{"id":13508456,"url":"https://github.com/nccgroup/phantap","last_synced_at":"2025-04-04T11:16:34.674Z","repository":{"id":47549319,"uuid":"196080613","full_name":"nccgroup/phantap","owner":"nccgroup","description":"Phantom Tap (PhanTap) - an ‘invisible’ network tap aimed at red teams","archived":false,"fork":false,"pushed_at":"2024-06-02T12:03:23.000Z","size":103,"stargazers_count":598,"open_issues_count":6,"forks_count":81,"subscribers_count":24,"default_branch":"master","last_synced_at":"2025-03-28T10:10:05.661Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/nccgroup.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-07-09T20:40:33.000Z","updated_at":"2025-03-17T08:01:37.000Z","dependencies_parsed_at":"2024-11-01T08:30:38.176Z","dependency_job_id":"c01bcdb6-cdb0-48ac-ba9b-5bd27be17c2b","html_url":"https://github.com/nccgroup/phantap","commit_stats":null,"previous_names":[],"tags_count":10,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nccgroup%2Fphantap","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nccgroup%2Fphantap/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nccgroup%2Fphantap/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nccgroup%2Fphantap/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/nccgroup","download_url":"https://codeload.github.com/n
ccgroup/phantap/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247166169,"owners_count":20894654,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-01T02:00:53.275Z","updated_at":"2025-04-04T11:16:34.641Z","avatar_url":"https://github.com/nccgroup.png","language":"C","readme":"# PhanTap (Phantom Tap)\n\n![PhanTap Logo](/img/phantap.png)\n\nPhanTap is an ‘invisible’ network tap aimed at red teams. With limited physical access to a target building, the tap is installed inline between a network device (the victim) and the corporate network. PhanTap is silent on the network and does not affect the victim’s traffic, even on networks with NAC (802.1X-2004 Network Access Control).\nPhanTap analyzes traffic on the network and masquerades its own traffic as the victim device.\nIt can bring up a tunnel back to a remote server, giving the operator a foothold in the network for further analysis and pivoting.\nPhanTap is an OpenWrt package and should be compatible with any device. 
The physical device used for our testing is currently a small, inexpensive router, the [GL.iNet GL-AR150](https://www.gl-inet.com/products/gl-ar150/).\nA detailed blog post describing PhanTap is available [here](https://research.nccgroup.com/2019/09/30/phantap-phantom-tap-making-networks-spookier-one-packet-at-a-time/).\n\n## Features\n\n* Transparent network bridge.\n* Silent: the tap itself emits no ARP, multicast or broadcast traffic.\n* 802.1X passthrough: the victim's EAPOL authentication frames are forwarded unchanged, so the NAC still sees the victim authenticate.\n* Automatic configuration:\n    * watches for traffic entering the network (source IP outside RFC 1918 space, destination IP inside it): the destination IP and MAC identify the victim, the source MAC identifies the gateway,\n    * SNATs traffic leaving the bridge (the tap's own traffic) to the victim's IP and MAC address,\n    * sets the router's default gateway to the MAC of the gateway detected in the previous step.\n* Inspects ARP, multicast and broadcast traffic: for every host seen, adds a host route to its IP address and its MAC address to the neighbour table, so the tap can talk to any machine on the local network.\n* Learns the DNS server from traffic and sets the router's resolver to the same address, so the tap's own lookups blend in with the victim's.\n* Inspects DHCP packets and reconfigures itself when the victim's lease changes.\n* Can run commands (e.g. `/etc/init.d/openvpn restart`) whenever a new IP or DNS server is configured.\n* Lets you choose any VPN software, for example OpenVPN on TCP port 443, which most egress firewalls allow.\n* You can talk to the victim machine by addressing the gateway IP.\n\n## Setup\n\nPhanTap has been tested with the GL.iNet GL-AR150. This device has two separate network interfaces in OpenWrt (eth0, eth1).\nIf your device uses an internal switch (swconfig-based) with interfaces like eth0.1, eth0.2, some special traffic might be blocked, e.g. 
802.1Q (tagged VLAN), but PhanTap should work.\n\n* Install a snapshot build; for the GL.iNet GL-AR150 use [this image](https://downloads.openwrt.org/snapshots/targets/ath79/generic/openwrt-ath79-generic-glinet_gl-ar150-squashfs-sysupgrade.bin).\n* Update the OpenWrt package list:\n```\nopkg update\n```\n* Install the PhanTap package:\n```\nopkg install phantap\n```\n* Configure the Wi-Fi and administer the router through it from now on: the next steps take both Ethernet ports away from the LAN, so Wi-Fi is the only management path left.\n* Either reboot the device or run `/etc/init.d/phantap setup`.\n* List the interface names on the device:\n```\n# uci show network | grep -E 'device=|ports='\nnetwork.loopback.device='lo'\nnetwork.@device[0].ports='eth0'\nnetwork.lan.device='br-lan'\nnetwork.wan.device='eth1'\nnetwork.wan6.device='eth1'\nnetwork.phantap.device='br-phantap'\n```\nIn this example we are using a GL-AR150, which only has two Ethernet interfaces (eth0 in the lan bridge device, eth1 on wan/wan6).\n\n* Remove the interfaces from any network that currently uses them. On the GL-AR150:\n```\nuci delete network.@device[0].ports\nuci delete network.wan.device\nuci delete network.wan6.device\n```\n* Add both interfaces to the phantap bridge and reload the network service. On the GL-AR150:\n```\nuci add_list network.br_phantap.ports='eth0'\nuci add_list network.br_phantap.ports='eth1'\nuci commit network\n/etc/init.d/network reload\n```\n* PhanTap is now configured: as soon as it is plugged in between a victim and its switch, it configures itself automatically and gets Internet access as the victim.\n\n* Add your favourite VPN to get a remote connection back. We have tested PhanTap with [OpenVPN](https://openvpn.net/community-resources/how-to/) on TCP port 443, which avoids some detection methods.\n* You can also add a command to be run when a new IP or DNS server is configured, in /etc/config/phantap, e.g. 
/etc/init.d/openvpn restart (restarts the OpenVPN service so it reconnects from the new address).\n* You can also look at disabling the Wi-Fi by default and using a hardware button to start it (https://openwrt.org/docs/guide-user/hardware/hardware.button), so the tap is not advertising a Wi-Fi network while deployed.\n\n## Limitations, or how it can be detected\n\n* The GL.iNet GL-AR150 and most inexpensive devices only have 100 Mbps ports, while the link they are spliced into is typically 1 Gbps: the victim's link renegotiates down to 100 Mbps, which is visible from the switch side.\n* The switch-side port stays up when the victim device is disconnected or shut down, because the tap keeps that link alive.\n* Some link-local traffic is not forwarded by the Linux bridge (STP BPDUs, pause frames, LACP).\n* OpenWrt failsafe mode sends IPv4 and IPv6 packets as described in the documentation: https://openwrt.org/docs/guide-user/troubleshooting/failsafe_and_factory_reset. This happens during early boot and can get the device detected. There is no easy way to disable it at runtime, as this configuration lives in U-Boot. The U-Boot partition is mounted read-only and its configuration can only be accessed and modified from the U-Boot shell (via UART on the GL-AR150, for example). The simpler solution is to build OpenWrt yourself with the TARGET_PREINIT_DISABLE_FAILSAFE option enabled.\n\n## Roadmap\n\n* Add logic to restart the detection when the links go up/down.\n* Add IPv6 support.\n* Test limitations of devices that have switches (swconfig) instead of separate interfaces.\n","funding_links":[],"categories":["Newly added","Tools","others","C","Pentesting"],"sub_categories":["Newly added","RedTeam","Red Team"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnccgroup%2Fphantap","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnccgroup%2Fphantap","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnccgroup%2Fphantap/lists"}
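The learning heuristic the README describes under "Automatic configuration" and in the ARP/broadcast and DNS introspection bullets, as an added example that is not PhanTap's own code: it runs over a constructed capture, derives the victim (destination of the first frame entering the network from a non-RFC 1918 source), the gateway (source MAC of that frame), the resolver (the victim's UDP/53 destination) and the neighbour table (ARP and broadcast senders), then renders the reconfiguration as plain iptables/ebtables/ip/uci commands. The Frame layout, the sample frames, every MAC and IP value and the command shapes are this example's assumptions; the package's real rules differ.

```python
"""Learning heuristic from PhanTap's README ('Automatic configuration', ARP/DNS
introspection), re-implemented here as an illustration. Not the package's own
code: the Frame layout, the sample capture and the command shapes are assumed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


def is_rfc1918(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in RFC1918)


@dataclass(frozen=True)
class Frame:
    """Decoded fields of one frame seen on the bridge (assumed layout)."""
    src_mac: str
    dst_mac: str
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    proto: Optional[str] = None  # "arp", "udp" or "tcp"
    dport: Optional[int] = None


@dataclass
class Learned:
    victim_ip: Optional[str] = None
    victim_mac: Optional[str] = None
    gateway_mac: Optional[str] = None
    gateway_ip: Optional[str] = None
    dns_ip: Optional[str] = None
    neighbours: Dict[str, str] = field(default_factory=dict)  # ip -> mac


def learn(frames: List[Frame]) -> Learned:
    st = Learned()
    # Pass 1: the first frame entering the network (non-RFC 1918 source,
    # RFC 1918 destination) names the victim (dst IP/MAC) and the gateway
    # (src MAC). Traffic between private ranges never triggers this, so a
    # victim that only talks to internal hosts is not learned.
    for f in frames:
        if f.src_ip and f.dst_ip and not is_rfc1918(f.src_ip) and is_rfc1918(f.dst_ip):
            st.victim_ip, st.victim_mac, st.gateway_mac = f.dst_ip, f.dst_mac, f.src_mac
            break
    # Pass 2: ARP and broadcast senders populate the neighbour table; the
    # gateway's IP is whichever of them carries the gateway MAC; the victim's
    # UDP/53 destination is the resolver to copy.
    for f in frames:
        if (f.proto == "arp" or f.dst_mac == BROADCAST_MAC) and f.src_ip and is_rfc1918(f.src_ip):
            st.neighbours[f.src_ip] = f.src_mac
            if f.src_mac == st.gateway_mac:
                st.gateway_ip = f.src_ip
        if st.victim_ip and f.src_ip == st.victim_ip and f.proto == "udp" and f.dport == 53:
            st.dns_ip = f.dst_ip
    return st


def commands(st: Learned, bridge: str = "br-phantap") -> List[str]:
    """Reconfiguration the tap would apply (command shapes are assumptions)."""
    if st.victim_ip is None:
        return []  # nothing inbound seen yet: stay passive, change nothing
    cmds = [
        f"iptables -t nat -A POSTROUTING -o {bridge} -j SNAT --to-source {st.victim_ip}",
        f"ebtables -t nat -A POSTROUTING -o {bridge} -j snat --to-source {st.victim_mac}",
    ]
    for ip, mac in st.neighbours.items():
        cmds.append(f"ip neigh replace {ip} lladdr {mac} dev {bridge} nud permanent")
        cmds.append(f"ip route replace {ip}/32 dev {bridge}")
    if st.gateway_ip:
        cmds.append(f"ip route replace default via {st.gateway_ip} dev {bridge}")
    if st.dns_ip:
        cmds.append(f"uci add_list dhcp.@dnsmasq[0].server='{st.dns_ip}'")
    return cmds


# Constructed capture (not real traffic): victim aa:..:01 at 192.168.1.20,
# gateway aa:..:fe at 192.168.1.1, resolver 10.0.0.53, a neighbour at .66.
V, GW, NB = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:fe", "aa:bb:cc:00:00:42"
SAMPLE_FRAMES = [
    Frame(V, BROADCAST_MAC, "192.168.1.20", "192.168.1.1", "arp"),         # who-has gateway
    Frame(GW, V, "192.168.1.1", "192.168.1.20", "arp"),                    # gateway replies
    Frame(V, GW, "192.168.1.20", "10.0.0.53", "udp", 53),                  # DNS query
    Frame(GW, V, "10.0.0.53", "192.168.1.20", "udp", 51000),               # DNS reply: private src, not 'inbound'
    Frame(GW, V, "93.184.216.34", "192.168.1.20", "tcp", 51234),           # inbound from the Internet
    Frame(NB, BROADCAST_MAC, "192.168.1.66", "192.168.1.255", "udp", 137),  # NetBIOS broadcast
]

if __name__ == "__main__":
    for c in commands(learn(SAMPLE_FRAMES)):
        print(c)
```

Running the script prints the command list for the constructed capture. The empty result from `commands()` when no inbound frame has been seen is deliberate: until a public-source packet identifies the victim, the tap has nothing safe to impersonate and must keep forwarding silently rather than guess.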