
star
77

update.dsploit.net

The code repository for the dSploit project update server.
Ruby
13
star
78

Eigetron

Face recognition program that uses Eigen faces with a fast Jacobi eigen decomposition
C++
13
star
79

Pynject

Pynject - An automatic MySQL injector and data dumper tool.
Python
13
star
80

keras-goodreads

book rating system using LSTM and Goodreads
Python
12
star
81

MSP

Multidimensional Space Processing Library
C++
11
star
82

phpgibson

The phpgibson extension provides an API for communicating with the Gibson cache server.
C
10
star
83

llama3-cake

Distributed LLama3 inference.
Rust
10
star
84

mmdb2json

A script to dump a MMDB ( MaxMind ) binary database to JSON.
Python
9
star
85

backupbox

Sup biatch?
Python
9
star
86

Kerby_Surveillance

Kerby - Light weight video surveillance system.
C++
9
star
87

charon

A Ruby library to query the Zen service on SpamHaus.org
Ruby
6
star
88

evilsocket

about me
6
star
89

42

.
5
star
90

sumphp

PHP client interface to the Sum linear algebra database.
PHP
5
star
91

gauntlet-nginx

Gauntlet IPS nginx module
C
5
star
92

libgibsonclient

Gibson cache server native client library.
C
5
star
93

dsploit-thomson

Assembly
5
star
94

rpi-l298n-motor-driver

Those are experimental scripts to be used with a Raspberry Pi, a L298N chip and two motors.
Python
5
star
95

codeforces

Solutions for the codeforces.com problemset section exercises.
C
5
star
96

caspermod

A modified version of the Casper theme for Ghost blog platform.
CSS
4
star
97

takuan-reports

4
star
98

TED

TED (acronym for neTwork Event Daemon) is a GNU/Linux daemon that will inform you upon new inbound connections, when an host on your network is alive or not, and so on .
C++
4
star
99

sumpy

Python client interface to the Sum linear algebra database.
Python
4
star
100

tman

A small utility to inspect and validate safetensors and ONNX files.
Rust
4
star