BlackHat Asia 2019 Release 1.4

README.md

@@ -2,88 +2,127 @@
 
 ## Cisco Implant Raspberry Controlled Operations
 
-Designed under Raspberry Pi Zero and aimed for cover red-team Ops, we take advantage of SecNetDevOps tools to capture network credentials in a stealth mode.
-Using a low profile hardware/electronics and different methods for credentials exfiltration 
-The tools use a combination of honeypots and information gather to lure Automation Systems into reveling network credentials (ssh/telnet/snmp) to our implant.
+Designed under Raspberry Pi and aimed for Red Team Ops, we take advantage of “Sec/Net/Dev/Ops” enterprise tools to capture network credentials in a stealth mode.<br>
+Using a low profile hardware & electronics camouflaged as simple network outlet box to be sitting under/over a desk.<br>
+CIRCO include different techniques for network data exfiltration to avoid detection.<br>
+This tool gather information and use a combination of honeypots to trick Automation Systems to give us their network credentials!
+
+----
+
+## Hardware
+
+The specific hardware will depend on size and features you want, as an example,
+you can run CIRCO on a Raspberry Pi Zero without Wireless Extraction feature or
+you could be using a Raspberry Pi 3B with a wireless dongle.
+
+The main constrain is physical space to fit CIRCO.
+
+You will also need some Cat 5 twisted cable, pliers, RJ45, soldering/desoldering tools,
+wires, glue-gun, zip-ties, etc
+
+Be creative!
+
+---
+
+## Software
+
+There are 3 main elements that make CIRCO:
+
+- The implant main program called `circo.py` which also run `sshd-fake.py` and `telnetd-fake.py` daemons (honeypots)<br>
+To emulate a Cisco Switch SNMP Agent, we are using forked version of [snmposter](https://github.com/ekiojp/snmposter)
+- To receive extracted credentials via different techniques, we use `carpa.py`
+  on an Internet Server, as long is has a public IP and no firewalls in
+front preventing traffic to reach it. We also need a domain pointing NS
+records to our public IP
+- Specific for wireless exfiltration we have `jaula.py`, been tested on a
+  Raspberry Pi Zero with a wireless dongle but should run different hardware
+without issues
+
+Most of the packet manipulation and crafting is been done with
+[Scapy](https://github.com/secdev/scapy) as it has enought flexibility with some
+exceptions (did I say I hate DHCP handshake?)
+
+Has been developed and tested under Python 2.x,
+will start soon to test Python 3.x. and confirm Python 3.x has no dependecies issues
+
+----
 
 ## Installation
 
-Follow INSTAL.txt file on each directory:
+The [Wiki](https://github.com/ekiojp/circo/wiki) has step-by-step instruction to install
+each element
 
+Inside each directory also is the `Install` file
 ```
-/circo_v1/INSTALL.txt
-/carap_v1/INSTALL.txt
-/jaula_v1/INSTALL.txt
+/circo/Install-CIRCO.md
+/carpa/Install-CARPA.md
+/jaula/Install-JAULA.md
 ```
 
 ----
 
+## Usage
+
+Examples/Screenshots/Videos added to [Wiki](https://github.com/ekiojp/circo/wiki)
+
+---
+
 # Credentials Exfiltration Format
 
+We use `t` (*telnet*), `s` (*ssh*) and `p` (*snmp*) to idenfiy the protocol used for the credentials obtained.
+
+For Telnet/SSH `enable` passwords we `e` as 2nd key identifier
+
+Included from version 1.4, we add Source IP address where the connection to our
+honeypots came from, to save bits the Dotted IP format has been converted to Hex
+The exfiltration programs `carpa.py` or `jaula.py` will convert back to Dotted
+IP format before display/writing output file
+
 ### Telnet
 ```
-t,<user>,<password>
-t,e,<enable>
+t,<user>,<password>,<src_ip>
+t,e,<enable>,<src_ip>
 ```
 
