{"id":14037003,"url":"https://github.com/secretsquirrel/BDFProxy","last_synced_at":"2025-07-27T04:33:33.111Z","repository":{"id":17031426,"uuid":"19795586","full_name":"secretsquirrel/BDFProxy","owner":"secretsquirrel","description":"Patch Binaries via MITM: BackdoorFactory + mitmProxy.  ","archived":false,"fork":false,"pushed_at":"2021-07-31T01:29:09.000Z","size":182,"stargazers_count":992,"open_issues_count":0,"forks_count":203,"subscribers_count":79,"default_branch":"master","last_synced_at":"2024-11-22T01:29:01.104Z","etag":null,"topics":["bdf","bdfproxy","mitm","mitm-attacks","mitmproxy","python"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":false,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/secretsquirrel.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null},"funding":{"github":["secretsquirrel"]}},"created_at":"2014-05-14T20:44:55.000Z","updated_at":"2024-11-14T05:15:28.000Z","dependencies_parsed_at":"2022-08-31T00:51:25.726Z","dependency_job_id":null,"html_url":"https://github.com/secretsquirrel/BDFProxy","commit_stats":null,"previous_names":[],"tags_count":11,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/secretsquirrel%2FBDFProxy","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/secretsquirrel%2FBDFProxy/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/secretsquirrel%2FBDFProxy/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/secretsquirrel%2FBDFProxy/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/secretsquirrel","downlo
ad_url":"https://codeload.github.com/secretsquirrel/BDFProxy/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":227762386,"owners_count":17816019,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bdf","bdfproxy","mitm","mitm-attacks","mitmproxy","python"],"created_at":"2024-08-12T03:02:23.964Z","updated_at":"2024-12-02T16:31:28.416Z","avatar_url":"https://github.com/secretsquirrel.png","language":"Python","readme":"\n## New version of BDFProxy is out! Only to sponsors! Get access here: https://github.com/sponsors/secretsquirrel\n\nBLOG: http://secureallthethings.blogspot.com/2017/08/closing-door-end-of-backdoor-factory.html \n\n# The Backdoor Factory Proxy (BDFProxy) v0.3.8\n\nFor security professionals and researchers only.\n\n[![Join the chat at https://gitter.im/secretsquirrel/BDFProxy](https://badges.gitter.im/secretsquirrel/BDFProxy.svg)](https://gitter.im/secretsquirrel/BDFProxy?utm_source=badge\u0026utm_medium=badge\u0026utm_campaign=pr-badge\u0026utm_content=badge)  [![Black Hat Arsenal](https://www.toolswatch.org/badges/arsenal/2015.svg)](https://www.blackhat.com/us-15/arsenal.html)\n\n\n###NOW ONLY WORKS WITH v.0.17 \u003e= MITMPROXY \u003e= v.0.11 \n\nDocker:\n```\n # sudo echo 1 \u003e /proc/sys/net/ipv4/ip_forward  # linux\n # sudo sysctl -w net.inet.ip.forwarding=1 # macOS\n docker pull secretsquirrel/bdfproxy\n docker run -it -p 8080:8080 secretsquirrel/bdfproxy bash\n # ./bdf_proxy.py\n```\n\nTo install on Kali:\n\n```\napt-get update\napt-get install bdfproxy\n```\n\nBlack Hat USA 2015:\n\n    
Video: https://www.youtube.com/watch?v=OuyLzkG16Uk\n    \n    Paper: https://www.blackhat.com/docs/us-15/materials/us-15-Pitts-Repurposing-OnionDuke-A-Single-Case-Study-Around-Reusing-Nation-State-Malware-wp.pdf\n\n\nDerbyCon 2014: \n\n    Video: http://www.youtube.com/watch?v=LjUN9MACaTs\n\n\nThe BDFProxy portion starts about 18 minutes in.\n\nContact the developer on:\n\t\n\tIRC:\n \tirc.freenode.net #BDFactory \n\n \tTwitter:\n \t@midnite_runr\n\nThis script relies on two libraries:\nThe Backdoor Factory (BDF) and mitmProxy.\n\n###Concept:\nPatch binaries during download via MITM.\n\n###Why:\nBecause a lot of security tool websites still serve binaries over non-SSL/TLS connections.\n\nHere's a short list:\n\n\t\tsysinternals.com\n\t\tMicrosoft - MS Security Essentials\n\t\tAlmost all anti-virus companies\n\t\tMalwarebytes\n\t\tSourceforge\n\t\tgpg4win\n\t\tWireshark\n\t\tetc...\n\nYes, some of those apps are protected by self-checking mechanisms.  I've been working on a way to automatically bypass NSIS checks as a proof of concept.  However, that does not stop the initial issue of bit flipping during download and the execution of a malicious payload. Also, BDF by default will patch out the Windows PE certificate table pointer during download, thereby removing the signature from the binary.\n\n---\n\n##Depends:\n\n\tPefile - most recent\n\tConfigObj  \n\tmitmProxy - Kali Build .10\n\tBDF - most current\n\tCapstone (part of BDF)\n\n---\n##Supported Environment:\nTested on all Kali Linux builds; whether on a beefy physical laptop, a Raspberry Pi, or a VM, each can run BDFProxy. 
