Ecosyste.ms: Awesome

Decept Network Protocol Proxy
https://github.com/Cisco-Talos/Decept

Topics: filter, network-proxy, traffic

# Decept Proxy

Yay, another network proxy. What makes this any different from any others?

* Created with portability in mind, it uses only standard Python libraries,
so you can drop it on a box and not worry, as long as Python 2 is there.

* Supports SSL endpoints, IPv6, Unix sockets, abstract namespace sockets,
L3 protocols/captures, and also L2 bridging and passive modes.

* Any traffic that passes through Decept.py can be dumped into a .fuzzer file
format that is suitable for fuzzing with the Mutiny Fuzzing Framework.

* SSH proxying/sniffing/filtering with lil_sshniffer.py and lil_netkit.py

* HTTP/HTTPS multiplexing. Examine hosts.conf for more information.

* Based on the TCP proxy.py from Black Hat Python by Justin Seitz

```
[<_<] Decept proxy/sniffer [>_>]

usage: decept.py [OPTIONS]

optional arguments:
  -h, --help            show this help message and exit
  --quiet               Don't show hexdumps
  --recv_first          Receive stuff first?
  --timeout TIMEOUT     Timeout for outbound socket
  --loglast LOGLAST     Log the last packet (unimplemented)
  --fuzzer FUZZFILE     *.fuzzer output for mutiny (extensions required)
  --dumpraw DUMPDIR     Directory to dump raw packet files into
                        (fmt = %d-%s % (pkt_num,[inbound|outbound]))
  --max-packet-len LEN  Max amount of data per packet when sending data
  --dont_kill           For when you don't want the connection to die if
                        neither side sends packets for TIMEOUT seconds.
                        Use with --expect if you still need the session
                        to end though.
  --expect RESPCOUNT    Useful with --dont_kill. Wait for RESPCOUNT
                        responses from the remote server, and then kill
                        the connection. Good for fuzzing campaigns.

  -l, {ssl,udp,tcp}|[L3 Proto]  Local endpoint type
  -r, {ssl,udp,tcp}|[L3 Proto]  Remote endpoint type

  --rbind_addr IPADDR   IP address to use for remote side. Make sure that
                        you have the IP somewhere on an interface though.
  --rbind_port PORT     PORT to bind to for remote side.

SSL Options:
  --lcert SSL_PEM_CERT  Cert to use for accepting local SSL
                        (Optionally cert and key in one file)
  --lkey SSL_PEM_KEY    Private key for local cert
  --rcert SSL_PEM_CERT  Cert to use for connecting to remote SSL
                        (Optionally cert and key in one file)
  --rkey SSL_PEM_KEY    Private key for remote cert
  --rverify HOSTNAME    Verify remote side as host HOSTNAME before
                        connecting.

Hook Files:
  Optional function definitions for processing data between inbound
  and outbound endpoints. Can pass data between the hooks/proxy with
  the userdata parameters. Look at `hooks` folder for some examples/
  prebuilt useful things.

  --hookfile | Functions imported from file:
      string outbound_hook(outbound,userdata=[]):
      string inbound_hook(outbound,userdata=[]):

Tap Mode (--tap):
  Decept will replicate any inbound/outbound traffic over localhost now
  also, such that you can view traffic that has been decrypted or processed
  by the inbound/outbound hooks in something more legit than the hexdump
  function. (e.g. tcpdump/wireshark/tshark/etc)

Host Config File:
  Optionally, instead of specifying a remote host, if you specify a valid
  filename, you can multiplex HTTP/HTTPS connections to different URLs.
  Please examine the example "hosts.conf" for more information.

------------------------------------------------------------------------

L2 usage: decept.py

L2 options:
  --l2_filter MACADDR   Ignore inbound traffic except from MACADDR
  --l2_MTU MTU          Set Maximum Transmission Unit for socket
  --l2_forward          Bridge the local interface and remote interface

  --pcap PCAPDIR        Directory to store pcaps
  --pps                 Create a new pcap for each session
  --snaplen SNAPLEN     Length of packet truncation
  --pcap_interface IFACE
                        Specify which interface the packets will be
                        coming in on. "eth0" by default.

L4 Usage: decept.py 127.0.0.1 9999 10.0.0.1 8080
L3 Usage: decept.py 127.0.0.1 0 10.0.0.1 0 -l icmp -r icmp
L2 Usage: decept.py lo 00:00:00:00:00:00 eth0 ff:aa:cc:ee:dd:00
Unix: decept.py localsocketname 0 remotesocketname 0
Abstract: decept.py \\x00localsocketname 0 \\x00remotesocketname 0

Arp Poisoning options:
  --poison              Contains "mac1|mac2|ip1|ip2" to poison.
  --poison_int          Interface on which to poison (eth0 default)

```
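A hook file for the `--hookfile` option, written here as an added example (it is not one of the project's own `hooks` files): it audits HTTP traversing the proxy, masks credential-bearing headers in its log output, and uses the shared `userdata` list to pair each response status with the request that produced it. It assumes, beyond what the help text states, that each hook receives the raw bytes of one read and that its return value is what Decept forwards; the data itself is passed through unchanged.

```python
import re

# Constructed patterns for a minimal HTTP/1.x audit; Decept hands the hooks raw socket data.
REQUEST_LINE = re.compile(br"^([A-Z]+) (\S+) HTTP/1\.[01]\r\n")
STATUS_LINE = re.compile(br"^HTTP/1\.[01] (\d{3})")
CRED_HEADER = re.compile(br"^(Authorization|Proxy-Authorization|Cookie):[^\r\n]*",
                         re.IGNORECASE | re.MULTILINE)


def redact(data):
    """Mask credential-bearing header values. Used for the log line only;
    the bytes the hooks return to the proxy are never altered."""
    return CRED_HEADER.sub(lambda m: m.group(1) + b": <redacted>", data)


def outbound_hook(outbound, userdata=[]):
    """Client -> server direction (signature as documented by decept.py --help).
    Records the request so inbound_hook can pair a status code with it,
    and flags cleartext credentials crossing the proxy."""
    m = REQUEST_LINE.match(outbound)
    if m:
        method, path = m.group(1), m.group(2)
        has_cred = CRED_HEADER.search(outbound) is not None
        userdata.append(("req", method, path, has_cred))
        first_line = redact(outbound).split(b"\r\n")[0].decode("latin-1")
        print("[hook] >> %s%s" % (first_line,
                                  " (credential header present)" if has_cred else ""))
    return outbound  # forward unchanged


def inbound_hook(inbound, userdata=[]):
    """Server -> client direction. Pairs the status line with the most
    recent request recorded by outbound_hook via the shared userdata list."""
    m = STATUS_LINE.match(inbound)
    if m:
        status = int(m.group(1))
        last = next((u for u in reversed(userdata) if u[0] == "req"), None)
        path = last[2].decode("latin-1") if last else "?"
        userdata.append(("resp", status, path))
        print("[hook] << %d for %s" % (status, path))
    return inbound  # forward unchanged
```

Non-HTTP data (a TLS record, a binary protocol) matches neither pattern and is forwarded without a log entry, so the same hook file can stay loaded on a mixed port.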

# lil_sshniffer.py

Main lil_sshniffer uses:

1. SSH MITM: With the '--sniff' flag, lil_sshniffer will accept an SSH connection
on the local host/port specified and then try to connect to the given RHOST/RPORT with the
credentials provided. All traffic is logged and can be filtered/acted upon before traversing all
the way through with the '--filter' flag (see lil_netkit.py for more info).

2. Fuzzing an SSH-wrapped service: Without the '-s' flag, lil_sshniffer will take a connection
and wrap it in whatever type of SSH connection you want (--subsystem/--execute/--interactive/
--pty).

```
[^.^] lil_sshniffer.py [^.^] ~For all your sshniffing needs~

usage: lil_sshniffer.py rhost
                        [-h] [--lhost LHOST] [--lport LPORT] [--rport RPORT]
                        [-d] [-l] [-P] [-s] [-k SPOOF_KEY] [-r] [-a AUTH_KEY]
                        [-u USERNAME] [-p PASSWORD] [-t TIMEOUT]
                        [--subsystem SUBSYSTEM | --execute EXECUTE | --interactive]
                        [-f] [-?] [-j]

positional arguments:
  rhost                 Remote address to connect to

optional arguments:
  -h, --help            show this help message and exit
  --lhost LHOST         Local address to bind to
  --lport LPORT         Local port to bind to
  --rport RPORT         Remote port to connect to
  -d, --debug           Extra output
  -l, --logging         Enable/disable logging
  -P, --pty             Allocate a pty also
  -s, --sniff           Create an inbound and outbound SSH Server
  -k SPOOF_KEY, --spoof_key SPOOF_KEY
                        RSA key to use for spoofing
  -r, --retry           Do the retry hack >_<
  -a AUTH_KEY, --auth_key AUTH_KEY
                        Key for authenticating outbound
  -u USERNAME, --username USERNAME
                        Username for outbound connection (leave blank for
                        prompt)
  -p PASSWORD, --password PASSWORD
                        Password for outbound connection (leave blank for
                        prompt)
  -t TIMEOUT, --timeout TIMEOUT
                        Timeout for sockets
  --subsystem SUBSYSTEM, -S SUBSYSTEM
                        Execute the given subsystem (scp/sftp/ssh/netconf/etc)
  --execute EXECUTE, -e EXECUTE
                        Execute a single command
  --interactive, -i     Requests a shell w/pty (default)
  -f, --filtering       Filter input and output w/lil_netkit
  -?, --cisco           For when you're filtering on a connection with a Cisco
                        CLI device
  -j, --hijack          Hijack ssh session after target quits
```