fenrir-ocd's Introduction

                        ,ood8888booo,
                     ,od8           8bo,
                  ,od                   bo,
                ,d8                       8b,
               ,o                           o,    ,a8b
              ,8           FENRIR            8,,od8  8
              8'      Valérian LEGRAND      d8'     8b
              8                           d8'ba     aP'
              Y,                       o8'         aP'
               Y8,                      YaaaP'    ba
                Y8o                   Y8'         88
                 `Y8               ,8"           `P
                    8o        ,d8P'              ba
              ooood8888888P"""'                  P'
           ,od                                  8
        ,dP     o88o                           o'
       ,dP          8                          8
      ,d'   oo       8                       ,8
      $    d$"8      8           Y    Y  o   8
     d    d  d8    od  ""boooaaaaoob   d""8  8
     $    8  d  ood'-I   8         b  8   '8  b
     $   $  8  8     d  d8        `b  d    '8  b
      $  $ 8   b    Y  d8          8 ,P     '8  b
      `$$  Yb  b     8b 8b         8 8,      '8  o,
           `Y  b      8o  $$       d  b        b   $o
            8   '$     8$,,$"      $   $o      '$o$$
            $o$$P"                 $$o$

FENRIR

FENRIR is a tool designed to be used "out-of-the-box" for penetration tests and offensive engagements. Its main feature and purpose is to bypass wired 802.1x protection and to give you access to the target network.

Keep in mind FENRIR is still a Work in Progress

Branches :

  • master : main branch for (relatively) stable code
  • bleeding : branch with hotfixes and latest updates

Usage

FENRIR must be run as root, and you need 2 network interfaces for it to work. Also, check that both network interfaces are in promisc mode and that ip_forwarding is enabled (see the Install section).

To run it :

sudo python Interface.py

Notice that FENRIR's interface supports autocompletion

You can run shell commands with "!"

!ls -la

You first have to create a virtual tap for FENRIR with :

create_virtual_tap

Then you can either configure it manually or start autoconfiguration :

set <option> <value>
autoconf

Once FENRIR is configured you can run it normally or in debug mode

run
run_debug

The wiki pages are coming shortly with examples and better explanations !

Troubleshooting

Are your interfaces in promisc mode ? Even FENRIR's tap interface ?
Your external interfaces must not have an IP address, only the tap should have one.
Your default route should be pointing to the tap interface.
Have you enabled ip_forwarding ?
FENRIR will tell you if it is lacking configuration. It must have at least the legitimate host IP and MAC addresses.
Not all protocols are currently supported ! But feel free to help the project by creating a module !
If you have found a bug, report it to me ! I'll look at it as quickly as I can.

Disclaimer

  • I suck at naming stuff & especially function names
  • The code is always a work-in-progress, there are bugs and weird stuff ! Feel free to throw bug tickets & pull requests
  • Java sucks

Current and planned features

Specific protocol modules have their own separate table below !

| Feature | Current state | Details |
|---|---|---|
| 802.1x tapping and bypass | Done | N/A |
| Stealth | Partially Done | Other specific L2/L3 headers are to be added |
| Autoconfiguration | Done | N/A |
| Reverse connections capabilities | Done | Currently being reworked |
| Port translation | TODO | Collision issue avoidance |
| Runtime interface | Done | N/A |
| Better stats | TODO | |
| Bug smashing | Doing | Bugs, bugs everywhere |
| Code cleaning | Doing | It needs it badly ! |
| Not developed in Java | Done !!! | 'Cause we all know Java sucks right ? :) |

Protocol modules table

| Protocol | Current state | Details |
|---|---|---|
| IP | Done (FENRIR Core) | N/A |
| ARP | Done | N/A |
| ICMP | Done | N/A |
| LLMNR/NBNS (Responder) | Partially Done | Need to push it inside a separate module |
| SSH | TBD | Need to figure out key exchange rewriting |
| SMB | TBD | Next thing on my ToDo list ! |
| ??? | ??? | ??? |

Install

  • apt-get update
  • apt-get upgrade
  • apt-get install python-pip
  • apt-get install build-essential
  • apt-get install python-dev
  • pip install python-pytun
  • pip install scapy
  • pip install Cmd2
  • git clone this repo

Important note on install

It seems that with the arrival of Python3 some prerequisite packages are now bugged. For now, to avoid bugs while we migrate this tool to Python3, remove any installed files of the following packages and reinstall them like this:

  • sudo -H -E pip install "cmd2<=0.7.0"
  • sudo -H -E pip install "scapy<=2.3.2"

For running FENRIR

  • sysctl net.ipv4.ip_forward=1
  • ifconfig iface1 promisc
  • ifconfig iface2 promisc
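As an added example (not part of the fenrir-ocd project), a small Python preflight that checks the conditions the Troubleshooting section lists and the commands above set up: ip_forward enabled, external interfaces in promisc mode and without an IP, the tap holding the only address and the default route. The interface names eth1/eth2/tap0 and the sample command output are assumptions; live_check() runs the same checks on a Linux host with iproute2.

```python
import re
import subprocess

# Constructed sample output of `ip -o link show`, `ip -o -4 addr show` and `ip -4 route
# show default` for a host set up as the README asks (interface names are assumptions).
SAMPLE_LINK = """2: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP
3: eth2: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP
4: tap0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN
"""
SAMPLE_ADDR = "4: tap0    inet 10.0.0.42/24 brd 10.0.0.255 scope global tap0\n"
SAMPLE_ROUTE = "default via 10.0.0.1 dev tap0\n"

def parse_ip_link(text):
    """Map interface name -> set of link flags (PROMISC, UP, ...) from `ip -o link show`."""
    found = re.findall(r"^\d+:\s+([^:@]+)[^<]*<([^>]*)>", text, re.M)
    return {name: set(flags.split(",")) for name, flags in found}

def parse_ip_addr(text):
    """Map interface name -> list of IPv4 addresses from `ip -o -4 addr show`."""
    addrs = {}
    for name, ip in re.findall(r"^\d+:\s+(\S+)\s+inet\s+(\S+)", text, re.M):
        addrs.setdefault(name, []).append(ip)
    return addrs

def default_route_dev(text):
    """Device of the default route from `ip -4 route show default`, or None."""
    m = re.search(r"^default\s.*?\bdev\s+(\S+)", text, re.M)
    return m.group(1) if m else None

def check_config(link_out, addr_out, route_out, ip_forward, tap, externals):
    """Return the list of README conditions that fail; an empty list means all good."""
    links, addrs = parse_ip_link(link_out), parse_ip_addr(addr_out)
    problems = []
    if ip_forward.strip() != "1":
        problems.append("net.ipv4.ip_forward is not 1")
    for iface in externals:
        if "PROMISC" not in links.get(iface, set()):
            problems.append(f"{iface} is not in promisc mode")
        if addrs.get(iface):
            problems.append(f"{iface} has an IP address: {addrs[iface]}")
    if "PROMISC" not in links.get(tap, set()):
        problems.append(f"tap {tap} is not in promisc mode")
    if not addrs.get(tap):
        problems.append(f"tap {tap} has no IP address")
    if default_route_dev(route_out) != tap:
        problems.append(f"default route does not go through {tap}")
    return problems

def live_check(tap="tap0", externals=("eth1", "eth2")):
    """Run the same checks on this host (Linux with iproute2); run it as root."""
    def out(*cmd):
        return subprocess.run(cmd, capture_output=True, text=True).stdout
    with open("/proc/sys/net/ipv4/ip_forward") as f:
        return check_config(out("ip", "-o", "link", "show"), out("ip", "-o", "-4", "addr", "show"),
                            out("ip", "-4", "route", "show", "default"), f.read(), tap, list(externals))
```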

If you have any problem with installation, shoot me an email ! I can probably help you out !

Have a beer and participate !

The project is open for pull requests and bug reports ! The great thing is I would be more than happy to offer you a beer for any form of contribution. Please participate in this project and help me make it better :)
And if you don't know where to start or want some help, do not hesitate to contact me !

Also, if you want to chat about the project or ask questions, you can find me on IRC : WaffleWrath

Docs & Vids

My presentation of 802.1x bypass techniques and FENRIR is available on the Hack in Paris website

License

This software is licensed under the terms of the MIT license


by Valérian Legrand (main developer), Andrei Dumitrescu and Quentin Biguenet (contributors)

fenrir-ocd's Issues

global name 'TunTapDevice' is not defined

root@naren-VirtualBox:/opt/fenrir-ocd# python Interface.py
You need 2 physical network interfaces to use FENRIR !

FENRIR > create_virtual_tap
EXCEPTION of type 'NameError' occured with message: 'global name 'TunTapDevice' is not defined'
To enable full traceback, run the following command: 'set debug true'

Machine Details:
Linux naren-VirtualBox 5.8.0-43-generic #49~20.04.1-Ubuntu SMP Fri Feb 5 09:57:56 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

Note:

  1. FENRIR is running as Virtual box guest
  2. Host Machine has two physical NICs bridged into Guest machine

Interface Configuration

Sorry for my question, but do I have to configure a bridge interface or something before I start Fenrir?

Can this be used on OpenWRT/LEDE to make the router to do 802.1x for bridged clients ?

OpenWRT/LEDE support VLAN config to bridge LAN or WiFi ports to WAN, as documented at https://wiki.openwrt.org/doc/uci/network/switch and https://lede-project.org/docs/user-guide/switch_configuration.

I wonder if I can set LEDE to make WAN and WiFi at the same VLAN, and then let the router complete 802.1x by-MAC-auth for my notebook over WiFi.

I think it can be done with some injection on the LEDE router.

Transparent bridge

Forgive me if my question is trivial.
I'm configuring Fenrir between eth0 and eth1 (inline to a targeted PC).
When I connect it to a switch and run "show mac address-table", I can see the MAC address of the target PC, and that of the USB-Ethernet adapter, and obviously it gets blocked.

Is there a way where only the MAC address of the targeted PC will be visible ?

Furthermore, is there a way for the various parameters to be set automatically (trying autoconf didn't work)?

TSO issue

This problem arises especially for client-certificates 802.1x networks.

The client sends its certificate using baby jumbo frames which FENRIR cannot handle correctly atm.
A quick fix is available on the bleeding branch and a (hopefully) full patch will come up on the master branch asap.

Missing prerequisite in README

Thanks for developing this. While configuring on current Kali rolling, I had to install cmd2 with "easy_install -U cmd2".

Documentation

This is awesome tool any updates to it by chance? Do you mind updating the wiki examples on how to use this gem?

Replying back multicast packets into netIface

Hello Team,

Fenrir is working nicely, doing MITM for my 802.1x session: a Raspberry Pi connected as 802.1x supplicant to the hostIface of Fenrir (and Fenrir itself is actually another Raspberry Pi).
I was troubleshooting why I see multiple sessions/mac addresses on my switch:

9200-1#show access-session interface g1/0/13
Interface                MAC Address    Method  Domain  Status Fg  Session ID
--------------------------------------------------------------------------------------------
Gi1/0/13                 000c.2985.ba94 N/A     UNKNOWN Unauth      078C3E0A00001CC9A9CE92B2
Gi1/0/13                 000c.29cf.a965 N/A     UNKNOWN Unauth      078C3E0A00001CC8A9CD1AAE
Gi1/0/13                 0050.56a5.0be8 N/A     UNKNOWN Unauth      078C3E0A00001CC5A9CA00B2
Gi1/0/13                 0050.56a5.1a64 N/A     UNKNOWN Unauth      078C3E0A00001CC3A9C9DFFE
Gi1/0/13                 0050.56a5.2a81 N/A     UNKNOWN Unauth      078C3E0A00001CD0A9D117D2
Gi1/0/13                 0050.56a5.2cbf N/A     UNKNOWN Unauth      078C3E0A00001CC4A9C9F2D2
Gi1/0/13                 0050.56a5.5f9d N/A     UNKNOWN Unauth      078C3E0A00001CC7A9CAAF46
Gi1/0/13                 0050.56a5.961b N/A     UNKNOWN Unauth      078C3E0A00001CC6A9CA9A86
Gi1/0/13                 c4b2.398a.fd0d N/A     UNKNOWN Unauth      078C3E0A00001CC1A9C9CC12
Gi1/0/13                 d037.456c.c044 dot1x   DATA    Auth        078C3E0A00001CC2A9C9DDF6

Those mac addresses starting with 0050* were VM hosts in my network sending multicast/broadcast traffic into netIface (net vlan). So my 802.1x should be able to receive that traffic but never respond with such source mac addresses. As a result the switch should never try to build a session for such mac addresses on that port. Gig1/0/13 has Fenrir connected with the 802.1x Raspberry Pi behind it, that is all. We should see only one 802.1x session, nothing more (just a bit more if Fenrir is leaking some traffic sometimes).

And I found out that Fenrir is sending more multicast traffic back.
First we do see traffic on netIface where multicast frames are received (from host 00:50:56:a5:0b:e8, which is a VM machine in my network). Then I see my switch trying to send EAPOL frames for that mac, which suggests that some packets from that mac had to be received on this switchport:

root@rpi3:~# tcpdump -i eth1 -en ether host 00:50:56:a5:0b:e8
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes

09:21:22.749884 00:50:56:a5:0b:e8 > 01:00:5e:00:00:fc, ethertype IPv4 (0x0800), length 65: 10.62.140.133.60142 > 224.0.0.252.5355: UDP, length 23
09:21:22.856499 00:50:56:a5:0b:e8 > 01:00:5e:00:00:fc, ethertype IPv4 (0x0800), length 65: 10.62.140.133.60142 > 224.0.0.252.5355: UDP, length 23
09:21:23.109878 00:50:56:a5:0b:e8 > 01:00:5e:00:00:fc, ethertype IPv4 (0x0800), length 65: 10.62.140.133.60142 > 224.0.0.252.5355: UDP, length 23
09:21:52.140749 c4:b2:39:8a:fd:0d > 00:50:56:a5:0b:e8, ethertype EAPOL (0x888e), length 60: EAP packet (0) v3, len 5
09:21:52.319874 c4:b2:39:8a:fd:0d > 00:50:56:a5:0b:e8, ethertype EAPOL (0x888e), length 60: EAP packet (0) v3, len 5
09:22:22.141081 c4:b2:39:8a:fd:0d > 00:50:56:a5:0b:e8, ethertype EAPOL (0x888e), length 60: EAP packet (0) v3, len 5

Now when sniffing at the same time on the hostIface of Fenrir I could confirm those multicast frames were never forwarded to my 802.1x supplicant:

root@rpi3:~# tcpdump -i eth2 -en ether host 00:50:56:a5:0b:e8
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth2, link-type EN10MB (Ethernet), capture size 262144 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel

Now looking closely at netIface again (eth1) I have found out that Fenrir is actually sending back those multicast frames via the same interface (sniffing only traffic sent out via netIface):

root@rpi3:~# tcpdump -i eth1 -en ether host 00:50:56:a5:0b:e8 --direction=out
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
09:34:00.059875 00:50:56:a5:0b:e8 > 01:00:5e:00:00:fc, ethertype IPv4 (0x0800), length 66: 10.62.140.133.60860 > 224.0.0.252.5355: UDP, length 24
09:34:00.479876 00:50:56:a5:0b:e8 > 01:00:5e:00:00:fc, ethertype IPv4 (0x0800), length 66: 10.62.140.133.60860 > 224.0.0.252.5355: UDP, length 24

So for me it looks like traffic which is not supported by Fenrir, in this case multicast traffic, is sent back via the same netIface (instead of being forwarded out via hostIface). Is that expected?

Also - what would be your recommendation ? Would it be reasonable to use iptables and filter out incoming multicast traffic received on netIface ?

Update, my workaround (for testing) was to block multicast traffic via ACL on the switch (iptables on Fenrir did not work):

9200-1#sh ip access-lists DROP_MULTICAST
Extended IP access list DROP_MULTICAST
    10 deny ip any 224.0.0.0 15.255.255.255
    20 permit ip any any
9200-1#sh run int g1/0/13
Building configuration...

Current configuration : 641 bytes
!
interface GigabitEthernet1/0/13
 ip access-group DROP_MULTICAST out

Thanks,
Michal
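The session table in the report above is also what a network defender sees: an access port carrying one authenticated dot1x session plus extra unauthenticated MAC addresses. As an added example (not from the project or the reporter), a Python check that parses `show access-session` output and flags such ports; the sample rows copy the format quoted above, with one constructed extra port and session ID.

```python
import re

# Constructed sample in the format of the `show access-session interface` output quoted
# in the report; Gi1/0/14 and its MAC/session ID are invented to show a clean port.
SAMPLE_ACCESS_SESSION = """Interface                MAC Address    Method  Domain  Status Fg  Session ID
--------------------------------------------------------------------------------------------
Gi1/0/13                 000c.2985.ba94 N/A     UNKNOWN Unauth      078C3E0A00001CC9A9CE92B2
Gi1/0/13                 0050.56a5.0be8 N/A     UNKNOWN Unauth      078C3E0A00001CC5A9CA00B2
Gi1/0/13                 d037.456c.c044 dot1x   DATA    Auth        078C3E0A00001CC2A9C9DDF6
Gi1/0/14                 aaaa.bbbb.cccc dot1x   DATA    Auth        AAAAAAAA0000000000000001
"""

# One session row: port, dotted-hex MAC, method, domain, status; header/separator
# lines do not match because their second column is not a MAC address.
SESSION_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+"
    r"(?P<method>\S+)\s+(?P<domain>\S+)\s+(?P<status>\S+)", re.I | re.M)

def parse_sessions(text):
    """Return one dict per session row of a `show access-session` table."""
    return [m.groupdict() for m in SESSION_RE.finditer(text)]

def suspicious_ports(text, max_macs=1):
    """Flag ports where an authenticated session shares the port with other MACs.

    An access port meant for a single supplicant should show one MAC. Extra
    source MACs behind the same port (here the Unauth rows) are the footprint
    the report describes: an inline device emitting frames with foreign source
    addresses. Returns {port: {"auth": [macs], "other": [macs]}} for ports with
    more than max_macs distinct MACs and at least one authenticated session.
    """
    by_port = {}
    for s in parse_sessions(text):
        by_port.setdefault(s["iface"], []).append(s)
    flagged = {}
    for port, sessions in by_port.items():
        if len({s["mac"].lower() for s in sessions}) <= max_macs:
            continue
        auth = sorted(s["mac"] for s in sessions if s["status"].lower() == "auth")
        other = sorted(s["mac"] for s in sessions if s["status"].lower() != "auth")
        if auth:
            flagged[port] = {"auth": auth, "other": other}
    return flagged
```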

Routing issue?

I am able to run Fenrir such that the legitimate PC can send and receive traffic and that the attacker's machine can ping the LAN's default gateway.

However, when I try to communicate with anything else on the LAN, or on other subnets, the connection times out/is not reachable. Weirdly, running a traceroute to any other IP shows the first line as the Fenrir TAP interface 10.0.0.42 (time of ~3000ms which seems large), and then the traceroute terminates without attempting any more steps.

Has anyone seen this problem before? Am I missing some important configuration step? Any help would be great.

For your information, the default gateway is set to the TAP interface, and both ethernet interfaces have promisc mode activated. If any more info is required don't hesitate to ask.

Add Python packaging and deploy to PyPI

In order to make FENRIR available to Python users, it would be great to make it available on PyPI, the Python Package Index. This would allow users to get the package via pip as

pip install fenrir

Auto-configuration module is bugged

The auto-configuration module integration to the core was incomplete and the module is currently NOT working.

A fix should be coming asap. :)

Cmd2 for python2 not available anymore ?

Hello Team,

root@test:~/fenrir-ocd# pip install Cmd2
Looking in indexes: https://pypi.org/simple, https://www.piwheels.org/simple
Collecting Cmd2
  Using cached https://www.piwheels.org/simple/cmd2/cmd2-0.9.0-py2.py3-none-any.whl
cmd2 requires Python '>=3.4' but the running Python is 2.7.16

It looks like cmd2 now requires python3, but when I installed it with pip3 it looks like the rest of fenrir-ocd is not ready for python3? Any advice?

For now I am just using:

apt-get install python-cmd2

And continuing to use everything with python2.

Thanks,
