Decept

by Cisco-Talos

Decept Network Protocol Proxy

Decept Proxy

Yay, another network proxy. What makes this any different from any others?

  • Created with portability in mind, it only uses standard Python libraries, so you can drop it on a box and not worry, as long as Python 2 is there.

  • Supports SSL endpoints, IPv6, Unix sockets, abstract namespace sockets, L3 protocols/captures, and also L2 bridging and passive modes.

  • Any traffic that passes through Decept.py can be dumped into a .fuzzer file format that is suitable for fuzzing with the Mutiny Fuzzing Framework.

  • SSH proxying/sniffing/filtering with lilsshniffer.py and lilnetkit.py.

  • HTTP/HTTPS multiplexing. Examine hosts.conf for more information.

  • Based on the TCP proxy.py from Black Hat Python by Justin Seitz.

```text
[<_ decept proxy>_>]

usage: decept.py [OPTIONS]

optional arguments:
  -h, --help            show this help message and exit
  --quiet               Don't show hexdumps
  --recv_first          Receive stuff first?
  --timeout TIMEOUT     Timeout for outbound socket
  --loglast LOGLAST     Log the last packet (unimplemented)
  --fuzzer FUZZFILE     *.fuzzer output for mutiny (extensions required)
  --dumpraw DUMPDIR     Directory to dump raw packet files into
                        (fmt = %d-%s % (pkt_num,[inbound|outbound]))
  --max-packet-len LEN  Max amount of data per packet when sending data
  --dont_kill           For when you don't want the connection to die if
                        neither side sends packets for TIMEOUT seconds.
                        Use with --expect if you still need the session to
                        end though.
  --expect RESPCOUNT    Useful with --dont_kill. Wait for RESPCOUNT responses
                        from the remote server, and then kill the connection.
                        Good for fuzzing campaigns.

  -l, {ssl,udp,tcp}|[L3 Proto]  Local endpoint type
  -r, {ssl,udp,tcp}|[L3 Proto]  Remote endpoint type

  --rbind_addr IPADDR   IP address to use for remote side. Make sure that
                        you have the IP somewhere on an interface though.
  --rbind_port PORT     PORT to bind to for remote side.

SSL Options:
  --lcert SSL_PEM_CERT  Cert to use for accepting local SSL
                        (Optionally cert and key in one file)
  --lkey SSL_PEM_KEY    Private key for local cert
  --rcert SSL_PEM_CERT  Cert to use for connecting to remote SSL
                        (Optionally cert and key in one file)
  --rkey SSL_PEM_KEY    Private key for remote cert
  --rverify HOSTNAME    Verify remote side as host HOSTNAME before connecting.

Hook Files:
  Optional function definitions for processing data between inbound and
  outbound endpoints. Can pass data between the hooks/proxy with the
  userdata parameters. Look at the hooks folder for some examples/prebuilt
  useful things.

  --hookfile | Functions imported from file:
      string outbound_hook(outbound,userdata=[]):
      string inbound_hook(outbound,userdata=[]):

Tap Mode (--tap):
  Decept will replicate any inbound/outbound traffic over localhost now also,
  such that you can view traffic that has been decrypted or processed by the
  inbound/outbound hooks in something more legit than the hexdump function
  (e.g. tcpdump/wireshark/tshark/etc).

Host Config File:
  Optionally, instead of specifying a remote host, if you specify a valid
  filename, you can multiplex HTTP/HTTPS connections to different URLs.
  Please examine the example "hosts.conf" for more information.

L2 usage: decept.py

L2 options:
  --l2_filter MACADDR   Ignore inbound traffic except from MACADDR
  --l2_MTU MTU          Set Maximum Transmission Unit for socket
  --l2_forward          Bridge the local interface and remote interface

  --pcap PCAPDIR        Directory to store pcaps
  --pps                 Create a new pcap for each session
  --snaplen SNAPLEN     Length of packet truncation
  --pcap_interface IFACE
                        Specify which interface the packets will be coming
                        in on. "eth0" by default.

L4 Usage:  decept.py 127.0.0.1 9999 10.0.0.1 8080
L3 Usage:  decept.py 127.0.0.1 0 10.0.0.1 0 -l icmp -r icmp
L2 Usage:  decept.py lo 00:00:00:00:00:00 eth0 ff:aa:cc:ee:dd:00
Unix:      decept.py localsocketname 0 remotesocketname 0
Abstract:  decept.py \x00localsocketname 0 \x00remotesocketname 0

Arp Poisoning options:
  --poison              Contains "mac1|mac2|ip1|ip2" to poison.
  --poison_int          Interface on which to poison (eth0 default)

</_>
```
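An added example hook file following the --hookfile interface listed above (this is not code from the Decept repository or its hooks folder): both hooks return the payload unchanged and use the shared userdata list to tally bytes per direction and to record an audit finding whenever a plaintext HTTP Basic Authorization header crosses the proxy, which is a quick way to show which sessions would leak credentials if the transport were not TLS. The header regex, the `audit_basic_auth` helper and the finding format are this example's own assumptions.

```python
import base64
import re

# Case-insensitive match for an HTTP Basic Authorization header (assumed
# format for this example, not something Decept itself defines).
BASIC_AUTH_RE = re.compile(br"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def _as_bytes(data):
    # Decept (Python 2) hands hooks str, which is already bytes; Python 3
    # callers may pass text, so normalise before matching.
    if isinstance(data, bytes):
        return data
    return data.encode("latin-1", "replace")


def audit_basic_auth(data):
    """Return the username carried in a Basic-auth header, or None.

    The password half is discarded on purpose: the audit only needs to
    know which account was sent in the clear, not the secret itself.
    """
    match = BASIC_AUTH_RE.search(_as_bytes(data))
    if match is None:
        return None
    try:
        decoded = base64.b64decode(match.group(1))
    except (TypeError, ValueError):
        return None  # not valid base64, so not a usable credential
    return decoded.split(b":", 1)[0].decode("utf-8", "replace")


def outbound_hook(outbound, userdata=[]):
    # Client -> server direction. userdata is the list Decept shares between
    # both hooks for the life of the session; the payload is returned as-is.
    userdata.append(("outbound", len(outbound)))
    user = audit_basic_auth(outbound)
    if user is not None:
        userdata.append(("finding", "plaintext Basic auth for user %r" % user))
    return outbound


def inbound_hook(inbound, userdata=[]):
    # Server -> client direction; tally the bytes and pass the payload through.
    userdata.append(("inbound", len(inbound)))
    return inbound
```

Save it under a name of your choosing (for instance audit_hook.py) and pass it with --hookfile; the findings accumulate in userdata for the session and can be dumped by a later hook call or read alongside the --tap capture.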

lil_sshniffer.py

Main lil_sshniffer uses:

  1. SSH MITM: With the '--sniff' flag, lilsshniffer will accept an SSH connection on the Localhost/local port specified and then try to connect to the given RHOST/RPORT with the credentials provided. All traffic is logged and can be filtered/acted upon before traversing all the way through with the '--filter' flag (lilnetkit.py for more info).

  2. Fuzzing an SSH-wrapped service: Without the '-s' flag, lil_sshniffer will take a connection and wrap it in whatever type of SSH connection you want (--subsystem/--pty/--interactive).

```text
[^.^] lil_sshniffer.py [^.^]
~For all your sshniffing needs~

usage: lil_sshniffer.py rhost [-h] [--lhost LHOST] [--lport LPORT] [--rport RPORT]
                        [-d] [-l] [-P] [-s] [-k SPOOF_KEY] [-r] [-a AUTH_KEY]
                        [-u USERNAME] [-p PASSWORD] [-t TIMEOUT]
                        [--subsystem SUBSYSTEM | --execute EXECUTE | --interactive]
                        [-f] [-?] [-j]

positional arguments:
  rhost                 Remote address to connect to

optional arguments:
  -h, --help            show this help message and exit
  --lhost LHOST         Local address to bind to
  --lport LPORT         Local port to bind to
  --rport RPORT         Remote port to connect to
  -d, --debug           Extra output
  -l, --logging         Enable/disable logging
  -P, --pty             Allocate a pty also
  -s, --sniff           Create an inbound and outbound SSH Server
  -k SPOOF_KEY, --spoof_key SPOOF_KEY
                        RSA key to use for spoofing
  -r, --retry           Do the retry hack >_<
  -a AUTH_KEY, --auth_key AUTH_KEY
                        Key for authenticating outbound
  -u USERNAME, --username USERNAME
                        Username for outbound connection (leave blank for prompt)
  -p PASSWORD, --password PASSWORD
                        Password for outbound connection (leave blank for prompt)
  -t TIMEOUT, --timeout TIMEOUT
                        Timeout for sockets
  --subsystem SUBSYSTEM, -S SUBSYSTEM
                        Execute the given subsystem (scp/sftp/ssh/netconf/etc)
  --execute EXECUTE, -e EXECUTE
                        Execute a single command
  --interactive, -i     Requests a shell w/pty (default)
  -f, --filtering       Filter input and output w/lil_netkit
  -?, --cisco           For when you're filtering on a connection with a Cisco CLI device
  -j, --hijack          Hijack ssh session after target quits
```