Decept Proxy
Yay, another network proxy. What makes this any different from any others?
- Created with portability in mind, it only uses standard Python libraries, so you can drop it on a box and not worry, as long as Python 2 is there.
- Supports SSL endpoints, IPv6, Unix sockets, abstract namespace sockets, L3 protocols/captures, and also L2 bridging and passive modes.
- Any traffic that passes through decept.py can be dumped into a .fuzzer file format that is suitable for fuzzing with the Mutiny Fuzzing Framework.
- SSH proxying/sniffing/filtering with lil_sshniffer.py and lil_netkit.py.
- HTTP/HTTPS multiplexing. Examine hosts.conf for more information.
- Based on the TCP proxy.py from Black Hat Python by Justin Seitz.
[<_<] Decept proxy/sniffer [>_>]
usage: decept.py <local_host> <local_port> <remote_host> <remote_port> [OPTIONS]
optional arguments:
-h, --help show this help message and exit
--quiet Don't show hexdumps
--recv_first Receive stuff first?
--timeout TIMEOUT Timeout for outbound socket
--loglast LOGLAST Log the last packet (unimplimented)
--fuzzer FUZZFILE *.fuzzer output for mutiny (extensions required)
--dumpraw DUMPDIR Directory to dump raw packet files into
(fmt = %d-%s % (pkt_num,[inbound|outbound]))
--max-packet-len LEN Max amount of data per packet when sending data
--dont_kill For when you don't want the connection to die if
neither side sends packets for TIMEOUT seconds.
Use with --expect if you still need the session
to end though.
--expect RESPCOUNT Useful with --dont_kill. Wait for RESPCOUNT
responses from the remote server, and then kill
the connection. Good for fuzzing campaigns.
-l, {ssl,udp,tcp}|[L3 Proto] Local endpoint type
-r, {ssl,udp,tcp}|[L3 Proto] Remote endpoint type
--rbind_addr IPADDR IP address to use for remote side. Make sure that
you have the IP somewhere on an interface though.
--rbind_port PORT PORT to bind to for remote side.
SSL Options:
--lcert SSL_PEM_CERT Cert to use for accepting local SSL
(Optionally cert and key in one file)
--lkey SSL_PEM_KEY Private key for local cert
--rcert SSL_PEM_CERT Cert to use for connecting to remote SSL
(Optionally cert and key in one file)
--rkey SSL_PEM_KEY Private key for remote cert
--rverify HOSTNAME Verify remote side as host HOSTNAME before
connecting.
Hook Files:
Optional function definitions for processing data between inbound
and outbound endpoints. Can pass data between the hooks/proxy with
the userdata parameters. Look at `hooks` folder for some examples/
prebuilt useful things.
--hookfile <file> | Functions imported from file:
string outbound_hook(outbound,userdata=[]):
string inbound_hook(outbound,userdata=[]):
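An example hook file for `--hookfile`, written for this README and not part of the Decept project: it assumes decept.py passes the raw buffer as the first positional argument and forwards whatever the hook returns, and that the `userdata` list is shared between the two hooks. The backend name is a constructed placeholder; the hooks rewrite the HTTP `Host` header towards it, undo the rewrite in `Location` headers coming back, count packets in `userdata`, and mask credential headers before anything is printed to the hexdump/tap side.

```python
# Example decept.py hook file (added illustration, not project code).
# Assumed calling convention: outbound_hook(buf, userdata) for client->server
# data, inbound_hook(buf, userdata) for server->client data; the return value
# is what the proxy forwards. Works on bytes (str under Python 2).
import re

BACKEND_HOST = b"backend.internal:8080"  # constructed placeholder, not a real host

HOST_RE = re.compile(br"^Host:[ \t]*([^\r\n]*)\r\n", re.IGNORECASE | re.MULTILINE)
SENSITIVE_RE = re.compile(br"^(Authorization|Cookie|Set-Cookie):[ \t]*[^\r\n]*",
                          re.IGNORECASE | re.MULTILINE)


def _init(userdata):
    # userdata layout: [outbound packets, inbound packets, original Host value]
    if not userdata:
        userdata.extend([0, 0, None])


def redact_for_log(buf):
    """Mask credential-bearing header values so logs/taps never carry secrets."""
    return SENSITIVE_RE.sub(br"\1: <redacted>", buf)


def outbound_hook(outbound, userdata=[]):
    """Client -> server: point Host at the backend, remember the client's Host."""
    _init(userdata)
    userdata[0] += 1
    m = HOST_RE.search(outbound)
    if m:
        userdata[2] = m.group(1)
        outbound = HOST_RE.sub(b"Host: " + BACKEND_HOST + b"\r\n", outbound, count=1)
    print(redact_for_log(outbound))
    return outbound


def inbound_hook(inbound, userdata=[]):
    """Server -> client: rewrite redirects back to the name the client used."""
    _init(userdata)
    userdata[1] += 1
    original = userdata[2]
    if original:
        inbound = inbound.replace(b"Location: http://" + BACKEND_HOST,
                                  b"Location: http://" + original)
    print(redact_for_log(inbound))
    return inbound
```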
Tap Mode (--tap):
Decept will replicate any inbound/outbound traffic over localhost now
also, such that you can view traffic that has been decrypted or processed
by the inbound/outbound hooks in something more legit than the hexdump
function. (e.g. tcpdump/wireshark/tshark/etc)
Host Config File:
Optionally, instead of specifying a remote host, if you specify a valid
filename, you can multiplex HTTP/HTTPS connections to different URLs.
Please examine the example "hosts.conf" for more information.
------------------------------------------------------------------------
L2 usage: decept.py <local_int> <local_mac> <remote_int> <remote_mac>
L2 options:
--l2_filter MACADDR Ignore inbound traffic except from MACADDR
--l2_MTU MTU Set Maximum Transmision Unit for socket
--l2_forward Bridge the local interface and remote interface
--pcap PCAPDIR Directory to store pcaps
--pps Create a new pcap for each session
--snaplen SNAPLEN Length of packet truncation
--pcap_interface IFACE Specify which interface the packets will be
coming in on. "eth0" by default.
L4 Usage: decept.py 127.0.0.1 9999 10.0.0.1 8080
L3 Usage: decept.py 127.0.0.1 0 10.0.0.1 0 -l icmp -r icmp
L2 Usage: decept.py lo 00:00:00:00:00:00 eth0 ff:aa:cc:ee:dd:00
Unix: decept.py localsocketname 0 remotesocketname 0
Abstract: decept.py \\x00localsocketname 0 \\x00remotesocketname 0
Arp Poisoning options:
--poison <config-file> Contains "mac1|mac2|ip1|ip2" to poison.
--poison_int <interface> Interface on which to poison (eth0 default)
lil_sshniffer.py
Main lil_sshniffer uses:
- SSH MITM: With the '--sniff' flag, lil_sshniffer will accept an SSH connection on the localhost/local port specified and then try to connect to the given RHOST/RPORT with the credentials provided. All traffic is logged and can be filtered/acted upon before traversing all the way through with the '--filter' flag (see lil_netkit.py for more info).
- Fuzzing an SSH-wrapped service: Without the '-s' flag, lil_sshniffer will take a connection and wrap it in whatever type of SSH connection you want (--subsystem/--pty/--interactive).
[^.^] lil_sshniffer.py [^.^] ~For all your sshniffing needs~
usage: lil_sshniffer.py rhost
[-h] [--lhost LHOST] [--lport LPORT] [--rport RPORT]
[-d] [-l] [-P] [-s] [-k SPOOF_KEY] [-r] [-a AUTH_KEY]
[-u USERNAME] [-p PASSWORD] [-t TIMEOUT]
[--subsystem SUBSYSTEM | --execute EXECUTE | --interactive]
[-f] [-?] [-j]
positional arguments:
rhost Remote address to connect to
optional arguments:
-h, --help show this help message and exit
--lhost LHOST Local address to bind to
--lport LPORT Local port to bind to
--rport RPORT Remote port to connect to
-d, --debug Extra output
-l, --logging Enable/disable logging
-P, --pty Allocate a pty also
-s, --sniff Create an inbound and outbound SSH Server
-k SPOOF_KEY, --spoof_key SPOOF_KEY
RSA key to use for spoofing
-r, --retry Do the retry hack >_<
-a AUTH_KEY, --auth_key AUTH_KEY
Key for authenticating outbound
-u USERNAME, --username USERNAME
Username for outbound connection (leave blank for
prompt)
-p PASSWORD, --password PASSWORD
Password for outbound connection (leave blank for
prompt)
-t TIMEOUT, --timeout TIMEOUT
Timeout for sockets
--subsystem SUBSYSTEM, -S SUBSYSTEM
Execute the given subsystem (scp/sftp/ssh/netconf/etc)
--execute EXECUTE, -e EXECUTE
Execute a single command
--interactive, -i Requests a shell w/pty (default)
-f, --filtering Filter input and output w/lil_netkit
-?, --cisco For when you're filtering on a connection with a Cisco
CLI device
-j, --hijack Hijack ssh session after target quits