\n\n\n##Install:\nBDF is in bdf/ \n\nRun the following to pull down the most recent:\n\n\t./install.sh\n\nOR:\n\n\tgit clone https://github.com/secretsquirrel/the-backdoor-factory bdf/\n\n\nIf you get a certificate error, run the following:\n\n\tmitmproxy\n\nAnd exit [Ctrl+C] after mitmProxy loads.\n\n\n##Usage:\nUpdate everything before each use:\n\n\t./update.sh\n\nREAD THE CONFIG!!!\n\n\t\t--\u003ebdfproxy.cfg\n\nYou will need to configure your C2 host and port settings before running BDFProxy. DO NOT overlap C2 PORT settings between different payloads. You'll be sending Linux shells to Windows machines and things will be segfaulting all over the place. After running, a Metasploit resource script will be created to help with setting up your C2 communications. Check it carefully. By the way, everything outside the [Overall] section updates on the fly, so you don't have to kill your proxy to change settings to work with your environment.\n\nBut wait!  You will need to configure your MITM machine for MITM-ing!  If you are using a wifiPineapple, I modded a script put out by Hak5 to help you with configuration. Run ./wpBDF.sh and enter the correct configs for your environment.  This script configures iptables to push only HTTP (non-SSL) traffic through the proxy.  All other traffic is forwarded normally.\n\nThen:\n\n\t./bdf_proxy.py\n\n\nHere's some sweet ASCII art for possible physical placements of the proxy:\n\nLAN usage:\n\n\t\t\u003cInternet\u003e----\u003cmitmMachine\u003e----\u003cuserLan\u003e\n\nWiFi usage:\n\n\t\t\u003cInternet\u003e----\u003cmitmMachine\u003e----\u003cwifiPineapple\u003e)))\n\n\n##Testing:\n\n\tSuppose you want to test your setup by connecting through your browser, using Firefox and FoxyProxy.\n\n\t\tUpdate your config as follows:\n\t\ttransparentProxy = None\n\n\t\tConfigure FoxyProxy to use BDFProxy as a proxy.\n\t\tDefault port in the config is 8080.\n\n\n\n##Logging: \nWe have it.  
The proxy window will quickly fill with massive amounts of cat links depending on the client you are testing.  Use `tail -f proxy.log` to see what is getting patched and blocked by your blacklist settings.  However, keep an eye on the main proxy window if you have chosen to patch binaries manually: things move fast, and behind the scenes traffic is multi-threaded, but the initial requests and responses are locking for your viewing pleasure.\n\n##Attack Scenarios (all with permission of targets):\n\t-Evil WiFi AP\n\t-ARP Redirection\n\t-Physical plant in a wiring closet\n\t-Logical plant at your favorite ISP\n\n\n##Bug Reporting\n\nBugs happen, but if I can't understand your issue, I can't help you.\n\nSubmit issues here: https://github.com/secretsquirrel/BDFProxy/issues\n\nInclude the following information from the output of these commands (use pastebin for the longer commands):\n\n```\n# bdfproxy only supports v11 -\u003e v17\n$ mitmproxy --version\n\n$ uname -a\n\n# Use pastebin perhaps\n$ cat bdfproxy.cfg \n$ ./bdf_proxy.py\n\n```\n\n\n###Change Log:\n\n####07/04/2016\n\nSupport for BDF Preprocessor and mitmProxy v17\n\n####12/20/2015\n\nAdded configuration options in bdfproxy.cfg to support PE code signing from BDF =\u003e CODE_SIGN\nSee BDF README for details\n\n\n####11/13/2015\n\nRemoved the python-magic dependency because two different libraries share that name, which is confusing.\n\n\n####10/19/2015\n\nAdd support for BDF Import Directory Patching into a code cave instead of a new section.  Update IDA_IN_CAVE to True in the bdfproxy.cfg file for this.  EXPERIMENTAL...\n\n\n####8/12/2015\n\nAdded support for the PE replace method, which replaces the downloaded binary with an attacker-supplied one. To use it, change PATCH_METHOD to replace and provide a SUPPLIED_BINARY.\n\n\n####8/6/2015\n\nAdded support for onionduke. 
To use it, change PATCH_METHOD to onionduke and SUPPLIED_BINARY to the binary that you wish to bind to the target executable.\n\nAdded support for checking and patching the requestedExecutionLevel in the PE manifest to highestAvailable for both x86 and x86_64 PE binaries. Set RUNAS_ADMIN to True.\n\nAdded the XP_MODE flag; set it to True to support legacy XP machines.  Setting it to False can help evade AVs, as their emulators may fail.\n\n\n","funding_links":["https://github.com/sponsors/secretsquirrel"],"categories":["Python"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsecretsquirrel%2FBDFProxy","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsecretsquirrel%2FBDFProxy","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsecretsquirrel%2FBDFProxy/lists"}