SySS-Research / Lauschgeraet

Licence: MIT license
Gets in the way of your victim's traffic and out of yours

Lauschgerät

Analyze and modify traffic without worrying about TLS or 802.1X.

Lauschgerät attempts to do most of the heavy lifting so you can focus on things that cannot be done by a machine. Get an extra ethernet cable, plug your machine between two test machines, and watch and control the traffic flowing through your machine.

Installation

The recommended distribution is either Debian Stretch or newer or Kali Linux (even on ARM). A minimal network install with just an SSH server and standard Linux tools will do.

Variant 1 (namespaces)

Install the requirements:

cat requirements-system.txt | xargs sudo apt-get -y install
pip3 install --user -r requirements.txt

Variant 2 (virtual machine)

  • Create a virtual machine with a network interface you can reach from your host machine (host-only if using KVM) and set up an SSH service
  • Boot the device before plugging in any extra network interfaces
  • Log in and make sure you can reach the internet
  • Write down the name of the wireless interface, if there is any
  • Now plug in the switch interface and write down the name of the new device that shows up in the output of ip link
  • Now plug in the client interface and write down the name of the new device
  • Run: install.sh -u=root -p=<PORT> <HOST> <ATIF> <CLIF> <SWIF> The last three arguments correspond to the attacker interface, the client interface and the switch interface.
  • If something goes wrong, log in and try to fix it, then run the command again

Variant 3 (hardware)

Download a suitable ISO, install it on a Raspberry Pi, Banana Pi or some other compatible device. This has been tested with 2018-04-18-raspbian-stretch-lite.img (SHA1 sum a85ca45b0830bfa3196786061c524d93325596c0).

To make sure you have root access via SSH and that the device has internet access, I recommend mounting the image first with guestfish to enable SSH:

$ guestfish -a 2018-04-18-raspbian-stretch-lite.img

Welcome to guestfish, the guest filesystem shell for
editing virtual machine filesystems and disk images.

Type: ‘help’ for help on commands
      ‘man’ to read the manual
      ‘quit’ to quit the shell

><fs> run
><fs> mount /dev/sda2 /

Then create a symlink to enable the SSH service at boot:

ln -s /lib/systemd/system/ssh.service /etc/systemd/system/sshd.service

Then umount /, sync and exit. Copy it to an SD card, boot the Raspberry Pi and proceed as in variant 2.

This is a good moment to get coffee, because this step may take a while.

It should then look like this:

Lauschgerät on a RasPi

Usage

Quickstart

  • Attach the victim client and the victim switch to the Lauschgerät
  • If using variant 1 (network namespaces), run lauschgeraet.py <client-interface> <switch-interface>
  • Navigate a browser to the attacker machine on port 1337
  • Set the status of the Lauschgerät to passive by clicking the On/Off switch
  • Watch the traffic with ip netns exec lg tcpdump -i br0, or remotely with Wireshark: ssh root@lauschgeraet ip netns exec lg tcpdump -s 0 -U -n -w - -i br0 | wireshark -k -i -
  • To redirect traffic to another service, set the status of the Lauschgerät to active
  • Run a service on the target port using the "Services" page
  • Define an iptables rule on the "Man in the Middle" page that redirects traffic to that target port

Services

You can run arbitrary services on the Lauschgerät to interact with your victim's traffic. Currently, you need to supply a JSON file with some basic info in order to conveniently run these services from the web interface. A proper API is planned for the next release. You're always free to start any service manually via SSH, of course.

A few examples are listed in the following section.

By default, Lauschgerät comes with JSON files for Moxie Marlinspike's SSLstrip, a self-developed TCP proxy called TLS Eraser and, as an example for how an adversary could maliciously modify traffic, Flipper, a service that turns images transferred via HTTP upside-down.

The Lauschgerät has the IP address 203.0.113.1 in the lg network namespace and 203.0.113.2 in the default network namespace.

Examples

TLS Eraser

By default, TLS Eraser runs on TCP port 1234. It terminates the TLS encryption and redirects the traffic to another network namespace before transmitting it to its original destination. The original destination is determined automatically. The detour to another namespace is made so you can observe the unencrypted traffic via Wireshark or tcpdump.

The certificate which is presented to the victim is obtained via clone-cert.sh.

Flipper

Run the Flipper service (analogous to TLS Eraser) to flip images:

Flipper

Shout out to byt3bl33d3r!

Hidden Services

In case you want to run a service that is accessible to other members of the network, define a MitM rule such as this:

old destination                       new destination
<IP of the victim client>:80    ->    203.0.113.1:80

Wifi Mode

When running the Lauschgerät as variant 3 with dedicated hardware such as a Raspberry Pi, you can use the built-in wifi card either as a management interface or as another client interface. Simply turn on the Lauschgerät's wifi mode in the web interface. Then all traffic originating from wireless devices which joined the wifi network will be intercepted.

Testing

If you want to contribute, it's useful to have a good test setup. Since it's a pain to work with another physical device, let alone two more devices, let's just use the same machine we're already working on (variant 1). The trick is to use yet another network namespace.

The script testsetup.sh creates a network namespace with the name ext as well as four virtual devices:

  • lg-eth0 - replaces the interface on the attacker machine connected to the client
  • lg-eth1 - replaces the interface on the attacker machine connected to the switch
  • lg-eth0-l - replaces the interface of the victim client
  • lg-eth1-l - replaces the interface of the victim switch

lg-eth0-l is assigned to the network namespace ext by the script. There needs to be a DHCP service listening on lg-eth1-l. It can be in the default network namespace.

To run a test, execute ./testsetup.sh ; ./lauschgeraet.py -ci lg-eth0 -si lg-eth1. Now switch into the ext namespace with something like sudo ip netns exec ext bash. Pretend to be the victim by placing requests from this shell, preferably with curl or wget, but you can also launch a browser.

Close all shells living in this new network namespace before you delete it.

References

Large parts of the 802.1x bypass have been taken from Alva Duckwall's excellent talk.

Similar Projects

Author

Adrian Vollmer, SySS GmbH 2018-2019

Disclaimer

Use at your own risk. Do not use without full consent of everyone involved. For educational purposes only.