 ### SSH
 ```
-s,<user>,<password>
-s,e,<enable>
+s,<user>,<password>,<src_ip>
+s,e,<enable>,<src_ip>
 ```
 
 ### SNMP
 ```
-p,<community>
+p,<community>,<src_ip>
 ```
 
-----
-
-# DEMO
-
-[Demo Video](https://vimeo.com/299122405)
-
-Hostname `jaula` is a Raspberry Pi Zero with Adafruit 2.8" TFT and Buffalo WLI-UC-GNM
-dongle (also connect an USB LAN adaptor for mgmt), will be running `jaula_v1.py`
-
-Hostname `carpa` is a Raspberry Pi 3 running DHCP, eth0 connected to Cisco 2960-8TC and
-console to the switch, we also run `carpa_v1.py` (this can be on Internet)
-From here we can connecto our fake Cisco 3845 switch (circo_v1.py) like an automation system
-The onboard wlan0 is used for mgmt
-
-Hostname `circo` is **the** Raspberry Pi Zero W running `circo_v1.py`
-We use a Buffalo WLI-UC-GNM dongle for Wireless exfiltration (wlan1) and onboard for 
-mgt (wlan0). USB LAN adapter (eth0) connected to the Cisco switch.
-The PoE & DC-DC are used to provide power (5V) to the Raspberry
-
-**Demo Enclosure Only**
-
-![box](circo-box.jpg)
-
-
 ----
 
 # Presentations
 
-[HIVE AV Tokyo 2018](https://speakerdeck.com/ekio_jp/circo-hive-av-tokyo-2018)
+[BlackHat Asia Arsenal (Mar-2019)](https://speakerdeck.com/ekio_jp/circo-blackhat-asia-2019-arsenal)
 
-[YOROZU SECCON 2018](https://speakerdeck.com/ekio_jp/circo-yorozu-seccon-2018)
+[濱せっく / HamaSec (Feb-2019)](https://speakerdeck.com/ekio_jp/circo-hamasec-feb-2019)
 
-[Hamasec - Feb 2019](https://speakerdeck.com/ekio_jp/circo-hamasec-feb-2019)
+[YOROZU SECCON (Dec-2018)](https://speakerdeck.com/ekio_jp/circo-yorozu-seccon-2018)
 
+[HIVE AV Tokyo (Nov-2018)](https://speakerdeck.com/ekio_jp/circo-hive-av-tokyo-2018)
 
 ----
 
 # ToDo
 
-- [ ] Make the code nicer
-- [ ] Improve performace for snmposter and support *any* community
-- [ ] Work on WPAD discovery module 
-- [ ] Work on No-DHCP module
-- [ ] Wifi Pineapple Module (jaula_v1.py)
-- [ ] Include Automation SRC IP in the exfiltration
-- [ ] Port code into NodeMCU/Arduino for jaula_v1.py
 - [x] Add LLDP Support
+- [x] Include Automation SRC IP in the exfiltration
+- [x] Work on WPAD discovery module
+- [ ] [Faraday](https://github.com/infobyte/faraday) API Integration
+- [ ] Python 3.x Support
+- [ ] Include Implant ID on exfiltration
+- [ ] Destroy Switch
+- [ ] LTE Support
+- [ ] Work on No-DHCP module
+- [ ] Wifi Pineapple Module for `jaula.py`
+- [ ] Improve performace for [snmposter](https://github.com/ekiojp/snmposter) and support *any* community
+- [ ] Make the code nicer
 
 ----
 

carpa/Install-CARPA.md

@@ -0,0 +1,51 @@
+# Install CARPA
+***
+### Install/Update Packages
+* Install packages
+```
+sudo apt-get install -y python-pip git
+```
+* Install Scapy > 2.3.3
+```
+git clone https://github.com/secdev/scapy
+cd scapy
+sudo python setup.py install && cd .. && sudo rm -rf scapy
+```
+## Download latest release
+```
+git clone https://github.com/ekiojp/circo
+```
+## Install Python Requirements (grab a coffee)
+```
+cd circo/carpa
+sudo pip install -r requirements.txt
+```
+## Configure CARPA
+### Filter packets on public interface to avoid RST & ICMP packets out, block ping response
+```
+sudo iptables -A INPUT -i eth0 -p icmp -j DROP
+sudo iptables -A OUTPUT -o eth0 -p tcp --tcp-flags RST RST -j DROP
+sudo iptables -A OUTPUT -o eth0 -p icmp --icmp-type port-unreachable -j DROP
+```
+### Update CARPA #Config section
+``` 
+vi carpa.py
+```
+Look for section below `#Config`
+
+* Change AES `passphrase` and `salt`, these need to match `circo.py` config
+```
+phrase = 'Waaaaa! awesome :)'
+salt = 'salgruesa'
+```
+* Define `domain/sub-domain` (NS Server IP must be CARPA Public IP)
+```
+ccname = 'evil.sub.domain'
+```
+* Change relative path of CARPA (optional)
+```
+dirname = '/home/ekio/circo/carpa/'
+```
+
+## Notes
+* There are free/pay DNS sub domain services like [afraid](https://afraid.org)