GitHub - Cisco-Talos/Decept: Decept Network Protocol Proxy
source link: https://github.com/Cisco-Talos/Decept
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
Decept Proxy
Yay, another network proxy. What makes this any different from any others?
-
Created with portability in mind, it only uses as standard python libraries, so you can drop it on a box and not worry, as long as python 2 is there.
-
Supports SSL endpoirnts, IPV6, Unix Sockets, Abstract Namespace sockets, L3 protocols/captures and also L2 bridging and passive modes.
-
Any traffic that passes through Decept.py can be dumped into a .fuzzer file format that is suitable for fuzzing with the Mutiny Fuzzing Framework.
-
SSH proxying/sniffing/filtering with lil_sshniffer.py and lil_netkit.py
-
HTTP/HTTPS multiplexing. Examine hosts.conf for more information.
-
Based off of the tcp proxy.py from Black Hat Python by Justin Seitz
[<_<] Decept proxy/sniffer [>_>]
usage: decept.py <local_host> <local_port> <remote_host> <remote_port> [OPTIONS]
optional arguments:
-h, --help show this help message and exit
--quiet Don't show hexdumps
--recv_first Receive stuff first?
--timeout TIMEOUT Timeout for outbound socket
--loglast LOGLAST Log the last packet (unimplimented)
--fuzzer FUZZFILE *.fuzzer output for mutiny (extensions required)
--dumpraw DUMPDIR Directory to dump raw packet files into
(fmt = %d-%s % (pkt_num,[inbound|outbound]))
--max-packet-len LEN Max amount of data per packet when sending data
--dont_kill For when you don't want the connection to die if
neither side sends packets for TIMEOUT seconds.
Use with --expect if you still need the session
to end though.
--expect RESPCOUNT Useful with --dont_kill. Wait for RESPCOUNT
responses from the remote server, and then kill
the connection. Good for fuzzing campaigns.
-l, {ssl,udp,tcp}|[L3 Proto] Local endpoint type
-r, {ssl,udp,tcp}|[L3 Proto] Remote endpoint type
--rbind_addr IPADDR IP address to use for remote side. Make sure that
you have the IP somewhere on an interface though.
--rbind_port PORT PORT to bind to for remote side.
SSL Options:
--lcert SSL_PEM_CERT Cert to use for accepting local SSL
(Optionally cert and key in one file)
--lkey SSL_PEM_KEY Private key for local cert
--rcert SSL_PEM_CERT Cert to use for connecting to remote SSL
(Optionally cert and key in one file)
--rkey SSL_PEM_KEY Private key for remote cert
--rverify HOSTNAME Verify remote side as host HOSTNAME before
connecting.
Hook Files:
Optional function definitions for processing data between inbound
and outbound endpoints. Can pass data between the hooks/proxy with
the userdata parameters. Look at `hooks` folder for some examples/
prebuilt useful things.
--hookfile <file> | Functions imported from file:
string outbound_hook(outbound,userdata=[]):
string inbound_hook(outbound,userdata=[]):
Tap Mode (--tap):
Decept will replicate any inbound/outbound traffic over localhost now
also, such that you can view traffic that has been decrypted or processed
by the inbound/outbound hooks in something more legit than the hexdump
function. (e.g. tcpdump/wireshark/tshark/etc)
Host Config File:
Optionally, instead of specifying a remote host, if you specify a valid
filename, you can multiplex HTTP/HTTPS connections to different URLs.
Please examine the example "hosts.conf" for more information.
------------------------------------------------------------------------
L2 usage: decept.py <local_int> <local_mac> <remote_int> <remote_mac>
L2 options:
--l2_filter MACADDR Ignore inbound traffic except from MACADDR
--l2_MTU MTU Set Maximum Transmision Unit for socket
--l2_forward Bridge the local interface and remote interface
--pcap PCAPDIR Directory to store pcaps
--pps Create a new pcap for each session
--snaplen SNAPLEN Length of packet truncation
--pcap_interface IFACE Specify which interface the packets will be
coming in on. "eth0" by default.
L4 Usage: decept.py 127.0.0.1 9999 10.0.0.1 8080
L3 Usage: decept.py 127.0.0.1 0 10.0.0.1 0 -l icmp -r icmp
L2 Usage: decept.py lo 00:00:00:00:00:00 eth0 ff:aa:cc:ee:dd:00
Unix: decept.py localsocketname 0 remotesocketname 0
Abstract: decept.py \\x00localsocketname 0 \\x00remotesocketname 0
Arp Poisoning options:
--poison <config-file> Contains "mac1|mac2|ip1|ip2" to poison.
--poison_int <interface> Interface on which to poison (eth0 default)
lil_sshniffer.py
Main lil_sshniffer uses:
-
SSH MITM: With the '--sniff' flag, lil_sshniffer will accept an SSH connection on the Localhost/local port specified and then try to connect to the given RHOST/RPORT with the credentials provided. All traffic is logged and can be filtered/acted upon before traversing all the way through with the '--filter' flag (lil_netkit.py for more info).
-
Fuzzing an SSH wrapped service: Without the '-s' flag, lil_sshniffer will take a connection and wrap in in whatever type of SSH connection you want. (--subsystem/--pty/--interactive/ --pty)
[^.^] lil_sshniffer.py [^.^] ~For all your sshniffing needs~
usage: lil_sshniffer.py rhost
[-h] [--lhost LHOST] [--lport LPORT] [--rport RPORT]
[-d] [-l] [-P] [-s] [-k SPOOF_KEY] [-r] [-a AUTH_KEY]
[-u USERNAME] [-p PASSWORD] [-t TIMEOUT]
[--subsystem SUBSYSTEM | --execute EXECUTE | --interactive]
[-f] [-?] [-j]
positional arguments:
rhost Remote address to connect to
optional arguments:
-h, --help show this help message and exit
--lhost LHOST Local address to bind to
--lport LPORT Local port to bind to
--rport RPORT Remote port to connect to
-d, --debug Extra output
-l, --logging Enable/disable logging
-P, --pty Allocate a pty also
-s, --sniff Create an inbound and outbound SSH Server
-k SPOOF_KEY, --spoof_key SPOOF_KEY
RSA key to use for spoofing
-r, --retry Do the retry hack >_<
-a AUTH_KEY, --auth_key AUTH_KEY
Key for authenticating outbound
-u USERNAME, --username USERNAME
Username for outbound connection (leave blank for
prompt)
-p PASSWORD, --password PASSWORD
Password for outbound connection (leave blank for
prompt)
-t TIMEOUT, --timeout TIMEOUT
Timeout for sockets
--subsystem SUBSYSTEM, -S SUBSYSTEM
Execute the given subsystem (scp/sftp/ssh/netconf/etc)
--execute EXECUTE, -e EXECUTE
Execute a single command
--interactive, -i Requests a shell w/pty (default)
-f, --filtering Filter input and output w/lil_netkit
-?, --cisco For when you're filtering on a connection with a Cisco
CLI device
-j, --hijack Hijack ssh session after target quits
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK