Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/Cisco-Talos/Decept

Decept Network Protocol Proxy
https://github.com/Cisco-Talos/Decept

filter network-proxy traffic

Last synced: about 2 months ago
JSON representation

Decept Network Protocol Proxy

Awesome Lists containing this project

README

        

# Decept Proxy

Yay, another network proxy. What makes this any different from any others?

* Created with portability in mind, it only uses as standard python libraries,
so you can drop it on a box and not worry, as long as python 2 is there.

* Supports SSL endpoirnts, IPV6, Unix Sockets, Abstract Namespace sockets,
L3 protocols/captures and also L2 bridging and passive modes.

* Any traffic that passes through Decept.py can be dumped into a .fuzzer file
format that is suitable for fuzzing with the Mutiny Fuzzing Framework.

* SSH proxying/sniffing/filtering with lil_sshniffer.py and lil_netkit.py

* HTTP/HTTPS multiplexing. Examine hosts.conf for more information.

* Based off of the tcp proxy.py from Black Hat Python by Justin Seitz

```
[<_<] Decept proxy/sniffer [>_>]

usage: decept.py [OPTIONS]

optional arguments:
-h, --help show this help message and exit
--quiet Don't show hexdumps
--recv_first Receive stuff first?
--timeout TIMEOUT Timeout for outbound socket
--loglast LOGLAST Log the last packet (unimplimented)
--fuzzer FUZZFILE *.fuzzer output for mutiny (extensions required)
--dumpraw DUMPDIR Directory to dump raw packet files into
(fmt = %d-%s % (pkt_num,[inbound|outbound]))
--max-packet-len LEN Max amount of data per packet when sending data
--dont_kill For when you don't want the connection to die if
neither side sends packets for TIMEOUT seconds.
Use with --expect if you still need the session
to end though.
--expect RESPCOUNT Useful with --dont_kill. Wait for RESPCOUNT
responses from the remote server, and then kill
the connection. Good for fuzzing campaigns.

-l, {ssl,udp,tcp}|[L3 Proto] Local endpoint type
-r, {ssl,udp,tcp}|[L3 Proto] Remote endpoint type

--rbind_addr IPADDR IP address to use for remote side. Make sure that
you have the IP somewhere on an interface though.
--rbind_port PORT PORT to bind to for remote side.

SSL Options:
--lcert SSL_PEM_CERT Cert to use for accepting local SSL
(Optionally cert and key in one file)
--lkey SSL_PEM_KEY Private key for local cert
--rcert SSL_PEM_CERT Cert to use for connecting to remote SSL
(Optionally cert and key in one file)
--rkey SSL_PEM_KEY Private key for remote cert
--rverify HOSTNAME Verify remote side as host HOSTNAME before
connecting.

Hook Files:
Optional function definitions for processing data between inbound
and outbound endpoints. Can pass data between the hooks/proxy with
the userdata parameters. Look at `hooks` folder for some examples/
prebuilt useful things.

--hookfile | Functions imported from file:
string outbound_hook(outbound,userdata=[]):
string inbound_hook(outbound,userdata=[]):

Tap Mode (--tap):
Decept will replicate any inbound/outbound traffic over localhost now
also, such that you can view traffic that has been decrypted or processed
by the inbound/outbound hooks in something more legit than the hexdump
function. (e.g. tcpdump/wireshark/tshark/etc)

Host Config File:
Optionally, instead of specifying a remote host, if you specify a valid
filename, you can multiplex HTTP/HTTPS connections to different URLs.
Please examine the example "hosts.conf" for more information.

------------------------------------------------------------------------

L2 usage: decept.py

L2 options:
--l2_filter MACADDR Ignore inbound traffic except from MACADDR
--l2_MTU MTU Set Maximum Transmision Unit for socket
--l2_forward Bridge the local interface and remote interface

--pcap PCAPDIR Directory to store pcaps
--pps Create a new pcap for each session
--snaplen SNAPLEN Length of packet truncation
--pcap_interface IFACE Specify which interface the packets will be
coming in on. "eth0" by default.

L4 Usage: decept.py 127.0.0.1 9999 10.0.0.1 8080
L3 Usage: decept.py 127.0.0.1 0 10.0.0.1 0 -l icmp -r icmp
L2 Usage: decept.py lo 00:00:00:00:00:00 eth0 ff:aa:cc:ee:dd:00
Unix: decept.py localsocketname 0 remotesocketname 0
Abstract: decept.py \\x00localsocketname 0 \\x00remotesocketname 0

Arp Poisoning options:
--poison Contains "mac1|mac2|ip1|ip2" to poison.
--poison_int Interface on which to poison (eth0 default)

```

# lil_sshniffer.py

Main lil_sshniffer uses:

1. SSH MITM: With the '--sniff' flag, lil_sshniffer will accept an SSH connection
on the Localhost/local port specified and then try to connect to the given RHOST/RPORT with the
credentials provided. All traffic is logged and can be filtered/acted upon before traversing all
the way through with the '--filter' flag (lil_netkit.py for more info).

2. Fuzzing an SSH wrapped service: Without the '-s' flag, lil_sshniffer will take a connection
and wrap in in whatever type of SSH connection you want. (--subsystem/--pty/--interactive/
--pty)

```
[^.^] lil_sshniffer.py [^.^] ~For all your sshniffing needs~

usage: lil_sshniffer.py rhost
[-h] [--lhost LHOST] [--lport LPORT] [--rport RPORT]
[-d] [-l] [-P] [-s] [-k SPOOF_KEY] [-r] [-a AUTH_KEY]
[-u USERNAME] [-p PASSWORD] [-t TIMEOUT]
[--subsystem SUBSYSTEM | --execute EXECUTE | --interactive]
[-f] [-?] [-j]

positional arguments:
rhost Remote address to connect to

optional arguments:
-h, --help show this help message and exit
--lhost LHOST Local address to bind to
--lport LPORT Local port to bind to
--rport RPORT Remote port to connect to
-d, --debug Extra output
-l, --logging Enable/disable logging
-P, --pty Allocate a pty also
-s, --sniff Create an inbound and outbound SSH Server
-k SPOOF_KEY, --spoof_key SPOOF_KEY
RSA key to use for spoofing
-r, --retry Do the retry hack >_<
-a AUTH_KEY, --auth_key AUTH_KEY
Key for authenticating outbound
-u USERNAME, --username USERNAME
Username for outbound connection (leave blank for
prompt)
-p PASSWORD, --password PASSWORD
Password for outbound connection (leave blank for
prompt)
-t TIMEOUT, --timeout TIMEOUT
Timeout for sockets
--subsystem SUBSYSTEM, -S SUBSYSTEM
Execute the given subsystem (scp/sftp/ssh/netconf/etc)
--execute EXECUTE, -e EXECUTE
Execute a single command
--interactive, -i Requests a shell w/pty (default)
-f, --filtering Filter input and output w/lil_netkit
-?, --cisco For when you're filtering on a connection with a Cisco
CLI device
-j, --hijack Hijack ssh session after target quits
```